Jump to content

Java:ByteVerify-B and JS:Redirector-AC Trojans


Recommended Posts

I have reason to believe that my computer is okay, but it still acts strangely at times. I would like to see if there is anything fishy going on so I would appreciate your help. Before I installed AVAST, AVG found two rootkits and stated that they could not be removed. This happened twice and then did not happen again. After installing AVAST and uninstalling AVG an AVAST boot scan found two Trojans, Java:ByteVerify-B and JS:Redirector in the "RECYCLER" folder. I'm not sure where these were located, but I'm not going to worry about it at this point. I put them in the virus chest. Should they be deleted?

If I am not mistaken your instructions require me to post the MBAM log within the post along with the first DDS log. They are posted below the main text. The ark and attach files are supposed to be zipped and attached. I hope that I did this correctly. Thanks in advance.

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7329

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/30/2011 3:52:37 PM

mbam-log-2011-07-30 (15-52-37).txt

Scan type: Quick scan

Objects scanned: 191009

Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by poi at 17:06:23 on 2011-07-30

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.642 [GMT -5:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\USB TV\EM28XX\BDARemote.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

uWindow Title = Microsoft Internet Explorer

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNjc2NDAyOTk1LUJBKzEtWEwrMS1UMi1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3Ny1GTDEwKzEtU1AxKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMA"&"prod=55"&"ver=10.0.1390

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269795619093

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A9B57C27-3A8D-4410-BF03-21FBC3F1992C} : DhcpNameServer = 192.168.1.1

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Notification Packages = :\windows\system32\srr

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\poi\application data\mozilla\firefox\profiles\wxaz6z55.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbcce4f&v=7.005.030.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-15 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-15 309848]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-15 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-15 42184]

R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [1998-9-25 52800]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-5-26 44032]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\fneturpx.sys --> c:\windows\system32\drivers\FNETURPX.SYS [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-27 1684736]

S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\fnettboh.sys --> c:\windows\system32\drivers\FNETTBOH.SYS [?]

S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-3 19677]

.

=============== Created Last 30 ================

.

2011-07-16 06:11:14 -------- d-sh--w- c:\documents and settings\poi\IECompatCache

2011-07-16 04:53:31 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-16 04:52:53 40112 ----a-w- c:\windows\avastSS.scr

2011-07-16 04:52:38 -------- d-----w- c:\program files\AVAST Software

2011-07-16 04:52:38 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-07-16 04:51:02 56167608 ----a-w- C:\setup_av_free.exe

.

==================== Find3M ====================

.

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-30 10:05:08 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-30 01:54:40 11523592 ----a-w- C:\SUPERAntiSpyware.exe

2011-06-18 06:54:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 17:09:20.34 ===============

attach.zip

ark.zip

Link to post
Share on other sites

:welcome:

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

Looks like you're running 2 anti-virus programs.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

1.Click Start > Settings > Control Panel.

2.Next, open Add/Remove Programs and remove either:

AVG

Avast

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillermain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

please post the contents of that log TDSSKiller log.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Thanks LDTate for all your help. Do you prefer replies without your post embedded like this? Please let me know what you prefer.

:welcome:

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

Looks like you're running 2 anti-virus programs.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

1.Click Start > Settings > Control Panel.

2.Next, open Add/Remove Programs and remove either:

AVG

Avast

Believe it or not, I uninstalled AVG about a week or so ago. I noticed it being referenced in one of the logs that I posted. I still have this folder under C:\

$AVG8.VAULT$

I'm not sure if this is causing the problem or not. Is it possible that I did not completely uninstall? It is not in the list under Add/Remove programs. I was able to get rid of the linkscanner function, but that was before I posted to this forum. Any ideas to get rid of it?

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    Was this supposed to delete my history in firefox because it did not.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Nothing was prompted here.

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillermain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

please post the contents of that log TDSSKiller log.

2011/08/02 13:59:18.0140 1020 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11

2011/08/02 13:59:20.0140 1020 ================================================================================

2011/08/02 13:59:20.0140 1020 SystemInfo:

2011/08/02 13:59:20.0140 1020

2011/08/02 13:59:20.0140 1020 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/02 13:59:20.0140 1020 Product type: Workstation

2011/08/02 13:59:20.0140 1020 ComputerName: FLOYD

2011/08/02 13:59:20.0140 1020 UserName: poi

2011/08/02 13:59:20.0140 1020 Windows directory: C:\WINDOWS

2011/08/02 13:59:20.0140 1020 System windows directory: C:\WINDOWS

2011/08/02 13:59:20.0140 1020 Processor architecture: Intel x86

2011/08/02 13:59:20.0140 1020 Number of processors: 2

2011/08/02 13:59:20.0140 1020 Page size: 0x1000

2011/08/02 13:59:20.0140 1020 Boot type: Normal boot

2011/08/02 13:59:20.0140 1020 ================================================================================

2011/08/02 13:59:20.0687 1020 Initialize success

2011/08/02 13:59:59.0750 3952 ================================================================================

2011/08/02 13:59:59.0750 3952 Scan started

2011/08/02 13:59:59.0750 3952 Mode: Manual;

2011/08/02 13:59:59.0750 3952 ================================================================================

2011/08/02 13:59:59.0984 3952 Aavmker4 (dfcdd5936cad0138775d5a105d4c7716) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/08/02 14:00:00.0109 3952 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/08/02 14:00:00.0156 3952 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/08/02 14:00:00.0187 3952 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/08/02 14:00:00.0234 3952 AegisP (2f7f3e8da380325866e566f5d5ec23d5) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2011/08/02 14:00:00.0296 3952 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys

2011/08/02 14:00:00.0484 3952 ALCXWDM (34149a136b2b7525113950233f259ec1) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/08/02 14:00:00.0687 3952 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys

2011/08/02 14:00:00.0796 3952 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/08/02 14:00:00.0890 3952 aswFsBlk (861cb512e4e850e87dd2316f88d69330) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2011/08/02 14:00:00.0906 3952 aswMon2 (7857e0b4c817f69ff463eea2c63e56f9) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/08/02 14:00:00.0937 3952 aswRdr (8db043bf96bb6d334e5b4888e709e1c7) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/08/02 14:00:00.0984 3952 aswSnx (17230708a2028cd995656df455f2e303) C:\WINDOWS\system32\drivers\aswSnx.sys

2011/08/02 14:00:01.0015 3952 aswSP (dbedd9d43b00630966ef05d2d8d04cee) C:\WINDOWS\system32\drivers\aswSP.sys

2011/08/02 14:00:01.0046 3952 aswTdi (984cfce2168286c2511695c2f9621475) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/08/02 14:00:01.0109 3952 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/08/02 14:00:01.0140 3952 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/08/02 14:00:01.0296 3952 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/08/02 14:00:01.0406 3952 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/08/02 14:00:01.0437 3952 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/08/02 14:00:01.0484 3952 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/08/02 14:00:01.0531 3952 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS

2011/08/02 14:00:01.0546 3952 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/08/02 14:00:01.0593 3952 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/08/02 14:00:01.0656 3952 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/08/02 14:00:01.0671 3952 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/08/02 14:00:01.0734 3952 CDRPDACC (f4dd5641576334e4eeabfe50b065e572) C:\Program Files\321Studios\Shared\CDRPDACC.SYS

2011/08/02 14:00:01.0859 3952 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/08/02 14:00:01.0921 3952 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/08/02 14:00:01.0968 3952 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/08/02 14:00:02.0015 3952 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/08/02 14:00:02.0031 3952 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/08/02 14:00:02.0062 3952 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/08/02 14:00:02.0109 3952 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/08/02 14:00:02.0140 3952 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/08/02 14:00:02.0171 3952 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/08/02 14:00:02.0203 3952 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/08/02 14:00:02.0250 3952 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/08/02 14:00:02.0312 3952 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/08/02 14:00:02.0343 3952 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/08/02 14:00:02.0375 3952 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2011/08/02 14:00:02.0406 3952 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/08/02 14:00:02.0437 3952 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/08/02 14:00:02.0453 3952 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/08/02 14:00:02.0500 3952 HPFECP13 (04937a19a68940aea43b793a900e5ca9) C:\WINDOWS\System32\drivers\HPFECP13.SYS

2011/08/02 14:00:02.0593 3952 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/08/02 14:00:02.0609 3952 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/08/02 14:00:02.0640 3952 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/08/02 14:00:02.0781 3952 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/08/02 14:00:02.0875 3952 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/08/02 14:00:03.0062 3952 ialm (3b743262b6456167888d15f1121b3bf7) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2011/08/02 14:00:03.0281 3952 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/08/02 14:00:03.0484 3952 IntcAzAudAddService (512cc914475348d774d1bb9f866396a5) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2011/08/02 14:00:03.0687 3952 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/08/02 14:00:03.0718 3952 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/08/02 14:00:03.0765 3952 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/08/02 14:00:03.0796 3952 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/08/02 14:00:03.0828 3952 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/08/02 14:00:03.0859 3952 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/08/02 14:00:03.0906 3952 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/08/02 14:00:03.0937 3952 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/08/02 14:00:03.0953 3952 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/08/02 14:00:03.0984 3952 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/08/02 14:00:04.0046 3952 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/08/02 14:00:04.0093 3952 L1c (96478fe91c5a37c673ebe3da87c1a115) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys

2011/08/02 14:00:04.0171 3952 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/08/02 14:00:04.0218 3952 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/08/02 14:00:04.0312 3952 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys

2011/08/02 14:00:04.0375 3952 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/08/02 14:00:04.0421 3952 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/08/02 14:00:04.0437 3952 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/08/02 14:00:04.0468 3952 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/08/02 14:00:04.0531 3952 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/08/02 14:00:04.0562 3952 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/08/02 14:00:04.0593 3952 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/08/02 14:00:04.0609 3952 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/08/02 14:00:04.0625 3952 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/08/02 14:00:04.0687 3952 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/08/02 14:00:04.0718 3952 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/08/02 14:00:04.0750 3952 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/08/02 14:00:04.0781 3952 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/08/02 14:00:04.0796 3952 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/08/02 14:00:04.0828 3952 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/08/02 14:00:04.0875 3952 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/08/02 14:00:04.0937 3952 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/08/02 14:00:04.0953 3952 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/08/02 14:00:05.0000 3952 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/08/02 14:00:05.0062 3952 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/08/02 14:00:05.0093 3952 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/08/02 14:00:05.0140 3952 NTIDrvr (15a72d5b8f0b6a718207f14bd5ebb8ff) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys

2011/08/02 14:00:05.0156 3952 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/08/02 14:00:05.0343 3952 nv (83780f3a86d2804912f22f6e37cd2254) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/08/02 14:00:05.0546 3952 nvatabus (ae14c94bba18dae39a04d6cc2f4ebd6f) C:\WINDOWS\system32\DRIVERS\nvatabus.sys

2011/08/02 14:00:05.0578 3952 NVENET (e3a4ab772e7b02fefe2a044f1feda836) C:\WINDOWS\system32\DRIVERS\NVENET.sys

2011/08/02 14:00:05.0609 3952 nv_agp (55cd3f687b731bb0ba2e4994b03c6d51) C:\WINDOWS\system32\DRIVERS\nv_agp.sys

2011/08/02 14:00:05.0656 3952 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/08/02 14:00:05.0671 3952 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/08/02 14:00:05.0718 3952 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/08/02 14:00:05.0781 3952 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/08/02 14:00:05.0796 3952 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/08/02 14:00:05.0828 3952 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/08/02 14:00:05.0875 3952 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/08/02 14:00:05.0937 3952 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/08/02 14:00:06.0000 3952 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/08/02 14:00:06.0046 3952 Pcouffin (62c72e912a04aa927d9eaf9a0b157aaf) C:\WINDOWS\system32\Drivers\Pcouffin.sys

2011/08/02 14:00:06.0187 3952 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys

2011/08/02 14:00:06.0250 3952 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/08/02 14:00:06.0281 3952 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/08/02 14:00:06.0312 3952 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/08/02 14:00:06.0328 3952 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/08/02 14:00:06.0375 3952 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/08/02 14:00:06.0468 3952 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/08/02 14:00:06.0515 3952 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/08/02 14:00:06.0546 3952 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/08/02 14:00:06.0578 3952 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/08/02 14:00:06.0625 3952 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/08/02 14:00:06.0671 3952 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/08/02 14:00:06.0703 3952 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/08/02 14:00:06.0734 3952 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/08/02 14:00:06.0765 3952 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/08/02 14:00:06.0828 3952 RT73 (bf4709c002d632170dc15a282813d6b3) C:\WINDOWS\system32\DRIVERS\rt73.sys

2011/08/02 14:00:06.0875 3952 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys

2011/08/02 14:00:06.0968 3952 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2011/08/02 14:00:06.0984 3952 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

2011/08/02 14:00:07.0125 3952 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/08/02 14:00:07.0156 3952 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/08/02 14:00:07.0187 3952 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/08/02 14:00:07.0218 3952 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/08/02 14:00:07.0281 3952 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/08/02 14:00:07.0343 3952 sptd (7f1b7c4d446cd3f926af45b8c48bd593) C:\WINDOWS\System32\Drivers\sptd.sys

2011/08/02 14:00:07.0390 3952 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/08/02 14:00:07.0437 3952 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/08/02 14:00:07.0500 3952 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/08/02 14:00:07.0515 3952 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/08/02 14:00:07.0609 3952 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/08/02 14:00:07.0671 3952 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/08/02 14:00:07.0703 3952 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/08/02 14:00:07.0718 3952 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/08/02 14:00:07.0750 3952 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/08/02 14:00:07.0796 3952 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/08/02 14:00:07.0890 3952 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/08/02 14:00:07.0937 3952 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/08/02 14:00:07.0968 3952 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/08/02 14:00:07.0984 3952 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/08/02 14:00:08.0015 3952 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/08/02 14:00:08.0046 3952 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/08/02 14:00:08.0078 3952 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/08/02 14:00:08.0109 3952 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/08/02 14:00:08.0140 3952 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/08/02 14:00:08.0171 3952 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/08/02 14:00:08.0203 3952 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/08/02 14:00:08.0250 3952 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/08/02 14:00:08.0312 3952 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/08/02 14:00:08.0328 3952 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/08/02 14:00:08.0390 3952 xbreader (05a74d2be6f493c65d7221d1d0e8a23c) C:\WINDOWS\system32\Drivers\xbreader.sys

2011/08/02 14:00:08.0406 3952 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/08/02 14:00:08.0500 3952 Boot (0x1200) (ba06c0cedfd9cdf702313728e1983f58) \Device\Harddisk0\DR0\Partition0

2011/08/02 14:00:08.0515 3952 ================================================================================

2011/08/02 14:00:08.0515 3952 Scan finished

2011/08/02 14:00:08.0515 3952 ================================================================================

2011/08/02 14:00:08.0515 3352 Detected object count: 0

2011/08/02 14:00:08.0515 3352 Actual detected object count: 0

Also please describe how your computer behaves at the moment.

Slower than usual. My main concern is with my laptop and using removable storage devices back and forth between this computer (desktop) and my laptop. I plan on posting another topic for my laptop. Is this okay? There definitely seems to be something wrong with the laptop. I opened Internet Explorer and it went to iGoogle and each time I tried to close the window, two more would open. AVAST also indicated that there is a corrupted file that is associated with a virtual workspace client I used a while back. Is there a way to ensure my flash/external hard drives are clean? I read in another topic (http://forums.malwarebytes.org/index.php?showtopic=82113&st=0&p=418580&hl=sheur3&fromsearch=1entry418580) that there is some danger with USB devices.

If you are wondering why I was looking at this particular topic it is because AVG detected SHeur.COHQ on my laptop but would not get rid of it due to the size of the files that were infected. Later, it would not even detect it. Sorry to keep going on about the laptop. I was just trying to take care of the desktop first because it seemed to be in better shape.

One other thing... do these scans need to be run for each user? No one else uses the computer, but I do have more than one user account on here.

Thanks again!

Link to post
Share on other sites

Your post did not instruct me to post the GooredFix log. Here it is if you need it.

GooredFix by jpshortstuff (03.07.10.1)

Log created at 13:55 on 02/08/2011 (poi)

Firefox version 5.0 (en-US)

========== GooredScan ==========

(none)

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:46 11/03/2010]

C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\extensions\

(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:41 31/05/2010]

"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [04:52 16/07/2011]

-=E.O.F=-

Link to post
Share on other sites

Lets work on one at a time.

combofix doesn't need to be run under every account.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Thanks for getting back so quickly. I ran into some problems this time. I evidently did not have the recovery console installed. I did not read the part about ComboFix terminating the internet connection and so I did that before running CF. When I was prompted to install the Console by CF, I tried to reestablish my internet connection manually. This did not work. I went ahead and clicked yes thinking I could get out of CF and start over, but I received a message stating that the installation failed and that the scan would proceed. Additionally, I chose to disable AVAST until reboot, so I don't know if this created a problem. Everything seems to be working fine, but it looks like Google may have changed its appearance once again. It looks the same on my laptop, so I'm thinking maybe it's okay. It still looks like AVG is on the computer. Any ideas how to get rid of it so it doesn't show up anywhere? Here is the CF log:

ComboFix 11-08-03.02 - poi 08/03/2011 10:32:45.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.619 [GMT -5:00]

Running from: c:\documents and settings\poi\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Je\WINDOWS

c:\documents and settings\poi\Desktop\Setup.exe

C:\Launch Internet Explorer Browser.lnk

c:\program files\messenger\msmsgsin.exe

c:\windows\Install

c:\windows\Install\F5D7050v3.exe

c:\windows\Install\motherboard_driver_audio_realtek_whql(2).exe

c:\windows\Install\motherboard_driver_chipset_nvidia_k8_xp.exe

c:\windows\Install\motherboard_driver_lan_realtek_81xx_xp64_format.exe

c:\windows\Install\RTLanSetup_v621_050620\data1.cab

c:\windows\Install\RTLanSetup_v621_050620\data1.hdr

c:\windows\Install\RTLanSetup_v621_050620\data2.cab

c:\windows\Install\RTLanSetup_v621_050620\ikernel.ex_

c:\windows\Install\RTLanSetup_v621_050620\layout.bin

c:\windows\Install\RTLanSetup_v621_050620\Setup.exe

c:\windows\Install\RTLanSetup_v621_050620\Setup.ini

c:\windows\Install\RTLanSetup_v621_050620\setup.inx

c:\windows\Install\RTLanSetup_v621_050620\setup.iss

c:\windows\Install\RTLanSetup_v621_050620\SETUP.TXT

c:\windows\Install\RTLanSetup_v621_050620\uninicon.ini

c:\windows\Install\RTLanSetup_v621_050620\Win2000\netrtoem.cat

c:\windows\Install\RTLanSetup_v621_050620\Win2000\NetrtOEM.inf

c:\windows\Install\RTLanSetup_v621_050620\Win2000\Rtlnic.sys

c:\windows\Install\RTLanSetup_v621_050620\Win98\Netrtl4.inf

c:\windows\Install\RTLanSetup_v621_050620\Win98\Rtlnic4.sys

c:\windows\Install\RTLanSetup_v621_050620\Win98SE\Netrtlx.inf

c:\windows\Install\RTLanSetup_v621_050620\Win98SE\Rtlnic.sys

c:\windows\Install\RTLanSetup_v621_050620\WinMe\Netrtlx.inf

c:\windows\Install\RTLanSetup_v621_050620\WinMe\Rtlnic.sys

c:\windows\Install\RTLanSetup_v621_050620\WinX64\NetrtOEM.cat

c:\windows\Install\RTLanSetup_v621_050620\WinX64\NetrtOEM.inf

c:\windows\Install\RTLanSetup_v621_050620\WinX64\Rtlnic64.sys

c:\windows\Install\RTLanSetup_v621_050620\WinX64\Rtlnicxp.sys

c:\windows\Install\RTLanSetup_v621_050620\WinXP\NetrtOEM.cat

c:\windows\Install\RTLanSetup_v621_050620\WinXP\NetrtOEM.inf

c:\windows\Install\RTLanSetup_v621_050620\WinXP\Rtlnic64.sys

c:\windows\Install\RTLanSetup_v621_050620\WinXP\Rtlnicxp.sys

c:\windows\Install\xp\data1.cab

c:\windows\Install\xp\data1.hdr

c:\windows\Install\xp\data2.cab

c:\windows\Install\xp\Ethernet\jedih2rx.bin

c:\windows\Install\xp\Ethernet\jedireg.pat

c:\windows\Install\xp\Ethernet\nvenet.cat

c:\windows\Install\xp\Ethernet\nvenet.nvu

c:\windows\Install\xp\Ethernet\nvenet.sys

c:\windows\Install\xp\Ethernet\nvenetxp.inf

c:\windows\Install\xp\Ethernet\nvuenet.exe

c:\windows\Install\xp\Ethernet\ramsed.bin

c:\windows\Install\xp\GART\nv_agp.cat

c:\windows\Install\xp\GART\nv_agp.inf

c:\windows\Install\xp\GART\nv_agp.sys

c:\windows\Install\xp\GART\nvgart.nvu

c:\windows\Install\xp\GART\nvugart.exe

c:\windows\Install\xp\IDE\WinXP\idecoi.dll

c:\windows\Install\xp\IDE\WinXP\INSTALL.EXE

c:\windows\Install\xp\IDE\WinXP\nvatabus.inf

c:\windows\Install\xp\IDE\WinXP\NvAtaBus.sys

c:\windows\Install\xp\IDE\WinXP\nvide.nvu

c:\windows\Install\xp\IDE\WinXP\nvuide.exe

c:\windows\Install\xp\ikernel.ex_

c:\windows\Install\xp\key.ini

c:\windows\Install\xp\layout.bin

c:\windows\Install\xp\NVide.exe

c:\windows\Install\xp\setup.bmp

c:\windows\Install\xp\Setup.exe

c:\windows\Install\xp\Setup.ini

c:\windows\Install\xp\setup.inx

c:\windows\Install\xp\setup.iss

c:\windows\Install\xp\setup_org.iss

c:\windows\Install\xp\Setup16.bmp

c:\windows\Install\xp\SMBus\nvsmb.nvu

c:\windows\Install\xp\SMBus\nvsmbus.inf

c:\windows\Install\xp\SMBus\nvusmb.exe

c:\windows\Install\XPHack\sp1aexpress_usa.exe

c:\windows\Install\XPHack\Windows_XP_CD_Key_and_Product_ID_Changer.exe

c:\windows\Install\XPHack\xpsp1_en_x86.AVB

.

.

((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))

.

.

2011-07-16 06:11 . 2011-07-16 06:11 -------- d-sh--w- c:\documents and settings\poi\IECompatCache

2011-07-16 04:53 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-16 04:53 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-07-16 04:53 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-16 04:53 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-16 04:53 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-16 04:53 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-07-16 04:53 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-07-16 04:53 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-07-16 04:52 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-07-16 04:52 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\program files\AVAST Software

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-07-16 04:51 . 2011-07-16 04:51 56167608 ----a-w- C:\setup_av_free.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 00:52 . 2010-05-26 19:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52 . 2010-05-26 19:27 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-30 10:05 . 2008-06-23 02:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-30 01:54 . 2011-06-30 01:57 11523592 ----a-w- C:\SUPERAntiSpyware.exe

2011-06-18 06:54 . 2011-06-18 06:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-30 07:26 . 2011-04-05 05:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"nwiz"="nwiz.exe" [2008-10-07 1630208]

"NvMediaCenter"="NvMCTray.dll" [2008-10-07 86016]

"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctNjc2NDAyOTk1LUJBKzEtWEwrMS1UMi1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3Ny1GTDEwKzEtU1AxKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMA∏=55&ver=10.0.1390" [?]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-11 113664]

BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-5-26 81997]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Quake 3 Arena\\quake3.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/15/2011 11:53 PM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/15/2011 11:53 PM 309848]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/15/2011 11:53 PM 19544]

R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [9/25/1998 3:55 AM 52800]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS --> c:\windows\system32\drivers\FNETURPX.SYS [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/27/2010 3:11 AM 1684736]

S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS --> c:\windows\system32\drivers\FNETTBOH.SYS [?]

S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [5/26/2010 2:23 PM 44032]

S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 6:05 PM 716272]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbcce4f&v=7.005.030.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-03 10:44

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(564)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(1980)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\windows\RTHDCPL.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2011-08-03 10:48:05 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-03 15:48

.

Pre-Run: 1,325,789,184 bytes free

Post-Run: 2,305,802,240 bytes free

.

Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=1,2,4,5

- - End Of File - - 3278BC9B091B733CF59C08F5B977CC9D

Link to post
Share on other sites

Thanks for the reply. Sorry I am slow, but I didn't know you wanted me to run AppRemover. I guess I was waiting for the next step after ComboFix. I figured I could uninstall AVG when we were finished. There isn't anything showing that I have CA installed on my computer is there? Again, sorry about that.

I did try to uninstall AVG with AppRemover and it did not detect anything. I tried both the options (remove security application and clean up failed uninstall). There was an option to "report an issue" and I submitted a report along with my email address. I indicated in the report that some of the scans you had me run stated that AVG was still installed. I also told them that I have an AVG folder under my C:\ drive ($AVG8.VAULT$). I just looked under program files and I have an AVG folder there as well. There is an AVG 8, AVG 9, and AVG 10 folder within that folder. I looked after I sent the report to AppRemover. Do you think it would be a good idea to reinstall AVG and see if AppRemover detects it then?

Thanks!

Link to post
Share on other sites

Your last post confused me, but I went ahead and ran another ComboFix. I didn't receive any warning about AVG last time. I was unable to install the Recovery Console, but CF still ran. I was able to install the Recovery Console this time since I left my connection live. Sorry if this is not making sense. Also, are you supposed to disable the Windows Firewall?

Here is the ComboFix log:

ComboFix 11-08-04.01 - poi 08/04/2011 14:08:20.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.567 [GMT -5:00]

Running from: c:\documents and settings\poi\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))

.

.

2011-07-16 06:11 . 2011-07-16 06:11 -------- d-sh--w- c:\documents and settings\poi\IECompatCache

2011-07-16 04:53 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-16 04:53 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-07-16 04:53 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-16 04:53 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-16 04:53 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-16 04:53 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-07-16 04:53 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-07-16 04:53 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-07-16 04:52 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-07-16 04:52 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\program files\AVAST Software

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-07-16 04:51 . 2011-07-16 04:51 56167608 ----a-w- C:\setup_av_free.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 00:52 . 2010-05-26 19:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52 . 2010-05-26 19:27 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-30 10:05 . 2008-06-23 02:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-30 01:54 . 2011-06-30 01:57 11523592 ----a-w- C:\SUPERAntiSpyware.exe

2011-06-18 06:54 . 2011-06-18 06:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-30 07:26 . 2011-04-05 05:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-03_15.44.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2001-08-23 12:00 . 2011-08-03 13:44 67516 c:\windows\system32\perfc009.dat

+ 2001-08-23 12:00 . 2011-08-04 16:20 67516 c:\windows\system32\perfc009.dat

+ 2001-08-23 12:00 . 2011-08-04 16:20 432686 c:\windows\system32\perfh009.dat

- 2001-08-23 12:00 . 2011-08-03 13:44 432686 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"nwiz"="nwiz.exe" [2008-10-07 1630208]

"NvMediaCenter"="NvMCTray.dll" [2008-10-07 86016]

"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctNjc2NDAyOTk1LUJBKzEtWEwrMS1UMi1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3Ny1GTDEwKzEtU1AxKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMA∏=55&ver=10.0.1390" [?]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-11 113664]

BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-5-26 81997]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Quake 3 Arena\\quake3.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/15/2011 11:53 PM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/15/2011 11:53 PM 309848]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/15/2011 11:53 PM 19544]

R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [9/25/1998 3:55 AM 52800]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [5/26/2010 2:23 PM 44032]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS --> c:\windows\system32\drivers\FNETURPX.SYS [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/27/2010 3:11 AM 1684736]

S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS --> c:\windows\system32\drivers\FNETTBOH.SYS [?]

S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 6:05 PM 716272]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbcce4f&v=7.005.030.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-04 14:14

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(740)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3844)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-08-04 14:17:11

ComboFix-quarantined-files.txt 2011-08-04 19:17

.

Pre-Run: 2,192,310,272 bytes free

Post-Run: 2,182,070,272 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

.

Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=1,2,4,5

- - End Of File - - 20FBA27858034393CE3B523FC67AC95F

Link to post
Share on other sites

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

FireFox::
FF - ProfilePath - c:\documents and settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbcce4f&v=7.005.030.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

Registry::
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Hope I did this correctly. Thanks for all your patience. My computer seems fine except that I can't get rid of the AVG Secure Search option in the upper right hand corner of firefox (the little quick search bar). Is there anything else I should look for as far as behavior goes?

ComboFix 11-08-04.02 - poi 08/04/2011 20:27:05.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.652 [GMT -5:00]

Running from: c:\documents and settings\poi\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\poi\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))

.

.

2011-07-16 06:11 . 2011-07-16 06:11 -------- d-sh--w- c:\documents and settings\poi\IECompatCache

2011-07-16 04:53 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-16 04:53 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-07-16 04:53 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-16 04:53 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-16 04:53 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-16 04:53 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-07-16 04:53 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-07-16 04:53 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-07-16 04:52 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-07-16 04:52 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\program files\AVAST Software

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-07-16 04:51 . 2011-07-16 04:51 56167608 ----a-w- C:\setup_av_free.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 00:52 . 2010-05-26 19:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52 . 2010-05-26 19:27 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-30 10:05 . 2008-06-23 02:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-30 01:54 . 2011-06-30 01:57 11523592 ----a-w- C:\SUPERAntiSpyware.exe

2011-06-18 06:54 . 2011-06-18 06:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-30 07:26 . 2011-04-05 05:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-03_15.44.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2001-08-23 12:00 . 2011-08-03 13:44 67516 c:\windows\system32\perfc009.dat

+ 2001-08-23 12:00 . 2011-08-05 01:40 67516 c:\windows\system32\perfc009.dat

+ 2001-08-23 12:00 . 2011-08-05 01:40 432686 c:\windows\system32\perfh009.dat

- 2001-08-23 12:00 . 2011-08-03 13:44 432686 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"nwiz"="nwiz.exe" [2008-10-07 1630208]

"NvMediaCenter"="NvMCTray.dll" [2008-10-07 86016]

"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctNjc2NDAyOTk1LUJBKzEtWEwrMS1UMi1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3Ny1GTDEwKzEtU1AxKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMA∏=55&ver=10.0.1390" [?]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-11 113664]

BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-5-26 81997]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Quake 3 Arena\\quake3.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/15/2011 11:53 PM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/15/2011 11:53 PM 309848]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/15/2011 11:53 PM 19544]

R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [9/25/1998 3:55 AM 52800]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [5/26/2010 2:23 PM 44032]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS --> c:\windows\system32\drivers\FNETURPX.SYS [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/27/2010 3:11 AM 1684736]

S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS --> c:\windows\system32\drivers\FNETTBOH.SYS [?]

S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 6:05 PM 716272]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-04 20:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(744)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3480)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2011-08-04 20:42:43 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-05 01:42

.

Pre-Run: 2,130,989,056 bytes free

Post-Run: 2,111,385,600 bytes free

.

Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=1,2,4,5

- - End Of File - - 74F5E084A50BF38535B5D55CADA49145

Link to post
Share on other sites

It is not an add-on/plugin. There is an option to "manage search engines" to the right of the address bar. I was able to remove AVG as the preferred search engine. In the past it came back after restarting, but did not this time so maybe it is fixed.

When I ran ComboFix last time I did not have the most up-to-date version. Do you think this could have impacted adding CFScript to the executable?

Would it be okay to run it again?

Link to post
Share on other sites

Okay. I ran it again with the updated version saved to my desktop. Log is below. Still shows AVG as one of my anti-virus tools. I have submitted another report to appremover. I'm not sure what else to do to get rid of AVG. Would it be a bad idea to install AVG and then run appremover?

Thanks.

ComboFix 11-08-07.03 - poi 08/07/2011 16:06:21.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.471 [GMT -5:00]

Running from: c:\documents and settings\poi\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\poi\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))

.

.

2011-07-16 06:11 . 2011-07-16 06:11 -------- d-sh--w- c:\documents and settings\poi\IECompatCache

2011-07-16 04:53 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-16 04:53 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-07-16 04:53 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-16 04:53 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-16 04:53 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-16 04:53 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-07-16 04:53 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-07-16 04:53 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-07-16 04:52 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-07-16 04:52 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\program files\AVAST Software

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-07-16 04:51 . 2011-07-16 04:51 56167608 ----a-w- C:\setup_av_free.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 00:52 . 2010-05-26 19:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52 . 2010-05-26 19:27 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-30 10:05 . 2008-06-23 02:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-30 01:54 . 2011-06-30 01:57 11523592 ----a-w- C:\SUPERAntiSpyware.exe

2011-06-18 06:54 . 2011-06-18 06:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-30 07:26 . 2011-04-05 05:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-03_15.44.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2001-08-23 12:00 . 2011-08-03 13:44 67516 c:\windows\system32\perfc009.dat

+ 2001-08-23 12:00 . 2011-08-07 20:56 67516 c:\windows\system32\perfc009.dat

+ 2001-08-23 12:00 . 2011-08-07 20:56 432686 c:\windows\system32\perfh009.dat

- 2001-08-23 12:00 . 2011-08-03 13:44 432686 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"nwiz"="nwiz.exe" [2008-10-07 1630208]

"NvMediaCenter"="NvMCTray.dll" [2008-10-07 86016]

"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctNjc2NDAyOTk1LUJBKzEtWEwrMS1UMi1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3Ny1GTDEwKzEtU1AxKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMA∏=55&ver=10.0.1390" [?]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-11 113664]

BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-5-26 81997]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Quake 3 Arena\\quake3.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/15/2011 11:53 PM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/15/2011 11:53 PM 309848]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/15/2011 11:53 PM 19544]

R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [9/25/1998 3:55 AM 52800]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [5/26/2010 2:23 PM 44032]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS --> c:\windows\system32\drivers\FNETURPX.SYS [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/27/2010 3:11 AM 1684736]

S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS --> c:\windows\system32\drivers\FNETTBOH.SYS [?]

S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 6:05 PM 716272]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-07 16:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(740)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(2088)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\RTHDCPL.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2011-08-07 16:20:50 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-07 21:20

.

Pre-Run: 1,824,657,408 bytes free

Post-Run: 1,805,176,832 bytes free

.

Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=1,2,4,5

- - End Of File - - 0630AA9C18097DCCB4FA6105874EA506

Link to post
Share on other sites

Did the feedback, restarted, ran appremover and avgremover again. Still no change that I can see. Here is the CF log.

Thanks for the reply.

ComboFix 11-08-07.03 - poi 08/08/2011 11:52:05.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.476 [GMT -5:00]

Running from: c:\documents and settings\poi\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\poi\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))

.

.

2011-07-16 06:11 . 2011-07-16 06:11 -------- d-sh--w- c:\documents and settings\poi\IECompatCache

2011-07-16 04:53 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-16 04:53 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-07-16 04:53 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-16 04:53 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-16 04:53 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-16 04:53 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-07-16 04:53 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-07-16 04:53 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-07-16 04:52 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

2011-07-16 04:52 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\program files\AVAST Software

2011-07-16 04:52 . 2011-07-16 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-07-16 04:51 . 2011-07-16 04:51 56167608 ----a-w- C:\setup_av_free.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 00:52 . 2010-05-26 19:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52 . 2010-05-26 19:27 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-30 10:05 . 2008-06-23 02:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-30 01:54 . 2011-06-30 01:57 11523592 ----a-w- C:\SUPERAntiSpyware.exe

2011-06-18 06:54 . 2011-06-18 06:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-30 07:26 . 2011-04-05 05:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-03_15.44.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2001-08-23 12:00 . 2011-08-03 13:44 67516 c:\windows\system32\perfc009.dat

+ 2001-08-23 12:00 . 2011-08-08 17:05 67516 c:\windows\system32\perfc009.dat

+ 2001-08-23 12:00 . 2011-08-08 17:05 432686 c:\windows\system32\perfh009.dat

- 2001-08-23 12:00 . 2011-08-03 13:44 432686 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"nwiz"="nwiz.exe" [2008-10-07 1630208]

"NvMediaCenter"="NvMCTray.dll" [2008-10-07 86016]

"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctNjc2NDAyOTk1LUJBKzEtWEwrMS1UMi1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3Ny1GTDEwKzEtU1AxKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMA∏=55&ver=10.0.1390" [?]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-11 113664]

BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-5-26 81997]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Quake 3 Arena\\quake3.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/15/2011 11:53 PM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/15/2011 11:53 PM 309848]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/15/2011 11:53 PM 19544]

R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [9/25/1998 3:55 AM 52800]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [5/26/2010 2:23 PM 44032]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS --> c:\windows\system32\drivers\FNETURPX.SYS [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/27/2010 3:11 AM 1684736]

S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS --> c:\windows\system32\drivers\FNETTBOH.SYS [?]

S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 6:05 PM 716272]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-08 12:03

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(740)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3780)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2011-08-08 12:07:21 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-08 17:07

.

Pre-Run: 1,723,224,064 bytes free

Post-Run: 1,707,986,944 bytes free

.

Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=1,2,4,5

- - End Of File - - A2BE5C0899A8DDD5C5274EA06D86619F

Link to post
Share on other sites

Run a DDS scan and post the results.

Please download DDS by sUBs from one of the following links and save it to your desktop.

[*]Disable any script blocking protection (How to Disable your Security Programs)

[*]Double click DDS icon to run the tool (may take up to 3 minutes to run)

[*]When done, DDS.txt will open.

[*]After a few moments, attach.txt will open in a second window.

[*]Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt in your next reply

Link to post
Share on other sites

Here you go...

Thanks again. Hope you aren't losing your patience.

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by poi at 13:59:57 on 2011-08-08

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -5:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\USB TV\EM28XX\BDARemote.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNjc2NDAyOTk1LUJBKzEtWEwrMS1UMi1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3Ny1GTDEwKzEtU1AxKzEtVFVHKzMtU1AxUzIrMS1TVUQrMS1TMUkrMS1TVTMrMS1ERFQrMA"&"prod=55"&"ver=10.0.1390

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269795619093

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A9B57C27-3A8D-4410-BF03-21FBC3F1992C} : DhcpNameServer = 192.168.1.1

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\poi\application data\mozilla\firefox\profiles\wxaz6z55.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-15 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-15 309848]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-15 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-15 42184]

R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [1998-9-25 52800]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-5-26 44032]

S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\fneturpx.sys --> c:\windows\system32\drivers\FNETURPX.SYS [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-27 1684736]

S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\fnettboh.sys --> c:\windows\system32\drivers\FNETTBOH.SYS [?]

S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-3 19677]

.

=============== Created Last 30 ================

.

2011-08-04 19:06:48 -------- d-sha-r- C:\cmdcons

2011-08-03 15:26:45 256000 ----a-w- c:\windows\PEV.exe

2011-08-03 15:26:45 208896 ----a-w- c:\windows\MBR.exe

2011-08-03 15:26:44 98816 ----a-w- c:\windows\sed.exe

2011-08-03 15:26:44 518144 ----a-w- c:\windows\SWREG.exe

2011-07-16 06:11:14 -------- d-sh--w- c:\documents and settings\poi\IECompatCache

2011-07-16 04:53:31 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-16 04:52:53 40112 ----a-w- c:\windows\avastSS.scr

2011-07-16 04:52:38 -------- d-----w- c:\program files\AVAST Software

2011-07-16 04:52:38 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-07-16 04:51:02 56167608 ----a-w- C:\setup_av_free.exe

.

==================== Find3M ====================

.

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-30 10:05:08 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-30 01:54:40 11523592 ----a-w- C:\SUPERAntiSpyware.exe

2011-06-18 06:54:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 14:00:39.92 ===============

Link to post
Share on other sites

That is the only AVG item I see.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.