Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Avast keeps finding trojans


  • This topic is locked This topic is locked
18 replies to this topic

#1 pusssykatt

pusssykatt

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 21 January 2010 - 02:03 AM

I was using free Avast since last fall, but switched 2 days ago to Microsoft Security Essentials. It found that I had 2 trojans, which were removed. I found out that I couldn't use my main email service with MSE which is free AOL, so I decided yesterday to switch back to free Avast (which now offers scheduled scans). At my first installation I found 2 trojans, removed them, and then my scheduled scan ran tonight, and found 4 more trojans. The trojans are A0065344 and tfswctrl.exe.

When running my RootRepeal when running 'files' I got the message that "could not read boot. try adjusting sector Disk Access Level in opitions dialog", however, I was unsure how to do that.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Billie Feltner at 0:58:55.75 on Thu 01/21/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.132 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Billie Feltner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.theanimalrescuesite.com/clickToGive/home.faces?siteId=3
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CBHO Object: {cba74cda-df78-4ad9-954e-3b15d0a993de} - c:\program files\corestreet\spoofstick\SpoofStickBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SpoofStick: {4d46ed77-1429-4cf6-8f63-c84b5d710baf} - c:\program files\corestreet\spoofstick\SpoofStick.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {76222034-5CFA-4A43-AADE-1E5DACB71469} - No File
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [GhostWall] "c:\program files\ghostwall\ghostwall.exe" -minimize
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://www.support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - hxxp://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1119797346453
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37570.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38061.6246759259
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billie~1\applic~1\mozilla\firefox\profiles\gr0lrbzd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.theanimalrescuesite.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\billie feltner\application data\mozilla\firefox\profiles\gr0lrbzd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\billie feltner\application data\mozilla\firefox\profiles\gr0lrbzd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionNone", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionCtrl", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionCtrlShift", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAlt", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAltShift", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionShift", "3");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAltCtrl", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationNone", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationCtrl", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationCtrlShift", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAlt", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAltShift", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationShift", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAltCtrl", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.contextmenuoption", true);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.hotkeySelectionToggles", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.searchoption", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.historyoption", true);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.history", "googlebar");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.maxHistCnt", 10);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.savelastoption", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.hidemenuoption", false);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-20 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-20 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-20 40384]
R2 ghstwall;ghstwall;c:\windows\system32\drivers\ghstwall.sys [2007-4-8 6520]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2006-2-24 70016]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-20 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-20 40384]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-01-20 14:00:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-19 15:37:00 0 d-----w- c:\program files\SECUNIA UPDATING PROGRAMS
2010-01-18 13:38:22 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-18 13:30:48 0 d-----w- c:\program files\MICROSOFT VIRUS PROTECTION

==================== Find3M ====================

2010-01-20 20:11:45 6520 ----a-w- c:\windows\system32\drivers\ghstwall.sys
2009-12-21 17:27:18 466944 ----a-w- c:\windows\system32\BSTIEPrintCtl1.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-10-28 14:36:11 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2004-07-21 12:48:49 78 ---ha-w- c:\program files\Picasa.ini
2005-04-21 22:54:47 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-06-28 15:43:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062820080629\index.dat

============= FINISH: 1:00:12.34 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/15/2004 12:57:43 PM
System Uptime: 1/20/2010 3:10:54 PM (10 hours ago)

Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2658/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 15.528 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 439.996 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP269: 11/25/2009 11:00:44 PM - System Checkpoint
RP270: 11/27/2009 2:20:20 AM - System Checkpoint
RP271: 11/28/2009 3:00:29 AM - System Checkpoint
RP272: 11/29/2009 4:00:28 AM - System Checkpoint
RP273: 11/30/2009 5:00:29 AM - System Checkpoint
RP274: 12/1/2009 6:00:29 AM - System Checkpoint
RP275: 12/1/2009 7:32:49 PM - Uniblue RegistryBooster
RP276: 12/2/2009 8:30:11 PM - System Checkpoint
RP277: 12/3/2009 9:36:00 PM - System Checkpoint
RP278: 12/5/2009 12:07:47 AM - System Checkpoint
RP279: 12/6/2009 12:12:37 AM - System Checkpoint
RP280: 12/6/2009 8:21:35 PM - Uniblue RegistryBooster
RP281: 12/7/2009 9:09:23 AM - Removed Dell DataSafe Online.
RP282: 12/8/2009 9:57:51 AM - System Checkpoint
RP283: 12/9/2009 10:12:38 AM - System Checkpoint
RP284: 12/10/2009 5:00:26 AM - Software Distribution Service 3.0
RP285: 12/11/2009 5:27:56 AM - System Checkpoint
RP286: 12/12/2009 1:49:16 AM - Uniblue RegistryBooster
RP287: 12/13/2009 2:27:56 AM - System Checkpoint
RP288: 12/13/2009 10:12:37 PM - Uniblue RegistryBooster
RP289: 12/14/2009 11:13:21 PM - System Checkpoint
RP290: 12/16/2009 12:37:19 AM - System Checkpoint
RP291: 12/16/2009 7:45:01 PM - Uniblue RegistryBooster
RP292: 12/17/2009 7:16:57 PM - Uniblue RegistryBooster
RP293: 12/18/2009 11:18:24 PM - System Checkpoint
RP294: 12/20/2009 12:06:09 AM - System Checkpoint
RP295: 12/21/2009 2:24:40 AM - System Checkpoint
RP296: 12/21/2009 8:25:45 AM - Uniblue RegistryBooster
RP297: 12/22/2009 10:06:23 AM - System Checkpoint
RP298: 12/23/2009 12:25:07 PM - System Checkpoint
RP299: 12/24/2009 1:00:20 PM - System Checkpoint
RP300: 12/25/2009 2:13:23 PM - System Checkpoint
RP301: 12/26/2009 2:42:33 PM - System Checkpoint
RP302: 12/27/2009 7:36:33 PM - System Checkpoint
RP303: 12/28/2009 9:57:44 AM - Uniblue RegistryBooster
RP304: 12/29/2009 12:34:39 PM - System Checkpoint
RP305: 12/29/2009 1:34:04 PM - Uniblue RegistryBooster
RP306: 12/30/2009 1:39:14 PM - System Checkpoint
RP307: 12/31/2009 7:44:34 PM - Uniblue RegistryBooster
RP308: 1/2/2010 12:34:30 AM - System Checkpoint
RP309: 1/3/2010 12:39:14 AM - System Checkpoint
RP310: 1/4/2010 1:31:56 AM - System Checkpoint
RP311: 1/4/2010 8:21:55 AM - Uniblue RegistryBooster
RP312: 1/5/2010 9:42:57 AM - System Checkpoint
RP313: 1/5/2010 8:06:28 PM - Uniblue RegistryBooster
RP314: 1/6/2010 11:02:00 PM - System Checkpoint
RP315: 1/7/2010 11:15:33 PM - System Checkpoint
RP316: 1/8/2010 11:21:43 PM - System Checkpoint
RP317: 1/10/2010 1:48:15 AM - System Checkpoint
RP318: 1/11/2010 2:21:43 AM - System Checkpoint
RP319: 1/12/2010 3:21:44 AM - System Checkpoint
RP320: 1/13/2010 4:21:44 AM - System Checkpoint
RP321: 1/13/2010 5:00:20 AM - Software Distribution Service 3.0
RP322: 1/14/2010 5:26:32 AM - System Checkpoint
RP323: 1/14/2010 7:53:57 AM - Uniblue RegistryBooster
RP324: 1/15/2010 10:45:42 AM - System Checkpoint
RP325: 1/16/2010 11:35:00 AM - System Checkpoint
RP326: 1/17/2010 12:33:12 PM - System Checkpoint
RP327: 1/18/2010 8:38:12 AM - Software Distribution Service 3.0
RP328: 1/18/2010 7:22:41 PM - Removed Apple Mobile Device Support
RP329: 1/18/2010 10:55:41 PM - Software Distribution Service 3.0
RP330: 1/19/2010 8:43:20 PM - Software Distribution Service 3.0
RP331: 1/20/2010 9:00:21 AM - avast! Free Antivirus Setup

==== Installed Programs ======================

3D Christmas in the City Screensaver
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.7
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AM-DeadLink
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Spyware Protection
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
avast! Free Antivirus
BadCopy Pro
Banctec Service Agreement
BCM V.92 56K Modem
Bonjour
Broadcom Management Programs
Canon Photo
CCleaner (remove only)
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Solution Center
Dell Support Center (Support Software)
DellSupport
eSupportQFolder
GdiplusUpgrade
getPlus®_dll
GhostWall v1.150
HD Tune 2.55
HDD Health v3.3 Beta
Help and Support Customization
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Photosmart Essential
HP Solution Center & Imaging Support Tools 5.0
HP Update
Intel® Extreme Graphics Driver
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java™ 6 Update 17
LightScribe 1.4.142.1
Logitech MouseWare 9.41 .1
Maxtor Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 2000
Mozilla Firefox (3.5.7)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 7 Essentials
neroxml
OLYMPUS CAMEDIA Master 4.1
Photodex Presenter
Quick Screen Recorder 1.5
QuickTime
RealPlayer
Restorer2000 Demo
Rhapsody Player Engine
Search and Rescue 4
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SolutionCenter
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SpoofStick for Internet Explorer 1.02
Spybot - Search & Destroy
Uniblue RegistryBooster 2
Uniblue System Tweaker
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
WebReg
Webshots Toolbar
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
WordPerfect Office 11

==== Event Viewer Messages From Past Week ========

1/18/2010 7:25:50 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
1/18/2010 7:25:21 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Antivirus service.

==== End Of File ===========================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/21 01:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEFA0F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8DC8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEF22000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 1
Status: Sector mismatch

Path: Volume F:\, Sector 4
Status: Sector mismatch

Path: Volume F:\, Sector 5
Status: Sector mismatch

Path: Volume F:\, Sector 8
Status: Sector mismatch

Path: Volume F:\, Sector 15
Status: Sector mismatch

Path: Volume F:\, Sector 16
Status: Sector mismatch

Path: Volume F:\, Sector 19
Status: Sector mismatch

Path: Volume F:\, Sector 24
Status: Sector mismatch

Path: Volume F:\, Sector 27
Status: Sector mismatch

Path: Volume F:\, Sector 28
Status: Sector mismatch

Path: Volume F:\, Sector 31
Status: Sector mismatch

Path: Volume F:\, Sector 38
Status: Sector mismatch

Path: Volume F:\, Sector 39
Status: Sector mismatch

Path: Volume F:\, Sector 42
Status: Sector mismatch

Path: Volume F:\, Sector 43
Status: Sector mismatch

Path: Volume F:\, Sector 46
Status: Sector mismatch

Path: Volume F:\, Sector 47
Status: Sector mismatch

Path: Volume F:\, Sector 50
Status: Sector mismatch

Path: Volume F:\, Sector 53
Status: Sector mismatch

Path: Volume F:\, Sector 54
Status: Sector mismatch

Path: Volume F:\, Sector 57
Status: Sector mismatch

Path: Volume F:\, Sector 60
Status: Sector mismatch

Path: Volume F:\, Sector 61
Status: Sector mismatch

Path: Volume F:\, Sector 62
Status: Sector mismatch

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf7bbc

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf7a78

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf802c

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf7f56

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf764e

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf7b52

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf758e

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf75f2

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf7c72

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf80fa

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf7c32

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xefaf7db2

==EOF==


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,911 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:20 PM

Posted 27 January 2010 - 06:57 AM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#3 pusssykatt

pusssykatt
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 28 January 2010 - 06:53 PM

Avast eventually removed all the the trojans initially showing up, except when running Avast 5 boot-time scan, I am unable to remove a spyware:
F:\System volume information\_restore {B3768 0B2- BA0A -4E5D- BF30- 83E 44C58 8624}\RP331\A0065408.msi|>css can.exe is infected win32:spyware - gen [SPY]

Avast freezes and I'm unable to remove the spyware because of the following:

C:\system volume information\_restore {B37680B2-BAOA-4E5D-BF30-83E44C58 8624}\RP331\A0059788.exe|>wise0011.bin ERROR 4214{installer archive is corrupt

C:\system volume information\_restore {B37680B2-BAOA-4E5D-BF30-83E44C58 8624}\RP331\A0059810.exe|>wise0011.bin ERROR 42145 {installer archive is corrupt

I have deleted Real Player folliowing instructions from the their website, and I have installed Carbonite, thinking that perhaps I would save my files there, and delete all of the Restore Points to try and rid myself of the following:

Thank you for your assistance.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Billie Feltner at 15:25:23.20 on Thu 01/28/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.197 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\GhostWall\ghostwall.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Billie Feltner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.theanimalrescuesite.com/clickToGive/home.faces?siteId=3
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CBHO Object: {cba74cda-df78-4ad9-954e-3b15d0a993de} - c:\program files\corestreet\spoofstick\SpoofStickBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SpoofStick: {4d46ed77-1429-4cf6-8f63-c84b5d710baf} - c:\program files\corestreet\spoofstick\SpoofStick.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {76222034-5CFA-4A43-AADE-1E5DACB71469} - No File
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [GhostWall] "c:\program files\ghostwall\ghostwall.exe" -minimize
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://www.support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - hxxp://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1119797346453
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37570.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38061.6246759259
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billie~1\applic~1\mozilla\firefox\profiles\gr0lrbzd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Jux2
FF - prefs.js: browser.startup.homepage - hxxp://www.theanimalrescuesite.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\billie feltner\application data\mozilla\firefox\profiles\gr0lrbzd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\billie feltner\application data\mozilla\firefox\profiles\gr0lrbzd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionNone", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionCtrl", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionCtrlShift", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAlt", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAltShift", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionShift", "3");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAltCtrl", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationNone", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationCtrl", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationCtrlShift", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAlt", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAltShift", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationShift", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAltCtrl", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.contextmenuoption", true);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.hotkeySelectionToggles", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.searchoption", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.historyoption", true);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.history", "googlebar");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.maxHistCnt", 10);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.savelastoption", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.hidemenuoption", false);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-20 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-20 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-20 40384]
R2 ghstwall;ghstwall;c:\windows\system32\drivers\ghstwall.sys [2007-4-8 6520]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2006-2-24 70016]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-20 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-20 40384]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-01-28 13:01:05 0 d-----w- c:\program files\Carbonite
2010-01-28 13:01:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Carbonite
2010-01-20 14:00:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-19 15:37:00 0 d-----w- c:\program files\SECUNIA UPDATING PROGRAMS
2010-01-18 13:38:22 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-18 13:30:48 0 d-----w- c:\program files\MICROSOFT VIRUS PROTECTION

==================== Find3M ====================

2010-01-28 14:13:31 6520 ----a-w- c:\windows\system32\drivers\ghstwall.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-21 17:27:18 466944 ----a-w- c:\windows\system32\BSTIEPrintCtl1.dll
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2004-07-21 12:48:49 78 ---ha-w- c:\program files\Picasa.ini
2005-04-21 22:54:47 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-06-28 15:43:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062820080629\index.dat

============= FINISH: 15:26:37.12 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/15/2004 12:57:43 PM
System Uptime: 1/28/2010 3:06:19 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2658/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 15.443 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 440.305 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP292: 12/17/2009 7:16:57 PM - Uniblue RegistryBooster
RP293: 12/18/2009 11:18:24 PM - System Checkpoint
RP294: 12/20/2009 12:06:09 AM - System Checkpoint
RP295: 12/21/2009 2:24:40 AM - System Checkpoint
RP296: 12/21/2009 8:25:45 AM - Uniblue RegistryBooster
RP297: 12/22/2009 10:06:23 AM - System Checkpoint
RP298: 12/23/2009 12:25:07 PM - System Checkpoint
RP299: 12/24/2009 1:00:20 PM - System Checkpoint
RP300: 12/25/2009 2:13:23 PM - System Checkpoint
RP301: 12/26/2009 2:42:33 PM - System Checkpoint
RP302: 12/27/2009 7:36:33 PM - System Checkpoint
RP303: 12/28/2009 9:57:44 AM - Uniblue RegistryBooster
RP304: 12/29/2009 12:34:39 PM - System Checkpoint
RP305: 12/29/2009 1:34:04 PM - Uniblue RegistryBooster
RP306: 12/30/2009 1:39:14 PM - System Checkpoint
RP307: 12/31/2009 7:44:34 PM - Uniblue RegistryBooster
RP308: 1/2/2010 12:34:30 AM - System Checkpoint
RP309: 1/3/2010 12:39:14 AM - System Checkpoint
RP310: 1/4/2010 1:31:56 AM - System Checkpoint
RP311: 1/4/2010 8:21:55 AM - Uniblue RegistryBooster
RP312: 1/5/2010 9:42:57 AM - System Checkpoint
RP313: 1/5/2010 8:06:28 PM - Uniblue RegistryBooster
RP314: 1/6/2010 11:02:00 PM - System Checkpoint
RP315: 1/7/2010 11:15:33 PM - System Checkpoint
RP316: 1/8/2010 11:21:43 PM - System Checkpoint
RP317: 1/10/2010 1:48:15 AM - System Checkpoint
RP318: 1/11/2010 2:21:43 AM - System Checkpoint
RP319: 1/12/2010 3:21:44 AM - System Checkpoint
RP320: 1/13/2010 4:21:44 AM - System Checkpoint
RP321: 1/13/2010 5:00:20 AM - Software Distribution Service 3.0
RP322: 1/14/2010 5:26:32 AM - System Checkpoint
RP323: 1/14/2010 7:53:57 AM - Uniblue RegistryBooster
RP324: 1/15/2010 10:45:42 AM - System Checkpoint
RP325: 1/16/2010 11:35:00 AM - System Checkpoint
RP326: 1/17/2010 12:33:12 PM - System Checkpoint
RP327: 1/18/2010 8:38:12 AM - Software Distribution Service 3.0
RP328: 1/18/2010 7:22:41 PM - Removed Apple Mobile Device Support
RP329: 1/18/2010 10:55:41 PM - Software Distribution Service 3.0
RP330: 1/19/2010 8:43:20 PM - Software Distribution Service 3.0
RP331: 1/20/2010 9:00:21 AM - avast! Free Antivirus Setup
RP332: 1/21/2010 9:40:43 AM - System Checkpoint
RP333: 1/21/2010 4:59:47 PM - Software Distribution Service 3.0
RP334: 1/22/2010 7:47:34 AM - Uniblue RegistryBooster
RP335: 1/23/2010 8:06:46 AM - System Checkpoint
RP336: 1/23/2010 11:15:51 AM - Installed SUPERAntiSpyware Free Edition
RP337: 1/23/2010 3:30:26 PM - Installed Java™ 6 Update 18
RP338: 1/24/2010 8:31:34 PM - System Checkpoint
RP339: 1/26/2010 12:26:51 AM - System Checkpoint
RP340: 1/27/2010 1:24:59 AM - System Checkpoint
RP341: 1/27/2010 7:20:44 AM - Uniblue RegistryBooster
RP342: 1/27/2010 9:49:41 PM - Removed Rhapsody Player Engine
RP343: 1/27/2010 9:49:59 PM - Removed Rhapsody Player Engine
RP344: 1/28/2010 6:12:46 AM - Uniblue RegistryBooster
RP345: 1/28/2010 6:30:47 AM - Uniblue RegistryBooster

==== Installed Programs ======================

3D Christmas in the City Screensaver
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.7
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AM-DeadLink
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Spyware Protection
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
avast! Free Antivirus
BadCopy Pro
Banctec Service Agreement
BCM V.92 56K Modem
Bonjour
Broadcom Management Programs
Canon Photo
Carbonite
CCleaner (remove only)
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Solution Center
Dell Support Center (Support Software)
DellSupport
eSupportQFolder
GdiplusUpgrade
getPlus®_dll
GhostWall v1.150
HD Tune 2.55
HDD Health v3.3 Beta
Help and Support Customization
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Photosmart Essential
HP Solution Center & Imaging Support Tools 5.0
HP Update
Intel® Extreme Graphics Driver
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java Auto Updater
Java™ 6 Update 18
LightScribe 1.4.142.1
Logitech MouseWare 9.41 .1
Maxtor Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 2000
Mozilla Firefox (3.5.7)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 7 Essentials
neroxml
OLYMPUS CAMEDIA Master 4.1
Photodex Presenter
Quick Screen Recorder 1.5
QuickTime
Restorer2000 Demo
Search and Rescue 4
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SolutionCenter
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SpoofStick for Internet Explorer 1.02
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Uniblue RegistryBooster 2
Uniblue System Tweaker
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
WebReg
Webshots Toolbar
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
WordPerfect Office 11

==== Event Viewer Messages From Past Week ========

1/28/2010 9:23:22 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
1/28/2010 9:11:31 AM, error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/28/2010 9:11:08 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the CarboniteService service, but this action failed with the following error: An instance of the service is already running.
1/28/2010 9:10:08 AM, error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/21/2010 1:27:26 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume F:.

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 18:07:29
Windows 5.1.2600 Service Pack 3
Running: 00qfdpvy.exe; Driver: C:\DOCUME~1\BILLIE~1\LOCALS~1\Temp\kwtoapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE834BBC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE834A78]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE83502C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE834F56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE83464E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE834B52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE83458E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE8345F2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE834C72]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE8350FA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE834C32]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE834DB2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xEE841322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xEE84114C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEE841280]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP EE83E866 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP EE841150 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EE841326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F85E 5 Bytes JMP EE83D594 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B01 7 Bytes JMP EE841284 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[568] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


#4 pusssykatt

pusssykatt
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 30 January 2010 - 10:40 AM

Now I have no sound. When all is done, do I need to reinstall Real Player for sound?

Thanks!

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,911 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:20 PM

Posted 02 February 2010 - 02:36 PM

Hello pussykatt,

First of all my apologies for the delay. I just got back from the hospital where I spent a few days with my son.

I notice the presence of Uniblue Registry Booster Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners
QUOTE
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#6 pusssykatt

pusssykatt
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 02 February 2010 - 05:07 PM

QUOTE(elise025 @ Feb 2 2010, 02:36 PM) View Post
Hello pussykatt,

First of all my apologies for the delay. I just got back from the hospital where I spent a few days with my son.

I notice the presence of Uniblue Registry Booster Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners
QUOTE
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt



Please, there is no need to apologize. Spending time with your son or your real life is far more important than my computer. I just appreciate any time that you are giving me.

I will not use my Registry Booster anymore, however, can I use ccleaner? I find that when my computer bogs down that using the Registry Booster or ccleaner speeds things up.

Also, after deleting my Real Player files, I no longer have sound. Will reinstalling Real Player cause a problem?

Here is my combofix log:
ComboFix 10-02-02.02 - Billie Feltner 02/02/2010 16:38:10.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.399 [GMT -5:00]
Running from: c:\documents and settings\Billie Feltner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\BackUp
c:\windows\BackUp\T\50421000.DAT
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\reboot.txt
F:\Autorun.inf
.
---- Previous Run -------
.
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-01-28 13:01 . 2010-01-28 13:01 -------- d-----w- c:\program files\Carbonite
2010-01-28 13:01 . 2010-01-28 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Carbonite
2010-01-23 20:31 . 2010-01-23 20:31 348160 ----a-w- c:\documents and settings\Billie Feltner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6016a6b5-n\msvcr71.dll
2010-01-23 20:31 . 2010-01-23 20:31 503808 ----a-w- c:\documents and settings\Billie Feltner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6016a6b5-n\msvcp71.dll
2010-01-23 20:31 . 2010-01-23 20:31 499712 ----a-w- c:\documents and settings\Billie Feltner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6016a6b5-n\jmc.dll
2010-01-23 20:31 . 2010-01-23 20:31 61440 ----a-w- c:\documents and settings\Billie Feltner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e30a3cb-n\decora-sse.dll
2010-01-23 20:31 . 2010-01-23 20:31 12800 ----a-w- c:\documents and settings\Billie Feltner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e30a3cb-n\decora-d3d.dll
2010-01-23 16:17 . 2010-01-26 13:13 52224 ----a-w- c:\documents and settings\Billie Feltner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-20 14:01 . 2010-01-28 21:54 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-20 14:01 . 2010-01-28 21:57 163280 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-20 14:01 . 2010-01-28 21:54 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-20 14:01 . 2010-01-28 21:57 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-20 14:01 . 2010-01-28 21:54 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-20 14:01 . 2010-01-28 21:54 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-20 14:00 . 2010-01-28 21:53 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-20 14:00 . 2010-01-28 22:09 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-20 14:00 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-20 14:00 . 2010-01-20 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-19 15:37 . 2010-01-19 15:37 -------- d-----w- c:\program files\SECUNIA UPDATING PROGRAMS
2010-01-18 13:38 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-18 13:30 . 2010-01-18 13:31 -------- d-----w- c:\program files\MICROSOFT VIRUS PROTECTION
2010-01-11 20:02 . 2010-01-05 16:33 52224 ----a-w- c:\documents and settings\Billie Feltner\Application Data\Mozilla\Firefox\Profiles\gr0lrbzd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
2010-01-11 20:02 . 2010-01-05 16:33 101376 ----a-w- c:\documents and settings\Billie Feltner\Application Data\Mozilla\Firefox\Profiles\gr0lrbzd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 05:33 . 2007-04-08 23:09 6520 ----a-w- c:\windows\system32\drivers\ghstwall.sys
2010-01-26 13:21 . 2009-11-20 13:20 117760 ----a-w- c:\documents and settings\Billie Feltner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-26 13:20 . 2008-12-28 16:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-23 20:31 . 2004-03-11 16:55 -------- d-----w- c:\program files\Common Files\Java
2010-01-23 20:31 . 2004-03-11 16:55 -------- d-----w- c:\program files\Java
2010-01-23 16:15 . 2004-03-15 18:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 20:14 . 2004-03-11 17:04 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-20 20:14 . 2004-03-11 17:25 -------- d-----w- c:\program files\MUSICMATCH
2010-01-20 14:00 . 2009-11-20 18:40 -------- d-----w- c:\program files\Alwil Software
2010-01-19 00:23 . 2008-04-07 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-01-18 13:34 . 2009-06-10 15:34 -------- d-----w- c:\program files\WhatsRunning
2010-01-18 13:33 . 2009-04-10 12:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 10:00 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-24 13:07 . 2004-03-15 23:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-17 22:14 . 2008-12-01 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-07 14:09 . 2008-11-12 08:19 -------- d-----w- c:\program files\Dell DataSafe Online
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 18:28 . 2004-03-15 16:58 60464 ----a-w- c:\documents and settings\Billie Feltner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-07 17:00 . 2009-11-07 17:00 152576 ----a-w- c:\documents and settings\Billie Feltner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2004-07-21 12:48 . 2004-07-21 12:48 78 ---ha-w- c:\program files\Picasa.ini
2005-04-21 22:54 . 2005-04-17 13:36 10022 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"GhostWall"="c:\program files\GhostWall\ghostwall.exe" [2005-09-29 217088]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-12-03 670864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-26 13:20 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Billie Feltner^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Billie Feltner^Start Menu^Programs^Startup^SpywareGuard.lnk]
backup=c:\windows\pss\SpywareGuard.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Billie Feltner^Start Menu^Programs^Startup^Stickies.lnk]
backup=c:\windows\pss\Stickies.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Billie Feltner^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-11-06 21:46 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-07 15:40 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2009-01-03 19:47 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 13:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-22 04:48 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\program files\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2005-02-09 23:12 32768 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-07-21 22:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-16 01:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-26 13:20 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147802767\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147802767\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\itunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [1/20/2010 9:01 AM 163280]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 11:06 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [1/20/2010 9:01 AM 19024]
R2 ghstwall;ghstwall;c:\windows\SYSTEM32\DRIVERS\ghstwall.sys [4/8/2007 6:09 PM 6520]
R2 LxrSII1d;Secure II Driver;c:\windows\SYSTEM32\DRIVERS\LxrSII1d.sys [2/24/2006 9:30 PM 70016]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theanimalrescuesite.com/clickToGive/home.faces?siteId=3
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37570.cab
FF - ProfilePath - c:\documents and settings\Billie Feltner\Application Data\Mozilla\Firefox\Profiles\gr0lrbzd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.theanimalrescuesite.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\Billie Feltner\Application Data\Mozilla\Firefox\Profiles\gr0lrbzd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Billie Feltner\Application Data\Mozilla\Firefox\Profiles\gr0lrbzd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionNone", "2");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionCtrl", "1");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionCtrlShift", "1");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAlt", "2");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAltShift", "2");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionShift", "3");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAltCtrl", "2");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationNone", "0");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationCtrl", "1");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationCtrlShift", "1");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAlt", "0");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAltShift", "0");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationShift", "2");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAltCtrl", "0");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.contextmenuoption", true);
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.hotkeySelectionToggles", false);
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.searchoption", false);
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.historyoption", true);
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.history", "googlebar");
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.maxHistCnt", 10);
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.savelastoption", false);
c:\program files\Mozilla Firefox\defaults\pref\googlebar.js - user_pref("googlebar.hidemenuoption", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Dell DataSafe Online - c:\program files\Dell DataSafe Online\DataSafeOnline.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 16:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-02 16:52:10
ComboFix-quarantined-files.txt 2010-02-02 21:51
ComboFix2.txt 2009-08-28 13:57

Pre-Run: 16,539,619,328 bytes free
Post-Run: 16,497,168,384 bytes free

- - End Of File - - 1774A7A4514EE27F9FB08C5FB20CD3E8

Again, many thanks, and I hope your son is feeling better.

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,911 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:20 PM

Posted 03 February 2010 - 01:47 AM

Hello pussykatt,

Luckily my son is feeling quite well, he still needs some treatment, but no more need for the hospital!

I deleted your previous post (the one with only the quote of my post). There is no need to quote my reply, you can just click AddReply.

You had a flash drive infection. Its important to check all your flash drives and other external storage devices with Flashdrive Disinfector (you can keep using the application also afterwards).

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


CCleaner is also a temporary file cleaner. I recommend using TFC because its much more thorough and leaves for example browserdata alone. You can use it if you wish.

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job.
Once its finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log
  • A description of any remaining problems.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#8 pusssykatt

pusssykatt
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 03 February 2010 - 02:02 PM

I'm glad your son is better! I ran the Flash Disinfector and here is the log for Malwarebytes:
Malwarebytes' Anti-Malware 1.44
Database version: 3684
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/3/2010 1:52:17 PM
mbam-log-2010-02-03 (13-52-17).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 343947
Time elapsed: 2 hour(s), 58 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks!

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,911 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:20 PM

Posted 03 February 2010 - 02:33 PM

Hello pussykatt,

Any problems left?

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

In your next reply, please include the following:
  • ESET online scan results

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#10 pusssykatt

pusssykatt
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 03 February 2010 - 07:21 PM

I ran esetsmart and no infected files were found.

I also solved my sound problem.

Thanks

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,911 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:20 PM

Posted 04 February 2010 - 01:50 AM

Hello pussykatt,

Good to hear that smile.gif

INSTALL FIREWALL
--------------------------
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Outpost Firewall Free, Sygate Personal Firewall Free or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note - If you connect to the internet using a router, you are already behind a hardware firewall.

Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean smile.gif

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and RootRepeal.
Please read these advices, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#12 pusssykatt

pusssykatt
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 05 February 2010 - 10:48 AM

I've done everything that you requested, but have 2 additional questions.

1. Since I use a router, do I need an additional firewall?

2. I use google ads on my webpages, and now I'm unable to view them. What have I installed that is causing this, and can I tweek it to allow me to view these ads?

Thanks!

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,911 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:20 PM

Posted 05 February 2010 - 11:01 AM

No need for an additional firewall (unless you like to install one) since you are behind a router smile.gif

What browser doesn't show your google ads anymore? If its Firefox, check if you aren't using AdBlock extensions.

Verify if Internet Explorer shows you the ads.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#14 pusssykatt

pusssykatt
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 05 February 2010 - 11:05 AM

They don't show up on I.E. either. I haven't installed Ad-Blocker on Firefox, and it doesn't show up on any of my Add-ons.

Thanks!

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,911 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:20 PM

Posted 05 February 2010 - 11:45 AM

Thats really strange. Are all pages with google ads affected, or only certain sites?

I checked this thread and we didn't remove anything that could cause this as far as I can see. Did you try to disable avast! to see if this somehow is blocking the ads?
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users