Yahoo search redirect problem


This topic is locked
40 replies to this topic

#1 JM210

JM210

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 24 May 2010 - 07:29 PM

Hello,
I have been having major problems with my Yahoo search results being redirected to random sites. I have tried Malwarebytes, SUPERAntiSpyware and Avast, all of which did not help. I started going through the steps listed on this site and I have done everything up until the GMER log. Every time I have tried to run the scan my PC turns off just a minute or two into the scan. I have also tried to run the scan in safe mode but the same thing happened. I'm stuck now and have no idea what to do to get my logs posted. PLEASE HELP. Below is a copy of DDS.txt




DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 18:02:14.75 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1366 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\COMMON~1\AOL\122067~1\EE\AOLHOS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\AOL\122067~1\EE\AOLServiceHost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=y8rqOJ6NbgZ8YsC3_SP6eUWn0xI
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8)" -"http://pbskids.org/dragontales/sticker_story/sszak/sticker.html"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HostManager] c:\program files\common files\aol\1220677495\ee\AOLHostManager.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1240608641635&h=ab3916816060cfc8f51118dcab533c81/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: text/html - {489692a5-e3c4-4a40-a807-8f96ca3c62bc} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.jas\applic~1\mozilla\firefox\profiles\qgv9awno.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-18 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-18 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-18 40384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-18 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-18 40384]

=============== Created Last 30 ================

2010-05-24 23:00:08 0 ----a-w- c:\documents and settings\owner.jason\defogger_reenable
2010-05-19 17:18:51 0 d-----w- c:\program files\Trend Micro
2010-05-19 16:43:26 0 d-----w- c:\docume~1\owner~1.jas\applic~1\Malwarebytes
2010-05-19 16:43:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-19 16:43:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-19 16:43:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 16:43:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-19 15:08:28 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-19 15:07:02 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-19 15:07:02 0 d-----w- c:\docume~1\owner~1.jas\applic~1\SUPERAntiSpyware.com
2010-05-19 15:05:22 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-18 14:20:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-05-20 01:43:40 22352 ----a-w- c:\docume~1\owner~1.jas\applic~1\wklnhst.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2008-10-12 15:51:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101220081013\index.dat

============= FINISH: 18:03:05.14 ===============

Edited by JM210, 24 May 2010 - 08:29 PM.




#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:06:33 PM

Posted 26 May 2010 - 01:23 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please post a fresh DDS log (both DDS.txt and Attach.txt).

MalWare Removal University Master

Member of ASAP


#3 JM210

JM210
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 26 May 2010 - 03:03 PM

Thank you km2357. I am currently at work, but as soon as I get home I will post the new logs. Again thank you thank you!!!

#4 JM210

JM210
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 26 May 2010 - 08:20 PM

Here are the logs you requested


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 20:16:43.24 on Wed 05/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1361 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\COMMON~1\AOL\122067~1\EE\AOLHOS~1.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\COMMON~1\AOL\122067~1\EE\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\QuickTime\PictureViewer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner.Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=y8rqOJ6NbgZ8YsC3_SP6eUWn0xI
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8)" -"http://pbskids.org/dragontales/sticker_story/sszak/sticker.html"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HostManager] c:\program files\common files\aol\1220677495\ee\AOLHostManager.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Filter: text/html - {489692a5-e3c4-4a40-a807-8f96ca3c62bc} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.jas\applic~1\mozilla\firefox\profiles\qgv9awno.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-18 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-18 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-18 40384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-18 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-18 40384]

=============== Created Last 30 ================

2010-05-25 14:00:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-24 23:29:55 0 d-----w- c:\program files\BitZipper
2010-05-24 23:00:08 0 ----a-w- c:\documents and settings\owner.jason\defogger_reenable
2010-05-19 17:18:51 0 d-----w- c:\program files\Trend Micro
2010-05-19 16:43:26 0 d-----w- c:\docume~1\owner~1.jas\applic~1\Malwarebytes
2010-05-19 16:43:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-19 16:43:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-19 16:43:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 16:43:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-19 15:08:28 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-19 15:07:02 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-19 15:07:02 0 d-----w- c:\docume~1\owner~1.jas\applic~1\SUPERAntiSpyware.com
2010-05-19 15:05:22 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-18 14:20:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-05-20 01:43:40 22352 ----a-w- c:\docume~1\owner~1.jas\applic~1\wklnhst.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-10-12 15:51:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101220081013\index.dat

============= FINISH: 20:17:29.72 ===============
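Added here as a worked example (not code from the thread, and not the DDS tool's own code): a small Python triage pass over the "Pseudo HJT Report" section of a DDS log like the two posted above. It extracts each entry's section, CLSID and target and flags what a helper reads first, namely COM references with no file on disk and hooks that sit in Internet Explorer's HTML loading path; a flag means "review this", not "malicious". The sample lines are copied from JM210's log.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of the forum thread and not code from the DDS tool.
Entries are parsed into (section, name, clsid, path) records; review_reasons()
marks structural oddities a helper checks first. A flag is a prompt to review,
not a verdict: a legitimate path still has to be checked against a known-good list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
COLON_RE = re.compile(r"^([A-Za-z][\w-]*):\s+(.*)$")        # 'BHO: name: {clsid} - path'
ASSIGN_RE = re.compile(r"^([A-Za-z][\w ,]*?)\s*=\s*(.*)$")   # 'uStart Page = url'
BRACKET_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")            # 'uRun: [Name] command'

# Constructed excerpt: lines copied from the DDS log posted above, plus the
# surrounding banners so the section extraction has boundaries to work on.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mURLSearchHooks: H - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mPolicies-system: EnableLUA = 0 (0x0)
Filter: text/html - {489692a5-e3c4-4a40-a807-8f96ca3c62bc} -
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - prefs.js: browser.startup.homepage - www.yahoo.com
"""


@dataclass
class Entry:
    section: str           # 'BHO', 'TB', 'Filter', 'mRun', 'uStart Page', ...
    name: str              # display name or run key; '' when the line has none
    clsid: Optional[str]   # lower-cased {GUID} when present
    path: str              # file, command or URL the entry points to; '' if none


def hjt_section(log_text: str) -> List[str]:
    """Non-empty lines between the 'Pseudo HJT Report' banner and the next banner."""
    lines, inside = [], False
    for line in log_text.splitlines():
        if line.startswith("===="):
            inside = "Pseudo HJT Report" in line
            continue
        if inside and line.strip():
            lines.append(line.rstrip())
    return lines


def parse_line(line: str) -> Optional[Entry]:
    """Parse one report line; None if it is in neither 'Section: ...' nor 'key = value' form."""
    m = COLON_RE.match(line)
    if not m:
        m = ASSIGN_RE.match(line)
        return Entry(m.group(1).strip(), "", None, m.group(2).strip()) if m else None
    section, rest = m.group(1), m.group(2).strip()
    cm = CLSID_RE.search(rest)
    clsid = cm.group(0).lower() if cm else None
    bm = BRACKET_RE.match(rest)
    if bm:                                # run keys: [Name] "command" args
        return Entry(section, bm.group(1), clsid, bm.group(2).strip())
    if rest.endswith(" -"):               # CLSID registered, but no file named at all
        head, path = rest[:-2], ""
    elif " - " in rest:
        head, path = rest.rsplit(" - ", 1)
    else:
        head, path = "", rest
    name = CLSID_RE.sub("", head).strip(" :-")
    return Entry(section, name, clsid, path.strip())


def parse_hjt_report(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in hjt_section(log_text)) if e]


def review_reasons(e: Entry) -> List[str]:
    """Why an entry deserves a look; an empty list means nothing stands out structurally."""
    reasons = []
    if e.path.lower() == "no file" or (e.path == "" and e.clsid):
        reasons.append("registry reference to a COM object with no file on disk")
    if e.section == "Filter" and e.name.lower().startswith("text/html"):
        reasons.append("MIME filter on text/html: runs on every HTML page IE loads")
    if e.section == "AppInit_DLLs":
        reasons.append("AppInit_DLLs: loaded into every process that loads user32.dll")
    return reasons


def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    flagged = []
    for e in parse_hjt_report(log_text):
        reasons = review_reasons(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.section}: {entry.name or entry.clsid or entry.path}")
        for r in reasons:
            print(f"    - {r}")
```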


#5 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:06:33 PM

Posted 26 May 2010 - 08:41 PM

In which browser do these redirects occur? Just Internet Explorer? Just Firefox? Or both?


IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire 5.3.6

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Since it's been a few days, let's try running GMER again and see if we can get a log from it.

First, delete GMER.exe off of your computer, then follow the instructions below:


Step # 1: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.

MalWare Removal University Master

Member of ASAP


#6 JM210

JM210
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 26 May 2010 - 10:10 PM

Well I followed your instructions and once again at approximately 28 minutes into the scan my computer powered off. And to answer your other question it is happening on both browsers. Now what????

#7 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:06:33 PM

Posted 27 May 2010 - 01:23 PM

Since GMER is giving you trouble, let's try another rootkit scanner.


Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
      Process
      Kernel Modes
      SSDT
      Kernel Hooks
      Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


MalWare Removal University Master

Member of ASAP


#8 JM210

JM210
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 27 May 2010 - 03:58 PM

Here is the log you requested. Hope it helps!!

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 788
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 856
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 880
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 924
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 936
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1112
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1160
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1304
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PID: 1352
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PID: 1388
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1472
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1648
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PID: 1904
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 460
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehtray.exe
PID: 1288
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PID: 1296
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 1332
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
PID: 1412
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PID: 1500
Hidden: No
Window Visible: No

Name: C:\WINDOWS\stsystra.exe
PID: 1436
Hidden: No
Window Visible: No

Name: C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PID: 1444
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxtray.exe
PID: 1516
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hkcmd.exe
PID: 1536
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxpers.exe
PID: 1548
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PID: 1600
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PID: 1624
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PID: 1776
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\1220677495\EE\AOLHostManager.exe
PID: 1792
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxsrvc.exe
PID: 1808
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 1940
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Java\Java Update\jusched.exe
PID: 1960
Hidden: No
Window Visible: No

Name: C:\Program Files\QuickTime\QTTask.exe
PID: 1968
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 264
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PID: 284
Hidden: No
Window Visible: No

Name: C:\Program Files\Messenger\msmsgs.exe
PID: 552
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\COMMON~1\AOL\122067~1\EE\AOLServiceHost.exe
PID: 604
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 620
Hidden: No
Window Visible: No

Name: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PID: 652
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PID: 1120
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1264
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PID: 1616
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PID: 2344
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
PID: 2356
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 2380
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
PID: 2396
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 2408
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehrecvr.exe
PID: 2460
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehSched.exe
PID: 2576
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
PID: 2668
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 2696
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\HPZipm12.exe
PID: 2768
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PID: 2880
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PID: 2984
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 3028
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 3088
Hidden: No
Window Visible: No

Name: C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PID: 3180
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\mcrdsvc.exe
PID: 3284
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 3972
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehmsas.exe
PID: 3988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\dllhost.exe
PID: 2212
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3424
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
PID: 2100
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
PID: 3552
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 1812
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 1680
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 392
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 3632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehtray.exe
PID: 496
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PID: 2928
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 4044
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehmsas.exe
PID: 128
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PID: 3328
Hidden: No
Window Visible: No

Name: C:\WINDOWS\stsystra.exe
PID: 1380
Hidden: No
Window Visible: No

Name: C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PID: 3036
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hkcmd.exe
PID: 456
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxpers.exe
PID: 348
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PID: 352
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PID: 3280
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxsrvc.exe
PID: 2136
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PID: 1760
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Java\Java Update\jusched.exe
PID: 916
Hidden: No
Window Visible: No

Name: C:\Program Files\QuickTime\QTTask.exe
PID: 400
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 3528
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PID: 708
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\1220677495\EE\AOLHostManager.exe
PID: 528
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 3496
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PID: 1484
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\COMMON~1\AOL\122067~1\EE\AOLServiceHost.exe
PID: 2060
Hidden: No
Window Visible: No

Name: C:\Program Files\LimeWire\LimeWire.exe
PID: 3540
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PID: 5324
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
PID: 5464
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
PID: 5564
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owner.Jason\Desktop\SysProt\SysProt.exe
PID: 500
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Owner.Jason\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A7A62000
Module End: A7A6D000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BADA8000
Module End: BADAA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BACB8000
Module End: BACBB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: BA779000
Module End: BA7A7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BADAA000
Module End: BADAC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: BA768000
Module End: BA779000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA8A8000
Module End: BA8B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA8B8000
Module End: BA8C8000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA8C8000
Module End: BA8D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: BACBC000
Module End: BACBF000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: BACC0000
Module End: BACC4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BAE70000
Module End: BAE71000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BAB28000
Module End: BAB2F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: BADAC000
Module End: BADAE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: BADAE000
Module End: BADB0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\toside.sys
Service Name: TosIde
Module Base: BADB0000
Module End: BADB2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: BADB2000
Module End: BADB4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cmdide.sys
Service Name: CmdIde
Module Base: BADB4000
Module End: BADB6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: BA74A000
Module End: BA768000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA8D8000
Module End: BA8E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: BA72B000
Module End: BA74A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BADB6000
Module End: BADB8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: BA705000
Module End: BA72B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: BACC4000
Module End: BACC7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: BAE71000
Module End: BAE72000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BAB30000
Module End: BAB35000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA8E8000
Module End: BA8F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cpqarray.sys
Service Name: Cpqarray
Module Base: BACC8000
Module End: BACCC000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: BA6ED000
Module End: BA705000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\IASTOR.SYS
Service Name: iaStor
Module Base: BA617000
Module End: BA6ED000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: BA5FF000
Module End: BA617000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aha154x.sys
Service Name: Aha154x
Module Base: BACCC000
Module End: BACD0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sparrow.sys
Service Name: Sparrow
Module Base: BAB38000
Module End: BAB3D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc810.sys
Service Name: symc810
Module Base: BACD0000
Module End: BACD4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78xx.sys
Service Name: aic78xx
Module Base: BA8F8000
Module End: BA906000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac960nt.sys
Service Name: dac960nt
Module Base: BACD4000
Module End: BACD8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql10wnt.sys
Service Name: Ql10wnt
Module Base: BA908000
Module End: BA911000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amsint.sys
Service Name: amsint
Module Base: BACD8000
Module End: BACDB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc.sys
Service Name: asc
Module Base: BAB40000
Module End: BAB47000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3550.sys
Service Name: asc3550
Module Base: BACDC000
Module End: BACE0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mraid35x.sys
Service Name: mraid35x
Module Base: BAB48000
Module End: BAB4D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\i2omp.sys
Service Name: i2omp
Module Base: BAB50000
Module End: BAB55000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ini910u.sys
Service Name: ini910u
Module Base: BACE0000
Module End: BACE4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1240.sys
Service Name: ql1240
Module Base: BA918000
Module End: BA922000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78u2.sys
Service Name: aic78u2
Module Base: BA928000
Module End: BA936000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc8xx.sys
Service Name: symc8xx
Module Base: BAB58000
Module End: BAB60000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_hi.sys
Service Name: sym_hi
Module Base: BAB60000
Module End: BAB67000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_u3.sys
Service Name: sym_u3
Module Base: BAB68000
Module End: BAB70000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ABP480N5.SYS
Service Name: abp480n5
Module Base: BAB70000
Module End: BAB76000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3350p.sys
Service Name: asc3350p
Module Base: BAB78000
Module End: BAB7E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cd20xrnt.sys
Service Name: cd20xrnt
Module Base: BADB8000
Module End: BADBA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ultra.sys
Service Name: ultra
Module Base: BA938000
Module End: BA941000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\adpu160m.sys
Service Name: adpu160m
Module Base: BA5E6000
Module End: BA5FF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dpti2o.sys
Service Name: dpti2o
Module Base: BAB80000
Module End: BAB85000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1080.sys
Service Name: ql1080
Module Base: BA948000
Module End: BA952000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1280.sys
Service Name: ql1280
Module Base: BA958000
Module End: BA964000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql12160.sys
Service Name: ql12160
Module Base: BA968000
Module End: BA974000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2.sys
Service Name: perc2
Module Base: BAB88000
Module End: BAB8F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2hib.sys
Service Name: perc2hib
Module Base: BADBA000
Module End: BADBC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\hpn.sys
Service Name: hpn
Module Base: BAB90000
Module End: BAB97000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cbidf2k.sys
Service Name: cbidf
Module Base: BACE4000
Module End: BACE8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac2w2k.sys
Service Name: dac2w2k
Module Base: BA5BA000
Module End: BA5E6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA978000
Module End: BA981000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA988000
Module End: BA995000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: BA59A000
Module End: BA5BA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: BA588000
Module End: BA59A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA998000
Module End: BA9A1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: BA571000
Module End: BA588000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: BA4E4000
Module End: BA571000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: BA4B7000
Module End: BA4E4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sisagp.sys
Service Name: sisagp
Module Base: BA9A8000
Module End: BA9B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp.sys
Service Name: viaagp
Module Base: BA9B8000
Module End: BA9C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: BA49D000
Module End: BA4B7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\alim1541.sys
Service Name: alim1541
Module Base: BA9C8000
Module End: BA9D3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amdagp.sys
Service Name: amdagp
Module Base: BA9D8000
Module End: BA9E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: BA9E8000
Module End: BA9F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agpCPQ.sys
Service Name: agpCPQ
Module Base: BA9F8000
Module End: BAA03000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: BAA38000
Module End: BAA41000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: BAD94000
Module End: BAD98000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Service Name: ialm
Module Base: BA207000
Module End: BA324000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: BA1F3000
Module End: BA207000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: BA1CB000
Module End: BA1F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\yk51x86.sys
Service Name: yukonwxp
Module Base: BA02E000
Module End: BA06A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\w39n51.sys
Service Name: w39n51
Module Base: B992C000
Module End: B9A89000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: BAC00000
Module End: BAC06000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B97E8000
Module End: B980C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BAC58000
Module End: BAC60000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: BAA98000
Module End: BAAA8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tifm21.sys
Service Name: tifm21
Module Base: B9713000
Module End: B973B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: BAAB8000
Module End: BAAC5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BABB8000
Module End: BABBE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: B960A000
Module End: B9638000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BADEE000
Module End: BADF0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BAC18000
Module End: BAC1E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: BAAF8000
Module End: BAB03000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BA45D000
Module End: BA46D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BA44D000
Module End: BA45C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B8ED1000
Module End: B8EF4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: BABC8000
Module End: BABCE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BAFA5000
Module End: BAFA6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BA41D000
Module End: BA42A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BA388000
Module End: BA38B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B8D28000
Module End: B8D3F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BA40D000
Module End: BA418000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BAA18000
Module End: BAA24000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: B95B9000
Module End: B95BE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B8C3F000
Module End: B8C50000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BAA28000
Module End: BAA31000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BAC30000
Module End: BAC35000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BAC40000
Module End: BAC45000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanatw4.sys
Service Name: wanatw
Module Base: BABF8000
Module End: BABFE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B8A85000
Module End: B8AB5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BAA48000
Module End: BAA52000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BADFC000
Module End: BADFE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B895E000
Module End: B89BC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: BA338000
Module End: BA33C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: B96A7000
Module End: B96B1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sthda.sys
Service Name: STHDA
Module Base: A8224000
Module End: A8339000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: A8115000
Module End: A8139000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BA43D000
Module End: BA44C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\smserial.sys
Service Name: smserial
Module Base: A7EB3000
Module End: A7F8E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: BAC28000
Module End: BAC30000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: B88EE000
Module End: B88FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: B95E1000
Module End: B95E9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Service Name: usbscan
Module Base: BA3C5000
Module End: BA3C9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: B95D9000
Module End: B95E0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZius12.sys
Service Name: HPZius12
Module Base: B95C9000
Module End: B95CF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: usbstor
Module Base: BAC90000
Module End: BAC97000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZid412.sys
Service Name: HPZid412
Module Base: B9677000
Module End: B9684000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
Service Name: HPZipr12
Module Base: BA3A0000
Module End: BA3A4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: BA394000
Module End: BA397000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: B9667000
Module End: B9670000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BAC98000
Module End: BAC9F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: BA39C000
Module End: BA39F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: BA398000
Module End: BA39B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS
Service Name: Cdr4_xp
Module Base: BAF2F000
Module End: BAF30000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS
Service Name: Cdralw2k
Module Base: BAF37000
Module End: BAF38000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BAE54000
Module End: BAE56000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BAEA0000
Module End: BAEA1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: A18E8000
Module End: A18EA000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: 93A34000
Module End: 93A3A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: A18E6000
Module End: A18E8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: 9FBAA000
Module End: 9FBAC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: 93A2C000
Module End: 93A31000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: 93A24000
Module End: 93A2C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: 94033000
Module End: 94036000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: 9273E000
Module End: 92751000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: 926E5000
Module End: 9273E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Service Name: aswTdi
Module Base: 93C0D000
Module End: 93C17000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: 926BF000
Module End: 926E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: 92697000
Module End: 926BF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: 93BFD000
Module End: 93C06000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: 92675000
Module End: 92697000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: 93BED000
Module End: 93BF6000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Service Name: SASKUTIL
Module Base: 92653000
Module End: 92675000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: 93BDD000
Module End: 93BEC000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Service Name: SASDIFSV
Module Base: 93A1C000
Module End: 93A22000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: 92628000
Module End: 92653000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: 925B8000
Module End: 92628000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: 93BCD000
Module End: 93BD8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS
Service Name: aswSP
Module Base: 92591000
Module End: 925B8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Service Name: Aavmker4
Module Base: 93A0C000
Module End: 93A12000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: 9256D000
Module End: 92591000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 92497000
Module End: 9256D000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: 93B91000
Module End: 93B94000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: 93A04000
Module End: 93A09000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BAF83000
Module End: BAF84000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswFsBlk.SYS
Service Name: aswFsBlk
Module Base: 9A2E4000
Module End: 9A2E7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Service Name: AegisP
Module Base: 92937000
Module End: 9293C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Service Name: s24trans
Module Base: A76D4000
Module End: A76D8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B8A5D000
Module End: B8A61000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Service Name: aswMon2
Module Base: 92458000
Module End: 9246F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: 9232B000
Module End: 92340000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: A6856000
Module End: A6865000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BAB18000
Module End: BAB28000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: 91EC0000
Module End: 91EED000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: 91BD7000
Module End: 91C18000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: 91A5E000
Module End: 91AB5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Service Name: aswRdr
Module Base: A6300000
Module End: A6305000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: 910F5000
Module End: 91120000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: 92599C7A
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwCreateKey
Address: 92599B36
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDeleteKey
Address: 9259A0EA
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDeleteValueKey
Address: 9259A014
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDuplicateObject
Address: 9259970C
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenKey
Address: 92599C10
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenProcess
Address: 9259964C
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenThread
Address: 925996B0
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryValueKey
Address: 92599D30
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRenameKey
Address: 9259A1B8
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRestoreKey
Address: 92599CF0
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwSetValueKey
Address: 92599E70
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwTerminateProcess
Address: 9265D950
Driver Base: 92653000
Driver End: 92675000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwLoadDriver
At Address: 8058413A
Jump To: 925A6A28
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ZwCreateSection
At Address: 805AB38E
Jump To: 925A68EE
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ZwCreateProcessEx
At Address: 805D1134
Jump To: 925A6ACA
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ZwClose
At Address: 805BC502
Jump To: 925A2536
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: PsCreateSystemThread
At Address: 805D1134
Jump To: 925A6ACA
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObMakeTemporaryObject
At Address: 805BC502
Jump To: 925A2536
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObInsertObject
At Address: 805C2F86
Jump To: 925A3EC2
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObCloseHandle
At Address: 805BC502
Jump To: 925A2536
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Recovery\I386
Status: Access denied

Object: C:\System Recovery\SYSRST
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}
Status: Access denied
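
The scan log above is the part of the thread a responder actually reads: the SSDT table and the inline kernel hooks show which driver owns every hook, and every owner listed is aswSP.SYS (avast! self-protection) or SASKUTIL.SYS (SUPERAntiSpyware), both products the poster said were installed. That is the check worth automating when these logs arrive by the dozen. The following is an added example, not the scanner's code and not part of this thread: it parses a constructed excerpt in the same layout, counts hooks per owning driver, flags owners that are not on an allowlist, flags modules the scanner reports as hidden, and verifies that each SSDT handler address falls inside the driver image the scanner attributes it to. The allowlist (`KNOWN_SECURITY_DRIVERS`) is an assumption about this host, and the `unknown.sys` entry in the sample is made up so the flagging path is exercised; it is not from the poster's log.

```python
from collections import Counter
from typing import Dict, List

# Constructed excerpt in the layout of the rootkit-scan log posted above
# (module list, SSDT table, kernel hooks). The ZwQueryDirectoryFile entry
# owned by unknown.sys is made up to exercise the flagging path.
SAMPLE_LOG = r"""
Module Name: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Service Name: aswMon2
Module Base: 92458000
Module End: 9246F000
Hidden: No

******************************************************************************************
SSDT:
Function Name: ZwOpenProcess
Address: 9259964C
Driver Base: 92591000
Driver End: 925B8000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryDirectoryFile
Address: 91000120
Driver Base: 91000000
Driver End: 91008000
Driver Name: \??\C:\WINDOWS\Temp\unknown.sys

******************************************************************************************
Kernel Hooks:
Hooked Function: ZwLoadDriver
At Address: 8058413A
Jump To: 925A6A28
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS
"""

# Assumption: drivers belonging to the security products the poster said
# are installed (avast!, SUPERAntiSpyware). Tailor this to the host.
KNOWN_SECURITY_DRIVERS = {"aswsp.sys", "aswmon2.sys", "aswrdr.sys", "saskutil.sys"}

Record = Dict[str, str]

def parse_scan_log(text: str) -> Dict[str, List[Record]]:
    """Group 'Key: Value' records under the header they follow ('SSDT:', ...); the headerless module list goes under 'Modules:'."""
    sections: Dict[str, List[Record]] = {}
    current, record = "Modules:", {}

    def flush() -> None:
        nonlocal record
        if record:
            sections.setdefault(current, []).append(record)
            record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # blank line or separator bar
            flush()
        elif line.endswith(":"):               # section header such as 'SSDT:'
            flush()
            current = line
        else:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    flush()
    return sections

def driver_basename(path: str) -> str:
    """Lower-cased file name of a driver path such as '\\??\\C:\\...\\aswSP.SYS'."""
    return path.rsplit("\\", 1)[-1].lower()

def handler_inside_driver(rec: Record) -> bool:
    """True when an SSDT handler address lies within the attributed driver image; a miss means the attribution is unreliable."""
    try:
        addr, lo, hi = (int(rec[k], 16) for k in ("Address", "Driver Base", "Driver End"))
    except (KeyError, ValueError):
        return False
    return lo <= addr < hi

def triage(text: str) -> Dict[str, object]:
    """Modules hidden from normal APIs, hook owners outside the allowlist, and mis-attributed SSDT entries."""
    sections = parse_scan_log(text)
    hidden = [m["Module Name"] for m in sections.get("Modules:", [])
              if m.get("Hidden", "").lower() == "yes"]
    owners: Counter = Counter()
    unknown, mismatches = [], []
    for section, owner_key, func_key in (("SSDT:", "Driver Name", "Function Name"),
                                         ("Kernel Hooks:", "Module Name", "Hooked Function")):
        for rec in sections.get(section, []):
            owner = driver_basename(rec.get(owner_key, ""))
            owners[owner] += 1
            if owner not in KNOWN_SECURITY_DRIVERS:
                unknown.append((section, rec.get(func_key, "?"), rec.get(owner_key, "?")))
            if section == "SSDT:" and not handler_inside_driver(rec):
                mismatches.append((rec.get(func_key, "?"), rec.get(owner_key, "?")))
    return {"hidden_modules": hidden, "hook_owners": dict(owners),
            "unknown_hooks": unknown, "range_mismatches": mismatches}
```

Run `triage(open("scan.txt").read())` on a saved log; on the excerpt above it reports two hooks owned by aswSP.SYS, one by the made-up unknown.sys (flagged), no hidden modules and no range mismatches. A hook whose owner sits in a temp directory, has no path at all, or whose handler address falls outside the claimed image is what moves a log like this from "security products doing their job" to "look closer".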



#9 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 27 May 2010 - 07:04 PM

Step # 1: Download and Run GooredFix

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it before posting the logs.

* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings

If the above doesn't work, do the following:

Right click on the toolbar icon, then pull down "avast shield control" and click "Disable for 1 hour".


Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.


In your next post/reply, I need to see the following:

1. GooredFix Log
2. ComboFix Log

MalWare Removal University Master

Member of ASAP


#10 JM210
  • Topic Starter
  • Members
  • 21 posts

Posted 27 May 2010 - 09:09 PM

Hello, I ran GooredFix and got a log, but when I tried to run ComboFix I never made it to the screen that is supposed to say "please wait, ComboFix is preparing to run". It would just have a small box that said ComboFix with loading bars, and then it would freeze up. I uninstalled it and downloaded it again and it did the same, except this time it turned my computer off. Now what do I do?? Here is the GooredFix log.

GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:08 on 27/05/2010 (Owner)
Firefox version 3.0.19 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:19 17/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [21:30 24/04/2009]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [14:00 25/05/2010]

C:\Documents and Settings\Owner.Jason\Application Data\Mozilla\Firefox\Profiles\qgv9awno.default\extensions\
noia2_option@kk.noia [14:57 07/03/2010]
redshift_V2@shift-themes.com [18:05 05/01/2009]
{20a82645-c095-46ed-80e3-08825760534b} [14:08 24/06/2009]
{5c8bfb7c-9a54-11dc-8314-0800200c9a66} [14:57 07/03/2010]
{77b819fa-95ad-4f2c-ac7c-486b356188a9} [14:57 07/03/2010]
{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} [14:57 07/03/2010]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [14:57 07/03/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [17:28 09/04/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:29 24/04/2009]

-=E.O.F=-
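
The GooredFix log above lists every Firefox extension location with the time it was last written, and the GooredScan section is empty, meaning the tool found nothing of the family it targets. When triaging a browser redirect, the next filter a responder applies is to line those timestamps up against the date the symptoms started. The following is an added example, not GooredFix's code and not part of this thread: it parses a constructed excerpt in the log's layout (the IDs and stamps are a subset of those in the post), separates scan findings from the inventory, and returns the entries touched on or after a cutoff date, newest first. The cutoff passed in the usage below is an assumption chosen for illustration.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed excerpt in the layout of the GooredFix log posted above:
# extension directories with '[HH:MM DD/MM/YYYY]' stamps, then the HKLM
# registration key. The IDs and stamps are a subset of the post's.
SAMPLE_GOOREDFIX = r"""
GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:08 on 27/05/2010 (Owner)
Firefox version 3.0.19 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:19 17/12/2008]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [14:00 25/05/2010]

C:\Documents and Settings\Owner.Jason\Application Data\Mozilla\Firefox\Profiles\qgv9awno.default\extensions\
redshift_V2@shift-themes.com [18:05 05/01/2009]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [14:57 07/03/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:29 24/04/2009]

-=E.O.F=-
"""

class Extension(NamedTuple):
    location: str   # directory or registry key the entry was listed under
    ext_id: str
    path: str       # registry entries point elsewhere; directory entries are ''
    stamp: datetime

STAMP = re.compile(r"\[(\d{2}:\d{2}) (\d{2}/\d{2}/\d{4})\]$")
REG_ENTRY = re.compile(r'^"([^"]+)"="([^"]*)"')

def parse_gooredfix(text: str) -> Dict[str, list]:
    """Return the GooredScan findings (anything listed between the two headers)
    and every GooredLog entry tied to the location it was listed under."""
    scan_hits: List[str] = []
    entries: List[Extension] = []
    section, location = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=========="):
            section = line.strip("= ")
            continue
        if not line or line == "-=E.O.F=-":
            continue
        if section == "GooredScan":
            scan_hits.append(line)
        elif section == "GooredLog":
            m = STAMP.search(line)
            if not m:                       # a directory or registry-key header
                location = line
                continue
            stamp = datetime.strptime(m.group(2) + " " + m.group(1), "%d/%m/%Y %H:%M")
            body = line[: m.start()].strip()
            reg = REG_ENTRY.match(body)
            if reg:
                entries.append(Extension(location, reg.group(1), reg.group(2), stamp))
            else:
                entries.append(Extension(location, body, "", stamp))
    return {"scan_hits": scan_hits, "entries": entries}

def installed_since(entries: List[Extension], cutoff: str) -> List[Extension]:
    """Entries stamped on or after cutoff ('DD/MM/YYYY'), newest first."""
    since = datetime.strptime(cutoff, "%d/%m/%Y")
    return sorted((e for e in entries if e.stamp >= since), key=lambda e: e.stamp, reverse=True)
```

With `installed_since(parse_gooredfix(log)["entries"], "01/05/2010")` the only entry returned from the excerpt is the one stamped 25/05/2010 in the program-wide extensions directory; whether a recently touched entry is benign (a Java update drops one of these) or not is a question for the responder, but the timestamp is what tells them where to look first. Registry-registered extensions are kept as separate entries because they load from outside the profile and are easy to miss in a directory listing.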

#11 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 28 May 2010 - 01:40 PM

Edit:

Did you disable Avast before running ComboFix? If you didn't, disable Avast before trying Step #1 and see if ComboFix runs for you.


Let's try this.

First delete ComboFix.exe off of your computer, then follow the instructions below:


Step # 1: Download and Run ComboFix

Download ComboFix from any of the links below. You must rename it to Jmfix before saving it. Save it to your Desktop.

Link 1
Link 2

--------------------------------------------------------------------

  • Double click on Jmfix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please include C:\ComboFix.txt in your next reply so we can continue cleaning the system.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Edited by km2357, 28 May 2010 - 01:46 PM.
Added extra info regarding Avast

MalWare Removal University Master

Member of ASAP


#12 JM210
  • Topic Starter
  • Members
  • 21 posts

Posted 28 May 2010 - 04:59 PM

AHHHHHH!! This is so frustrating!!! I did everything like you said: I disabled Avast and tried to run ComboFix, and it turned my computer off after about 5-10 mins of the loading screen. I deleted ComboFix and redownloaded it, changing the name to Jmfix.exe before saving to the desktop, and it did the same thing. Now what's the plan?? Thank you so much for helping me!!!!

#13 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 28 May 2010 - 06:59 PM

This infection is a tough one, but we'll beat it.

Let's try one more thing and see if we can get ComboFix to run.

Try booting your computer into Safe Mode and running ComboFix (Jmfix.exe) from there.

If ComboFix completes its run, post the log in your next post/reply.

MalWare Removal University Master

Member of ASAP


#14 JM210
  • Topic Starter
  • Members
  • 21 posts

Posted 28 May 2010 - 10:53 PM

Well, I think I'm screwed. I tried to go into safe mode by the F8 method, and when I chose safe mode it would just start scrolling text and then freeze up. I then tried the other method for safe mode listed in the tutorial section for XP. Now when it tries to go into safe mode it gets stuck on the screen that says Windows. Just this evening it is like my PC has become really bad for reasons I don't know. I had to write this reply on my iPhone because I can't boot into any mode now. What should I do? Am I screwed????

#15 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 29 May 2010 - 12:16 PM

QUOTE
I then tried the other method for safe mode listed in the tutorial section for xp.


Did you follow the instructions under the Using the System Configuration Tool Method: section in the WinXP Boot into Safe Mode Tutorial?

If you did, read the following section of the tutorial and follow the instructions within:

http://www.bleepingcomputer.com/tutorials/...#force_safemode

After following the instructions in the link above, let me know whether you can get to Normal Mode or not, as you mentioned that your computer can't boot into any mode now.

MalWare Removal University Master

Member of ASAP




