Help needed with possible infections


  • This topic is locked
15 replies to this topic

#1 abaddon.abyss

abaddon.abyss

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 13 September 2010 - 02:21 PM

Hello, a few days ago my AVG scan showed an infection with an Adload_r.AKC trojan which it could not remove. I didn't know what to do about it, so I asked a friend who has a bit more knowledge about these things to have a look. He downloaded COMBOFIX onto the computer and it got rid of the Adload_r.AKC trojan. When he went I did a bit of searching about Combofix and found this site, at which point I realised he probably doesn't know as much as I thought. My problem now is that I have multiple Iexplorer.exe running in the Task Manager process list, which I'm pretty sure isn't right.

Here is the DDS.TXT log


DDS (Ver_10-03-17.01) - NTFSx86
Run by aaaaaaaaa at 18:50:32.53 on 13/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.959.415 [GMT 1:00]

AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\aaaaaaaaa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://my.ebay.co.uk/ws/eBayISAPI.dll?MyeBay
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - No File
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [WMAAD] c:\program files\sony\walkman launcher\WMAAD.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\mpcstar\codecs\quicktime\qtsystem\qttask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NPSStartup]
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-10 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-10-4 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-4 216400]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-9-7 29584]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-4 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-22 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331032]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-5-20 233472]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-10-4 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-10 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-10 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-10 26192]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-5-20 36608]
S2 gupdate1c9b12b228a4c6e;Google Update Service (gupdate1c9b12b228a4c6e);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-10-4 30104]
S3 ICScsiSV;Image Converter SCSI Service;c:\program files\sony\image converter 3\ICScsiSV.exe [2008-10-4 75952]
S3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\sony\image converter 3\IcVzMonLauncher.exe [2008-10-4 67760]
S3 License Management Service SON;License Management Service SON;c:\program files\common files\esonopress shared\service\Licence Manager SON.exe [2009-7-11 69632]
S3 RegVacService;RegVac Registry Service;c:\program files\regvac registry cleaner\RegVserv.exe [2008-9-8 447488]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2010-5-20 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2010-5-20 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2010-5-20 121856]

============== File Associations ===============

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-09-13 16:10:13 0 d-----w- C:\ComboFix
2010-09-12 18:30:21 0 d-sha-r- C:\cmdcons
2010-09-12 18:13:30 77312 ----a-w- c:\windows\MBR.exe
2010-09-12 18:13:30 256512 ----a-w- c:\windows\PEV.exe
2010-09-12 18:13:30 161792 ----a-w- c:\windows\SWREG.exe
2010-09-12 18:13:29 98816 ----a-w- c:\windows\sed.exe
2010-08-29 09:11:47 0 d-----w- c:\program files\RSPCA_Cyberpet
2010-08-28 10:30:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-28 10:30:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-28 10:30:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-19 16:35:14 101120 ----a-r- c:\windows\system32\drivers\ewusbmdm.sys
2010-08-19 16:34:31 0 d-----w- c:\docume~1\aaaaaa~1\applic~1\Vodafone
2010-08-19 16:33:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Vodafone

==================== Find3M ====================

2010-06-22 07:43:05 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-17 19:26:57 2776 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:51:23.50 ===============


I also tried to get the GMER logs, but when I click on the gmer.exe icon the screen turns blue with text saying "BAD_POOL_HEADER" and all I can do is reset the computer. It boots up OK afterwards but then says something really bad happened and I should let Microsoft know about it.

If anyone can help I would be very grateful, and I thank you in advance.
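An added example, not code from this thread or from the DDS tool, that does by hand what a responder does when reading the two DDS.txt logs posted here: it splits a log into its "=== Section ===" blocks, tallies the Running Processes by image name, reads the AV/FW status lines, and reports what changed between two runs. The embedded log text is a shortened, constructed excerpt of the logs in the thread; the header and status-line formats it matches are only the ones visible on this page, and treating the bare `svchost` entries as `svchost.exe` is my own normalisation, not DDS behaviour.

```python
"""Parse and diff DDS.txt logs like the two posted in this thread.

Added example; not code from the thread or from the DDS tool itself.
"""
import re
from collections import Counter

# Shortened excerpts of the two logs posted above (AV/FW status lines and a
# cut-down Running Processes block); constructed for this example.
LOG_1 = r"""
DDS (Ver_10-03-17.01) - NTFSx86
AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\aaaaaaaaa\Desktop\dds.scr

============== Pseudo HJT Report ===============
"""

LOG_2 = r"""
DDS (Ver_10-03-17.01) - NTFSx86
AV: AVG Internet Security 3-pack *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\aaaaaaaaa\Desktop\dds.scr

============== Pseudo HJT Report ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")            # "=== Title ==="
STATUS_RE = re.compile(r"^(AV|FW):\s*(.+?)\s*\*(.+?)\*")  # "AV: Product *state*"


def split_sections(text):
    """Map each '=== Title ===' header to the lines that follow it."""
    sections = {"header": []}
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def image_name(entry):
    """Lower-cased image file name of one Running Processes entry.

    Assumption (mine): DDS prints some svchost instances without '.exe',
    so a bare name gets that suffix and the instances are counted together."""
    name = entry.strip().split("\\")[-1].split()[0].lower()
    return name if "." in name else name + ".exe"


def process_counts(text):
    """Counter of image name -> number of running instances."""
    lines = split_sections(text).get("Running Processes", [])
    return Counter(image_name(l) for l in lines if l.strip())


def security_status(text):
    """{'AV': (product, state), 'FW': (product, state)} from the status lines."""
    status = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status[m.group(1)] = (m.group(2), m.group(3))
    return status


def compare_logs(old, new):
    """Process-count and AV/FW changes between two DDS runs."""
    oc, nc = process_counts(old), process_counts(new)
    procs = {n: (oc[n], nc[n]) for n in set(oc) | set(nc) if oc[n] != nc[n]}
    sa, sb = security_status(old), security_status(new)
    status = {k: (sa.get(k), sb.get(k)) for k in set(sa) | set(sb)
              if sa.get(k) != sb.get(k)}
    return {"processes": procs, "status": status}


if __name__ == "__main__":
    diff = compare_logs(LOG_1, LOG_2)
    for key, (before, after) in sorted(diff["status"].items()):
        print(f"{key}: {before and before[1]!r} -> {after and after[1]!r}")
    for name, (before, after) in sorted(diff["processes"].items()):
        print(f"{name}: {before} -> {after} instance(s)")
```

Run stand-alone it reports the two things worth noticing between these excerpts: the AV on-access scanner and the firewall went from enabled to disabled between the runs, and two iexplore.exe instances appeared, both under the standard Program Files\Internet Explorer path. An instance count by itself says nothing about infection; what a responder checks is whether every instance runs from the expected install path and whether anything in the autostart (Pseudo HJT) section points at it, and the section splitter above is there to make that comparison quick.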

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:42 PM

Posted 19 September 2010 - 11:43 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 abaddon.abyss

abaddon.abyss
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 22 September 2010 - 11:32 AM

Hello Gringo, many thanks for getting back to me. Before I post the requested logs, may I ask advice about COMBOFIX? It's installed on the computer (see OP) but not on the desktop, and it's not listed in the Add/Remove list so I don't know how to uninstall it.

As requested,


DDS (Ver_10-03-17.01) - NTFSx86
Run by aaaaaaaaa at 17:06:55.09 on 22/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.959.426 [GMT 1:00]

AV: AVG Internet Security 3-pack *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\aaaaaaaaa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://my.ebay.co.uk/ws/eBayISAPI.dll?MyeBay
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - No File
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [WMAAD] c:\program files\sony\walkman launcher\WMAAD.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\mpcstar\codecs\quicktime\qtsystem\qttask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NPSStartup]
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-10 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-10-4 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-4 216400]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-9-7 29584]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-4 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-22 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331544]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-5-20 233472]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-10-4 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-10 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-10 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-10 26192]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-5-20 36608]
S2 gupdate1c9b12b228a4c6e;Google Update Service (gupdate1c9b12b228a4c6e);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-10-4 30104]
S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
S3 ICScsiSV;Image Converter SCSI Service;c:\program files\sony\image converter 3\ICScsiSV.exe [2008-10-4 75952]
S3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\sony\image converter 3\IcVzMonLauncher.exe [2008-10-4 67760]
S3 License Management Service SON;License Management Service SON;c:\program files\common files\esonopress shared\service\Licence Manager SON.exe [2009-7-11 69632]
S3 RegVacService;RegVac Registry Service;c:\program files\regvac registry cleaner\RegVserv.exe [2008-9-8 447488]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2010-5-20 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2010-5-20 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2010-5-20 121856]

============== File Associations ===============

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-09-22 16:04:15 0 ----a-w- c:\documents and settings\aaaaaaaaa\defogger_reenable
2010-09-13 16:10:13 0 d-----w- C:\ComboFix
2010-09-12 18:30:21 0 d-sha-r- C:\cmdcons
2010-09-12 18:13:30 77312 ----a-w- c:\windows\MBR.exe
2010-09-12 18:13:30 256512 ----a-w- c:\windows\PEV.exe
2010-09-12 18:13:30 161792 ----a-w- c:\windows\SWREG.exe
2010-09-12 18:13:29 98816 ----a-w- c:\windows\sed.exe
2010-08-29 09:11:47 0 d-----w- c:\program files\RSPCA_Cyberpet
2010-08-28 10:30:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-28 10:30:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-28 10:30:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-01-17 19:26:57 2776 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:07:14.92 ===============






Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 07/06/2008 01:36:40
System Uptime: 22/09/2010 16:45:11 (1 hours ago)

Motherboard: MSI | | MS-7366
Processor: Intel® Celeron® CPU E1200 @ 1.60GHz | CPU 1 | 1600/200mhz
Processor: Intel® Celeron® CPU E1200 @ 1.60GHz | CPU 1 | 1600/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 64.518 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP262: 10/09/2010 20:19:58 - System Checkpoint
RP263: 11/09/2010 20:53:43 - System Checkpoint
RP264: 14/09/2010 18:17:00 - System Checkpoint
RP265: 15/09/2010 21:32:43 - System Checkpoint
RP266: 16/09/2010 21:40:39 - System Checkpoint
RP267: 18/09/2010 10:34:01 - System Checkpoint
RP268: 19/09/2010 11:28:56 - System Checkpoint
RP269: 20/09/2010 13:41:39 - System Checkpoint
RP270: 21/09/2010 09:10:43 - Avg Update
RP271: 21/09/2010 09:12:07 - Avg Update
RP272: 22/09/2010 13:52:58 - System Checkpoint

==== Installed Programs ======================


"Nero SoundTrax Help
Acrobat.com
Active Undelete 5.1.005
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Photoshop CS4
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Advertising Center
AnyDVD
ArcSoft PhotoStudio 5.5
µTorrent
Audio Editor Gold v7.4.2.10
Avanquest update
AVG 9.0
AviSynth 2.5
BBC iPlayer Desktop
BitComet 1.13
BroadJump Client Foundation
Calendar Wizard for CorelDRAW X3
Canon MP Navigator 3.0
Canon MP460
Canon MP460 User Registration
Canon Utilities Easy-PhotoPrint
CDBurnerXP
Celestron's TheSky (Remove only)
Chuzzle Deluxe 1.0
CloneCD
CloneDVD2
CorelDRAW Graphics Suite X3
Crayon Physics Deluxe - release 51
Crazy Machines New Challenges (Shared Components)
DolbyFiles
Driver Detective
Easy-WebPrint
EN
ExtractNow
FontNav
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
Image Converter 3
ImagXpress
Java™ 6 Update 3
Java™ 6 Update 7
Magic DVD Rip Studio v7.2.4.16
Malwarebytes' Anti-Malware
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Motorola Phone Tools
Movie Templates - Starter Kit
Mp3tag v2.43
MpcStar 4.5
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero BurningROM
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express
Nero InfoTool
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
Next Generation Visualisations
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
OpenOffice.org 2.3
PC Connectivity Solution
PDF Manual NW-A800 Series
Peggle Deluxe 1.0
Peggle Nights Deluxe
Realtek High Definition Audio Driver
RegVac Registry Cleaner 4.02 (Registered Version)
RSDownloader 2.3
SAMSUNG Mobile Composite Device Software
Samsung Mobile Modem Device Software
SAMSUNG Mobile Modem Driver Set
SAMSUNG Mobile Modem V2 Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Download Driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
SAMSUNG SYMBIAN USB Download Driver
SAMSUNG USB Mobile Device Software
SamsungConnectivityCableDriver
ScanSoft OmniPage SE 4.0
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Sibelius Scorch Plugin
Simple Port Forwarding
SonicStage 4.3
Sony Video Shared Library
SoundTrax
Spybot - Search & Destroy
TomTom HOME 2.7.5.2014
TomTom HOME Visual Studio Merge Modules
Turbo Lister 2
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB898461)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Manager
VBA
Video Downloader
VobSub v2.23 (Remove Only)
WALKMAN Launcher
WebFldrs XP
Windows Driver Package - MobileTop (sshpmdm) Modem (01/26/2008 2.6.0.0)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Wireless Manager
XviD MPEG4 Video Codec (remove only)

==== Event Viewer Messages From Past Week ========

21/09/2010 09:13:26, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
21/09/2010 09:12:56, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avgfws9 service.
16/09/2010 21:00:46, error: Print [6161] - The document https://ibdswebp3-ext.pb.com/TranResponse/B...elGlobal.aspx?P owned by jane failed to print on printer Canon MP460 Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 4325376. Number of bytes printed: 4282908. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\COMPUTER. Win32 error code returned by the print processor: 13 (0xd).
16/09/2010 17:53:19, error: Service Control Manager [7000] - The Remote Packet Capture Protocol v.0 (experimental) service failed to start due to the following error: The system cannot find the path specified.
16/09/2010 07:47:30, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001D92B40A95 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0xF5FB9000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10235904 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 197.45 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6434816 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 197.45 )
0xF2FD2000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4755456 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2252800 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2252800 bytes
0x804D7000 RAW 2252800 bytes
0x804D7000 WMIxWDM 2252800 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF697C000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 888832 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xF72E2000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF2D95000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF2EFD000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB7A7F000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB7BEE000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF2EA2000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xF2D61000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xF5EF0000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xF5F4C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7438000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB7D6F000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF72B5000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF2E04000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB702B000 C:\WINDOWS\system32\drivers\kmixer.sys 172032 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB83C8000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys 163840 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0xF2E52000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF73E2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF6A55000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF6A7A000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF6AB5000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF2E30000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF2FB0000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF2EDC000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806FD000 ACPI_HAL 134400 bytes
0x806FD000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF73AB000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7408000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF729A000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF6A9D000 C:\WINDOWS\System32\Drivers\AnyDVD.sys 98304 bytes (SlySoft, Inc., AnyDVD Filter Driver)
0xF73CA000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF2CA9000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7382000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF5F8E000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB7F53000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF5FA5000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF2F55000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF736F000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7399000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7427000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF5F7D000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7697000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF6AD8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7627000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7567000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB81B0000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF75F7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7607000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 57344 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xF7557000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF74C7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7537000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7587000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF74A7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF74E7000 avgrkx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0xF75A7000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7547000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7497000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7597000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB8568000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0xF7677000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0xF75E7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7577000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 40960 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xF75C7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF74F7000 AVGIDSxx.sys 36864 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0xF74B7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7667000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB778F000 C:\WINDOWS\system32\FsUsbExDisk.SYS 36864 bytes
0xF6AE8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7487000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF75B7000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7657000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB8258000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF74D7000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7637000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7807000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF785F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\avgfwdx.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Firewall intermediate miniport driver)
0xF77F7000 C:\WINDOWS\System32\Drivers\ElbyCDFL.sys 28672 bytes (SlySoft, Inc., ElbyCDIO Filter Driver)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF77EF000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7877000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xF77D7000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF784F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF786F000 C:\WINDOWS\System32\Drivers\ElbyCDIO.sys 20480 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xF7857000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7817000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF781F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF780F000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF788F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF797F000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB86DC000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7953000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF2FA4000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7967000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7957000 C:\WINDOWS\system32\DRIVERS\nvsmu.sys 12288 bytes (NVIDIA Corporation, NVIDIA® nForce™ SMU Microcontroller Driver)
0xF7947000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79DD000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798B000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7A0B000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79DB000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79DF000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79E1000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79C9000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xF79CB000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79D3000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A5F000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7A69000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A76000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85A3FDA8 ] TID: 128
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x84A15DA8 ] TID: 152
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847CC9B8 ] TID: 156
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x846D2380 ] TID: 164
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849EF7A0 ] TID: 180
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x85D94DA8 ] TID: 184
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x84970640 ] TID: 188
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x84A1A628 ] TID: 204
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848FADA8 ] TID: 212
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848F2B30 ] TID: 216
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848F2DA8 ] TID: 220
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848D6DA8 ] TID: 224
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848D6B30 ] TID: 228, 6619182 bytes
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848D7DA8 ] TID: 232
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848D7B30 ] TID: 236
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x85BD9A90 ] TID: 240
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8472EDA8 ] TID: 244
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x84AB55B8 ] TID: 252
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x85BD7BE0 ] TID: 256
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x85BDB830 ] TID: 260
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x848DBDA8 ] TID: 264
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85D83020 ] TID: 280
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x848FBDA8 ] TID: 284
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x848D3DA8 ] TID: 292
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x849A0BC8 ] TID: 296
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84A06BC8 ] TID: 300
0x80561500 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x848D8DA8 ] TID: 328
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x847EAB30 ] TID: 332
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x85D57740 ] TID: 336
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x849426B0 ] TID: 348
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x848E1A88 ] TID: 360
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x848CADA8 ] TID: 384
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x849DD7C0 ] TID: 388
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x848CAB30 ] TID: 396, 5374020 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85CB69A0 ] TID: 412
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x8489F828 ] TID: 420, 7864400 bytes
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x8496C648 ] TID: 432
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x848CEB30 ] TID: 440, 3801155 bytes
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x84973DA8 ] TID: 444
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x8496CBE8 ] TID: 448, 5374020 bytes
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84909380 ] TID: 452
0x80561500 Faked ServiceTable-->avgtray.exe [ ETHREAD 0x848A1A08 ] TID: 456, 196611 bytes
0x80561500 Faked ServiceTable-->AVGIDSMonitor.exe [ ETHREAD 0x8489FBE8 ] TID: 464
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84800730 ] TID: 472
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x846F18E8 ] TID: 488
0x80561500 Faked ServiceTable-->RTHDCPL.exe [ ETHREAD 0x84765770 ] TID: 492
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849C2BE0 ] TID: 564
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8472E7A8 ] TID: 596
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8478A020 ] TID: 604
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8492EDA8 ] TID: 616
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847FFAC0 ] TID: 620
0x80561500 Faked ServiceTable-->GoogleToolbarNotifier.exe [ ETHREAD 0x85D7B020 ] TID: 624
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x846D2020 ] TID: 668
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x8474BDA8 ] TID: 676
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x849AC020 ] TID: 680
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85D89020 ] TID: 692
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x847BC020 ] TID: 696
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x847A7408 ] TID: 700
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8487BBA0 ] TID: 704
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x848009A8 ] TID: 708
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84792370 ] TID: 724
0x80561500 Faked ServiceTable-->explorer.exe [ ETHREAD 0x849CBDA8 ] TID: 752
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84715640 ] TID: 768
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84BF0020 ] TID: 776
0x80561500 Faked ServiceTable-->explorer.exe [ ETHREAD 0x8499F4A8 ] TID: 784
0x80561500 Faked ServiceTable-->explorer.exe [ ETHREAD 0x848F3B30 ] TID: 792
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847EADA8 ] TID: 800
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84734AE0 ] TID: 820
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84732BA0 ] TID: 840
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x849404D0 ] TID: 852
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x849162C8 ] TID: 860
0x80561500 Faked ServiceTable-->smss.exe [ ETHREAD 0x85D29B18 ] TID: 872
0x80561500 Faked ServiceTable-->smss.exe [ ETHREAD 0x85B88DA8 ] TID: 892
0x80561500 Faked ServiceTable-->smss.exe [ ETHREAD 0x85D24280 ] TID: 896, 565000 bytes
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x847F17A0 ] TID: 908
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x847F1528 ] TID: 916
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8471BB30 ] TID: 928, 458771 bytes
0x80561500 Faked ServiceTable-->csrss.exe [ ETHREAD 0x85C59130 ] TID: 952, 998464 bytes
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85C80078 ] TID: 984
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85C83BA0 ] TID: 988, 7536751 bytes
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85B84870 ] TID: 996, 6619182 bytes
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85B93BF8 ] TID: 1028
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85B88518 ] TID: 1032
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85C71280 ] TID: 1036
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85D246E0 ] TID: 1040
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85B5E7C8 ] TID: 1044
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85BFE898 ] TID: 1048
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85A41A58 ] TID: 1052
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85B821B8 ] TID: 1056
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85C872A0 ] TID: 1060
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8492ADA8 ] TID: 1068
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8475ADA8 ] TID: 1084
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85B59280 ] TID: 1096
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85B68510 ] TID: 1100
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x8487F020 ] TID: 1104
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85E0F1B0 ] TID: 1108
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85D3C608 ] TID: 1112
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85C68588 ] TID: 1120
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85BC4DA8 ] TID: 1124
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x84ABA6F0 ] TID: 1128
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85B9E538 ] TID: 1132
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84740DA8 ] TID: 1140
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85D4BDA8 ] TID: 1144
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x847B87A8 ] TID: 1148
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85B67DA8 ] TID: 1152
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x85D7F6B0 ] TID: 1164
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84751360 ] TID: 1168
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85D24CB0 ] TID: 1172
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85B50968 ] TID: 1180
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8475C720 ] TID: 1212
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85C5B860 ] TID: 1232
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85A36A68 ] TID: 1236
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C57A30 ] TID: 1244
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85D3CA68 ] TID: 1248
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x85D3A538 ] TID: 1256
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x849FD798 ] TID: 1260
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C6ABF0 ] TID: 1280, 8781832 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C68DA8 ] TID: 1284
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C615E0 ] TID: 1288, 8781826 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84CFA5D8 ] TID: 1292
0x80561500 Faked ServiceTable-->CFD.exe [ ETHREAD 0x84A8C6D8 ] TID: 1312
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C7FD80 ] TID: 1316
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C74720 ] TID: 1320
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847B35D8 ] TID: 1344
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847DB020 ] TID: 1348
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x84798A00 ] TID: 1352
0x80561500 Faked ServiceTable-->CFD.exe [ ETHREAD 0x846EBB30 ] TID: 1376
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C80CA8 ] TID: 1424, 3211296 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85CEB020 ] TID: 1428
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C5E388 ] TID: 1440, 3801155 bytes
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8490F7A0 ] TID: 1448
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x847BC9F0 ] TID: 1472
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847E0790 ] TID: 1476
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x849A3BC8 ] TID: 1492, 3014764 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x846B97A0 ] TID: 1508, 196611 bytes
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85D4DDA8 ] TID: 1512
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85B505F0 ] TID: 1516
0x80561500 Faked ServiceTable-->CFD.exe [ ETHREAD 0x84A8CB30 ] TID: 1524, 12845068 bytes
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x84905798 ] TID: 1528
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849A4B30 ] TID: 1536
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85BDD9D0 ] TID: 1540
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85B5EDA8 ] TID: 1544, 328256 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C5A688 ] TID: 1548, 5505056 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85D23DA8 ] TID: 1552, 7864368 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84A67628 ] TID: 1568, 20158248 bytes
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x849FA720 ] TID: 1576, 7733362 bytes
0x80561500 Faked ServiceTable-->RTHDCPL.exe [ ETHREAD 0x84762DA8 ] TID: 1580
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x849FADA8 ] TID: 1608, 3670071 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85D80BA0 ] TID: 1636
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8493EDA8 ] TID: 1652, 328344 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8493EB30 ] TID: 1656, 2147450879 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85D39588 ] TID: 1660
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C7AAA8 ] TID: 1668
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8481FDA8 ] TID: 1688
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x848F9BE0 ] TID: 1696
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x85D7EB30 ] TID: 1704
0x80561500 Faked ServiceTable-->AffinegyService.exe [ ETHREAD 0x84821DA8 ] TID: 1720
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84AAF810 ] TID: 1736
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85A3CB30 ] TID: 1740
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85BBC7F8 ] TID: 1764
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85C5DDA8 ] TID: 1768
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85C1E660 ] TID: 1772
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85A35948 ] TID: 1776
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84A786B0 ] TID: 1780
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85B92DA8 ] TID: 1784
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85B92B30 ] TID: 1788
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8493CDA8 ] TID: 1808
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x8493CB30 ] TID: 1812
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x85CEAC00 ] TID: 1816
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x84922DA8 ] TID: 1824
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84922B30 ] TID: 1832
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84940DA8 ] TID: 1836
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85BBB370 ] TID: 1840
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x85C9D8D0 ] TID: 1852
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849114A0 ] TID: 1860
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84AAA020 ] TID: 1864
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84925BC8 ] TID: 1880
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C81548 ] TID: 1884
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x8499EB30 ] TID: 1888
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x849A1DA8 ] TID: 1892
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84941DA8 ] TID: 1896
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x8491FDA8 ] TID: 1900, 2097252 bytes
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x85C805F8 ] TID: 1904, 2147450879 bytes
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x8493DDA8 ] TID: 1908, 998992 bytes
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x8493DB30 ] TID: 1912
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84916DA8 ] TID: 1916
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x8491EDA8 ] TID: 1920
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x8491EB30 ] TID: 1924
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x848ECDA8 ] TID: 1928, 2097252 bytes
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x848ECB30 ] TID: 1932
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x848EDDA8 ] TID: 1936
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x848EDB30 ] TID: 1940, 12845117 bytes
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x848EFDA8 ] TID: 1944
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x84940B30 ] TID: 1948
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84916B30 ] TID: 1952
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x85C812D0 ] TID: 1956
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x848EFB30 ] TID: 1960
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x85C86DA8 ] TID: 1964
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84945DA8 ] TID: 1968
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x85C0D7A0 ] TID: 1972, 1104640 bytes
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84923DA8 ] TID: 1976
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x8493FDA8 ] TID: 1980, 34209795 bytes
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x8493FB30 ] TID: 1984
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84914DA8 ] TID: 1988
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84918BC8 ] TID: 1992
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x8491ADA8 ] TID: 1996
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x8491CBC8 ] TID: 2000
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x8491AB30 ] TID: 2008
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x85C41968 ] TID: 2016
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84926DA8 ] TID: 2020
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x849A6DA8 ] TID: 2024
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84924DA8 ] TID: 2028
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8492C660 ] TID: 2040
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847595E0 ] TID: 2060, 6357054 bytes
0x80561500 Faked ServiceTable-->RTHDCPL.exe [ ETHREAD 0x84A8B568 ] TID: 2072
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8483E020 ] TID: 2076, 19203996 bytes
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x847E4C90 ] TID: 2080
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x847039F8 ] TID: 2084, 925584 bytes
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x85C20790 ] TID: 2088
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x85DF14B0 ] TID: 2092
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x85DF1238 ] TID: 2096
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84A38DA8 ] TID: 2112
0x80561500 Faked ServiceTable-->FsUsbExService.Exe [ ETHREAD 0x84824020 ] TID: 2128
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x84712DA8 ] TID: 2136
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x84848DA8 ] TID: 2140
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8479DB30 ] TID: 2144, 5505125 bytes
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8479DDA8 ] TID: 2148
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x85D92B30 ] TID: 2152, 6357054 bytes
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8479D8B8 ] TID: 2156
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x848BADA8 ] TID: 2160, 1298416 bytes
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847D5BE0 ] TID: 2176
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847A1C18 ] TID: 2180
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84A8FB60 ] TID: 2184
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85D609B8 ] TID: 2188, 328472 bytes
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85DC8BA0 ] TID: 2192
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85C8A4B8 ] TID: 2196, 6357054 bytes
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8479D640 ] TID: 2200
0x80561500 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x849284C0 ] TID: 2204, 7536702 bytes
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84760B30 ] TID: 2208
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85CF7790 ] TID: 2212
0x80561500 Faked ServiceTable-->csrss.exe [ ETHREAD 0x84864810 ] TID: 2216
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84D00BA8 ] TID: 2220
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x8484BDA8 ] TID: 2228
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x849BE998 ] TID: 2236
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x849BE720 ] TID: 2240
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84D03338 ] TID: 2244, 5505125 bytes
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84B5E770 ] TID: 2252
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85C1EBD8 ] TID: 2256
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84A8F7A0 ] TID: 2260
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84D03020 ] TID: 2264, 5505125 bytes
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85C89B30 ] TID: 2268
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84D01020 ] TID: 2272
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849BEDA8 ] TID: 2276
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85CF6BA8 ] TID: 2280
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85C153B0 ] TID: 2284
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847B05A0 ] TID: 2288
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84708370 ] TID: 2292
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84715928 ] TID: 2296, 19207548 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8497E5C0 ] TID: 2300
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849F9528 ] TID: 2304, 33947659 bytes
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x849EADA8 ] TID: 2340
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x847AC818 ] TID: 2352, 19204524 bytes
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x8483EDA8 ] TID: 2356
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84AB1BA0 ] TID: 2364
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84A6ABA0 ] TID: 2376
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x84794370 ] TID: 2384
0x80561500 Faked ServiceTable-->NMSAccessU.exe [ ETHREAD 0x84D039A0 ] TID: 2388, 3407924 bytes
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x84A69890 ] TID: 2392, 6357054 bytes
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x847117E0 ] TID: 2396, 4456513 bytes
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85C72C40 ] TID: 2404
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x84726A50 ] TID: 2412, 7471215 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84977678 ] TID: 2416
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x847CC1F8 ] TID: 2420
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85D466B8 ] TID: 2424
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84728BA0 ] TID: 2436
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x8479A930 ] TID: 2448
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x846F9CE0 ] TID: 2460
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85CE4928 ] TID: 2472
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x849AF428 ] TID: 2492, 3997757 bytes
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x85C9C590 ] TID: 2496, 2097196 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84891718 ] TID: 2516, 3145784 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84A25B10 ] TID: 2520
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x848AD630 ] TID: 2524
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84A25DA8 ] TID: 2528
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84905DA8 ] TID: 2532
0x80561500 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x84904DA8 ] TID: 2536
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x84741750 ] TID: 2568, 6029362 bytes
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x84978A70 ] TID: 2572
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85C128A8 ] TID: 2576
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x848AE7F8 ] TID: 2580
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x84719BA8 ] TID: 2592, 6619256 bytes
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84794DA8 ] TID: 2608
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847497A8 ] TID: 2612
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85CE4DA8 ] TID: 2624
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84A6BBD0 ] TID: 2648
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849F3598 ] TID: 2652
0x80561500 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x848639B0 ] TID: 2656
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x84723928 ] TID: 2660
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84761020 ] TID: 2668
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84862450 ] TID: 2676
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847265C0 ] TID: 2680
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84A2F2E8 ] TID: 2708
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x85CBC668 ] TID: 2712
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84934020 ] TID: 2716
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84934DA8 ] TID: 2720
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84934B30 ] TID: 2724
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x849348B8 ] TID: 2728
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x846FFB40 ] TID: 2732
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85CE5888 ] TID: 2736
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847B55D8 ] TID: 2740
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x85DA2B60 ] TID: 2744
0x80561500 Faked ServiceTable-->TomTomHOMEService.exe [ ETHREAD 0x849EF020 ] TID: 2756
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x849F6AB0 ] TID: 2760
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84736020 ] TID: 2768
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84728518 ] TID: 2776
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85DA5DA8 ] TID: 2784
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85DA5B30 ] TID: 2788
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84862A40 ] TID: 2792
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x84A03020 ] TID: 2796
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x849F0DA8 ] TID: 2800
0x80561500 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x85C14800 ] TID: 2808
0x80561500 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x84A24DA8 ] TID: 2812
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84713928 ] TID: 2816
0x80561500 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x85CE6B30 ] TID: 2832
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847D2678 ] TID: 2852
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x849E5258 ] TID: 2856
0x80561500 Faked ServiceTable-->TomTomHOMEService.exe [ ETHREAD 0x849EFDA8 ] TID: 2876
0x80561500 Faked ServiceTable-->TomTomHOMEService.exe [ ETHREAD 0x8473C020 ] TID: 2880
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x84A1D858 ] TID: 2888
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85CBC020 ] TID: 2900
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847009E8 ] TID: 2912
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x848B3B40 ] TID: 2920
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84751BA0 ] TID: 2932
0x80561500 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x84734020 ] TID: 2944
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84997DA8 ] TID: 2960
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84997B30 ] TID: 2964
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x849C6518 ] TID: 2984
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84A07DA8 ] TID: 2988
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x849C5618 ] TID: 2992
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84976DA8 ] TID: 2996
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84756DA8 ] TID: 3000
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84A034A0 ] TID: 3004
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x85BED3B0 ] TID: 3012
0x80561500 Faked ServiceTable-->CFD.exe [ ETHREAD 0x84811DA8 ] TID: 3024
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847FDB30 ] TID: 3028
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85D8D360 ] TID: 3032, 7864421 bytes
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x846D97C8 ] TID: 3044, 7340129 bytes
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847E9DA8 ] TID: 3068
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x8484B4B8 ] TID: 3072
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84A19DA8 ] TID: 3084, 3997757 bytes
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x8478EDA8 ] TID: 3088, 2097196 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85D8D020 ] TID: 3116, 10 bytes
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8473BDA8 ] TID: 3120
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84A2FB08 ] TID: 3124
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8472F7B8 ] TID: 3128
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x85BEE790 ] TID: 3132
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84715DA8 ] TID: 3144
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x848676F0 ] TID: 3152, 7536702 bytes
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x84A03DA8 ] TID: 3160, 6357054 bytes
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x84A03B30 ] TID: 3164
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x84A05868 ] TID: 3172
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x847565D0 ] TID: 3176, 7274600 bytes
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8472F2C8 ] TID: 3180, 1013192 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x846D09A0 ] TID: 3184, 446 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847B5360 ] TID: 3204
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84A038B8 ] TID: 3212
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x85CDCDA8 ] TID: 3216
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x85CDCB30 ] TID: 3220
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x849ED620 ] TID: 3228
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x85CB6720 ] TID: 3232, 7077993 bytes
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x85CA15B8 ] TID: 3236
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x849EDA30 ] TID: 3240
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8471D020 ] TID: 3244
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x85BD4818 ] TID: 3248
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8473EDA8 ] TID: 3252
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x847569F8 ] TID: 3256, 7864421 bytes
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84818DA8 ] TID: 3260, 7340129 bytes
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8489ADA8 ] TID: 3264, 7340146 bytes
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x84A089F8 ] TID: 3272, 7274612 bytes
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x849ED020 ] TID: 3276
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x85BF9DA8 ] TID: 3284
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x8474F020 ] TID: 3288
0x80561500 Faked ServiceTable-->CFD.exe [ ETHREAD 0x84885920 ] TID: 3292, 38184 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x846FC020 ] TID: 3296
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x8489AB30 ] TID: 3304
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84A2EDA8 ] TID: 3316
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84932DA8 ] TID: 3320
0x80561500 Faked ServiceTable-->CFD.exe [ ETHREAD 0x84765BA8 ] TID: 3336
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x85BEDDA8 ] TID: 3348, 6881396 bytes
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x85CDFDA8 ] TID: 3352, 6881357 bytes
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x84908DA8 ] TID: 3356, 7864421 bytes
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x84908B30 ] TID: 3360, 7340129 bytes
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x849086B0 ] TID: 3364
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x849FBDA8 ] TID: 3368, 3997757 bytes
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x85BEDB30 ] TID: 3376, 2097196 bytes
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x85BED8B8 ] TID: 3380, 6225993 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84A29020 ] TID: 3384, 4456526 bytes
0x80561500 Faked ServiceTable-->avgam.exe [ ETHREAD 0x84807678 ] TID: 3388, 6881388 bytes
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x85CFFDA8 ] TID: 3392
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x85CFFB30 ] TID: 3396
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x849FBA18 ] TID: 3404, 4587640 bytes
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x849BFDA8 ] TID: 3416, 6357111 bytes
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x84990DA8 ] TID: 3420
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x85CDBDA8 ] TID: 3424
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84A29DA8 ] TID: 3428
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84806588 ] TID: 3432
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x84993588 ] TID: 3436
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x85BE0DA8 ] TID: 3440
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x84A27BD8 ] TID: 3444
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84993DA8 ] TID: 3448
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84931DA8 ] TID: 3452
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x85CFF8B8 ] TID: 3456
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x85CFF640 ] TID: 3460
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x85C467C0 ] TID: 3464
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x85C46548 ] TID: 3468
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84A28DA8 ] TID: 3472
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84902DA8 ] TID: 3480
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84931898 ] TID: 3512
0x80561500 Faked ServiceTable-->wuauclt.exe [ ETHREAD 0x847AE760 ] TID: 3536
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84782020 ] TID: 3544
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x84730BA0 ] TID: 3564
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848BB9B0 ] TID: 3592
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x849EB6A8 ] TID: 3596
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x85C9B950 ] TID: 3600
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x848FE5A8 ] TID: 3604
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849EB2C8 ] TID: 3612
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x8497DB68 ] TID: 3616
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8497B020 ] TID: 3648
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8490CDA8 ] TID: 3652
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847389A0 ] TID: 3660
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x846CB020 ] TID: 3664
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x8497CDA8 ] TID: 3676
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8472FBC8 ] TID: 3680
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84714450 ] TID: 3688
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x848FF720 ] TID: 3696
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847E0DA8 ] TID: 3704
0x80561500 Faked ServiceTable-->WMAAD.exe [ ETHREAD 0x84813878 ] TID: 3712
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x849C0B40 ] TID: 3720
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8471C5B8 ] TID: 3744
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8472D020 ] TID: 3748
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x847F3AD0 ] TID: 3752
0x80561500 Faked ServiceTable-->avgemc.exe [ ETHREAD 0x85A43928 ] TID: 3756
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84805DA8 ] TID: 3760
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8490CB30 ] TID: 3768
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8474D998 ] TID: 3788
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84A22DA8 ] TID: 3792
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8486D798 ] TID: 3796
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x84782660 ] TID: 3804
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84803020 ] TID: 3808
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8474DDA8 ] TID: 3812
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8492F5B8 ] TID: 3816
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x8474C600 ] TID: 3824
0x80561500 Faked ServiceTable-->alg.exe [ ETHREAD 0x847DCBA0 ] TID: 3828
0x80561500 Faked ServiceTable-->alg.exe [ ETHREAD 0x847DC020 ] TID: 3832
0x80561500 Faked ServiceTable-->alg.exe [ ETHREAD 0x847E0020 ] TID: 3836
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8472EB18 ] TID: 3840
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x846D19A0 ] TID: 3856
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x84798788 ] TID: 3864
0x80561500 Faked ServiceTable-->services.exe [ ETHREAD 0x84953DA8 ] TID: 3872
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84A225B0 ] TID: 3876
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x84795020 ] TID: 3896
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x846E64B0 ] TID: 3900
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x847E6DA8 ] TID: 3908
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x84686908 ] TID: 3912
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847E17B8 ] TID: 3916
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85BE3020 ] TID: 3920
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85D7E4D8 ] TID: 3932
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x847B8020 ] TID: 3936
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x848C3BA8 ] TID: 3940
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x848C3930 ] TID: 3944
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x84A23DA8 ] TID: 3948
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x847197A8 ] TID: 3952
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x847CDDA8 ] TID: 3956
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x846E5790 ] TID: 3960
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x846E5518 ] TID: 3964
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x8483F020 ] TID: 3968
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x846D2B38 ] TID: 3972
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x84995798 ] TID: 3988
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x848BAB30 ] TID: 3992
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x8486C588 ] TID: 3996
0x80561500 Faked ServiceTable-->avgfws9.exe [ ETHREAD 0x85D7D020 ] TID: 4000
0x80561500 Faked ServiceTable-->avgnsx.exe [ ETHREAD 0x8486C020 ] TID: 4004
0x80561500 Faked ServiceTable-->avgcsrvx.exe [ ETHREAD 0x847698B8 ] TID: 4008
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x847CDB30 ] TID: 4012
0x80561500 Faked ServiceTable-->avgwdsvc.exe [ ETHREAD 0x849F7DA8 ] TID: 4028
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x84768698 ] TID: 4048
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x847BC3B8 ] TID: 4052
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84769B30 ] TID: 4060
0x80561500 Faked ServiceTable-->avgchsvx.exe [ ETHREAD 0x84798510 ] TID: 4064
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8475E020 ] TID: 4076
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x85D9D948 ] TID: 4088


Apart from slow boot-up and running, I also get the "Found new hardware" window popping up, which I just cancel because there is no new hardware.

Thank you very much Gringo, I greatly appreciate help with this. Kind regards, Jim.

Edited by abaddon.abyss, 22 September 2010 - 11:35 AM.
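
As an added triage aid (example code written for this page, not part of GMER and not something posted in the thread), the script below parses lines in the "Faked ServiceTable" format shown above and summarizes how many threads, in which processes, point at which table address. The sample lines embedded in it are constructed to match the shape of the log rather than copied wholesale, and the function names are this example's own. GMER prints such a line for each thread whose kernel-side ServiceTable pointer does not lead to the kernel's own system service table. The checks worth automating are whether every flagged thread shares one and the same address and whether the security product's own processes are among those flagged: one address shared by every thread, the antivirus's included, is the footprint of a system-wide kernel hook, which both rootkits and security suites that hook the SSDT produce, so the summary narrows the question rather than settling it and has to be read alongside the loaded-driver list from the same scan.

```python
import re
from collections import Counter

# Constructed sample in the format GMER uses for its per-thread
# ServiceTable check (same shape as the log above, not the full log).
SAMPLE_LOG = """\
0x80561500 Faked ServiceTable-->lsass.exe [ ETHREAD 0x85D3C608 ] TID: 1112
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C6ABF0 ] TID: 1280, 8781832 bytes
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847B35D8 ] TID: 1344
0x80561500 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x847DB020 ] TID: 1348
0x80561500 Faked ServiceTable-->avgrsx.exe [ ETHREAD 0x849A3BC8 ] TID: 1492, 3014764 bytes
0x80561500 Faked ServiceTable-->svchost.exe [ ETHREAD 0x85C68DA8 ] TID: 1284
"""

# One line: <table address> Faked ServiceTable--><image> [ ETHREAD <addr> ] TID: <n>[, <n> bytes]
LINE_RE = re.compile(
    r"^(?P<table>0x[0-9A-Fa-f]{8}) Faked ServiceTable-->(?P<image>\S+) "
    r"\[ ETHREAD (?P<ethread>0x[0-9A-Fa-f]{8}) \] TID: (?P<tid>\d+)"
    r"(?:, (?P<bytes>\d+) bytes)?$"
)


def parse_faked_servicetable(text):
    """Return one dict per 'Faked ServiceTable' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "table": int(m["table"], 16),      # address the thread's ServiceTable points at
            "image": m["image"],               # owning process image name
            "ethread": int(m["ethread"], 16),  # kernel ETHREAD address
            "tid": int(m["tid"]),
            "bytes": int(m["bytes"]) if m["bytes"] else None,  # trailing size, when GMER prints one
        })
    return entries


def summarize(entries):
    """Aggregate flagged threads by table address and by process image."""
    tables = Counter(e["table"] for e in entries)
    per_image = Counter(e["image"] for e in entries)
    return {
        "threads": len(entries),
        "tables": {f"0x{t:08X}": n for t, n in tables.items()},
        "per_image": dict(per_image),
        # One shared address across all threads points to a single system-wide hook.
        "single_table": len(tables) == 1,
    }


def images_with_prefix(entries, prefix):
    """Flagged process images starting with a prefix, e.g. 'avg' for the AV's own processes."""
    return sorted({e["image"] for e in entries if e["image"].lower().startswith(prefix.lower())})


if __name__ == "__main__":
    parsed = parse_faked_servicetable(SAMPLE_LOG)
    print(summarize(parsed))
    print("AV processes among the flagged:", images_with_prefix(parsed, "avg"))
```

Run it against a saved GMER log by reading the file into `parse_faked_servicetable` instead of `SAMPLE_LOG`; the per-image counts answer the poster's question of how many iexplore.exe threads are involved, and `images_with_prefix(entries, "avg")` shows whether the antivirus itself is hooked in the same way, which is the first thing to check before reading the shared address as evidence of a rootkit.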


#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:42 PM

Posted 22 September 2010 - 12:13 PM

Hello

Just delete the ComboFix you have now - I want to rerun a new, updated ComboFix.


update combofix

I would like you to download an updated version of ComboFix.
    Delete the version of ComboFix you have now on your desktop and download a new one from here.

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 abaddon.abyss

  • Topic Starter

  • Members
  • 18 posts
  • Local time:09:42 PM

Posted 22 September 2010 - 03:30 PM

Hello Gringo,
Deleted the old ComboFix and downloaded the new one, but when it ran it completed all 50 stages and then blue-screened with "BAD_POOL_HEADER":
"A problem has been detected and Windows has been shut down to prevent damage to your computer". No log from ComboFix was created. The same thing happened when I tried to run GMER for the first post.

Thanks Jim.

#6 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:42 PM

Posted 22 September 2010 - 04:00 PM

Hello

That is normally caused by the antivirus.


OK, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo


#7 abaddon.abyss

abaddon.abyss
  • Topic Starter

  • Members
  • 18 posts
  • Local time:09:42 PM

Posted 22 September 2010 - 04:46 PM

Hello Gringo,


Combofix log

ComboFix 10-09-22.02 - Administrator 22/09/2010 22:22:10.5.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.959.650 [GMT 1:00]
Running from: c:\documents and settings\aaaaaaaaa\Desktop\ComboFix.exe
AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jane.COMPUTER.000\Application Data\.#
c:\documents and settings\jane.COMPUTER.000\Application Data\.#\MBX@338@A24180.###
c:\documents and settings\jane.COMPUTER.000\Application Data\.#\MBX@338@A241B0.###
c:\documents and settings\jane.COMPUTER.000\Application Data\.#\MBX@338@A241E0.###

.
((((((((((((((((((((((((( Files Created from 2010-08-22 to 2010-09-22 )))))))))))))))))))))))))))))))
.

2010-09-22 21:16 . 2010-09-22 21:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-09-21 08:12 . 2010-09-21 08:12 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-21 08:12 . 2010-09-21 08:12 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-21 08:12 . 2010-09-21 08:12 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-21 08:12 . 2010-09-21 08:12 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-21 08:12 . 2010-09-21 08:12 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-21 08:12 . 2010-09-21 08:12 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-21 08:12 . 2010-09-21 08:12 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-21 08:12 . 2010-09-21 08:12 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-21 08:12 . 2010-09-21 08:12 2331032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfws9.exe
2010-09-21 08:12 . 2010-09-21 08:12 5649320 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\winspamcatcher.dll
2010-09-21 08:10 . 2010-09-21 08:10 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-13 15:51 . 2010-09-13 15:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-10 12:38 . 2010-09-10 12:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-29 09:11 . 2010-08-29 09:11 -------- d-----w- c:\program files\RSPCA_Cyberpet
2010-08-28 10:30 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-28 10:30 . 2010-08-28 12:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-28 10:30 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-22 19:58 . 2008-09-08 05:06 -------- d-----w- c:\program files\BitComet
2010-09-22 18:37 . 2009-07-05 14:34 63 ----a-w- c:\windows\popcinfot.dat
2010-09-21 07:50 . 2009-03-30 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-13 17:26 . 2010-05-20 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-09-13 17:26 . 2010-05-20 17:33 -------- d-----w- c:\program files\NCH Swift Sound
2010-09-13 17:24 . 2010-05-20 20:32 -------- d-----w- c:\documents and settings\aaaaaaaaa\Application Data\NCH Swift Sound
2010-09-11 09:48 . 2009-07-11 21:20 -------- d-----w- c:\program files\Crayon Physics Deluxe
2010-09-11 07:17 . 2009-11-10 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-10 13:10 . 2010-06-28 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-08-25 11:05 . 2008-12-03 18:06 -------- d-----w- c:\program files\Peggle Nights Deluxe
2010-08-20 16:45 . 2009-05-28 08:28 86568 ----a-w- c:\documents and settings\sally.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-20 16:45 . 2010-08-20 16:45 -------- d-----w- c:\documents and settings\sally.COMPUTER\Application Data\Vodafone
2010-08-20 06:41 . 2010-08-20 06:41 -------- d-----w- c:\documents and settings\jane.COMPUTER.000\Application Data\Vodafone
2010-08-19 16:34 . 2010-08-19 16:34 -------- d-----w- c:\documents and settings\aaaaaaaaa\Application Data\Vodafone
2010-08-19 16:34 . 2010-08-19 16:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Vodafone
2010-08-19 16:33 . 2010-08-19 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Vodafone
2010-08-18 06:06 . 2008-11-18 19:54 -------- d-----w- c:\documents and settings\jane.COMPUTER.000\Application Data\Canon
2010-08-06 22:34 . 2010-08-06 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-08-06 18:28 . 2010-08-06 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-06 18:28 . 2010-08-06 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-08-03 09:19 . 2010-08-03 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2010-08-03 09:18 . 2010-08-03 09:18 -------- d-----w- c:\documents and settings\aaaaaaaaa\Application Data\TomTom
2010-08-03 09:18 . 2010-08-03 09:18 -------- d-----w- c:\program files\TomTom International B.V
2010-08-03 09:18 . 2010-08-03 09:18 -------- d-----w- c:\program files\TomTom HOME 2
2010-08-03 09:17 . 2010-08-03 09:17 -------- d-----w- c:\program files\TomTom DesktopSuite
2010-01-17 19:26 . 2008-10-04 14:19 2776 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-13_16.24.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-04 12:44 . 2010-09-18 21:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-04 12:44 . 2010-09-09 09:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-04 12:44 . 2010-09-18 21:46 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-04 12:44 . 2010-09-09 09:46 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-04 12:44 . 2010-09-18 21:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-04 12:44 . 2010-09-09 09:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 16384512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"WMAAD"="c:\program files\Sony\WALKMAN Launcher\WMAAD.exe" [2007-02-16 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2009-09-26 413696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"NPSStartup"="" [BU]
"nwiz"="nwiz.exe" [BU]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]

c:\documents and settings\sally.COMPUTER\Start Menu\Programs\Startup\
RSPCA_Cyberpet2368320353.lnk - c:\program files\RSPCA_Cyberpet\RSPCA_Cyberpet.exe [2010-8-29 1317816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-22 07:43 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"RequireSignedAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-08-03 08:29 102400 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 00:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-27 20:31 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-06-24 14:41 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"mW[ķµˆÖ¾`=µś¾˜v%S8’’Łźé>grl>­Ż\†Š=ŸąŪ±Ž"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9952:TCP"= 9952:TCP:BitComet 9952 TCP
"9952:UDP"= 9952:UDP:BitComet 9952 UDP
"20251:TCP"= 20251:TCP:BitComet 20251 TCP
"20251:UDP"= 20251:UDP:BitComet 20251 UDP
"13976:TCP"= 13976:TCP:BitComet 13976 TCP
"13976:UDP"= 13976:UDP:BitComet 13976 UDP
"9690:TCP"= 9690:TCP:BitComet 9690 TCP
"9690:UDP"= 9690:UDP:BitComet 9690 UDP
"11492:TCP"= 11492:TCP:BitComet 11492 TCP
"11492:UDP"= 11492:UDP:BitComet 11492 UDP
"12717:TCP"= 12717:TCP:BitComet 12717 TCP
"12717:UDP"= 12717:UDP:BitComet 12717 UDP
"10879:TCP"= 10879:TCP:BitComet 10879 TCP
"10879:UDP"= 10879:UDP:BitComet 10879 UDP
"17684:TCP"= 17684:TCP:BitComet 17684 TCP
"17684:UDP"= 17684:UDP:BitComet 17684 UDP
"65535:TCP"= 65535:TCP:BitComet 65535 TCP
"65535:UDP"= 65535:UDP:BitComet 65535 UDP

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [10/11/2009 12:50 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [04/10/2008 12:25 52872]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/10/2008 12:25 216400]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/10/2008 12:25 243024]
S2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [22/06/2010 08:41 921952]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [22/06/2010 08:42 308136]
S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [22/06/2010 08:41 2331544]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [22/06/2010 08:42 5897808]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [20/05/2010 20:24 233472]
S2 gupdate1c9b12b228a4c6e;Google Update Service (gupdate1c9b12b228a4c6e);c:\program files\Google\Update\GoogleUpdate.exe [30/03/2009 12:31 133104]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 15:41 92008]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [04/10/2008 12:24 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [04/10/2008 12:24 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [10/11/2009 12:49 122448]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [10/11/2009 12:49 30288]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [10/11/2009 12:49 26192]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [20/05/2010 20:24 36608]
S3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe [04/10/2008 16:08 75952]
S3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe [04/10/2008 16:08 67760]
S3 License Management Service SON;License Management Service SON;c:\program files\Common Files\esonopress Shared\Service\Licence Manager SON.exe [11/07/2009 10:05 69632]
S3 RegVacService;RegVac Registry Service;c:\program files\RegVac Registry Cleaner\RegVserv.exe [08/09/2008 04:53 447488]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [20/05/2010 20:24 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [20/05/2010 20:24 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [20/05/2010 20:24 121856]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXHELP20
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 11:30]

2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 11:31]

2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.co.uk/ws/eBayISAPI.dll?MyEbay&gbh=1&_trksid=m37
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-22 22:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-22 22:36:16
ComboFix-quarantined-files.txt 2010-09-22 21:36

Pre-Run: 69,246,410,752 bytes free
Post-Run: 69,916,499,968 bytes free

- - End Of File - - 9A62A29B66B9A63AF6DC2BE303DD90AB


Thanks Jim.
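The ComboFix report above is plain text with bracketed section headers, so the parts that matter most for triage here (the Windows Firewall standard-profile policy, its authorized-application and globally-open-port lists, and the HKLM Run loading points) can be pulled out and checked automatically rather than read by eye. The Python script below is an added example for this purpose; it is not part of this thread, nor ComboFix's own code. The excerpt it parses is constructed from lines of the log posted above, and the `P2P_HINTS` list is an assumption limited to the two clients that appear in that log.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (values copied from it).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 16384512]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"NPSStartup"="" [BU]
"nwiz"="nwiz.exe" [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9952:TCP"= 9952:TCP:BitComet 9952 TCP
"9952:UDP"= 9952:UDP:BitComet 9952 UDP
"65535:TCP"= 65535:TCP:BitComet 65535 TCP
"65535:UDP"= 65535:UDP:BitComet 65535 UDP
"""

# Assumption: substrings identifying P2P clients; only the two named in the posted log.
P2P_HINTS = ("bitcomet", "utorrent")

SECTION_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*(\[.*\])?$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
FLAG_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


def parse_combofix(text):
    """Walk the REGEDIT4-style dump and collect the sections we care about."""
    report = {"firewall_enabled": None, "authorized_apps": [], "open_ports": [], "run_entries": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()      # registry paths are case-insensitive
            continue
        if section.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                name, cmd, tag = m.groups()
                report["run_entries"].append({"name": name, "command": cmd, "tag": tag or ""})
        elif section.endswith("authorizedapplications\\list"):
            if line.endswith("="):            # "<escaped path>"=   -> unescape the doubled backslashes
                report["authorized_apps"].append(line[1:-2].replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                report["open_ports"].append((int(m.group(1)), m.group(2), m.group(3).strip()))
        elif section.endswith("standardprofile"):
            m = FLAG_RE.match(line)
            if m:
                report["firewall_enabled"] = m.group(1) != "0"
    return report


def findings(report):
    """Turn the parsed sections into human-readable triage lines, most severe first."""
    out = []
    if report["firewall_enabled"] is False:
        out.append("Windows Firewall is disabled in the standard profile")
    for entry in report["run_entries"]:
        if not entry["command"]:
            out.append(f"Run entry {entry['name']!r} has an empty command")
        elif "\\" not in entry["command"]:
            # A bare file name is resolved through the search path at logon, so it is worth locating.
            out.append(f"Run entry {entry['name']!r} has no path ({entry['command']}); resolved via search path")
    for app in report["authorized_apps"]:
        if any(h in app.lower() for h in P2P_HINTS):
            out.append(f"Firewall exception for P2P client: {app}")
    by_label = {}
    for port, proto, label in report["open_ports"]:
        by_label.setdefault(label.split()[0], []).append(f"{port}/{proto}")
    for label, ports in sorted(by_label.items()):
        out.append(f"{len(ports)} inbound port exception(s) for {label}: {', '.join(ports)}")
    return out


if __name__ == "__main__":
    for line in findings(parse_combofix(SAMPLE_LOG)):
        print(line)
```

Run against the excerpt, the script reports the disabled firewall, the two Run entries that are bare file names, the empty `NPSStartup` entry, the two P2P clients that have been granted inbound exceptions, and the full set of ports the BitComet exceptions open. None of these is a detection on its own, but together they are the items a responder would want to confirm before declaring the machine clean, which is the same ground gringo's P2P warning in the next post covers.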

#8 abaddon.abyss

abaddon.abyss
  • Topic Starter

  • Members
  • 18 posts
  • Local time:09:42 PM

Posted 22 September 2010 - 04:50 PM

Hello Gringo,
I will be going to bed soon and will not be at my computer for approx 18 hours. Once again thank you very much for your help.

Kind regards Jim.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:42 PM

Posted 22 September 2010 - 10:21 PM

Hello Jim

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Java™ 6 Update 3
    Java™ 6 Update 7


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java
  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo




#10 abaddon.abyss

abaddon.abyss
  • Topic Starter

  • Members
  • 18 posts
  • Local time:09:42 PM

Posted 23 September 2010 - 12:26 PM

Hello Gringo, I trust you are well,

I already have the latest version of Adobe Reader (version 9) so no update necessary.

Here are the requested logs:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4676

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

23/09/2010 17:30:48
mbam-log-2010-09-23 (17-30-48).txt

Scan type: Quick scan
Objects scanned: 199945
Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:00:02, on 23/09/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dll?MyeBay
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WMAAD] C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspvpk.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-31-0.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Google Update Service (gupdate1c9b12b228a4c6e) (gupdate1c9b12b228a4c6e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Image Converter SCSI Service (ICScsiSV) - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe
O23 - Service: IcVzMonLauncher - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: License Management Service SON - e-sonopress - C:\Program Files\Common Files\esonopress Shared\Service\Licence Manager SON.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegVac Registry Service (RegVacService) - Super Win Software, Inc. - C:\Program Files\RegVac Registry Cleaner\RegVServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 11755 bytes

Thanks Jim.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:42 PM

Posted 23 September 2010 - 02:03 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
      O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
      O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
      O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [WMAAD] C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
      O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on the IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 abaddon.abyss

abaddon.abyss
  • Topic Starter

  • Members
  • 18 posts
  • Local time:09:42 PM

Posted 23 September 2010 - 03:51 PM

Hello Gringo,
Removed unneeded startup entries. Ran ESET.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ee8d3398acac9b4baf14a2b37fb5311b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-09-23 08:43:25
# local_time=2010-09-23 09:43:25 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 9443 9443 0 0
# compatibility_mode=1279 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 135 135 0 0
# scanned=100294
# found=1
# cleaned=0
# scan_time=4009
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\avgldx86.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I


Thanks Jim.

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:42 PM

Posted 23 September 2010 - 04:01 PM

Hello

The Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\. Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:
  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

:Turn On Automatic Updates:
    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

please read this great article by miekiemoes How to prevent Malware:

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Gringo


#14 abaddon.abyss

abaddon.abyss
  • Topic Starter

  • Members
  • 18 posts
  • Local time:09:42 PM

Posted 23 September 2010 - 05:15 PM

Hello Gringo,
O.K. All instructions followed and everything seems fine, although I still have multiple iexplorer.exe running in the process manager even with only one Tab open, but after searching this forum I found that it seems to be a known flaw with IE8 (( unbelievable I know! ) NOT.)

Many many thanks for your patience and outstanding help. Best wishes Jim.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:42 PM

Posted 23 September 2010 - 05:47 PM

Hello jim

Thank you and you are most welcome

Surf in peace


Gringo