Viruses & Spyware ABOUND

Microsoft Windows XP Home SP2
December 1, 2009 at 10:23:18
Specs: Windows XP
I have the same problem as other posts had that began with the Google redirect... escalated into pop-ups, even without IE open. Have DSL, spyware terminator & avast home edition & STILL having huge problems. Hope you can help! I can reformat if necessary. I can also provide the logs from the spyware terminator, malwarebytes & hijackthis to the appropriate people if needed. PLEASE HELP!
Thanks!

#1
December 1, 2009 at 10:36:51
Please save this file to your desktop.

Win32kDiag.exe

Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate post) in your next reply.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.


#2
December 2, 2009 at 06:58:07
This is all I got from the Win32kDiag:

Running from: C:\Documents and Settings\Emily\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Emily\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


#3
December 2, 2009 at 07:00:42
Here's the RSIT log, first one:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Emily at 2009-12-02 10:02:12
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 137 GB (90%) free of 153 GB
Total RAM: 447 MB (19% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:39 AM, on 12/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Documents and Settings\Emily\Desktop\RSIT.exe
C:\Documents and Settings\Emily\Desktop\Emily.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Big%20City%20Adventure%20-%20Sydney,%20Australia/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://E:\MCF - Prime Suspects\Images\armhelper.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://l.yimg.com/jh/games/web_game...
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O18 - Filter hijack: text/html - {1f8b1c69-82cf-442d-bc6d-0fc1b7554d94} - C:\WINDOWS\batmeter16.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O24 - Desktop Component 0: (no name) - http://render-2.snapfish.com/render...
O24 - Desktop Component 1: (no name) - file:///C:/SCRABBLE/Images/ads/logotop2.gif

--
End of file - 10096 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
C:\PROGRA~1\Crawler\Toolbar\ctbr.dll [2009-09-22 1219072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}]
AT&&T Toolbar - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL [2008-05-23 1865544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2007-12-12 222448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-10-16 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-10-16 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4B3803EA-5230-4DC3-A7FC-33638F3D3542} - &Crawler Toolbar - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll [2009-09-22 1219072]
{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - AT&&T Toolbar - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL [2008-05-23 1865544]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-10-16 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2004-04-21 286720]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2004-04-14 233472]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-06-29 88363]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2004-02-18 49152]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2007-12-23 26112]
"FaxCenterServer4_in_1"=C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe [2004-01-22 151552]
""= []
"Lexmark 4200 Series"=C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe [2004-01-16 57344]
"SpywareTerminator"=C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe [2009-11-27 2172416]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"ATT-SST_McciTrayApp"=C:\Program Files\ATT-SST\McciTrayApp.exe [2008-09-18 1529856]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"DW6"=C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [2009-10-08 818288]
"SpywareTerminatorUpdate"=C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe [2009-11-27 3055616]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe"="C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe:*:Enabled:BackWeb for Presario"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"D:\Alien Shooter\AlienShooter.exe"="D:\Alien Shooter\AlienShooter.exe:*:Disabled:AlienShooter Application"
"C:\Documents and Settings\Emily\Desktop\Alien Shooter\AlienShooter.exe"="C:\Documents and Settings\Emily\Desktop\Alien Shooter\AlienShooter.exe:*:Enabled:AlienShooter Application"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\GameHouse\TextTwist\TextTwist.exe"="C:\GameHouse\TextTwist\TextTwist.exe:*:Enabled:Super TextTwist"
"C:\GameHouse\Collapse\Collapse.exe"="C:\GameHouse\Collapse\Collapse.exe:*:Enabled:Super Collapse!"
"C:\Alien Shooter\AlienShooter.exe"="C:\Alien Shooter\AlienShooter.exe:*:Disabled:AlienShooter Application"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\ATT-HSI\McciBrowser.exe"="C:\Program Files\ATT-HSI\McciBrowser.exe:*:Enabled:motivebrowser.exe"
"C:\Program Files\CallWave\IAM.exe"="C:\Program Files\CallWave\IAM.exe:*:Enabled:CallWave"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"="C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe:*:Enabled:Crawler Spyware Terminator"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b58d5780-487a-11da-88f0-00112f674cf2}]
shell\AutoRun\command - J:\JDSecure\Windows\JDSecure31.exe


======List of files/folders created in the last 1 months======

2009-12-02 10:02:12 ----D---- C:\rsit
2009-12-01 08:49:30 ----A---- C:\WINDOWS\system32\26500.exe
2009-12-01 08:39:56 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-01 08:29:28 ----A---- C:\WINDOWS\system32\6334.exe
2009-12-01 08:09:28 ----A---- C:\WINDOWS\system32\18467.exe
2009-11-28 21:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-28 09:56:45 ----A---- C:\WINDOWS\system32\javaws.exe
2009-11-28 09:56:44 ----A---- C:\WINDOWS\system32\javaw.exe
2009-11-28 09:56:44 ----A---- C:\WINDOWS\system32\java.exe
2009-11-27 21:52:26 ----D---- C:\WINDOWS\pss
2009-11-27 12:25:37 ----D---- C:\Documents and Settings\Emily\Application Data\Malwarebytes
2009-11-27 12:25:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-27 12:01:31 ----D---- C:\Program Files\Windows Live Safety Center
2009-11-27 08:46:29 ----D---- C:\Program Files\WinClamAVShield
2009-11-25 03:01:44 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-25 03:01:34 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2009-11-22 14:10:57 ----D---- C:\Documents and Settings\All Users\Application Data\PopCap
2009-11-13 15:36:28 ----D---- C:\Program Files\ScenicReflections
2009-11-13 15:36:04 ----A---- C:\WINDOWS\askToolbarInstaller-1.3.3.0.exe
2009-11-13 07:04:40 ----D---- C:\Program Files\The Weather Channel FW
2009-11-11 03:00:47 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-07 18:16:05 ----D---- C:\Documents and Settings\Emily\Application Data\Sony
2009-11-07 18:09:44 ----D---- C:\Documents and Settings\Emily\Application Data\Publish Providers
2009-11-07 18:09:44 ----D---- C:\Documents and Settings\Emily\Application Data\NetMedia Providers
2009-11-07 18:06:41 ----D---- C:\Program Files\Vstplugins
2009-11-07 18:06:23 ----D---- C:\Program Files\Sony
2009-11-07 18:04:40 ----D---- C:\Program Files\Sony Setup

======List of files/folders modified in the last 1 months======

2009-12-02 10:02:18 ----D---- C:\WINDOWS\Prefetch
2009-12-02 09:24:01 ----D---- C:\WINDOWS\Temp
2009-12-02 06:03:45 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2009-12-01 16:40:35 ----D---- C:\Documents and Settings\Emily\Application Data\LimeWire
2009-12-01 13:13:53 ----D---- C:\Documents and Settings\Emily\Application Data\Spyware Terminator
2009-12-01 13:04:46 ----A---- C:\WINDOWS\lexstat.ini
2009-12-01 09:03:33 ----D---- C:\WINDOWS\system32\drivers
2009-12-01 09:03:20 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-01 09:01:31 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-01 09:00:00 ----RD---- C:\Program Files
2009-12-01 08:59:59 ----D---- C:\WINDOWS\system32
2009-12-01 08:48:44 ----D---- C:\Program Files\Spyware Terminator
2009-12-01 07:55:10 ----D---- C:\Program Files\Common Files\Motive
2009-11-30 16:32:13 ----D---- C:\WINDOWS
2009-11-30 06:28:22 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-29 11:14:02 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-11-29 09:54:10 ----D---- C:\Config.Msi
2009-11-28 21:37:51 ----D---- C:\Documents and Settings\Emily\Application Data\AdobeUM
2009-11-28 21:37:47 ----SHD---- C:\WINDOWS\Installer
2009-11-28 21:29:32 ----D---- C:\Program Files\Adobe
2009-11-28 09:56:36 ----D---- C:\Program Files\Java
2009-11-28 08:58:28 ----HD---- C:\WINDOWS\inf
2009-11-28 08:56:16 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-27 20:53:26 ----D---- C:\WINDOWS\network diagnostic
2009-11-27 13:22:57 ----D---- C:\Program Files\Shared
2009-11-27 12:01:33 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-27 11:48:19 ----SHD---- C:\System Volume Information
2009-11-27 11:48:19 ----D---- C:\WINDOWS\system32\Restore
2009-11-27 11:23:13 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-27 11:22:49 ----D---- C:\Program Files\Online Services
2009-11-27 11:22:35 ----D---- C:\WINDOWS\addins
2009-11-25 03:01:47 ----A---- C:\WINDOWS\imsins.BAK
2009-11-25 03:01:00 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-25 03:00:45 ----D---- C:\WINDOWS\WinSxS
2009-11-24 18:54:29 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-11-22 09:48:12 ----D---- C:\MCF - Prime Suspects
2009-11-16 21:43:46 ----D---- C:\Hawaiian Explorer - Pearl Harbor
2009-11-07 18:05:49 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-11-05 09:36:22 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-24 27408]
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-11-24 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-24 48560]
R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2007-12-23 8552]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-11-24 94160]
R2 LxrJD31d;LxrJD31d; \??\C:\WINDOWS\system32\Drivers\LxrJD31d.sys []
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-24 23120]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2004-04-06 13872]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2002-07-30 23808]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2004-12-07 172672]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-11 391424]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2003-11-12 41984]
S3 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 sonypvs1;Sony Digital Imaging Video2; C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 102220]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-24 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-24 138680]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-11 153376]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-01-13 311296]
R2 LxrJD31s;Lexar JD31; C:\WINDOWS\system32\LxrJD31s.exe [2006-12-15 71168]
R2 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2008-09-23 303104]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2009-11-27 487936]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-24 254040]
R3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2004-04-21 401408]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-24 352920]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-14 182768]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------



#4
December 2, 2009 at 07:01:47
And here's the second RSIT log:

info.txt logfile of random's system information tool 1.06 2009-12-02 10:02:43

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
-->VTUninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Timer'
ABBYY FineReader 5.0 Sprint Plus-->MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->MsiExec.exe /X{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Agere Systems PCI Soft Modem-->agrsmdel
AT&T Self Support Tool-->C:\Program Files\ATT-SST\Uninstall.exe
AT&T Toolbar-->C:\Program Files\ATTToolbar\uninstall.exe
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Avery Cardoza's 100 Slots 2000-->C:\WINDOWS\uninst.exe -fC:\Cardoza\100Slots2K\DeIsL1.isu
Compaq Connections-->C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 6750491
Crawler Toolbar with Web Security Guard-->C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe uninst
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Help and Support Additions-->C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG
Heroes of Hellas (remove only)-->"C:\Program Files\Yahoo! Games\Heroes of Hellas\Uninstall.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Documents and Settings\Emily\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
HP Software Update-->MsiExec.exe /X{B81023A5-71ED-46EB-BE3B-9F974D1155F1}
ImageMixer VCD2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F8C6BABF-0837-4EA0-AD6C-8E5A392A7538}\setup.exe" -l0x9 UNINSTALL
InterVideo WinDVD Player-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{35AFD495-EC2E-4B2B-B9DB-30EEBC74049D}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216015FF}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
JD Secure 3.1-->C:\WINDOWS\System32\JDSecure31.exe /u
Lexmark 4200 Series Fax Solutions-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{C439D065-5B64-4563-A6B9-1AA202633E13} /l1033 /z/U
Lexmark 4200 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBMUN5C.EXE -dLexmark 4200 Series
LimeWire 5.3.6-->"C:\Program Files\LimeWire\uninstall.exe"
Macromedia Flash Player-->MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Python 2.2 combined Win32 extensions-->C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
S3 S3Display-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sony ACID Music Studio 7.0-->MsiExec.exe /X{A74C1699-4BCE-433F-82D6-F11207A0581B}
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spyware Terminator-->"C:\Program Files\Spyware Terminator\unins000.exe"
The Weather Channel Desktop 6-->C:\Program Files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
The Weather Channel Screensaver-->C:\PROGRA~1\THEWEA~1\SCREEN~1\UNWISE.EXE C:\PROGRA~1\THEWEA~1\SCREEN~1\INSTALL.LOG
Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VIA Rhine-Family Fast Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver-->VTsetvga.exe -s -rRundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\hg201hp.inf
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: Spyware Terminator
AV: avast! antivirus 4.8.1368 [VPS 091202-0]

======System event log======

Computer Name: FAMILY
Event Code: 32
Message: Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.


Record Number: 32017
Source Name: SideBySide
Time Written: 20091030140534.000000-240
Event Type: error
User:

Computer Name: FAMILY
Event Code: 59
Message: Generate Activation Context failed for C:\Program Files\LimeWire\lib\jacob-1.14.3-x86.dll.
Reference error message: The operation completed successfully.
.

Record Number: 32016
Source Name: SideBySide
Time Written: 20091030131815.000000-240
Event Type: error
User:

Computer Name: FAMILY
Event Code: 59
Message: Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Record Number: 32015
Source Name: SideBySide
Time Written: 20091030131815.000000-240
Event Type: error
User:

Computer Name: FAMILY
Event Code: 32
Message: Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.


Record Number: 32014
Source Name: SideBySide
Time Written: 20091030131815.000000-240
Event Type: error
User:

Computer Name: FAMILY
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 32013
Source Name: Tcpip
Time Written: 20091030121554.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: FAMILY
Event Code: 1000
Message: Faulting application game.exe, version 0.0.0.0, faulting module rpcrt4.dll, version 5.1.2600.2180, fault address 0x00012794.

Record Number: 3466
Source Name: Application Error
Time Written: 20080118141229.000000-300
Event Type: error
User:

Computer Name: FAMILY
Event Code: 1000
Message: Faulting application game.exe, version 0.0.0.0, faulting module rpcrt4.dll, version 5.1.2600.2180, fault address 0x00012794.

Record Number: 3465
Source Name: Application Error
Time Written: 20080118141229.000000-300
Event Type: error
User:

Computer Name: FAMILY
Event Code: 1000
Message: Faulting application game.exe, version 0.0.0.0, faulting module rpcrt4.dll, version 5.1.2600.2180, fault address 0x00012794.

Record Number: 3464
Source Name: Application Error
Time Written: 20080118141229.000000-300
Event Type: error
User:

Computer Name: FAMILY
Event Code: 1000
Message: Faulting application game.exe, version 0.0.0.0, faulting module rpcrt4.dll, version 5.1.2600.2180, fault address 0x00012794.

Record Number: 3463
Source Name: Application Error
Time Written: 20080118141229.000000-300
Event Type: error
User:

Computer Name: FAMILY
Event Code: 1000
Message: Faulting application game.exe, version 0.0.0.0, faulting module rpcrt4.dll, version 5.1.2600.2180, fault address 0x00012794.

Record Number: 3462
Source Name: Application Error
Time Written: 20080118141229.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Python22
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------



#5
December 2, 2009 at 08:30:59
Here's the GMER.log & thanks so much for the help!

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-02 11:23:32
Windows 5.1.2600 Service Pack 3
Running: 4sd4md2p.exe; Driver: C:\DOCUME~1\Emily\LOCALS~1\Temp\uwldypod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xEFB1988E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xEFB190EC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xEFB18DCE]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xEFB1A938]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xEFB18ED8]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xEFB18FC2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB38D614C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xEFB19BBC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xEFB193F4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB38D664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB38D608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB38D60F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB38D676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB38D672E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetInformationFile [0xEFB19526]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xEFB18BFC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xEFB19B04]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xEFB1970C]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[480] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[744] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[864] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84EDB369

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#6
December 2, 2009 at 09:20:09
Download SystemLook.exe from the following link.


SystemLook.exe


1. Double-click SystemLook.exe to run it.
2. Copy the content of the following code between the X's into the main textfield:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
:filefind
atapi*
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
3. Click the Look button to start the scan.
4. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt



#7
December 2, 2009 at 11:24:40
Here it is!

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:24 on 02/12/2009 by Emily (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\cmdcons\atapi.sy_ --a--- 49558 bytes [02:15 23/10/2004] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:54 08/10/2009] [12:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\I386\ATAPI.SY_ ------ 49558 bytes [03:50 12/08/2004] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [21:43 04/10/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [05:59 04/08/2004] [11:28 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [11:28 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-



#8
December 2, 2009 at 11:41:14
In some cases we are not getting the atapi.sys copied to the C:\ folder, so bear with us on the redundant run of SystemLook after the copy procedure.

Please run the following command from the Command Prompt, to do so:

1. Click on Start then Run
2. Type cmd in to the area to the right of Open:
3. Click OK
4. In the Command Prompt window that opens, copy and paste the Bold text below:

copy C:\WINDOWS\$NtServicePackUninstall$\atapi.sys C:\ /y

5. Press the Enter key on your keyboard.
6. If successful, you should receive the following message within the Command Prompt window:
1 file(s) copied
7. Exit the Command Prompt window.

Run SystemLook just as you did in response # 6 and post its log.



#9
December 3, 2009 at 05:23:18
Following is the new log, hope it helps... Also, my sound stopped working yesterday & this morning the avast program flew up saying:

c:\WINDOWS\system32\drivers\atapi.sys
WIN32:Alureon-EM[Rtk}

Great.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 08:14 on 03/12/2009 by Emily (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\atapi.sys --a--- 95360 bytes [13:13 03/12/2009] [12:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\cmdcons\atapi.sy_ --a--- 49558 bytes [02:15 23/10/2004] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:54 08/10/2009] [12:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\I386\ATAPI.SY_ ------ 49558 bytes [03:50 12/08/2004] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [21:43 04/10/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [05:59 04/08/2004] [13:13 03/12/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [13:13 03/12/2009] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

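The two SystemLook logs above (responses #7 and #9) are read by eye in this thread; as an added example that is not part of the original thread, the script below parses that log format, compares the in-use atapi.sys with the pristine copies Windows XP keeps in dllcache, ServicePackFiles and $NtServicePackUninstall$, and flags a hash mismatch or a modification date newer than the service pack build. The input is built from the log lines in response #7, plus one constructed tampered line that reuses the MD5 ComboFix's Sigcheck reports for the live driver in response #13; the function names are my own.

```python
import re
from datetime import datetime

# Constructed input: the six result lines are copied from the SystemLook
# ":filefind" log in response #7 above.
POST7_LOG = r"""
Searching for "atapi*"
C:\cmdcons\atapi.sy_ --a--- 49558 bytes [02:15 23/10/2004] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:54 08/10/2009] [12:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\I386\ATAPI.SY_ ------ 49558 bytes [03:50 12/08/2004] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [21:43 04/10/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [05:59 04/08/2004] [11:28 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [11:28 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
"""

# Constructed variant: same log, but the in-use driver now carries the MD5 that
# ComboFix's Sigcheck reported for it in response #13, and a fresh timestamp.
TAMPERED_LOG = POST7_LOG.replace(
    "C:\\WINDOWS\\system32\\drivers\\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [11:28 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674",
    "C:\\WINDOWS\\system32\\drivers\\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [21:55 03/12/2009] 1494C60EE680E8E79A2D3E25D5FE50FF",
)

# One SystemLook ":filefind" result line:
#   <path> <6 attribute chars> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Directories in which Windows XP keeps pristine copies of system drivers;
# a copy found there is the reference the live driver is compared against.
REFERENCE_MARKERS = ("\\dllcache\\", "\\servicepackfiles\\", "\\$ntservicepackuninstall$\\")
LIVE_MARKER = "\\system32\\drivers\\"


def parse_timestamp(text):
    """SystemLook prints timestamps as 'HH:MM DD/MM/YYYY'."""
    return datetime.strptime(text, "%H:%M %d/%m/%Y")


def parse_filefind(log_text):
    """Return one dict per result line; header and blank lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "size": int(m["size"]),
            "created": parse_timestamp(m["created"]),
            "modified": parse_timestamp(m["modified"]),
            "md5": m["md5"].upper(),
        })
    return entries


def triage_driver(entries, driver_name="atapi.sys"):
    """Compare the in-use copy of driver_name with its reference copies."""
    name = driver_name.lower()
    live = [e for e in entries if e["path"].lower().endswith(LIVE_MARKER + name)]
    refs = [e for e in entries
            if e["path"].lower().endswith("\\" + name)
            and any(mk in e["path"].lower() for mk in REFERENCE_MARKERS)]
    if not live:
        return {"status": "live driver not found"}
    live = live[0]
    # Only copies of the same size are comparable: the $NtServicePackUninstall$
    # copy is the pre-SP3 build (95360 bytes) and is expected to differ.
    same_size = [r for r in refs if r["size"] == live["size"]]
    agreeing = [r["path"] for r in same_size if r["md5"] == live["md5"]]
    disagreeing = [r["path"] for r in same_size if r["md5"] != live["md5"]]
    # ServicePackFiles carries the service pack build date; the live driver
    # should not have been rewritten after it unless a hotfix replaced it.
    sp_copies = [r for r in refs if "\\servicepackfiles\\" in r["path"].lower()]
    newer_than_sp = bool(sp_copies) and live["modified"] > max(r["modified"] for r in sp_copies)
    return {
        "status": "ok",
        "live_path": live["path"],
        "live_md5": live["md5"],
        "hash_matches_reference": bool(agreeing),
        "agreeing_copies": agreeing,
        "disagreeing_copies": disagreeing,
        "modified_after_service_pack": newer_than_sp,
    }


if __name__ == "__main__":
    for label, log in (("response #7", POST7_LOG), ("constructed tampered log", TAMPERED_LOG)):
        print(label, triage_driver(parse_filefind(log)))
```

Note that in this thread the live driver hashed identically to the dllcache copy in both logs while GMER and avast still flagged it, so a matching hash rules nothing out and only a mismatch or an unexplained recent modification is a positive finding.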


#10
December 3, 2009 at 11:40:01
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Copy all the text contained in the code box below between the X's to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to move:
C:\atapi.sys | C:\WINDOWS\System32\drivers\atapi.sys

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.



#11
December 3, 2009 at 14:31:49
Don't know if it helped yet?? Ran it once & the black screen came up for safe mode, etc. but it did that over & over & would never reboot. SO I selected to start in last known mode which worked. Then I ran the avenger again & it rebooted fine. But I still have no sound. And my icons on my desktop are all still highlighted blue (like they're all being clicked on) which has been that way since this whole thing started. Thanks for the input thus far - any other advice??


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\atapi.sys|C:\WINDOWS\System32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



#12
December 3, 2009 at 15:45:21
You are still infected by what appears to be "Personal Guard 2009".

We need to get Avast and Spyware Terminator turned off or disabled before running our next scan, ComboFix. Malwarebytes does not need to be disabled. So download ComboFix per the instructions, then follow the directions in the tutorial's clickable link "This Link" to get your antivirus and antispyware programs disabled... Remember to turn Avast back on, but leave Spyware Terminator off until we get you cleaned.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#13
December 3, 2009 at 18:20:39
Alright, here's the log, but did want to say that ComboFix had to reboot my machine, twice, and avast came back on those times without me realizing it :-( Hope that didn't cause a problem - please advise.

ComboFix 09-12-03.04 - Emily 12/03/2009 20:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.141 [GMT -5:00]
Running from: c:\documents and settings\Emily\Desktop\combofix.exe
AV: avast! antivirus 4.8.1368 [VPS 091203-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\Drivers\qnoy.sys
c:\windows\system32\drivers\str.sys

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-03 22:14 . 2009-12-03 22:14 78720 ----a-w- c:\windows\system32\drivers\latcdtnlolp.sys
2009-12-02 15:02 . 2009-12-02 15:07 -------- d-----w- C:\rsit
2009-12-01 13:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 13:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 13:39 . 2009-12-01 13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 14:52 . 2009-11-28 14:52 152576 ----a-w- c:\documents and settings\Emily\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-28 14:51 . 2009-11-28 14:51 79488 ----a-w- c:\documents and settings\Emily\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 17:25 . 2009-11-27 17:25 -------- d-----w- c:\documents and settings\Emily\Application Data\Malwarebytes
2009-11-27 17:25 . 2009-11-27 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-27 17:01 . 2009-11-27 17:01 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-27 13:46 . 2009-11-27 13:47 -------- d-----w- c:\program files\WinClamAVShield
2009-11-26 15:05 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-26 15:05 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-22 19:10 . 2009-11-22 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-11-18 22:25 . 2009-11-18 22:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2009-11-15 13:50 . 2009-10-06 19:14 1117296 ----a-w- c:\windows\system32\TWCSaver.scr
2009-11-13 20:36 . 2009-11-13 20:36 -------- d-----w- c:\program files\ScenicReflections
2009-11-13 20:36 . 2009-11-13 20:36 1577352 ----a-w- c:\windows\askToolbarInstaller-1.3.3.0.exe
2009-11-13 12:04 . 2009-11-15 13:50 -------- d-----w- c:\program files\The Weather Channel FW
2009-11-13 12:04 . 2009-11-15 13:50 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\The Weather Channel
2009-11-07 23:16 . 2009-11-07 23:16 -------- d-----w- c:\documents and settings\Emily\Application Data\Sony
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Application Data\Publish Providers
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Application Data\NetMedia Providers
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\Sony
2009-11-07 23:06 . 2009-11-07 23:06 -------- d-----w- c:\program files\Vstplugins
2009-11-07 23:06 . 2009-11-07 23:06 -------- d-----w- c:\program files\Sony
2009-11-07 23:04 . 2009-11-07 23:04 -------- d-----w- c:\program files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 01:55 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-04 01:43 . 2008-03-07 16:18 -------- d-----w- c:\documents and settings\Emily\Application Data\Spyware Terminator
2009-12-03 15:05 . 2007-12-27 03:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-03 13:13 . 2008-03-07 16:18 -------- d-----w- c:\program files\Spyware Terminator
2009-12-03 11:52 . 2008-03-07 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-12-03 11:37 . 2009-10-04 17:55 -------- d-----w- c:\program files\ATTToolbar
2009-12-01 21:40 . 2007-12-29 07:55 -------- d-----w- c:\documents and settings\Emily\Application Data\LimeWire
2009-12-01 12:55 . 2009-10-04 17:05 -------- d-----w- c:\program files\Common Files\Motive
2009-11-29 02:37 . 2007-12-24 03:13 -------- d-----w- c:\documents and settings\Emily\Application Data\AdobeUM
2009-11-28 14:56 . 2004-08-09 06:12 -------- d-----w- c:\program files\Java
2009-11-27 16:20 . 2009-11-27 16:20 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Thanksgiving Hues Wallpaper.exe
2009-11-27 13:36 . 2008-03-07 16:18 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-24 23:54 . 2009-10-04 18:52 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-10-04 18:52 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-10-04 18:52 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:49 . 2009-10-04 18:52 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-10-04 18:52 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-10-04 18:52 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-10-04 18:52 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-13 20:36 . 2009-11-13 20:36 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Thanksgiving Hues Wallpaper dir\uninstall.exe
2009-10-29 15:11 . 2009-10-04 17:52 -------- d-----w- c:\program files\ATT-SST
2009-10-28 20:15 . 2009-10-04 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-10-28 20:13 . 2009-10-05 23:25 -------- d-----w- c:\documents and settings\Corey\Application Data\LimeWire
2009-10-28 13:14 . 2009-10-28 13:14 27136 ----a-w- c:\program files\U-0051-01_P.doc
2009-10-27 04:00 . 2009-10-04 23:06 -------- d-----w- c:\documents and settings\Carson\Application Data\Spyware Terminator
2009-10-27 00:00 . 2009-10-08 00:24 -------- d-----w- c:\documents and settings\Carson\Application Data\LimeWire
2009-10-16 20:36 . 2009-10-04 23:28 -------- d-----w- c:\documents and settings\Corey\Application Data\Spyware Terminator
2009-10-15 01:03 . 2009-10-15 01:03 -------- d-----w- c:\program files\Google
2009-10-14 01:15 . 2004-11-07 19:46 31208 ----a-w- c:\documents and settings\Emily\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-10-04 23:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 11:07 . 2009-10-09 11:07 -------- d-----w- c:\documents and settings\Carson\Application Data\Apple Computer
2009-10-08 02:07 . 2004-08-09 05:44 81971 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-07 00:20 . 2009-10-07 00:20 -------- d-----w- c:\documents and settings\Carson\Application Data\Motive
2009-10-06 00:03 . 2009-10-06 00:03 -------- d-----w- c:\documents and settings\Corey\Application Data\AdobeUM
2009-10-05 23:54 . 2009-10-05 23:54 -------- d--h--r- c:\documents and settings\Corey\Application Data\yahoo!
2009-10-05 23:54 . 2009-10-04 23:29 -------- d-----w- c:\documents and settings\Corey\Application Data\ATTTOOLBAR
2009-10-05 23:27 . 2009-10-05 23:27 -------- d-----w- c:\documents and settings\Corey\Application Data\Motive
2009-10-05 23:25 . 2009-10-05 23:25 7680 ----a-w- c:\documents and settings\Corey\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
2009-10-04 23:25 . 2009-10-04 23:25 152576 ----a-w- c:\documents and settings\Carson\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 18:40 . 2009-10-04 18:40 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-09-11 14:18 . 2004-08-09 04:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-05-19 23:26 . 2008-04-19 01:48 7480858 ----a-w- c:\program files\yahoo_madamefate1-2_tm6-3.exe
2008-05-19 10:44 . 2008-05-15 16:32 5806137 ----a-w- c:\program files\MysteryPIVegasSetup.exe
2008-05-17 22:07 . 2008-05-15 16:32 34666520 ----a-w- c:\program files\BigCityAdventureSydSetup.exe
2008-05-15 14:24 . 2008-05-14 22:11 23906352 ----a-w- c:\program files\BigCityAdventureSFSetup.exe
2008-05-14 19:42 . 2008-05-14 19:41 5328825 ----a-w- c:\program files\yahoo_hiddenobjectshow_tm6-3.exe
2008-03-09 19:31 . 2008-03-08 16:20 48824910 ----a-w- c:\program files\iTunesSetup.exe
2008-03-07 15:31 . 2008-03-07 15:31 9823864 ----a-w- c:\program files\SpywareTerminator_Setup.exe
2008-03-07 13:40 . 2008-03-07 13:40 19738872 ----a-w- c:\program files\avastsetup.exe
2008-03-06 15:16 . 2008-03-06 15:16 14881808 ----a-w- c:\program files\avg75free_516a1262.exe
2008-03-06 11:52 . 2008-03-06 11:52 608481 ----a-w- c:\program files\setupeng.exe
2008-01-06 21:27 . 2008-01-06 21:27 608487 ----a-w- c:\program files\DeepBurner1.exe
2007-12-29 07:55 . 2007-12-29 07:55 3381280 ----a-w- c:\program files\LimeWireWin.exe
.

------- Sigcheck -------

[-] 2009-12-04 . 1494C60EE680E8E79A2D3E25D5FE50FF . 96512 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-03 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-22 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Carson\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\Corey\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-8-9 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\GameHouse\\Collapse\\Collapse.exe"=
"c:\\Alien Shooter\\AlienShooter.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/26/2009 10:05 AM 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/7/2008 11:18 AM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/26/2009 10:05 AM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
AddRemove-CToolbar_UNINSTALL - c:\progra~1\Crawler\Toolbar\CToolbar.exe uninst
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 21:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3364)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\Lexmark 4200 Series\lxbmbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-03 21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 02:17

Pre-Run: 143,752,921,088 bytes free
Post-Run: 144,148,856,832 bytes free

- - End Of File - - 9A68BA1ECA112F8493B400B53A3912A2



#14
December 3, 2009 at 18:59:18
Please run Gmer once again.


#15
December 4, 2009 at 05:17:21
Here ya go:

ComboFix 09-12-03.04 - Emily 12/03/2009 20:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.141 [GMT -5:00]
Running from: c:\documents and settings\Emily\Desktop\combofix.exe
AV: avast! antivirus 4.8.1368 [VPS 091203-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\Drivers\qnoy.sys
c:\windows\system32\drivers\str.sys

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-03 22:14 . 2009-12-03 22:14 78720 ----a-w- c:\windows\system32\drivers\latcdtnlolp.sys
2009-12-02 15:02 . 2009-12-02 15:07 -------- d-----w- C:\rsit
2009-12-01 13:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 13:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 13:39 . 2009-12-01 13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 14:52 . 2009-11-28 14:52 152576 ----a-w- c:\documents and settings\Emily\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-28 14:51 . 2009-11-28 14:51 79488 ----a-w- c:\documents and settings\Emily\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 17:25 . 2009-11-27 17:25 -------- d-----w- c:\documents and settings\Emily\Application Data\Malwarebytes
2009-11-27 17:25 . 2009-11-27 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-27 17:01 . 2009-11-27 17:01 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-27 13:46 . 2009-11-27 13:47 -------- d-----w- c:\program files\WinClamAVShield
2009-11-26 15:05 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-26 15:05 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-22 19:10 . 2009-11-22 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-11-18 22:25 . 2009-11-18 22:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2009-11-15 13:50 . 2009-10-06 19:14 1117296 ----a-w- c:\windows\system32\TWCSaver.scr
2009-11-13 20:36 . 2009-11-13 20:36 -------- d-----w- c:\program files\ScenicReflections
2009-11-13 20:36 . 2009-11-13 20:36 1577352 ----a-w- c:\windows\askToolbarInstaller-1.3.3.0.exe
2009-11-13 12:04 . 2009-11-15 13:50 -------- d-----w- c:\program files\The Weather Channel FW
2009-11-13 12:04 . 2009-11-15 13:50 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\The Weather Channel
2009-11-07 23:16 . 2009-11-07 23:16 -------- d-----w- c:\documents and settings\Emily\Application Data\Sony
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Application Data\Publish Providers
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Application Data\NetMedia Providers
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\Sony
2009-11-07 23:06 . 2009-11-07 23:06 -------- d-----w- c:\program files\Vstplugins
2009-11-07 23:06 . 2009-11-07 23:06 -------- d-----w- c:\program files\Sony
2009-11-07 23:04 . 2009-11-07 23:04 -------- d-----w- c:\program files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 01:55 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-04 01:43 . 2008-03-07 16:18 -------- d-----w- c:\documents and settings\Emily\Application Data\Spyware Terminator
2009-12-03 15:05 . 2007-12-27 03:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-03 13:13 . 2008-03-07 16:18 -------- d-----w- c:\program files\Spyware Terminator
2009-12-03 11:52 . 2008-03-07 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-12-03 11:37 . 2009-10-04 17:55 -------- d-----w- c:\program files\ATTToolbar
2009-12-01 21:40 . 2007-12-29 07:55 -------- d-----w- c:\documents and settings\Emily\Application Data\LimeWire
2009-12-01 12:55 . 2009-10-04 17:05 -------- d-----w- c:\program files\Common Files\Motive
2009-11-29 02:37 . 2007-12-24 03:13 -------- d-----w- c:\documents and settings\Emily\Application Data\AdobeUM
2009-11-28 14:56 . 2004-08-09 06:12 -------- d-----w- c:\program files\Java
2009-11-27 16:20 . 2009-11-27 16:20 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Thanksgiving Hues Wallpaper.exe
2009-11-27 13:36 . 2008-03-07 16:18 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-24 23:54 . 2009-10-04 18:52 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-10-04 18:52 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-10-04 18:52 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:49 . 2009-10-04 18:52 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-10-04 18:52 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-10-04 18:52 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-10-04 18:52 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-13 20:36 . 2009-11-13 20:36 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Thanksgiving Hues Wallpaper dir\uninstall.exe
2009-10-29 15:11 . 2009-10-04 17:52 -------- d-----w- c:\program files\ATT-SST
2009-10-28 20:15 . 2009-10-04 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-10-28 20:13 . 2009-10-05 23:25 -------- d-----w- c:\documents and settings\Corey\Application Data\LimeWire
2009-10-28 13:14 . 2009-10-28 13:14 27136 ----a-w- c:\program files\U-0051-01_P.doc
2009-10-27 04:00 . 2009-10-04 23:06 -------- d-----w- c:\documents and settings\Carson\Application Data\Spyware Terminator
2009-10-27 00:00 . 2009-10-08 00:24 -------- d-----w- c:\documents and settings\Carson\Application Data\LimeWire
2009-10-16 20:36 . 2009-10-04 23:28 -------- d-----w- c:\documents and settings\Corey\Application Data\Spyware Terminator
2009-10-15 01:03 . 2009-10-15 01:03 -------- d-----w- c:\program files\Google
2009-10-14 01:15 . 2004-11-07 19:46 31208 ----a-w- c:\documents and settings\Emily\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-10-04 23:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 11:07 . 2009-10-09 11:07 -------- d-----w- c:\documents and settings\Carson\Application Data\Apple Computer
2009-10-08 02:07 . 2004-08-09 05:44 81971 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-07 00:20 . 2009-10-07 00:20 -------- d-----w- c:\documents and settings\Carson\Application Data\Motive
2009-10-06 00:03 . 2009-10-06 00:03 -------- d-----w- c:\documents and settings\Corey\Application Data\AdobeUM
2009-10-05 23:54 . 2009-10-05 23:54 -------- d--h--r- c:\documents and settings\Corey\Application Data\yahoo!
2009-10-05 23:54 . 2009-10-04 23:29 -------- d-----w- c:\documents and settings\Corey\Application Data\ATTTOOLBAR
2009-10-05 23:27 . 2009-10-05 23:27 -------- d-----w- c:\documents and settings\Corey\Application Data\Motive
2009-10-05 23:25 . 2009-10-05 23:25 7680 ----a-w- c:\documents and settings\Corey\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
2009-10-04 23:25 . 2009-10-04 23:25 152576 ----a-w- c:\documents and settings\Carson\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 18:40 . 2009-10-04 18:40 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-09-11 14:18 . 2004-08-09 04:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-05-19 23:26 . 2008-04-19 01:48 7480858 ----a-w- c:\program files\yahoo_madamefate1-2_tm6-3.exe
2008-05-19 10:44 . 2008-05-15 16:32 5806137 ----a-w- c:\program files\MysteryPIVegasSetup.exe
2008-05-17 22:07 . 2008-05-15 16:32 34666520 ----a-w- c:\program files\BigCityAdventureSydSetup.exe
2008-05-15 14:24 . 2008-05-14 22:11 23906352 ----a-w- c:\program files\BigCityAdventureSFSetup.exe
2008-05-14 19:42 . 2008-05-14 19:41 5328825 ----a-w- c:\program files\yahoo_hiddenobjectshow_tm6-3.exe
2008-03-09 19:31 . 2008-03-08 16:20 48824910 ----a-w- c:\program files\iTunesSetup.exe
2008-03-07 15:31 . 2008-03-07 15:31 9823864 ----a-w- c:\program files\SpywareTerminator_Setup.exe
2008-03-07 13:40 . 2008-03-07 13:40 19738872 ----a-w- c:\program files\avastsetup.exe
2008-03-06 15:16 . 2008-03-06 15:16 14881808 ----a-w- c:\program files\avg75free_516a1262.exe
2008-03-06 11:52 . 2008-03-06 11:52 608481 ----a-w- c:\program files\setupeng.exe
2008-01-06 21:27 . 2008-01-06 21:27 608487 ----a-w- c:\program files\DeepBurner1.exe
2007-12-29 07:55 . 2007-12-29 07:55 3381280 ----a-w- c:\program files\LimeWireWin.exe
.

------- Sigcheck -------

[-] 2009-12-04 . 1494C60EE680E8E79A2D3E25D5FE50FF . 96512 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-03 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-22 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Carson\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\Corey\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-8-9 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\GameHouse\\Collapse\\Collapse.exe"=
"c:\\Alien Shooter\\AlienShooter.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/26/2009 10:05 AM 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/7/2008 11:18 AM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/26/2009 10:05 AM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
AddRemove-CToolbar_UNINSTALL - c:\progra~1\Crawler\Toolbar\CToolbar.exe uninst
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 21:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3364)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\Lexmark 4200 Series\lxbmbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-03 21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 02:17

Pre-Run: 143,752,921,088 bytes free
Post-Run: 144,148,856,832 bytes free

- - End Of File - - 9A68BA1ECA112F8493B400B53A3912A2



#16
December 4, 2009 at 10:58:46
Go to Start > Run, type in ComboFix /Uninstall (the space after ComboFix is needed), then click OK. Allow it time to uninstall... it will let you know.

Now download ComboFix from the link in response # 12, follow those exact directions, run it and post the log please.

Then post a new Gmer log from the directions in response #1.



#17
December 4, 2009 at 18:52:39
Better this time, I think?! It didn't reboot like before & the icons on the desktop are no longer blue :-) Still no sound, though...

Here's the log:

ComboFix 09-12-04.02 - Emily 12/04/2009 21:36.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.243 [GMT -5:00]
Running from: c:\documents and settings\Emily\Desktop\combofix.exe
AV: avast! antivirus 4.8.1368 [VPS 091204-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\latcdtnlolp.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-02 15:02 . 2009-12-02 15:07 -------- d-----w- C:\rsit
2009-12-01 13:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 13:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 13:39 . 2009-12-01 13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 14:52 . 2009-11-28 14:52 152576 ----a-w- c:\documents and settings\Emily\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-28 14:51 . 2009-11-28 14:51 79488 ----a-w- c:\documents and settings\Emily\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 17:25 . 2009-11-27 17:25 -------- d-----w- c:\documents and settings\Emily\Application Data\Malwarebytes
2009-11-27 17:25 . 2009-11-27 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-27 17:01 . 2009-11-27 17:01 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-27 13:46 . 2009-11-27 13:47 -------- d-----w- c:\program files\WinClamAVShield
2009-11-26 15:05 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-26 15:05 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-22 19:10 . 2009-11-22 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-11-18 22:25 . 2009-11-18 22:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2009-11-15 13:50 . 2009-10-06 19:14 1117296 ----a-w- c:\windows\system32\TWCSaver.scr
2009-11-13 20:36 . 2009-11-13 20:36 -------- d-----w- c:\program files\ScenicReflections
2009-11-13 20:36 . 2009-11-13 20:36 1577352 ----a-w- c:\windows\askToolbarInstaller-1.3.3.0.exe
2009-11-13 12:04 . 2009-11-15 13:50 -------- d-----w- c:\program files\The Weather Channel FW
2009-11-13 12:04 . 2009-11-15 13:50 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\The Weather Channel
2009-11-07 23:16 . 2009-11-07 23:16 -------- d-----w- c:\documents and settings\Emily\Application Data\Sony
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Application Data\Publish Providers
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Application Data\NetMedia Providers
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\Sony
2009-11-07 23:06 . 2009-11-07 23:06 -------- d-----w- c:\program files\Vstplugins
2009-11-07 23:06 . 2009-11-07 23:06 -------- d-----w- c:\program files\Sony
2009-11-07 23:04 . 2009-11-07 23:04 -------- d-----w- c:\program files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 19:01 . 2009-12-04 18:01 28 ----a-w- c:\windows\popcinfot.dat
2009-12-04 18:01 . 2009-12-04 18:01 -------- d-----w- c:\documents and settings\Emily\Application Data\PopCapv1002
2009-12-04 18:01 . 2009-12-04 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-12-04 18:01 . 2009-12-04 18:00 -------- d-----w- c:\program files\PopCap Games
2009-12-04 01:55 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-04 01:43 . 2008-03-07 16:18 -------- d-----w- c:\documents and settings\Emily\Application Data\Spyware Terminator
2009-12-03 15:05 . 2007-12-27 03:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-03 13:13 . 2008-03-07 16:18 -------- d-----w- c:\program files\Spyware Terminator
2009-12-03 11:52 . 2008-03-07 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-12-03 11:37 . 2009-10-04 17:55 -------- d-----w- c:\program files\ATTToolbar
2009-12-01 21:40 . 2007-12-29 07:55 -------- d-----w- c:\documents and settings\Emily\Application Data\LimeWire
2009-12-01 12:55 . 2009-10-04 17:05 -------- d-----w- c:\program files\Common Files\Motive
2009-11-29 02:37 . 2007-12-24 03:13 -------- d-----w- c:\documents and settings\Emily\Application Data\AdobeUM
2009-11-28 14:56 . 2004-08-09 06:12 -------- d-----w- c:\program files\Java
2009-11-27 16:20 . 2009-11-27 16:20 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Thanksgiving Hues Wallpaper.exe
2009-11-27 13:36 . 2008-03-07 16:18 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-24 23:54 . 2009-10-04 18:52 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-10-04 18:52 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-10-04 18:52 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:49 . 2009-10-04 18:52 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-10-04 18:52 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-10-04 18:52 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-10-04 18:52 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-13 20:36 . 2009-11-13 20:36 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Thanksgiving Hues Wallpaper dir\uninstall.exe
2009-10-29 15:11 . 2009-10-04 17:52 -------- d-----w- c:\program files\ATT-SST
2009-10-28 20:15 . 2009-10-04 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-10-28 20:13 . 2009-10-05 23:25 -------- d-----w- c:\documents and settings\Corey\Application Data\LimeWire
2009-10-28 13:14 . 2009-10-28 13:14 27136 ----a-w- c:\program files\U-0051-01_P.doc
2009-10-27 04:00 . 2009-10-04 23:06 -------- d-----w- c:\documents and settings\Carson\Application Data\Spyware Terminator
2009-10-27 00:00 . 2009-10-08 00:24 -------- d-----w- c:\documents and settings\Carson\Application Data\LimeWire
2009-10-16 20:36 . 2009-10-04 23:28 -------- d-----w- c:\documents and settings\Corey\Application Data\Spyware Terminator
2009-10-15 01:03 . 2009-10-15 01:03 -------- d-----w- c:\program files\Google
2009-10-14 01:15 . 2004-11-07 19:46 31208 ----a-w- c:\documents and settings\Emily\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-10-04 23:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 11:07 . 2009-10-09 11:07 -------- d-----w- c:\documents and settings\Carson\Application Data\Apple Computer
2009-10-08 02:07 . 2004-08-09 05:44 81971 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-07 00:20 . 2009-10-07 00:20 -------- d-----w- c:\documents and settings\Carson\Application Data\Motive
2009-10-05 23:25 . 2009-10-05 23:25 7680 ----a-w- c:\documents and settings\Corey\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
2009-10-04 23:25 . 2009-10-04 23:25 152576 ----a-w- c:\documents and settings\Carson\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 18:40 . 2009-10-04 18:40 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-09-11 14:18 . 2004-08-09 04:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-05-19 23:26 . 2008-04-19 01:48 7480858 ----a-w- c:\program files\yahoo_madamefate1-2_tm6-3.exe
2008-05-19 10:44 . 2008-05-15 16:32 5806137 ----a-w- c:\program files\MysteryPIVegasSetup.exe
2008-05-17 22:07 . 2008-05-15 16:32 34666520 ----a-w- c:\program files\BigCityAdventureSydSetup.exe
2008-05-15 14:24 . 2008-05-14 22:11 23906352 ----a-w- c:\program files\BigCityAdventureSFSetup.exe
2008-05-14 19:42 . 2008-05-14 19:41 5328825 ----a-w- c:\program files\yahoo_hiddenobjectshow_tm6-3.exe
2008-03-09 19:31 . 2008-03-08 16:20 48824910 ----a-w- c:\program files\iTunesSetup.exe
2008-03-07 15:31 . 2008-03-07 15:31 9823864 ----a-w- c:\program files\SpywareTerminator_Setup.exe
2008-03-07 13:40 . 2008-03-07 13:40 19738872 ----a-w- c:\program files\avastsetup.exe
2008-03-06 15:16 . 2008-03-06 15:16 14881808 ----a-w- c:\program files\avg75free_516a1262.exe
2008-03-06 11:52 . 2008-03-06 11:52 608481 ----a-w- c:\program files\setupeng.exe
2008-01-06 21:27 . 2008-01-06 21:27 608487 ----a-w- c:\program files\DeepBurner1.exe
2007-12-29 07:55 . 2007-12-29 07:55 3381280 ----a-w- c:\program files\LimeWireWin.exe
.

------- Sigcheck -------

[-] 2009-12-04 . 1494C60EE680E8E79A2D3E25D5FE50FF . 96512 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-03 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-22 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Carson\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\Corey\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-8-9 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\GameHouse\\Collapse\\Collapse.exe"=
"c:\\Alien Shooter\\AlienShooter.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/26/2009 10:05 AM 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/7/2008 11:18 AM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/26/2009 10:05 AM 20560]

--- Other Services/Drivers In Memory ---

*Deregistered* - uwldypod
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 21:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-04 21:44
ComboFix-quarantined-files.txt 2009-12-05 02:44
ComboFix2.txt 2009-12-04 02:17

Pre-Run: 144,626,233,344 bytes free
Post-Run: 144,586,489,856 bytes free

- - End Of File - - C79F9115C0BC3F9B0778446CC34A6693



#18
December 4, 2009 at 22:40:12
For some reason the rootkit is still with us.

You have several iffy files from p2p programs and remnants of old antivirus programs. If Spyware Terminator is not something you bought, please uninstall it; you can reinstall it after we get the computer clean.

Next uninstall LimeWire at least until we get you clean.

The following files are remnants of:


Winclam antivirus
Askit toolbar
a virus


Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\Program Files\WinClamAVShield
C:\WINDOWS\askToolbarInstaller-1.3.3.0.exe
C:\WINDOWS\batmeter16.dll

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""=-
"AlcxMonitor"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

And post a new Gmer log please.
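The Sigcheck block in the log above is what shows the rootkit is still present: the in-place atapi.sys hashes differently from every backup copy Windows keeps (dllcache, ServicePackFiles, $NtServicePackUninstall$), and the version it reports does not match that version's file size. As an added example (not from the original thread and not ComboFix's own code), this Python script parses a Sigcheck block and flags exactly that inconsistency; the list of reference directories is an assumption of the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample input: the four Sigcheck rows from the ComboFix log
# above, copied verbatim (raw string so the backslashes survive).
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------

[-] 2009-12-04 . 1494C60EE680E8E79A2D3E25D5FE50FF . 96512 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-03 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
"""

# One Sigcheck row has the shape:  [flag] date . md5 . size . . [version] . . path
ROW_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Assumption of this example: directories where Windows keeps pristine copies
# of system files. A row under one of these is a reference copy; any other
# row for the same file name is the "live" copy that actually gets loaded.
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "$ntservicepackuninstall$")


class Row(NamedTuple):
    flag: str
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_reference(self) -> bool:
        p = self.path.lower()
        return any(d in p for d in REFERENCE_DIRS)


def parse_sigcheck(text: str) -> List[Row]:
    """Parse every Sigcheck row in a ComboFix log fragment; other lines are ignored."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append(Row(d["flag"], d["date"], d["md5"].upper(),
                            int(d["size"]), d["version"], d["path"]))
    return rows


def find_findings(rows: List[Row]) -> Dict[str, List[str]]:
    """Return {file name: [reasons]} for each live file that disagrees with its reference copies.

    Two checks per live copy: its MD5 must equal some reference copy's MD5, and
    if a reference copy carries the same version string, the sizes must agree.
    """
    by_name: Dict[str, List[Row]] = defaultdict(list)
    for r in rows:
        by_name[r.basename].append(r)

    findings: Dict[str, List[str]] = {}
    for name, group in by_name.items():
        live = [r for r in group if not r.is_reference]
        refs = [r for r in group if r.is_reference]
        if not live or not refs:
            continue  # nothing to compare against
        ref_hashes = {r.md5 for r in refs}
        ref_size_by_version = {r.version: r.size for r in refs}
        reasons: List[str] = []
        for r in live:
            if r.md5 not in ref_hashes:
                reasons.append(f"{r.path}: MD5 {r.md5} (flag [{r.flag}]) matches none of "
                               f"the {len(refs)} reference copies")
            ref_size = ref_size_by_version.get(r.version)
            if ref_size is not None and ref_size != r.size:
                reasons.append(f"{r.path}: reports version {r.version} but is {r.size} bytes; "
                               f"the reference copy of that version is {ref_size} bytes")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_findings(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(f"{name}:")
        for reason in reasons:
            print(f"  - {reason}")
```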



#19
December 6, 2009 at 06:55:21
Man, thanks so much for all this help! I used this computer for a bit last year, then switched to another, now back to it, not even thinking it could be previously infected. Here are the logs:

ComboFix 09-12-04.02 - Emily 12/06/2009 8:34.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.192 [GMT -5:00]
Running from: c:\documents and settings\Emily\Desktop\combofix.exe
Command switches used :: c:\documents and settings\Emily\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091206-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\program files\WinClamAVShield"
"c:\windows\askToolbarInstaller-1.3.3.0.exe"
"c:\windows\batmeter16.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\askToolbarInstaller-1.3.3.0.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-12-06 04:02 . 2009-12-06 04:02 -------- d-----w- c:\documents and settings\Emily\Application Data\BigFishv1002
2009-12-05 04:40 . 2009-12-05 04:40 -------- d-----w- c:\documents and settings\Emily\Application Data\Orneon
2009-12-05 03:18 . 2009-12-05 03:18 -------- d-----w- c:\program files\Amazing Adventures - The Caribbean Secret
2009-12-05 03:16 . 2009-12-05 03:17 -------- d-----w- c:\program files\Echoes of the Past - Royal House of Stone
2009-12-05 03:09 . 2009-12-05 03:09 -------- d-----w- c:\program files\bfgclient
2009-12-05 03:08 . 2009-12-06 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-12-02 15:02 . 2009-12-02 15:07 -------- d-----w- C:\rsit
2009-12-01 13:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 13:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 13:39 . 2009-12-01 13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 14:52 . 2009-11-28 14:52 152576 ----a-w- c:\documents and settings\Emily\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-28 14:51 . 2009-11-28 14:51 79488 ----a-w- c:\documents and settings\Emily\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 17:25 . 2009-11-27 17:25 -------- d-----w- c:\documents and settings\Emily\Application Data\Malwarebytes
2009-11-27 17:25 . 2009-11-27 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-27 17:01 . 2009-11-27 17:01 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-26 15:05 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-26 15:05 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-22 19:10 . 2009-11-22 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-11-18 22:25 . 2009-11-18 22:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2009-11-15 13:50 . 2009-10-06 19:14 1117296 ----a-w- c:\windows\system32\TWCSaver.scr
2009-11-13 20:36 . 2009-11-13 20:36 -------- d-----w- c:\program files\ScenicReflections
2009-11-13 12:04 . 2009-11-15 13:50 -------- d-----w- c:\program files\The Weather Channel FW
2009-11-13 12:04 . 2009-11-15 13:50 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\The Weather Channel
2009-11-07 23:16 . 2009-11-07 23:16 -------- d-----w- c:\documents and settings\Emily\Application Data\Sony
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Application Data\Publish Providers
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Application Data\NetMedia Providers
2009-11-07 23:09 . 2009-11-07 23:09 -------- d-----w- c:\documents and settings\Emily\Local Settings\Application Data\Sony
2009-11-07 23:06 . 2009-11-07 23:06 -------- d-----w- c:\program files\Vstplugins
2009-11-07 23:06 . 2009-11-07 23:06 -------- d-----w- c:\program files\Sony
2009-11-07 23:04 . 2009-11-07 23:04 -------- d-----w- c:\program files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-06 05:02 . 2007-12-27 03:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-05 03:03 . 2009-12-04 18:00 -------- d-----w- c:\program files\PopCap Games
2009-12-05 03:00 . 2008-04-23 23:58 -------- d--h--w- c:\documents and settings\Emily\Application Data\yahoo!
2009-12-04 19:01 . 2009-12-04 18:01 28 ----a-w- c:\windows\popcinfot.dat
2009-12-04 18:01 . 2009-12-04 18:01 -------- d-----w- c:\documents and settings\Emily\Application Data\PopCapv1002
2009-12-04 18:01 . 2009-12-04 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-12-04 01:55 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 11:37 . 2009-10-04 17:55 -------- d-----w- c:\program files\ATTToolbar
2009-12-01 21:40 . 2007-12-29 07:55 -------- d-----w- c:\documents and settings\Emily\Application Data\LimeWire
2009-12-01 12:55 . 2009-10-04 17:05 -------- d-----w- c:\program files\Common Files\Motive
2009-11-29 02:37 . 2007-12-24 03:13 -------- d-----w- c:\documents and settings\Emily\Application Data\AdobeUM
2009-11-28 14:56 . 2004-08-09 06:12 -------- d-----w- c:\program files\Java
2009-11-27 16:20 . 2009-11-27 16:20 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Thanksgiving Hues Wallpaper.exe
2009-11-24 23:54 . 2009-10-04 18:52 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-10-04 18:52 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-10-04 18:52 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:49 . 2009-10-04 18:52 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-10-04 18:52 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-10-04 18:52 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-10-04 18:52 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-13 20:36 . 2009-11-13 20:36 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Thanksgiving Hues Wallpaper dir\uninstall.exe
2009-10-29 15:11 . 2009-10-04 17:52 -------- d-----w- c:\program files\ATT-SST
2009-10-28 20:15 . 2009-10-04 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-10-28 20:13 . 2009-10-05 23:25 -------- d-----w- c:\documents and settings\Corey\Application Data\LimeWire
2009-10-28 13:14 . 2009-10-28 13:14 27136 ----a-w- c:\program files\U-0051-01_P.doc
2009-10-27 04:00 . 2009-10-04 23:06 -------- d-----w- c:\documents and settings\Carson\Application Data\Spyware Terminator
2009-10-27 00:00 . 2009-10-08 00:24 -------- d-----w- c:\documents and settings\Carson\Application Data\LimeWire
2009-10-16 20:36 . 2009-10-04 23:28 -------- d-----w- c:\documents and settings\Corey\Application Data\Spyware Terminator
2009-10-15 01:03 . 2009-10-15 01:03 -------- d-----w- c:\program files\Google
2009-10-14 01:15 . 2004-11-07 19:46 31208 ----a-w- c:\documents and settings\Emily\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-10-04 23:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 11:07 . 2009-10-09 11:07 -------- d-----w- c:\documents and settings\Carson\Application Data\Apple Computer
2009-10-08 02:07 . 2004-08-09 05:44 81971 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-05 23:26 . 2009-10-05 23:26 499712 ----a-w- c:\documents and settings\Corey\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
2009-10-05 23:25 . 2009-10-05 23:25 7680 ----a-w- c:\documents and settings\Corey\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
2009-10-04 23:25 . 2009-10-04 23:25 152576 ----a-w- c:\documents and settings\Carson\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 18:40 . 2009-10-04 18:40 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-09-11 14:18 . 2004-08-09 04:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-05-19 23:26 . 2008-04-19 01:48 7480858 ----a-w- c:\program files\yahoo_madamefate1-2_tm6-3.exe
2008-05-19 10:44 . 2008-05-15 16:32 5806137 ----a-w- c:\program files\MysteryPIVegasSetup.exe
2008-05-17 22:07 . 2008-05-15 16:32 34666520 ----a-w- c:\program files\BigCityAdventureSydSetup.exe
2008-05-15 14:24 . 2008-05-14 22:11 23906352 ----a-w- c:\program files\BigCityAdventureSFSetup.exe
2008-05-14 19:42 . 2008-05-14 19:41 5328825 ----a-w- c:\program files\yahoo_hiddenobjectshow_tm6-3.exe
2008-03-09 19:31 . 2008-03-08 16:20 48824910 ----a-w- c:\program files\iTunesSetup.exe
2008-03-07 15:31 . 2008-03-07 15:31 9823864 ----a-w- c:\program files\SpywareTerminator_Setup.exe
2008-03-07 13:40 . 2008-03-07 13:40 19738872 ----a-w- c:\program files\avastsetup.exe
2008-03-06 15:16 . 2008-03-06 15:16 14881808 ----a-w- c:\program files\avg75free_516a1262.exe
2008-03-06 11:52 . 2008-03-06 11:52 608481 ----a-w- c:\program files\setupeng.exe
2008-01-06 21:27 . 2008-01-06 21:27 608487 ----a-w- c:\program files\DeepBurner1.exe
2007-12-29 07:55 . 2007-12-29 07:55 3381280 ----a-w- c:\program files\LimeWireWin.exe
.

------- Sigcheck -------

[-] 2009-12-04 . 1494C60EE680E8E79A2D3E25D5FE50FF . 96512 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-03 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-12-05_02.42.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-06 13:43 . 2009-12-06 13:43 16384 c:\windows\Temp\Perflib_Perfdata_6bc.dat
+ 2009-12-06 13:43 . 2009-12-06 13:43 16384 c:\windows\Temp\Perflib_Perfdata_594.dat
+ 2009-12-06 13:25 . 2009-12-06 13:25 16384 c:\windows\Temp\Perflib_Perfdata_58c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-22 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-8-9 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\GameHouse\\Collapse\\Collapse.exe"=
"c:\\Alien Shooter\\AlienShooter.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/26/2009 10:05 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/26/2009 10:05 AM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 08:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3956)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\Lexmark 4200 Series\lxbmbmon.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-06 08:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-06 13:49
ComboFix2.txt 2009-12-05 02:44
ComboFix3.txt 2009-12-04 02:17

Pre-Run: 143,841,636,352 bytes free
Post-Run: 143,915,573,248 bytes free

- - End Of File - - CD8CE26163E4B1F53CC0166BE54D6970

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 09:55:52
Windows 5.1.2600 Service Pack 3
Running: 4sd4md2p.exe; Driver: C:\DOCUME~1\Emily\LOCALS~1\Temp\uwldypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF4C686B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF4C68574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF4C68A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF4C6814C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF4C6864E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF4C6808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF4C680F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF4C6876E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF4C6872E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF4C688AE]

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\combofix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[712] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[712] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
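The Sigcheck block in the ComboFix log above lists the live atapi.sys next to three reference copies (dllcache, ServicePackFiles, $NtServicePackUninstall$), each with its MD5, size and version. The live copy's hash matches none of the references and its size differs from the reference copy carrying the same version string, which is exactly the kind of inconsistency a helper reading these logs is looking for. The script below is an added example, not part of the thread or of ComboFix: it parses those four lines and performs that cross-check; the list of folders it treats as reference locations is its own assumption.

```python
import re
from collections import defaultdict

# The four Sigcheck lines quoted from the ComboFix log above.
SIGCHECK_LINES = [
    r"[-] 2009-12-04 . 1494C60EE680E8E79A2D3E25D5FE50FF . 96512 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys",
    r"[7] 2009-12-03 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys",
    r"[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys",
    r"[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys",
]
# Column layout as printed in the log: [mark] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# Assumed reference locations: folders where Windows keeps pristine copies of its own files.
BACKUP_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "\\$ntservicepackuninstall$\\")

def parse_sigcheck(lines):
    """One dict per Sigcheck line; lines that do not match the layout are skipped."""
    records = []
    for m in filter(None, map(LINE_RE.match, lines)):
        rec = m.groupdict()
        rec.update(size=int(rec["size"]), md5=rec["md5"].upper(), path=rec["path"].lower())
        rec["name"] = rec["path"].rsplit("\\", 1)[-1]
        rec["is_backup"] = any(d in rec["path"] for d in BACKUP_DIRS)
        records.append(rec)
    return records

def find_suspect_copies(records):
    """Flag live copies whose MD5 or version/size pair matches no reference copy of the same file."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)
    findings = []
    for copies in by_name.values():
        backups = [c for c in copies if c["is_backup"]]
        backup_md5s = {b["md5"] for b in backups}
        for c in copies:
            if c["is_backup"] or not backups:
                continue  # a reference copy itself, or nothing to compare against
            reasons = []
            if c["md5"] not in backup_md5s:
                reasons.append("md5 matches no backup copy")
            same_ver = {b["size"] for b in backups if b["version"] == c["version"]}
            if same_ver and c["size"] not in same_ver:
                reasons.append("size differs from backup copy with same version")
            if reasons:  # ComboFix's own bracketed mark is passed through, not interpreted
                findings.append((c["path"], c["mark"], reasons))
    return findings
```

Run on the four lines above it reports only the live driver, with both reasons; a set whose live copy matches a reference produces no findings.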



#20
December 6, 2009 at 07:18:52
Much better.

A little clean-up to do.

Delete RSIT, Win32kDiag, GMER and Avenger from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#21
December 6, 2009 at 14:34:28
"Glad we could help"... you're WAY too modest! Thank you so very much for all the help!! Just can't say it enough!

Let me ask you this:

Mozilla Firefox...better to use than Internet Explorer?

Also, when all this happened I lost sound. Any suggestions on that?

Thanks again!



#22
December 6, 2009 at 15:50:34
Firefox is probably safer right now but you must have Internet Explorer to update Windows.

Go to start> control panel> sound and audio devices. Make sure there is no check beside the mute box and click speaker volume and move both sliders to high> click ok if you moved or unchecked anything. Now click the audio tab and click the three volume buttons one at a time to make sure the mute buttons are not checked.

Let me know if that helped.



#23
December 7, 2009 at 05:51:46
No, it didn't fix the sound :-(
Here's what I have, if it helps:

Sound, video and game controllers
Audio Codecs
Legacy Audio Drivers
Legacy Video Capture Devices
Media Control Devices
Realtek AC’97 Audio for VIA (R) Audio Controller
Video Codecs

It shows everything's working right, but we know it's not.

Appreciate any suggestions or ideas! Thanks



#24
December 7, 2009 at 18:39:36
You will probably need to reinstall the sound drivers most likely.

You may have them on a CD that came with the computer; if not you should be able to get them from the HP download center or just Google Realtek drivers, go to downloads and find your newest AC'97 drivers.

You should read up on installing the drivers but it is not hard at all.

You may want to try this first. Go to start> control panel> system> hardware> device manager, scroll down to sound> open it by clicking the + sign> right click on "Realtek AC’97 Audio for VIA (R) Audio Controller"> click uninstall> restart the computer. Once in a blue moon this works but may save you some time.



#25
December 8, 2009 at 05:09:21
Will do & thanks so much!!

Have a very happy holiday!



#26
December 11, 2009 at 06:27:50
I just love you guys!!

"Once in a blue moon" worked just fine for me! Sound is up & running & I just can't thank you all enough for your help with EVERYTHING!!

