Topic: Help! Aliens have invaded!

guestolo (Administrator)
Help! Aliens have invaded!
« Reply #20 on: August 21, 2009, 05:26:21 AM »
Download ComboFix from one of these locations:

Link 1
Link 2
Save it ONLY to your Desktop

      --------------------------------------------------------------------
Temporarily disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
In addition:
Sysprot Antirootkit
Please download Sysprot Antirootkit from the link below and save it to your Desktop:

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.

Do you want to post your own logs from FRST? Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
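When the ComboFix log comes back (cingal08 posts it in the next reply), a helper reads the same few sections first: what ComboFix deleted, which services it removed, what autostarts from the Run keys, and which ports the firewall's standard profile has open. The script below is an added example for this thread, not part of ComboFix or of this post. It parses those sections out of a trimmed excerpt of the posted log and flags the UAC-prefixed random-name files and the UACd.sys service ComboFix removed (the naming used by the TDSS/Alureon rootkit family at the time), the AV line that says AVG was outdated with on-access scanning disabled, and the 3389/TCP (Remote Desktop) exception in the firewall profile. The section banners and line layouts are the real ComboFix ones as posted; the vowel-ratio "random name" test, the UAC name pattern and the port check are this example's own heuristics.

```python
"""ComboFix log triage (added example, not ComboFix code).  Section banners
and line layouts match the log posted in this thread; the heuristics are
this example's own assumptions."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")             # ((( Name )))
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...]
REG_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(.*)$')      # "name"="path" [date size]
SERVICE_RE = re.compile(r"^-+\\(Service|Legacy)_(.+)$")      # -------\Service_x
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')            # "3389:TCP"= ...
TDSS_NAME_RE = re.compile(r"^uac\w+\.(sys|dll|dat)$", re.I)  # UAC<random>.sys (TDSS-style)

# Constructed sample: a trimmed excerpt of the ComboFix log posted later in
# this thread (lines kept verbatim, most of the file listing dropped).
SAMPLE_LOG = r"""ComboFix 09-08-20.07 - HP_Administrator 08/21/2009  7:48.4.2 - NTFSx86
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\c31f316.msp
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\drivers\UACemmyqyrdqj.sys
c:\windows\system32\UAChnywkvlsxw.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACtwvabvdtpb.dat
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_UACd.sys

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-02 2000152]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/11/2009 9:51 AM 64160]
"""


def parse_combofix(text):
    """Split the log into {section: [lines]}.  '.' spacers and blank lines
    are dropped; everything before the first banner lands in 'header'."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            continue
        sections[current].append(line)
    return sections


def looks_random(filename):
    """Crude randomness test: a stem of 8+ characters with at most one
    letter in four being a vowel.  Example heuristic, tuned to UAC* names."""
    stem = filename.rsplit(".", 1)[0].lower()
    vowels = sum(c in "aeiouy" for c in stem)
    return len(stem) >= 8 and vowels / len(stem) <= 0.25


def triage(text):
    """Return findings plus the Run-key autostarts and open firewall ports."""
    s = parse_combofix(text)
    findings = []

    for line in s.get("header", []):
        if line.startswith("AV:") and ("Outdated" in line or "disabled" in line.lower()):
            findings.append(("antivirus state", line))

    for path in s.get("Other Deletions", []):
        base = path.rsplit("\\", 1)[-1]
        if TDSS_NAME_RE.match(base):
            findings.append(("tdss-style filename", path))
        elif looks_random(base):
            findings.append(("random-looking filename", path))

    for line in s.get("Drivers/Services", []):
        m = SERVICE_RE.match(line)
        if m:
            findings.append(("removed %s entry" % m.group(1).lower(), m.group(2)))

    run_entries, open_ports, key = [], [], None
    for line in s.get("Reg Loading Points", []):
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = OPEN_PORT_RE.match(line)
        if m and key and "GloballyOpenPorts" in key:
            port, proto = int(m.group(1)), m.group(2)
            open_ports.append((port, proto))
            if (port, proto) == (3389, "TCP"):
                findings.append(("Remote Desktop port open in firewall profile", line))
            continue
        m = REG_VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\currentversion\\run"):
            run_entries.append((key, m.group(1), m.group(2)))

    return {"findings": findings, "run_entries": run_entries, "open_ports": open_ports}


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG)["findings"]:
        print(f"{kind:45} {detail}")
```

Run it on the full C:\ComboFix.txt with triage(open(path).read()); whatever lands under "findings" is what to read first. A flag is not a verdict: the Other Deletions entries are already gone, the point is to classify what was there, and a 3389/TCP exception may be legitimate if the owner uses Remote Desktop, but it is worth asking about right after a rootkit has been removed.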

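The SysProt log is a flat list of "Key: Value" records under the Process: and Kernel Modules: headings, so the check a helper actually performs on it (is anything marked Hidden: Yes?) is easy to automate. The parser below is an added example, not SysProt's own code and not part of this post. Its sample is a trimmed excerpt of the log posted in the next reply plus one constructed hidden svchost.exe entry (pid 4132, not in the real log) so the alert path is exercised. The allow-list of scanner drivers is this example's assumption: in the posted log the only hidden module is Combo-Fix.sys, ComboFix's own driver, still loaded because the user ran ComboFix a few minutes before SysProt, so a triage script should name it for what it is rather than report it as a rootkit; pass tool_drivers=frozenset() to see the strict view.

```python
"""SysProt AntiRootkit log review (added example, not SysProt's code)."""

# Scanner drivers expected to show up hidden or loaded from a user directory
# while a clean-up is in progress.  Assumption of this example; both names
# are taken from the log posted in this thread.
TOOL_DRIVERS = frozenset({"combo-fix.sys", "sysprotdrv.sys"})
SYSTEM_DIRS = ("\\windows\\", "\\winnt\\")

# Constructed sample: a trimmed excerpt of the posted SysProt log plus one
# made-up hidden svchost.exe (pid 4132) that is NOT in the real log.
SAMPLE_SYSPROT = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************

Process:
Name: C:\WINDOWS\system32\winlogon.exe
PID: 916
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 4132
Hidden: Yes
Window Visible: No

Name: C:\Documents and Settings\HP_Administrator\Desktop\SysProt\SysProt\SysProt.exe
PID: 2872
Hidden: No
Window Visible: Yes

******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\HP_Administrator\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B8127000
Module End: B8132000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F75F0000
Module End: F75FF000
Hidden: Yes
"""


def parse_sysprot(text):
    """Return {'processes': [...], 'modules': [...]}; each record is the dict
    of 'Key: Value' lines in one blank-line-separated block."""
    out = {"processes": [], "modules": []}
    section, rec = None, {}

    def flush():
        nonlocal rec
        if rec and section:
            out[section].append(rec)
        rec = {}

    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Process:", "Kernel Modules:"):
            flush()
            section = "processes" if line == "Process:" else "modules"
        elif not line or set(line) == {"*"}:
            flush()                      # a blank or banner line ends a record
        elif ": " in line:
            key, value = line.split(": ", 1)
            rec[key] = value.strip()
    flush()
    return out


def module_path(rec):
    """Strip the NT '\\??\\' prefix SysProt prints in front of some paths."""
    name = rec.get("Module Name", "")
    return name[4:] if name.startswith("\\??\\") else name


def module_size(rec):
    return int(rec["Module End"], 16) - int(rec["Module Base"], 16)


def review_sysprot(text, tool_drivers=TOOL_DRIVERS):
    """List (reason, detail) findings: hidden processes, hidden modules
    (named separately when they are a known scanner driver), and modules
    loaded from outside the Windows directory or reported with no path."""
    parsed = parse_sysprot(text)
    findings = []
    for p in parsed["processes"]:
        if p.get("Hidden") == "Yes":
            findings.append(("hidden process", f'{p["Name"]} (pid {p["PID"]})'))
    for m in parsed["modules"]:
        path = module_path(m)
        base = path.rsplit("\\", 1)[-1].lower()
        known = base in tool_drivers
        if m.get("Hidden") == "Yes":
            reason = "hidden module, known scanner driver" if known else "hidden module"
            findings.append((reason, f"{path} ({module_size(m)} bytes)"))
        if known:
            continue
        if "\\" not in path:
            findings.append(("module without a path", path))
        elif not any(d in path.lower() for d in SYSTEM_DIRS):
            findings.append(("module outside the Windows directory", path))
    return findings


if __name__ == "__main__":
    for reason, detail in review_sysprot(SAMPLE_SYSPROT):
        print(f"{reason:40} {detail}")
```

The posted log has no hidden process and Combo-Fix.sys as its only hidden module, which this review reports as a known scanner driver; a hidden module with no path and no service name that is not on the allow-list is exactly what the UACd.sys driver ComboFix removed would have looked like before the clean-up.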

cingal08
Help! Aliens have invaded!
« Reply #21 on: August 21, 2009, 08:23:09 AM »
Ok...I have completed all of that.  I have included all the logs.  Once again, thank you very much for all your help.

Combo-fix Log

ComboFix 09-08-20.07 - HP_Administrator 08/21/2009  7:48.4.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.513 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\c31f316.msp
c:\windows\Installer\c31f329.msp
c:\windows\Installer\c31f331.msp
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\drivers\UACemmyqyrdqj.sys
c:\windows\system32\UAChnywkvlsxw.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACklnxnvrlae.dll
c:\windows\system32\UACotqluqqrfb.dll
c:\windows\system32\UACpxkjqeuwrb.dll
c:\windows\system32\UACtwvabvdtpb.dat

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


(((((((((((((((((((((((((   Files Created from 2009-07-21 to 2009-08-21  )))))))))))))))))))))))))))))))
.

2009-08-21 04:46 . 2009-08-03 18:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 04:46 . 2009-08-21 05:12   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-08-21 04:46 . 2009-08-03 18:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-08-20 21:57 . 2009-08-20 21:57   0   ----a-w-   c:\windows\nsreg.dat
2009-08-20 21:57 . 2009-08-20 21:57   --------   d-----w-   c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-08-12 02:20 . 2009-08-18 21:27   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2009-08-12 02:20 . 2009-08-18 21:25   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-02 22:03 . 2009-08-21 10:10   --------   d--h--w-   C:\$AVG8.VAULT$
2009-08-02 21:56 . 2009-08-02 21:56   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
2009-08-02 21:56 . 2009-08-02 21:56   108552   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2009-08-02 21:56 . 2009-08-02 21:56   335240   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2009-08-02 21:56 . 2009-08-02 21:56   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2009-08-02 21:55 . 2009-08-12 01:30   --------   d-----w-   c:\windows\system32\drivers\Avg
2009-08-02 21:55 . 2009-08-02 21:55   --------   d-----w-   c:\program files\AVG
2009-08-02 21:55 . 2009-08-02 21:55   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-08-02 21:16 . 2009-08-02 21:16   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\AVG8
2009-08-02 17:18 . 2009-08-02 17:18   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2009-08-02 17:06 . 2009-08-02 17:06   0   ----a-w-   c:\windows\system32\cmpwrap.dat
2009-07-28 18:52 . 2009-07-28 18:52   --------   d-----w-   c:\program files\Linksys
2009-07-28 18:52 . 2008-12-12 23:05   23984   ----a-w-   c:\windows\system32\drivers\pnarp.sys
2009-07-28 18:52 . 2008-12-12 23:05   25264   ----a-w-   c:\windows\system32\drivers\purendis.sys
2009-07-28 18:51 . 2009-07-28 18:51   --------   d-----w-   c:\program files\Common Files\Pure Networks Shared
2009-07-28 18:51 . 2009-07-28 18:51   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Pure Networks
2009-07-28 18:50 . 2008-12-04 13:17   627072   ----a-r-   c:\windows\system32\drivers\WUSB54GCv3.sys
2009-07-28 18:50 . 2008-12-04 13:17   221184   ----a-w-   c:\windows\system32\RaCoInst.dll
2009-07-28 18:50 . 2008-12-04 13:17   15312   ----a-r-   c:\windows\system32\RaCoInst.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 03:14 . 2006-06-05 13:40   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo!
2009-08-12 03:14 . 2006-04-26 17:49   --------   d-----w-   c:\program files\Yahoo!
2009-08-12 03:14 . 2007-05-05 20:46   --------   d--h--r-   c:\documents and settings\HP_Administrator\Application Data\yahoo!
2009-08-02 22:25 . 2005-05-05 15:45   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-08-02 22:25 . 2006-05-30 21:54   --------   d-----w-   c:\program files\Verizon
2009-07-14 18:44 . 2005-06-23 03:10   55048   ----a-w-   c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 00:06 . 2005-05-05 16:02   --------   d-----w-   c:\program files\Google
2009-07-11 23:54 . 2005-05-05 15:26   --------   d-----w-   c:\program files\HP
2009-07-11 23:54 . 2005-05-05 15:26   --------   d-----w-   c:\program files\Hewlett-Packard
2009-07-11 23:53 . 2009-07-11 23:53   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\HP Product Assistant
2009-07-11 23:49 . 2003-05-19 22:01   139264   ----a-w-   c:\windows\system32\hpzjrd01.dll
2009-07-11 23:36 . 2009-07-11 23:36   --------   d-----w-   c:\program files\MSBuild
2009-07-11 23:35 . 2009-07-11 23:35   --------   d-----w-   c:\program files\Reference Assemblies
2009-07-11 16:14 . 2006-09-05 12:39   --------   d-----w-   c:\program files\fsupport
2009-07-11 14:51 . 2009-07-11 14:50   --------   d-----w-   c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-11 14:51 . 2009-07-11 14:51   --------   dc-h--w-   c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-11 14:50 . 2006-02-15 19:59   --------   d-----w-   c:\program files\Lavasoft
2009-07-03 17:09 . 2004-08-10 04:00   915456   ----a-w-   c:\windows\system32\wininet.dll
2009-07-03 14:49 . 2009-07-11 14:51   64160   ----a-w-   c:\windows\system32\drivers\Lbd.sys
2009-07-03 14:49 . 2009-07-11 16:14   15688   ----a-w-   c:\windows\system32\lsdelete.exe
2009-06-16 14:36 . 2004-08-10 04:00   81920   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 04:00   119808   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-10 04:00   1291264   ----a-w-   c:\windows\system32\quartz.dll
2005-07-17 20:00 . 2005-07-17 20:00   251   ----a-w-   c:\program files\wt3d.ini
2005-07-20 15:45 . 2005-07-20 15:45   22   --sha-w-   c:\windows\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((   SnapShot@2009-08-19_03.20.32   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-21 12:46 . 2009-08-21 12:46   16384              c:\windows\temp\Perflib_Perfdata_3a8.dat
+ 2005-01-28 02:47 . 2009-08-20 21:45   73100              c:\windows\system32\perfc009.dat
- 2005-01-28 02:47 . 2009-07-28 18:51   73100              c:\windows\system32\perfc009.dat
- 2009-07-11 16:14 . 2009-08-19 03:18   32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-11 16:14 . 2009-08-21 06:04   32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-01-27 18:29 . 2009-08-21 06:04   32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-01-27 18:29 . 2009-08-19 03:18   32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-08-02 17:18 . 2009-08-20 21:17   16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-08-02 17:18 . 2009-08-19 03:18   16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2005-01-27 18:29 . 2009-08-19 03:18   16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-01-27 18:29 . 2009-08-21 06:04   16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-28 02:47 . 2009-07-28 18:51   446338              c:\windows\system32\perfh009.dat
+ 2005-01-28 02:47 . 2009-08-20 21:45   446338              c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-02 2000152]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-5-5 45056]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2008-9-18 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-02 21:56   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/11/2009 9:51 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/2/2009 4:56 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/2/2009 4:56 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/2/2009 4:55 PM 297752]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/18/2008 8:27 PM 66048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [7/28/2009 1:50 PM 627072]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [9/18/2008 8:27 PM 167808]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = actsvr.comcastonline.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: kaspersky.nl\www
FF - ProfilePath - c:\docume~1\HP_ADM~1\APPLIC~1\Mozilla\Firefox\Profiles\azhv9w8e.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota",      5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",     true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",    true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",     true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",       true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",    true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",                 true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",                true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",               false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",               true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",                 true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",                   true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",                true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",             false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",            false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",    false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 07:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-21  8:01
ComboFix-quarantined-files.txt  2009-08-21 13:01
ComboFix2.txt  2009-08-19 03:25

Pre-Run: 195,689,365,504 bytes free
Post-Run: 195,670,073,344 bytes free

241   --- E O F ---   2009-08-12 02:01


SysProt LOG

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 796
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 888
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 916
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 960
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 972
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1120
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1152
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1248
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Defender\MsMpEng.exe
PID: 1308
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1348
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1664
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1756
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 1972
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 212
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 416
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 548
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 644
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 664
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehrecvr.exe
PID: 704
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehSched.exe
PID: 736
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 876
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 936
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 1452
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1500
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\HPZipm12.exe
PID: 1540
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1596
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1624
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\mcrdsvc.exe
PID: 1748
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 1832
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 1840
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PID: 696
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Media Player\wmpnetwk.exe
PID: 2148
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\dllhost.exe
PID: 3520
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 3536
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3752
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3968
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\notepad.exe
PID: 2204
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\explorer.exe
PID: 1788
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\HP_Administrator\Desktop\SysProt\SysProt\SysProt.exe
PID: 2872
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\HP_Administrator\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B8127000
Module End: B8132000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7A90000
Module End: F7A92000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F79A0000
Module End: F79A3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7461000
Module End: F748F000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7A92000
Module End: F7A94000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7450000
Module End: F7461000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7590000
Module End: F759A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7B58000
Module End: F7B59000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7810000
Module End: F7817000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F75A0000
Module End: F75AB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F7431000
Module End: F7450000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F7A94000
Module End: F7A96000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F740B000
Module End: F7431000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F7818000
Module End: F781D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F75B0000
Module End: F75BD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F73F3000
Module End: F740B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fasttx2k.sys
Service Name: fasttx2k
Module Base: F73D0000
Module End: F73F3000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F73B8000
Module End: F73D0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F75C0000
Module End: F75C9000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F75D0000
Module End: F75DD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F7398000
Module End: F73B8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F7386000
Module End: F7398000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F75E0000
Module End: F75EF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F7820000
Module End: F7825000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F736F000
Module End: F7386000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F72E2000
Module End: F736F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F72B5000
Module End: F72E2000
Hidden: No

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F75F0000
Module End: F75FF000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F7600000
Module End: F7610000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F7610000
Module End: F761E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F729B000
Module End: F72B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F7640000
Module End: F7650000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F7670000
Module End: F7679000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F6F0D000
Module End: F7002000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F6EF9000
Module End: F6F0D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F6ED1000
Module End: F6EF9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F7968000
Module End: F796E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6EAD000
Module End: F6ED1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7970000
Module End: F7978000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hcwPP2.sys
Service Name: hcwPP2
Module Base: F6E88000
Module End: F6EAD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F6E65000
Module End: F6E88000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: F6D60000
Module End: F6E65000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F7978000
Module End: F7980000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Service Name: E100B
Module Base: F6D3A000
Module End: F6D60000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F6D26000
Module End: F6D3A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7680000
Module End: F768D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7980000
Module End: F7986000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\PS2.sys
Service Name: Ps2
Module Base: F7988000
Module End: F798D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7990000
Module End: F7996000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7690000
Module End: F769B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F76A0000
Module End: F76B0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F76B0000
Module End: F76BF000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F7A74000
Module End: F7A77000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7BB0000
Module End: F7BB1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F76C0000
Module End: F76CD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7A80000
Module End: F7A83000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6CE7000
Module End: F6CFE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F76D0000
Module End: F76DB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F76E0000
Module End: F76EC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7998000
Module End: F799D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6CD6000
Module End: F6CE7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F76F0000
Module End: F76F9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7830000
Module End: F7835000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7860000
Module End: F7865000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F6CA6000
Module End: F6CD6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F7700000
Module End: F770A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7ABA000
Module End: F7ABC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F6C48000
Module End: F6CA6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F726B000
Module End: F726F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F7710000
Module End: F771A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: EE81B000
Module End: EEC00000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: EE7F7000
Module End: EE81B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F7082000
Module End: F7091000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7072000
Module End: F7081000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7ABE000
Module End: F7AC0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7AC0000
Module End: F7AC2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7CCD000
Module End: F7CCE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7AC2000
Module End: F7AC4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7888000
Module End: F788F000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F7890000
Module End: F7896000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7AC4000
Module End: F7AC6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7AC6000
Module End: F7AC8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F7898000
Module End: F789D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F78A0000
Module End: F78A8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7A64000
Module End: F7A67000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EDF7C000
Module End: EDF8F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EDF23000
Module End: EDF7C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: EDF0A000
Module End: EDF23000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EDEE4000
Module End: EDF0A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7052000
Module End: F705B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EDEBC000
Module End: EDEE4000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EDE9A000
Module End: EDEBC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7042000
Module End: F704B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EDE6F000
Module End: EDE9A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EDDD7000
Module End: EDE47000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7032000
Module End: F703D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F7022000
Module End: F7031000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F78A8000
Module End: F78AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\WUSB54GCv3.sys
Service Name: WUSB54GCv3
Module Base: EDC9D000
Module End: EDD37000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\BANTExt.sys
Service Name: BANTExt
Module Base: F7BA1000
Module End: F7BA2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F78B0000
Module End: F78B6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: EDC4C000
Module End: EDC9D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: EDC28000
Module End: EDC4C000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EDC10000
Module End: EDC28000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7B00000
Module End: F7B02000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EDFC7000
Module End: EDFCA000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F78F0000
Module End: F78F5000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7C8D000
Module End: F7C8E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
Service Name: EAPPkt
Module Base: B8DBF000
Module End: B8DD0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B8F30000
Module End: B8F34000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\pnarp.sys
Service Name: pnarp
Module Base: F7930000
Module End: F7935000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\purendis.sys
Service Name: purendis
Module Base: F7940000
Module End: F7945000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B8B3A000
Module End: B8B67000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B8B25000
Module End: B8B3A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B8CBF000
Module End: B8CCE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B89D1000
Module End: B8A12000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B865F000
Module End: B86B1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Service Name: TDTCP
Module Base: F78D8000
Module End: F78DE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Service Name: RDPWD
Module Base: B7F5C000
Module End: B7F7F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MSPQM.sys
Service Name: MSPQM
Module Base: F7AFC000
Module End: F7AFE000
Hidden: No

Module Name: \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: F78C0000
Module End: F78C8000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: F7B2A000
Module End: F7B2C000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B7E43000
Module End: B7E6E000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F75E087E
Driver Base: F75E0000
Driver End: F75EF000
Driver Name: Lbd.sys

Function Name: ZwSetValueKey
Address: F75E0BFE
Driver Base: F75E0000
Driver End: F75EF000
Driver Name: Lbd.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: HPMCE2005:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: HPMCE2005:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: HPMCE2005:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: HPMCE2005:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: HPMCE2005:10080
Remote Address: LOCALHOST:1441
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HPMCE2005:10080
Remote Address: LOCALHOST:1439
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HPMCE2005:10080
Remote Address: LOCALHOST:1437
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HPMCE2005:10080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: HPMCE2005:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: HPMCE2005:1256
Remote Address: LOCALHOST:1255
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HPMCE2005:1255
Remote Address: LOCALHOST:1256
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HPMCE2005:1252
Remote Address: LOCALHOST:1251
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HPMCE2005:1251
Remote Address: LOCALHOST:1252
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HPMCE2005:1031
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: HPMCE2005:3389
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: HPMCE2005:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: HPMCE2005:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: HPMCE2005:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HPMCE2005:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: HPMCE2005:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: HPMCE2005:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HPMCE2005:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HPMCE2005:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HPMCE2005:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: HPMCE2005:3776
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\ehome\mcrdsvc.exe
State: NA

Local Address: HPMCE2005:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: HPMCE2005:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}
Status: Access denied
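An added example, written for this page and not part of Sysprot or of the original posts: a Python script that triages a Sysprot log like the one above. It parses the Key: Value records, then flags hidden kernel modules that are not attributable to a known tool, SSDT entries whose handler lies outside the kernel image (after checking that the reported address really falls inside the named owner), and TCP listeners on remote-access ports or owned by a process outside the usual install roots. The allow-lists, the expected process roots and the record for hypothetical.sys are assumptions constructed for the example; every other sample line is excerpted from the log above. On this log the real findings are the two Lbd.sys registry hooks and the RDP listener on 3389, both of which call for an owner check rather than removal; Combo-Fix.sys, catchme.sys and PROCEXP90.SYS are the diagnostic tools' own drivers (ComboFix, its catchme component, Process Explorer) and dump_*.sys are the crash-dump copies of the boot storage stack, all of which show as hidden by design.

```python
"""Triage a Sysprot Antirootkit text log (added example, see lead-in)."""

# Assumed allow-lists; adjust per case.
KNOWN_TOOL_DRIVERS = {"combo-fix.sys", "catchme.sys", "procexp90.sys"}
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}
EXPECTED_PROCESS_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
REMOTE_ACCESS_PORTS = {"3389", "5900", "23"}  # RDP, VNC, telnet

# Excerpt of the log posted above, plus one CONSTRUCTED hidden driver
# (hypothetical.sys) so the positive path is exercised.
SAMPLE_LOG = r"""
Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F72B5000
Module End: F72E2000
Hidden: No

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F75F0000
Module End: F75FF000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EDC10000
Module End: EDC28000
Hidden: Yes

Module Name: \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: F78C0000
Module End: F78C8000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\hypothetical.sys
Service Name: ---
Module Base: B8000000
Module End: B8010000
Hidden: Yes

SSDT:
Function Name: ZwCreateKey
Address: F75E087E
Driver Base: F75E0000
Driver End: F75EF000
Driver Name: Lbd.sys

Function Name: ZwSetValueKey
Address: F75E0BFE
Driver Base: F75E0000
Driver End: F75EF000
Driver Name: Lbd.sys

Ports:
Local Address: HPMCE2005:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: HPMCE2005:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: HPMCE2005:3389
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: HPMCE2005:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
"""


def parse_records(text):
    """Split the log into dicts. A blank line ends a record; lines without the
    'Key: Value' shape (separators, section headers like 'SSDT:') are ignored."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value.strip()
    if current:
        records.append(current)
    return records


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_module(r):
    if r.get("Hidden") != "Yes":
        return None
    name = basename(r["Module Name"])
    if name in KNOWN_TOOL_DRIVERS or name.startswith("dump_"):
        return None  # tool driver or crash-dump copy: hidden by design
    return ("hidden-module", r["Module Name"],
            "hidden from the loaded-module list and not attributed to a known tool")


def triage_ssdt(r):
    owner = basename(r["Driver Name"])
    addr = int(r["Address"], 16)
    lo, hi = int(r["Driver Base"], 16), int(r["Driver End"], 16)
    if not lo <= addr < hi:  # the reported owner cannot contain the handler
        return ("ssdt-inconsistent", r["Function Name"],
                "handler %08X outside %s [%08X, %08X)" % (addr, owner, lo, hi))
    if owner in KERNEL_IMAGES:
        return None
    return ("ssdt-hook", r["Function Name"],
            "handler lives in %s; confirm that driver is expected on this host" % owner)


def triage_port(r):
    if r.get("Type") != "TCP" or r.get("State") != "LISTENING":
        return None
    port = r["Local Address"].rsplit(":", 1)[-1]
    proc = r.get("Process", "")
    if port in REMOTE_ACCESS_PORTS:
        return ("listener-remote-access", "%s (%s)" % (port, proc),
                "remote-access service listening; make sure it is wanted and firewalled")
    if proc.lower() != "system" and not proc.lower().startswith(EXPECTED_PROCESS_ROOTS):
        return ("listener-odd-path", "%s (%s)" % (port, proc),
                "listener owned by a process outside the expected install roots")
    return None


def summarize(text):
    """Findings keyed by category: {kind: [(subject, reason), ...]}."""
    out = {}
    for r in parse_records(text):
        if "Module Name" in r:
            f = triage_module(r)
        elif "Function Name" in r:
            f = triage_ssdt(r)
        elif "Local Address" in r:
            f = triage_port(r)
        else:
            f = None
        if f:
            out.setdefault(f[0], []).append((f[1], f[2]))
    return out


if __name__ == "__main__":
    for kind, items in summarize(SAMPLE_LOG).items():
        for subject, why in items:
            print("%-24s %s\n    %s" % (kind, subject, why))
```

Run it against a full log saved from Sysprot by reading the file into summarize(); anything in the hidden-module or ssdt-inconsistent buckets is what to chase first, the ssdt-hook and listener buckets are attribution questions.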

Offline guestolo
Help! Aliens have invaded!
« Reply #22 on: August 21, 2009, 08:28:28 PM »
That's looking better, but can you still do the following

Download > ATF Cleaner < (http://www.atribune.org/ccount/click.php?id=1) by Atribune and save it to your Desktop.

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu

Again run Malwarebytes' Anti-Malware from the shortcut on your desktop, check for updates, run another scan and post its new log

Once again, temporarily disable AVG protection
Then, go to the following link
Kaspersky Online Scanner: http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when/if prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Don't forget to re-enable your protection with AVG resident shield

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline cingal08
Help! Aliens have invaded!
« Reply #23 on: August 22, 2009, 02:05:49 AM »
[quote name='guestolo' post='464833' date='Aug 21 2009, 08:28 PM'](Reply #22 quoted in full)[/quote]

Offline guestolo
Help! Aliens have invaded!
« Reply #24 on: August 22, 2009, 11:40:59 AM »
???



Offline cingal08
Help! Aliens have invaded!
« Reply #25 on: August 22, 2009, 12:03:10 PM »
[quote name='guestolo' post='464847' date='Aug 22 2009, 11:40 AM']???[/quote]

I am not sure what I did...please help...I posted up all of my reports that you gave me to do...and realized I need to tell you that I did do the ATF Cleaner also, so before sending my "fast reply" I clicked edit to add a note to my reply.  Now....I can't get a fast reply at all and all of my messages are jumbled and garbled up.  ACK.  Don't you hate dealing with newbies?  I have the reports but hate to post them with all this jumbled crap in them

Offline guestolo
Help! Aliens have invaded!
« Reply #26 on: August 22, 2009, 12:12:49 PM »
Can you use the ADD REPLY button please on the bottom right instead of Fast reply?



Offline cingal08
Help! Aliens have invaded!
« Reply #27 on: August 22, 2009, 12:19:39 PM »
[quote name='guestolo' post='464852' date='Aug 22 2009, 12:12 PM']Can you use the ADD REPLY button please on the bottom right instead of Fast reply?[/quote]

I don't see add reply.  Only Fast Reply and New Topic.  So I am going to try this.  I did do the ATF Cleaner and below are my MWB log and below that will be my KScan log.  Hope this works.

Malwarebytes' Anti-Malware 1.40
Database version: 2674
Windows 5.1.2600 Service Pack 3

8/21/2009 8:52:11 PM
mbam-log-2009-08-21 (20-52-11).txt

Scan type: Quick Scan
Objects scanned: 103239
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


KSCAN BELOW

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Saturday, August 22, 2009
 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Saturday, August 22, 2009 04:21:40
 Records in database: 2674329
--------------------------------------------------------------------------------

Scan settings:
   scan using the following database: extended
   Scan archives: yes
   Scan e-mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\
   F:\
   H:\
   I:\
   J:\
   K:\

Scan statistics:
   Objects scanned: 93025
   Threats found: 8
   Infected objects found: 7
   Suspicious objects found: 1
   Scan duration: 02:18:31


File name / Threat / Threats count
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-708d1fe9   Infected: Exploit.Java.Gimsh.b   1
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE   Infected: not-a-virus:AdWare.Win32.SearchIt.t   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACemmyqyrdqj.sys.vir   Infected: Rootkit.Win32.Agent.moy   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChnywkvlsxw.dll.vir   Infected: Trojan.Win32.Tdss.ajkj   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACklnxnvrlae.dll.vir   Infected: Trojan.Win32.Tdss.anrc   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACotqluqqrfb.dll.vir   Infected: Packed.Win32.Tdss.m   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpxkjqeuwrb.dll.vir   Infected: Packed.Win32.TDSS.y   1

Selected area has been scanned.

Offline guestolo
Help! Aliens have invaded!
« Reply #28 on: August 22, 2009, 12:21:19 PM »
How is everything running on your end now?
It's looking a lot better



Offline cingal08
Help! Aliens have invaded!
« Reply #29 on: August 22, 2009, 12:29:33 PM »
[quote name='guestolo' post='464855' date='Aug 22 2009, 12:21 PM']How is everything running on your end now?
It's looking a lot better[/quote]

It is running GOOD!! Doing what it is supposed to do!! No problem connecting on the first time.  Using Firefox.  Which is much better.  I haven't been surfing or anything yet.  Haven't been using it except to do what you tell me.  But yes, my downloads and everything are going great.  Thank you ever so much!!

Offline guestolo
Help! Aliens have invaded!
« Reply #30 on: August 22, 2009, 01:12:48 PM »
Let's do a bit of cleaning up

Go to START>>in the search field type in run
Hit Enter
In the run command, copy and paste the following

combofix /u
Hit Enter, this will uninstall ComboFix and its components

Let's update Sun Java, Adobe Reader, and Adobe Flash, to help plug some security holes that malware can use to infect your computer

Open Control Panel, In Classic view, open the Java icon
and select Settings under Temporary files>>then Delete files, when complete close Java
access Programs and Features
At this point close All Browser windows that are open
Uninstall the following:
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Adobe Reader 7.0.9


After removal, open your browser and come back here
Go to the following link
http://kb2.adobe.com/cps/141/tn_14157.html

Download and save to desktop the uninstaller for Flash
uninstall_flash_player.exe
Once saved to desktop, again close all browser windows
Right click on the Flash uninstaller and choose to "Run as Administrator"

After successfully running the uninstaller, you can manually delete it from desktop
Right click on the Hijackthis shortcut and "Run as Admin"
Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {8FD66659-A7AF-4641-9999-C56607D3A0AB} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Right click on OTL.exe, choose to "Run as Admin"
Click on the Cleanup button and follow the prompts
This will help to remove tools that we used and remove OTL itself
Allow to reboot the computer at the prompt

Back in Windows
Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JRE 6 Update 16".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, beside PLATFORM:>>Check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Then from your desktop right-click on jre-6u16-windows-i586.exe that you downloaded, choose "Run as Admin" to install the newest version.
NOTE: Java may install a Quick Starter service to run on startup which is really not needed
After installation, simply open the Java icon in Control Panel
Under Advanced tab, expand Miscellaneous, untick "Java Quick Starter" if selected
Apply and Ok it, then exit the Java control panel

You can delete the Java installer after successful installation
Update your Flash, using Internet Explorer
go to the following link
http://www.adobe.com/products/flashplayer/

Allow ActiveX control install when prompted
DO NOT install any Toolbar related software, unless preferred
UNTICK the selection to install any

After you have updated Flash for IE
Then install Flash for Firefox
Using the Firefox browser, again go to the following link
http://www.adobe.com/products/flashplayer/
Download/save to desktop the Flash installer
Close Firefox
Run the installer to install latest flash

Update Adobe Reader
Go to the following link
http://get.adobe.com/reader/
Download and Install the latest
NOTE: When installing, if you have the option to untick any Toolbars, etc.. they may add to the installer
Choose NOT to install any, they are not needed for the A. Reader to function properly
That really goes with any free software, if a toolbar is not needed or wanted, why install it


I suggest that you add SpywareBlaster to your protection software
SpywareBlaster  by JavaCool  
At the link you can read more about it then continue with
Free Download on the right>>Continue Download at next page
Basically it will:
  • block bad ActiveX controls
  • block malevolent cookies in Internet Explorer and Firefox
  • restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
Check for updates every couple of weeks
After every update just simply click "Enable Protection For All Unprotected Items"
or again, click on Protection Status>>Enable All Protection

You may have an old email with an infected attachment; carefully go through any emails
in Outlook and remove any you are unsure about, then clear your Deleted Items folder
After all the above is complete

Can you again Right click on Hijackthis and choose to "Run as Admin">>Select to do a System Scan and Save logfile and post back here the new log that opens

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


guestolo
Help! Aliens have invaded!
« Reply #31 on: August 22, 2009, 01:28:49 PM »
HI again Cingal08
In my last reply I asked you to run many of the tools by right-clicking on them and choosing "Run as Administrator"
You can ignore that step, just double click on them to run them
For some reason, I had in my mind you were running Vista, just noticed you have XP SP3

Sorry if there was any confusion



cingal08
Help! Aliens have invaded!
« Reply #32 on: August 22, 2009, 10:57:23 PM »
Quote (guestolo, Aug 22 2009, 01:28 PM)
HI again Cingal08
In my last reply I asked you to run many of the tools by right-clicking on them and choosing "Run as Administrator"
You can ignore that step, just double click on them to run them
For some reason, I had in my mind you were running Vista, just noticed you have XP SP3

Sorry if there was any confusion

Hi, I'm back.  I completed all of the above successfully.  The only thing I didn't find was a couple of the check marks in the first HJT log.  There were a couple of the files already gone.  Hoping they were already cleaned?  I am posting the HJT log I completed after everything was finished. I do not see those files in the current HJT log either.

I wanted to ask you since we are cleaning things up....can I get rid of the Ad-Aware?  It appears to be useless.  And anything else you think could be possibly useless, harmful or risky, I will ditch.  Just let me know.  Thanks a million.

Cindy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:36 PM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /Get1noarp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...oad/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119489249703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140026350671
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10148 bytes

guestolo
Help! Aliens have invaded!
« Reply #33 on: August 23, 2009, 10:12:10 AM »
Quote
can I get rid of the Ad-Aware
Yes you can; personally I haven't used it in a while. Your choice
Ensure to reboot the computer after removal

Back in Windows
To help speed startup time and save resources, optionally do the following
Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /Get1noarp

You can manually check for updates within Adobe Reader under the HELP menu
Also, you can select Preferences and decide when to have Adobe check for updates:
weekly or monthly, or not at all, and check manually
Note: After installing the newer version of Adobe Reader, it's a good idea to double check manually in the Help menu to see if there are still more updates

You may also want to disable entries related to HP Updater and manually check for updates yourself
From your Start>>All Programs menu
You can optionally tick the next entries
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe


After you have ticked any of the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer
Take a look at the following link for more ideas
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Hope that helps :)

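As an added example (not code from this thread, nor from Trend Micro's HijackThis), the Python below parses the sections that appear in Cindy's log above (R1, O2, O4, O16, O23) into records, then matches the three O4 lines guestolo asked to have ticked in reply #33 against the parsed log the way "Fix checked" works: on whole lines. The sample log lines are copied from the posted log; the Entry record, the function names and the CHECKED list are this example's own, not anything HijackThis provides. It also pulls out the R1 ProxyServer/ProxyOverride values, since the posted log routes IE through actsvr.comcastonline.com:8100 and that is the kind of setting a helper should confirm with the user rather than assume.

```python
"""Parse HijackThis 2.0.x log lines into records and pick out the
entries a helper has asked to have fixed.

Added example for this thread; not code from the thread or from Trend
Micro's HijackThis. The sample lines are copied from the posted log, so
the layout is real HijackThis output, but only the sections present in
that log (R1, O2, O4, O16, O23) are recognised.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /Get1noarp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed: the three entries guestolo asked to have ticked in reply #33.
CHECKED = [
    r"O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup",
    r'O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    r'O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /Get1noarp',
]

# One regex per HijackThis section; the group names become the record's fields.
PATTERNS = [
    # R0/R1: IE start/search pages and Internet Settings values such as ProxyServer
    re.compile(r"^R[01] - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"),
    # O2: Browser Helper Objects loaded into IE
    re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$"),
    # O4: Run/RunOnce values per hive; HKUS lines carry the user SID
    re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<command>.+)$"),
    # O4: shortcuts in the Startup folders
    re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?) = (?P<command>.+)$"),
    # O16: ActiveX controls installed from a URL (Downloaded Program Files)
    re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"),
    # O23: services; the short service name in parentheses is optional
    re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<company>.+?) - (?P<path>.+)$"),
]


@dataclass
class Entry:
    section: str              # "R1", "O4", "O23", ...
    raw: str                  # the line exactly as HijackThis printed it
    fields: dict = field(default_factory=dict)


def parse_log(text):
    """Return one Entry per recognised line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                fields = {k: v for k, v in m.groupdict().items() if v is not None}
                entries.append(Entry(line.split(" ", 1)[0], line, fields))
                break
    return entries


def startup_entries(entries):
    """Everything HijackThis reports under O4 (Run keys and Startup folders)."""
    return [e for e in entries if e.section == "O4"]


def proxy_settings(entries):
    """R1 ProxyServer/ProxyOverride values: the proxy IE's traffic goes through."""
    return {e.fields["value"]: e.fields["data"] for e in entries
            if e.section == "R1" and e.fields["value"] in ("ProxyServer", "ProxyOverride")}


def select_for_fix(entries, checked_lines):
    """Match the lines a helper asked to tick against the parsed log.

    'Fix checked' acts on whole lines, so matching is exact apart from
    whitespace. Lines that are not in the log (mistyped, or already gone,
    as Cindy found) are returned separately instead of being dropped.
    """
    by_raw = {" ".join(e.raw.split()): e for e in entries}
    matched, missing = [], []
    for line in checked_lines:
        entry = by_raw.get(" ".join(line.split()))
        if entry is None:
            missing.append(line)
        else:
            matched.append(entry)
    return matched, missing


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    matched, missing = select_for_fix(entries, CHECKED)
    for e in matched:
        print("fix:", e.fields["hive"], e.fields["key"], e.fields["name"])
    for line in missing:
        print("not in log:", line)
    print("proxy:", proxy_settings(entries))
```

Matching on the whole line is deliberate: HijackThis removes the registry value or shortcut named on the line it shows, so a helper's list and the user's log have to agree exactly, and an entry that has already disappeared (as happened with some of the first log's items here) shows up in the "missing" list rather than silently doing nothing.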


cingal08
Help! Aliens have invaded!
« Reply #34 on: August 24, 2009, 07:12:13 PM »
Hi guestolo
I did all you requested.  I went to the link and did some of the clean ups suggested.  I still have some programs on this computer that I am unsure of what they are or if I need them.  So I will go through them and ditch the ones I don't need.  That may take a little bit of time.  But the long and short of it...the computer is running GREAT!!!!  So...anything else you can offer?  Thank you ever so much for everything!!

guestolo
Help! Aliens have invaded!
« Reply #35 on: August 27, 2009, 09:06:19 PM »
I think everything should be running well if you followed my last link
How is everything running? If all is good, I'll lock this topic
