# Browser Redirect



## Ordietrying (Oct 5, 2010)

Hi. I've scanned my PC with about four different Antimalware programs. While they have found infections and fixed them, the problem persists. The virus only seems to affect links, and can be circumnavigated by typing the address manually. Any help you could offer would be greatly appreciated!

Specs:

Tech Support Guy System Info Utility version 1.0.0.1
OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
Processor: AMD Phenom(tm) 8650 Triple-Core Processor, x86 Family 16 Model 2 Stepping 3
Processor Count: 3
RAM: 3326 Mb
Graphics Card: ATI Radeon HD 4800 Series, 512 Mb
Hard Drives: C: Total - 953859 MB, Free - 470087 MB; 
Motherboard: Gigabyte Technology Co., Ltd., GA-MA790X-UD4P, x.x, 
Antivirus: avast! Antivirus, Updated: Yes, On-Demand Scanner: Enabled

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:09 AM, on 10/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PC Protection\Avast!\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PCPROT~1\Avast!\avastUI.exe
C:\PC Protection\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PC Protection\Hijack This\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast5] C:\PCPROT~1\Avast!\avastUI.exe /nogui
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\PC Protection\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C}: NameServer = 192.168.5.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8}: NameServer = 192.168.0.1
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\PC Protection\Avast!\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\PC Protection\Avast!\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\PC Protection\Avast!\AvastSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Arg\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5289 bytes

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Administrator at 11:44:39.89 on Tue 10/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2724 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PC Protection\Avast!\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PCPROT~1\Avast!\avastUI.exe
C:\PC Protection\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PC Protection\Hijack This\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = 
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = 
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avast5] c:\pcprot~1\avast!\avastUI.exe /nogui
mRun: [ZoneAlarm Client] "c:\pc protection\zonealarm\zlclient.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C} = 192.168.5.1
TCP: {CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8} = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7anms4f2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-26 165584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-3 486280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-26 17744]
R2 avast! Antivirus;avast! Antivirus;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-5-4 68136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gscv2\WLService.exe [2009-7-28 65596]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2009-7-28 198144]
S3 pbfilter;pbfilter;c:\tools\peerblock\pbfilter.sys [2010-7-11 14424]

=============== Created Last 30 ================

2010-10-05 01:28:55 85841020 ----a-w- C:\backup2.reg
2010-10-04 23:59:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 23:59:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 23:53:39 85783994 ----a-w- C:\backup.reg
2010-10-04 22:28:59 0 d-----w- C:\!KillBox
2010-10-03 22:03:51 0 d-----w- c:\program files\Crawler
2010-09-30 20:40:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-17 19:01:58 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

==================== Find3M ====================

2010-10-05 15:11:58 16608 ----a-w- c:\windows\gdrv.sys
2010-10-03 15:17:09 3888 ----a-w- c:\windows\system32\drivers\NTHANDLE.SYS
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-31 04:32:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-07-23 06:13:29 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2009-05-04 22:07:27 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-05-05 05:46:53 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-05-04 22:07:27 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-05-04 22:07:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 11:46:01.26 ===============

I could not generate a GMER log as the scanner would not function. I did uninstall Daemon Tools and it still didn't work. Thanks again!


----------



## Blade81 (Oct 27, 2006)

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this do following, please.

Please Download *Rootkit Unhooker* Save it to your desktop.
Now double-click on *RKUnhookerLE.exe *to run it.
Click the *Report *tab, then click *Scan*.
Check (Tick) *Drivers, Stealth, Files, Code Hooks*. Uncheck the rest. then Click *OK*.
Wait till the scanner has finished and then click *File, Save Report*.
Save the report somewhere where you can find it. Click *Close*.
Copy the entire contents of the report + fresh dds.txt contents and paste them in a reply here.

Note** you may get this warning it is ok, just ignore

*Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?*


----------



## Ordietrying (Oct 5, 2010)

Hey, thanks for getting back to me! Here is the information you requested. I appreciate your time.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #3
==============================================
>Drivers
==============================================
0xB4EA5000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 4939776 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF1FC000 C:\WINDOWS\System32\ati3duag.dll 3567616 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF563000 C:\WINDOWS\System32\ativvaxx.dll 2179072 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB4CCB000 C:\WINDOWS\system32\drivers\P17.sys 1404928 bytes (Creative Technology Ltd., WDM Audio Miniport)
0xB9EB4000 PCI_PNP9238 995328 bytes
0xB9EB4000 splj.sys 995328 bytes
0xB9EB4000 sptd 995328 bytes
0xBF060000 C:\WINDOWS\System32\ati2cqag.dll 638976 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF0FC000 C:\WINDOWS\System32\atikvmag.dll 630784 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xA88EE000 C:\WINDOWS\System32\vsdatant.sys 589824 bytes (Check Point Software Technologies LTD, TrueVector Device Driver)
0xB9D12000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA873A000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF196000 C:\WINDOWS\System32\atiok3x2.dll 417792 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)
0xB4B1D000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA8A2C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA54B7000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA4C8B000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB4C18000 C:\WINDOWS\System32\Drivers\ac908b25.SYS 233472 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA897E000 C:\WINDOWS\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)
0xA87F7000 C:\WINDOWS\System32\drivers\truecrypt.sys 217088 bytes (TrueCrypt Foundation, TrueCrypt Driver)
0xA86BA000 C:\WINDOWS\system32\DRIVERS\WUSB54GSCV2.sys 200704 bytes (Broadcom Corporation, Broadcom Virtual NDIS-WDM Miniport Driver)
0xB4C77000 C:\WINDOWS\system32\DRIVERS\ctoss2k.sys 196608 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))
0xB4BC0000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9E6E000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB9CE5000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA5627000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xA03E4000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA87AA000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB4E69000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA89B6000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA5653000 C:\WINDOWS\system32\DRIVERS\nwrdr.sys 163840 bytes (Microsoft Corporation, NetWare Redirector File System Driver)
0xA8713000 C:\WINDOWS\System32\Drivers\aswSP.SYS 159744 bytes (AVAST Software, avast! self protection module)
0xB4C51000 C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys 155648 bytes (Creative Technology Ltd, SoundFont(R) Manager (WDM))
0xB9E18000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA89DE000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB4CA7000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB4E22000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB4E46000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA88CC000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA87D5000 C:\PC Protection\Super Antispyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E4000 ACPI_HAL 134528 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9DC8000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9E3E000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB4BA3000 C:\WINDOWS\system32\DRIVERS\mcdbus.sys 118784 bytes (MagicISO, Inc., MagicISO SCSI Host Controller)
0xA8AE0000 C:\WINDOWS\system32\drivers\AtiHdmi.sys 110592 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)
0xB9CCB000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9E00000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9DE8000 jraid.sys 98304 bytes (JMicron Technology Corp., JMicron JMB36X RAID Driver)
0xB9E9C000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xA5833000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xB9D9F000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB4C01000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA59DA000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
0xA5092000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB4E91000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8A85000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9DB6000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9E5D000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB4BF0000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA8681000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xA45F8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB537B000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA308000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xBA0A8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA318000 C:\WINDOWS\system32\DRIVERS\rspndr.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0xBA148000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\AmdLLD.sys 61440 bytes (AMD, Inc., AMD Low Level Device Driver)
0xBA138000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB536B000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA5327000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0B8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB53EB000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xB53AB000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA158000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA288000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB538B000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA168000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA238000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
0xB535B000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 40960 bytes (GEAR Software Inc., CD DVD Filter)
0xBA0C8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1C8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA198000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA258000 C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys 36864 bytes (Microsoft Corporation, IPv6 Windows Firewall Driver)
0xBA188000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA268000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA355E000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA248000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA458000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA478000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA4B0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA440000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA470000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xBA400000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA460000 C:\PC Protection\Super Antispyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xBA448000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA5C10000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xBA450000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA338000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA4A8000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xBA498000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA554B000 C:\WINDOWS\system32\GTNDIS5.SYS 16384 bytes (Printing Communications Assoc., Inc. (PCAUSA), PCAUSA NDIS 5.0 Protocol Driver)
0xB55FE000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA590000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA5AE4000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA570000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xA8AC0000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA8A10000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB55F2000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 12288 bytes (Microsoft Corporation, File System Recognizer Driver)
0xA5267000 C:\WINDOWS\gdrv.sys 12288 bytes (Windows (R) 2000 DDK provider, GIGABYTE Tools)
0xA8AD0000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA8AB8000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA574000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB55EA000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB9C97000 C:\WINDOWS\system32\DRIVERS\tunmp.sys 12288 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0xBA558000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA630000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA632000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA634000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA618000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA61C000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\System32\Drivers\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA78A000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA71F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA6FE000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8AF061F8 unknown_irp_handler 3592 bytes
0x89E531F8 unknown_irp_handler 3592 bytes
0x8AA501F8 unknown_irp_handler 3592 bytes
0x8AF071F8 unknown_irp_handler 3592 bytes
0x8AF081F8 unknown_irp_handler 3592 bytes
0x8AA221F8 unknown_irp_handler 3592 bytes
0x8AE961F8 unknown_irp_handler 3592 bytes
0x8A0241F8 unknown_irp_handler 3592 bytes
0x8AA0B1F8 unknown_irp_handler 3592 bytes
0x8A0221F8 unknown_irp_handler 3592 bytes
0x890201F8 unknown_irp_handler 3592 bytes
0x8AB37500 unknown_irp_handler 2816 bytes
!!!!!!!!!!!Hidden driver: 0x8AB50AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x8AC1B2F0 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9E00000 WARNING: suspicious driver modification [atapi.sys::0x8AB50AEA]
0x05F60000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 102400 bytes
0x06A90000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 1150976 bytes
0x00DF0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x8996DDA0 ] PID: 1932, 118784 bytes
0x03970000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 118784 bytes
0x067D0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 118784 bytes
0x05DD0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 135168 bytes
0x05D30000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 151552 bytes
0x06400000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 1740800 bytes
0x06350000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 217088 bytes
0x05D60000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 233472 bytes
0x00FC0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x8996DDA0 ] PID: 1932, 28672 bytes
0x011F0000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x8996DDA0 ] PID: 1932, 28672 bytes
0x05700000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x045F0000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x00E20000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x00E50000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x03B60000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x03D30000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04050000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04090000 Hidden Image-->AEM.Plugin.WinMessages.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04070000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04690000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x046A0000 Hidden Image-->CLI.Caste.HydraVision.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04A50000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04B50000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04B00000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04AF0000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04B20000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04CC0000 Hidden Image-->DEM.Graphics.I0804.dll [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04CA0000 Hidden Image-->ResourceManagement.Foundation.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04FF0000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05060000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x052C0000 Hidden Image-->DEM.Graphics.I0812.dll [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x050A0000 Hidden Image-->DEM.Graphics.I0805.dll [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x050E0000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05140000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05180000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05290000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x052B0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05370000 Hidden Image-->DEM.Graphics.I0703.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x055C0000 Hidden Image-->CLI.Caste.HydraVision.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05810000 Hidden Image-->AEM.Plugin.REG.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05AC0000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05BF0000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05C80000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05DC0000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05CC0000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05CD0000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05D20000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05E00000 Hidden Image-->CLI.Caste.HydraVision.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05FA0000 Hidden Image-->Branding.dll [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x05FC0000 Hidden Image-->atixclib.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 28672 bytes
0x04A80000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 299008 bytes
0x01210000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8996DDA0 ] PID: 1932, 307200 bytes
0x00E90000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8999C990 ] PID: 3200, 307200 bytes
0x012F0000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x8996DDA0 ] PID: 1932, 36864 bytes
0x05080000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x04AE0000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x039B0000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x039E0000 Hidden Image-->AxInterop.WBOCXLib.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x03B40000 Hidden Image-->Interop.WBOCXLib.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x03D00000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x04600000 Hidden Image-->CLI.Caste.HydraVision.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x051A0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x051C0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x05250000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x052A0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x05CB0000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 36864 bytes
0x06390000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 372736 bytes
0x070B0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 372736 bytes
0x05C10000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 413696 bytes
0x060D0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 413696 bytes
0x06760000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 446464 bytes
0x00E90000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x8996DDA0 ] PID: 1932, 45056 bytes
0x00E20000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x8996DDA0 ] PID: 1932, 45056 bytes
0x012C0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x8996DDA0 ] PID: 1932, 45056 bytes
0x00DF0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 45056 bytes
0x00E10000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 45056 bytes
0x00EF0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 45056 bytes
0x03B90000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 45056 bytes
0x05150000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 45056 bytes
0x05100000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 45056 bytes
0x05190000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 45056 bytes
0x05240000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 45056 bytes
0x046B0000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x8999C990 ] PID: 3200, 454656 bytes
0x05ED0000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 503808 bytes
0x05FD0000 Hidden Image-->ResourceManagement.Foundation.Implementation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 512000 bytes
0x03B20000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x03B50000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x03CF0000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x04030000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x045E0000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x05070000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x05110000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x051D0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x05AB0000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x05C90000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0x05F50000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 53248 bytes
0xB53AB000 WARNING: Virus alike driver modification [AmdPPM.sys], 53248 bytes
0x05820000 Hidden Image-->CLI.Component.Systemtray.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 552960 bytes
0x07110000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 602112 bytes
0x05200000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 61440 bytes
0x05280000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 61440 bytes
0x05350000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 61440 bytes
0x053B0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 61440 bytes
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]
0x06E60000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 684032 bytes
0x071B0000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 684032 bytes
0x03990000 Hidden Image-->CLI.Component.SkinFactory.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 69632 bytes
0x04A60000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 69632 bytes
0x04FD0000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 69632 bytes
0x05260000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 69632 bytes
0x05330000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 69632 bytes
0x05310000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 69632 bytes
0x06810000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Wizard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 700416 bytes
0x05E10000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 724992 bytes
0x00EA0000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x8996DDA0 ] PID: 1932, 77824 bytes
0x00E60000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 77824 bytes
0x05040000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 77824 bytes
0x05120000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 77824 bytes
0x06FE0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 806912 bytes
0x07280000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 823296 bytes
0x00E30000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 86016 bytes
0x050B0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 86016 bytes
0x052F0000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 86016 bytes
0x05D00000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 86016 bytes
0x03AE0000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 94208 bytes
0x04B60000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 94208 bytes
0x05380000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x8999C990 ] PID: 3200, 94208 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\System Volume Information\_restore{9D6434AD-4BCB-4D3D-9D4D-6B6E4F47F43B}\RP454\A0165877.ini
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8476.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8478.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8480.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8482.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8484.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8486.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8487.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8488.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8490.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8492.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8494.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8496.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8497.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8498.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8500.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8502.xml
!-->[Hidden] C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8504.xml
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D584, Type: Inline - RelativeJump 0x80504584-->80504534 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D590, Type: Inline - RelativeJump 0x80504590-->80504524 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D85C, Type: Inline - RelativeJump 0x8050485C-->8050480C [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECCE, Type: Inline - RelativeJump 0x80545CCE-->80545CD5 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x8058413A-->A8728B10 [aswSP.SYS]
ntkrnlpa.exe-->ObInsertObject, Type: Inline - RelativeJump 0x805C2FB2-->A8725FFA [aswSP.SYS]
ntkrnlpa.exe-->ObMakeTemporaryObject, Type: Inline - RelativeJump 0x805BC52E-->A87245D4 [aswSP.SYS]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xA8A6B428-->A89287C0 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xA8A6B454-->A8927E90 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xA8A6B460-->A8928080 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xBA24DB4C-->A89287C0 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xBA24DB1C-->A89263D0 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xBA24DB3C-->A8927E90 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xBA24DB28-->A8928080 [vsdatant.sys]
[1036]AvastUI.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1352]svchost.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1444]soundman.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1608]rundll32.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1724]CTSysVol.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[1932]MOM.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[2164]ctfmon.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[216]logon.scr-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[260]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[260]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[260]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[260]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[260]explorer.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[260]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[260]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[260]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[260]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[3200]CCC.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[496]AvastSvc.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C844935-->00000000 [unknown_code_page]
[852]winlogon.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]
[896]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x01001094-->00000000 [unknown_code_page]
[896]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001114-->00000000 [unknown_code_page]
[896]services.exe-->mswsock.dll-->WSPStartup, Type: Inline - RelativeJump 0x71A5C29B-->00000000 [unknown_code_page]

DDS (Ver_09-09-29.01) - NTFSx86 
Run by Administrator at 9:13:13.42 on Wed 10/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2419 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PC Protection\Avast!\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PCPROT~1\Avast!\avastUI.exe
C:\PC Protection\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = 
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = 
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [SUPERAntiSpyware] c:\pc protection\super antispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avast5] c:\pcprot~1\avast!\avastUI.exe /nogui
mRun: [ZoneAlarm Client] "c:\pc protection\zonealarm\zlclient.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C} = 192.168.5.1
TCP: {CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8} = 192.168.0.1
Notify: !SASWinLogon - c:\pc protection\super antispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\pc protection\super antispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7anms4f2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-26 165584]
R1 SASDIFSV;SASDIFSV;c:\pc protection\super antispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\pc protection\super antispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-3 486280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-26 17744]
R2 avast! Antivirus;avast! Antivirus;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-5-4 68136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gscv2\WLService.exe [2009-7-28 65596]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-2-26 99856]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2009-7-28 198144]
S3 pbfilter;pbfilter;\??\c:\tools\peerblock\pbfilter.sys --> c:\tools\peerblock\pbfilter.sys [?]

=============== Created Last 30 ================

2010-10-12 15:53 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2010-10-06 16:44 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-06 16:44 --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-10-05 14:27 --d----- c:\program files\DAEMON Tools Lite
2010-10-04 21:28 85,841,020 a------- C:\backup2.reg
2010-10-04 19:59 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 19:59 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-10-04 19:53 85,783,994 a------- C:\backup.reg
2010-10-04 18:28 --d----- C:\!KillBox
2010-10-03 18:03 --d----- c:\program files\Crawler
2010-09-30 16:40 38,848 a------- c:\windows\avastSS.scr

==================== Find3M ====================

2010-10-19 16:53 16,608 a------- c:\windows\gdrv.sys
2010-10-03 11:17 3,888 a------- c:\windows\system32\drivers\NTHANDLE.SYS
2010-09-18 12:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 02:53 974,848 a------- c:\windows\system32\mfc42.dll
2010-09-18 02:53 954,368 a------- c:\windows\system32\mfc40.dll
2010-09-18 02:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-10 01:58 916,480 a------- c:\windows\system32\wininet.dll
2010-09-10 01:58 43,520 a------- c:\windows\system32\licmgr10.dll
2010-09-01 07:48 285,824 a------- c:\windows\system32\atmfd.dll
2010-08-31 09:38 1,861,888 a------- c:\windows\system32\win32k.sys
2010-08-27 04:02 119,808 a------- c:\windows\system32\t2embed.dll
2010-08-27 02:05 99,840 a------- c:\windows\system32\srvsvc.dll
2010-08-26 09:37 357,248 a------- c:\windows\system32\drivers\srv.sys
2010-08-26 08:52 5,120 a------- c:\windows\system32\xpsp4res.dll
2010-08-23 12:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-17 09:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-08-16 04:43 590,848 a------- c:\windows\system32\rpcrt4.dll
2010-07-31 00:32 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-04 18:07 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-05-05 01:46 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-05-04 18:07 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-05-04 18:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 9:14:47.69 ===============


----------



## Blade81 (Oct 27, 2006)

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


*Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix*, link
Remember to re-enable them afterwards.

Click *Yes* to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

*C:\ComboFix.txt
New dds log.*

*A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.*


----------



## Ordietrying (Oct 5, 2010)

I had to run Combofix in safe mode. I hope that's ok.

ComboFix 10-10-20.01 - Administrator 10/21/2010 1:35.1.3 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2990 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\readme.txt
c:\windows\settings.reg
c:\windows\system32\Data

.
((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-12 19:53 . 2010-10-12 19:53 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-10-06 20:44 . 2010-10-06 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-06 20:44 . 2010-10-06 20:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-05 18:27 . 2010-10-05 18:27 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-10-05 01:28 . 2010-10-05 01:29 85841020 ----a-w- C:\backup2.reg
2010-10-04 23:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 23:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 23:53 . 2010-10-04 23:53 85783994 ----a-w- C:\backup.reg
2010-10-04 22:28 . 2010-10-04 22:28 -------- d-----w- C:\!KillBox
2010-10-03 22:03 . 2010-10-04 22:25 -------- d-----w- c:\program files\Crawler
2010-09-30 20:40 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-04-18 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"SUPERAntiSpyware"="c:\pc protection\Super Antispyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"P17Helper"="P17.dll" [2005-05-04 64512]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-18 61440]
"ZoneAlarm Client"="c:\pc protection\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\pc protection\Super Antispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\pc protection\Super Antispyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 17:53 77824 ----a-w- c:\dual core optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro]
2007-10-23 06:48 344064 ------w- c:\program files\HP USB Multimedia Keyboard\Kmaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 15:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 06:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-09 02:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2007-02-26 14:40 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-15 01:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-01-13 06:37 18084864 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-03-18 02:24 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-12-03 16:19 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Games\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Games\\Soldat\\Soldat\\Soldat.exe"=
"c:\\Games\\Battlefield 1942\\BF1942.exe"=
"c:\\Games\\Saints Row 2\\SR2_pc.exe"=
"c:\\Games\\Quake III Arena\\quake3.exe"=
"c:\\Games\\Microsoft Games\\Mechwarrior Mercenaries\\MW4MERCS.ICD"=
"c:\\Games\\Microsoft Games\\Mechwarrior Mercenaries\\MW4Mercs.exe"=
"c:\\Games\\Kane and Lynch - Dead Men\\kaneandlynch.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\iTunes\\iTunes.exe"=
"c:\\Games\\Age of Empires 3\\age3.exe"=
"c:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Games\\Age of Empires 2\\age2_x1\\age2_x1.icd"=
"c:\\Games\\Dead Space\\Dead Space.exe"=
"c:\\Games\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Games\\Section 8\\Binaries\\S8Game-F.exe"=
"c:\\Games\\Steam\\SteamApps\\clevertrevor717\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Games\\Guild Wars\\Gw.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\opposing force\\hl.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Games\\Call of Juarez\\CoJBiBGame_x86.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\age of chivalry\\hl2.exe"=
"c:\\Games\\Stronghold 2\\Stronghold2.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56257:TCP"= 56257:TCPando Media Booster
"56257:UDP"= 56257:UDPando Media Booster

R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [7/28/2009 7:10 PM 198144]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 12:19 AM 165584]
S1 SASDIFSV;SASDIFSV;c:\pc protection\Super Antispyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\pc protection\Super Antispyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 12:19 AM 17744]
S2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [5/4/2009 6:18 PM 68136]
S2 WUSB54GSC;WUSB54GSC;c:\program files\Linksys\WUSB54GSCv2\WLService.exe [7/28/2009 7:10 PM 65596]
S3 pbfilter;pbfilter;\??\c:\tools\PeerBlock\pbfilter.sys --> c:\tools\PeerBlock\pbfilter.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/12/2009 5:07 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 06:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = 
TCP: {BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C} = 192.168.5.1
TCP: {CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7anms4f2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe
MSConfigStartUp-winupdate - c:\recycler\winupdate.exe
AddRemove-Adobe Photoshop 7.0 - c:\my stuff\Photoshop 7\Uninst.isu
AddRemove-Lords of the Realm II - c:\games\Lords of the Realm 2\SIERRA\Lords2\Uninst.isu

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,c3,87,7a,97,c7,b8,12,46,b7,14,15,b1,3e,1e,9c,2f,09,93,23,31,95,4f,
a5,6f,75,f2,d0,59,91,95,32,51,79,fc,cf,0c,d8,33,90,a5,5b,6f,f9,fc,5d,ce,89,\
"??"=hex:fd,e5,48,fd,b4,bf,01,41,da,ae,4a,61,c7,3f,cf,6a

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:1a,9d,ad,0f,69,a6,d7,d2,e9,0f,40,28,7b,b1,64,3b,b3,92,84,68,f5,
e6,a8,e5,14,2f,04,29,0c,91,f8,d3,96,b8,45,5d,24,14,38,7b,01,eb,24,32,52,51,\
"rkeysecu"=hex:8b,ec,67,0e,07,c3,4b,6c,0b,97,6b,79,e2,5c,7e,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\pc protection\Super Antispyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-10-21 01:42:19
ComboFix-quarantined-files.txt 2010-10-21 05:42

Pre-Run: 539,877,687,296 bytes free
Post-Run: 539,879,747,584 bytes free

- - End Of File - - 8135ACE006CE557E5945FF0485DBF673

DDS (Ver_09-09-29.01) - NTFSx86 
Run by Administrator at 1:48:51.84 on Thu 10/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2825 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PC Protection\Avast!\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PC Protection\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = 
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [SUPERAntiSpyware] c:\pc protection\super antispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\pc protection\zonealarm\zlclient.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C} = 192.168.5.1
TCP: {CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8} = 192.168.0.1
Notify: !SASWinLogon - c:\pc protection\super antispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\pc protection\super antispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7anms4f2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-26 165584]
R1 SASDIFSV;SASDIFSV;c:\pc protection\super antispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\pc protection\super antispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-3 486280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-26 17744]
R2 avast! Antivirus;avast! Antivirus;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-5-4 68136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gscv2\WLService.exe [2009-7-28 65596]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-2-26 99856]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2009-7-28 198144]
S3 pbfilter;pbfilter;\??\c:\tools\peerblock\pbfilter.sys --> c:\tools\peerblock\pbfilter.sys [?]

=============== Created Last 30 ================

2010-10-21 01:34 256,512 a------- c:\windows\PEV.exe
2010-10-21 01:34 161,792 a------- c:\windows\SWREG.exe
2010-10-21 01:34 98,816 a------- c:\windows\sed.exe
2010-10-21 01:34 77,312 a------- c:\windows\MBR.exe
2010-10-12 15:53 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2010-10-06 16:44 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-06 16:44 --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-10-05 14:27 --d----- c:\program files\DAEMON Tools Lite
2010-10-04 21:28 85,841,020 a------- C:\backup2.reg
2010-10-04 19:59 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 19:59 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-10-04 19:53 85,783,994 a------- C:\backup.reg
2010-10-04 18:28 --d----- C:\!KillBox
2010-10-03 18:03 --d----- c:\program files\Crawler
2010-09-30 16:40 38,848 a------- c:\windows\avastSS.scr

==================== Find3M ====================

2010-10-21 01:47 16,608 a------- c:\windows\gdrv.sys
2010-10-03 11:17 3,888 a------- c:\windows\system32\drivers\NTHANDLE.SYS
2010-09-18 12:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 02:53 974,848 a------- c:\windows\system32\mfc42.dll
2010-09-18 02:53 954,368 a------- c:\windows\system32\mfc40.dll
2010-09-18 02:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-10 01:58 916,480 a------- c:\windows\system32\wininet.dll
2010-09-10 01:58 43,520 a------- c:\windows\system32\licmgr10.dll
2010-09-01 07:48 285,824 a------- c:\windows\system32\atmfd.dll
2010-08-31 09:38 1,861,888 a------- c:\windows\system32\win32k.sys
2010-08-27 04:02 119,808 a------- c:\windows\system32\t2embed.dll
2010-08-27 02:05 99,840 a------- c:\windows\system32\srvsvc.dll
2010-08-26 09:37 357,248 a------- c:\windows\system32\drivers\srv.sys
2010-08-26 08:52 5,120 a------- c:\windows\system32\xpsp4res.dll
2010-08-23 12:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-17 09:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-08-16 04:43 590,848 a------- c:\windows\system32\rpcrt4.dll
2010-07-31 00:32 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-05 01:46 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-05-04 18:07 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-05-04 18:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 1:50:18.03 ===============

Thanks for your time.


----------



## Blade81 (Oct 27, 2006)

Hi,

Did you allow ComboFix install recovery console when requested? The log shows it wasn't installed. Please run ComboFix again and let the RC be installed.


----------



## Ordietrying (Oct 5, 2010)

I did allow it but it failed. Then I tried the manual install. That failed once but it worked after another try. Third time is the charm I guess Here are some fresh logs.

ComboFix 10-10-20.01 - Administrator 10/21/2010 11:22:48.2.3 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2907 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\a1b2c3d4.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\AmdPPM.sys was found and disinfected 
Restored copy from - Kitty had a snack  
.
((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-12 19:53 . 2010-10-12 19:53 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-10-06 20:44 . 2010-10-06 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-06 20:44 . 2010-10-06 20:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-05 18:27 . 2010-10-05 18:27 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-10-05 01:28 . 2010-10-05 01:29 85841020 ----a-w- C:\backup2.reg
2010-10-04 23:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 23:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 23:53 . 2010-10-04 23:53 85783994 ----a-w- C:\backup.reg
2010-10-04 22:28 . 2010-10-04 22:28 -------- d-----w- C:\!KillBox
2010-10-03 22:03 . 2010-10-04 22:25 -------- d-----w- c:\program files\Crawler
2010-09-30 20:40 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-04-18 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( [email protected]_05.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-21 15:21 . 2010-10-21 15:21 16384 c:\windows\Temp\Perflib_Perfdata_674.dat
+ 2008-04-14 15:00 . 2010-10-21 15:26 71264 c:\windows\system32\perfc009.dat
+ 2009-05-04 22:17 . 2010-10-21 15:21 16608 c:\windows\gdrv.sys
- 2009-05-04 22:17 . 2010-10-19 20:53 16608 c:\windows\gdrv.sys
+ 2008-04-14 15:00 . 2010-10-21 15:26 441454 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"SUPERAntiSpyware"="c:\pc protection\Super Antispyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"P17Helper"="P17.dll" [2005-05-04 64512]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-18 61440]
"ZoneAlarm Client"="c:\pc protection\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\pc protection\Super Antispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\pc protection\Super Antispyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 17:53 77824 ----a-w- c:\dual core optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro]
2007-10-23 06:48 344064 ------w- c:\program files\HP USB Multimedia Keyboard\Kmaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 15:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 06:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-09 02:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2007-02-26 14:40 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-15 01:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-01-13 06:37 18084864 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-03-18 02:24 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-12-03 16:19 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Games\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Games\\Soldat\\Soldat\\Soldat.exe"=
"c:\\Games\\Battlefield 1942\\BF1942.exe"=
"c:\\Games\\Saints Row 2\\SR2_pc.exe"=
"c:\\Games\\Quake III Arena\\quake3.exe"=
"c:\\Games\\Microsoft Games\\Mechwarrior Mercenaries\\MW4MERCS.ICD"=
"c:\\Games\\Microsoft Games\\Mechwarrior Mercenaries\\MW4Mercs.exe"=
"c:\\Games\\Kane and Lynch - Dead Men\\kaneandlynch.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\iTunes\\iTunes.exe"=
"c:\\Games\\Age of Empires 3\\age3.exe"=
"c:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Games\\Age of Empires 2\\age2_x1\\age2_x1.icd"=
"c:\\Games\\Dead Space\\Dead Space.exe"=
"c:\\Games\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Games\\Section 8\\Binaries\\S8Game-F.exe"=
"c:\\Games\\Steam\\SteamApps\\clevertrevor717\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Games\\Guild Wars\\Gw.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\opposing force\\hl.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Games\\Call of Juarez\\CoJBiBGame_x86.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\age of chivalry\\hl2.exe"=
"c:\\Games\\Stronghold 2\\Stronghold2.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56257:TCP"= 56257:TCPando Media Booster
"56257:UDP"= 56257:UDPando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 12:19 AM 165584]
R1 SASDIFSV;SASDIFSV;c:\pc protection\Super Antispyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\pc protection\Super Antispyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 12:19 AM 17744]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [5/4/2009 6:18 PM 68136]
R2 WUSB54GSC;WUSB54GSC;c:\program files\Linksys\WUSB54GSCv2\WLService.exe [7/28/2009 7:10 PM 65596]
R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [7/28/2009 7:10 PM 198144]
S3 pbfilter;pbfilter;\??\c:\tools\PeerBlock\pbfilter.sys --> c:\tools\PeerBlock\pbfilter.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/12/2009 5:07 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 06:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = 
TCP: {BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C} = 192.168.5.1
TCP: {CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7anms4f2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,c3,87,7a,97,c7,b8,12,46,b7,14,15,b1,3e,1e,9c,2f,09,93,23,31,95,4f,
a5,6f,75,f2,d0,59,91,95,32,51,79,fc,cf,0c,d8,33,90,a5,5b,6f,f9,fc,5d,ce,89,\
"??"=hex:fd,e5,48,fd,b4,bf,01,41,da,ae,4a,61,c7,3f,cf,6a

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:1a,9d,ad,0f,69,a6,d7,d2,e9,0f,40,28,7b,b1,64,3b,b3,92,84,68,f5,
e6,a8,e5,14,2f,04,29,0c,91,f8,d3,96,b8,45,5d,24,14,38,7b,01,eb,24,32,52,51,\
"rkeysecu"=hex:8b,ec,67,0e,07,c3,4b,6c,0b,97,6b,79,e2,5c,7e,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\pc protection\Super Antispyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-10-21 11:30:23
ComboFix-quarantined-files.txt 2010-10-21 15:30
ComboFix2.txt 2010-10-21 05:42

Pre-Run: 539,958,431,744 bytes free
Post-Run: 539,946,123,264 bytes free

- - End Of File - - 3FDA45AB0A14D6C0D15C139DEE938DB2

DDS (Ver_09-09-29.01) - NTFSx86 
Run by Administrator at 11:37:12.43 on Thu 10/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2671 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PC Protection\Avast!\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PC Protection\Avast!\AvastUI.exe
C:\PC Protection\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = 
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [SUPERAntiSpyware] c:\pc protection\super antispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\pc protection\zonealarm\zlclient.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C} = 192.168.5.1
TCP: {CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8} = 192.168.0.1
Notify: !SASWinLogon - c:\pc protection\super antispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\pc protection\super antispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7anms4f2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-26 165584]
R1 SASDIFSV;SASDIFSV;c:\pc protection\super antispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\pc protection\super antispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-3 486280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-26 17744]
R2 avast! Antivirus;avast! Antivirus;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-5-4 68136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gscv2\WLService.exe [2009-7-28 65596]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-2-26 99856]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2009-7-28 198144]
S3 pbfilter;pbfilter;\??\c:\tools\peerblock\pbfilter.sys --> c:\tools\peerblock\pbfilter.sys [?]

=============== Created Last 30 ================

2010-10-21 02:10 a-dshr-- C:\cmdcons
2010-10-21 01:34 256,512 a------- c:\windows\PEV.exe
2010-10-21 01:34 161,792 a------- c:\windows\SWREG.exe
2010-10-21 01:34 98,816 a------- c:\windows\sed.exe
2010-10-21 01:34 77,312 a------- c:\windows\MBR.exe
2010-10-12 15:53 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2010-10-06 16:44 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-06 16:44 --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-10-05 14:27 --d----- c:\program files\DAEMON Tools Lite
2010-10-04 21:28 85,841,020 a------- C:\backup2.reg
2010-10-04 19:59 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 19:59 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-10-04 19:53 85,783,994 a------- C:\backup.reg
2010-10-04 18:28 --d----- C:\!KillBox
2010-10-03 18:03 --d----- c:\program files\Crawler
2010-09-30 16:40 38,848 a------- c:\windows\avastSS.scr

==================== Find3M ====================

2010-10-21 11:21 16,608 a------- c:\windows\gdrv.sys
2010-10-03 11:17 3,888 a------- c:\windows\system32\drivers\NTHANDLE.SYS
2010-09-18 12:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 02:53 974,848 a------- c:\windows\system32\mfc42.dll
2010-09-18 02:53 954,368 a------- c:\windows\system32\mfc40.dll
2010-09-18 02:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-10 01:58 916,480 a------- c:\windows\system32\wininet.dll
2010-09-10 01:58 43,520 a------- c:\windows\system32\licmgr10.dll
2010-09-01 07:48 285,824 a------- c:\windows\system32\atmfd.dll
2010-08-31 09:38 1,861,888 a------- c:\windows\system32\win32k.sys
2010-08-27 04:02 119,808 a------- c:\windows\system32\t2embed.dll
2010-08-27 02:05 99,840 a------- c:\windows\system32\srvsvc.dll
2010-08-26 09:37 357,248 a------- c:\windows\system32\drivers\srv.sys
2010-08-26 08:52 5,120 a------- c:\windows\system32\xpsp4res.dll
2010-08-23 12:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-17 09:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-08-16 04:43 590,848 a------- c:\windows\system32\rpcrt4.dll
2010-07-31 00:32 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-05 01:46 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-05-04 18:07 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-05-04 18:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 11:38:01.04 ===============

Thanks for your time.


----------



## Blade81 (Oct 27, 2006)

That looks better 

Open notepad and copy/paste the text in the quotebox below into it:


```
DDS::
uSearchAssistant =
```
Save this as
CFScript

*A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.*










Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

*Uninstall old Adobe Reader versions* and get the latest one (9.4) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

*Your Java is out of date.* Older versions have vulnerabilities that malware can use to infect your system. *Please follow these steps to remove older version Java components and update to the latest version...*

*Updating Java:*

Download the latest version of *Java Runtime Environment (JRE) 6 Update 22*.
Click the
*Download*
button to the right.
Select Windows on platform combobox and check the box that says:
*Accept*_ License Agreement_. Click continue.

The page will refresh.
Click on the link to download _Windows Offline Installation_ with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel* double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the *Remove* or *Change/Remove* button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on *jre-6u22-windows-i586-p.exe* to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under *Main* choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*_The other boxes are optional_*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with *Kaspersky Online Scanner* as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.


----------



## Ordietrying (Oct 5, 2010)

That Kaspersky scan was some fun shennanigans. But it looks like it found something! Here are the other logs you requested as well.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 22, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 22, 2010 15:10:58
Records in database: 4184543
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\

Scan statistics:
Objects scanned: 249918
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 03:42:20

File name / Threat / Threats count
C:\System Volume Information\_restore{9D6434AD-4BCB-4D3D-9D4D-6B6E4F47F43B}\RP456\A0166387.sys Infected: Virus.Win32.TDSS.b 1

Selected area has been scanned.

DDS (Ver_09-09-29.01) - NTFSx86 
Run by Administrator at 20:24:21.78 on Fri 10/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2496 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PC Protection\Avast!\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\PC Protection\Avast!\AvastUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Games\Steam\Steam.exe
c:\games\steam\steamapps\common\bioshock\Builds\Release\bioshock.exe
C:\Games\Steam\GameOverlayUI.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = 
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] c:\pc protection\super antispyware\SUPERAntiSpyware.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\pc protection\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: {BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C} = 192.168.5.1
TCP: {CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8} = 192.168.0.1
Notify: !SASWinLogon - c:\pc protection\super antispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\pc protection\super antispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7anms4f2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\7anms4f2.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-26 165584]
R1 SASDIFSV;SASDIFSV;c:\pc protection\super antispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\pc protection\super antispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-3 486280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-26 17744]
R2 avast! Antivirus;avast! Antivirus;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-5-4 68136]
R2 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gscv2\WLService.exe [2009-7-28 65596]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-2-26 99856]
R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2009-7-28 198144]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\pc protection\avast!\AvastSvc.exe [2010-4-26 40384]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
S3 pbfilter;pbfilter;\??\c:\tools\peerblock\pbfilter.sys --> c:\tools\peerblock\pbfilter.sys [?]

=============== Created Last 30 ================

2010-10-22 14:44 472,808 a------- c:\windows\system32\deployJava1.dll
2010-10-22 14:44 73,728 a------- c:\windows\system32\javacpl.cpl
2010-10-22 12:08 256,512 a------- c:\windows\PEV.exe
2010-10-22 12:08 161,792 a------- c:\windows\SWREG.exe
2010-10-22 12:08 98,816 a------- c:\windows\sed.exe
2010-10-22 12:08 77,312 a------- c:\windows\MBR.exe
2010-10-21 11:56 --d----- c:\program files\DAEMON Tools Lite
2010-10-21 02:10 a-dshr-- C:\cmdcons
2010-10-12 15:53 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2010-10-06 16:44 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-06 16:44 --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-10-04 21:28 85,841,020 a------- C:\backup2.reg
2010-10-04 19:59 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 19:59 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-10-04 19:53 85,783,994 a------- C:\backup.reg
2010-10-04 18:28 --d----- C:\!KillBox
2010-10-03 18:03 --d----- c:\program files\Crawler
2010-09-30 16:40 38,848 a------- c:\windows\avastSS.scr

==================== Find3M ====================

2010-10-22 14:42 16,608 a------- c:\windows\gdrv.sys
2010-10-21 11:56 691,696 a------- c:\windows\system32\drivers\sptd.sys
2010-10-03 11:17 3,888 a------- c:\windows\system32\drivers\NTHANDLE.SYS
2010-09-18 12:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 02:53 974,848 a------- c:\windows\system32\mfc42.dll
2010-09-18 02:53 954,368 a------- c:\windows\system32\mfc40.dll
2010-09-18 02:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-10 01:58 916,480 a------- c:\windows\system32\wininet.dll
2010-09-10 01:58 43,520 a------- c:\windows\system32\licmgr10.dll
2010-09-01 07:48 285,824 a------- c:\windows\system32\atmfd.dll
2010-08-31 09:38 1,861,888 a------- c:\windows\system32\win32k.sys
2010-08-27 04:02 119,808 a------- c:\windows\system32\t2embed.dll
2010-08-27 02:05 99,840 a------- c:\windows\system32\srvsvc.dll
2010-08-26 09:37 357,248 a------- c:\windows\system32\drivers\srv.sys
2010-08-26 08:52 5,120 a------- c:\windows\system32\xpsp4res.dll
2010-08-23 12:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-17 09:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-08-16 04:43 590,848 a------- c:\windows\system32\rpcrt4.dll
2010-07-31 00:32 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-05 01:46 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-05-04 18:07 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-05-04 18:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 20:24:35.15 ===============

ComboFix 10-10-20.01 - Administrator 10/22/2010 12:09:40.3.3 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2860 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\a1b2c3d4.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

2010-10-21 15:56 . 2010-10-21 15:58 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-10-12 19:53 . 2010-10-12 19:53 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-10-06 20:44 . 2010-10-06 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-06 20:44 . 2010-10-06 20:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-05 01:28 . 2010-10-05 01:29 85841020 ----a-w- C:\backup2.reg
2010-10-04 23:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 23:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 23:53 . 2010-10-04 23:53 85783994 ----a-w- C:\backup.reg
2010-10-04 22:28 . 2010-10-04 22:28 -------- d-----w- C:\!KillBox
2010-10-03 22:03 . 2010-10-04 22:25 -------- d-----w- c:\program files\Crawler
2010-09-30 20:40 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-04-18 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( [email protected]_05.41.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-22 16:05 . 2010-10-22 16:05 16384 c:\windows\Temp\Perflib_Perfdata_78c.dat
+ 2008-04-14 15:00 . 2010-10-22 16:09 71264 c:\windows\system32\perfc009.dat
+ 2009-05-04 22:17 . 2010-10-22 16:05 16608 c:\windows\gdrv.sys
- 2009-05-04 22:17 . 2010-10-19 20:53 16608 c:\windows\gdrv.sys
+ 2008-04-14 15:00 . 2010-10-22 16:09 441454 c:\windows\system32\perfh009.dat
+ 2009-05-12 21:07 . 2010-10-21 15:56 691696 c:\windows\system32\drivers\sptd.sys
- 2009-05-12 21:07 . 2009-12-11 05:34 691696 c:\windows\system32\drivers\sptd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\pc protection\Super Antispyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"P17Helper"="P17.dll" [2005-05-04 64512]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-18 61440]
"ZoneAlarm Client"="c:\pc protection\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\pc protection\Super Antispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\pc protection\Super Antispyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 17:53 77824 ----a-w- c:\dual core optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro]
2007-10-23 06:48 344064 ------w- c:\program files\HP USB Multimedia Keyboard\Kmaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 15:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 06:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-09 02:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2007-02-26 14:40 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-15 01:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-01-13 06:37 18084864 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-03-18 02:24 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-12-03 16:19 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Games\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Games\\Soldat\\Soldat\\Soldat.exe"=
"c:\\Games\\Battlefield 1942\\BF1942.exe"=
"c:\\Games\\Saints Row 2\\SR2_pc.exe"=
"c:\\Games\\Quake III Arena\\quake3.exe"=
"c:\\Games\\Microsoft Games\\Mechwarrior Mercenaries\\MW4MERCS.ICD"=
"c:\\Games\\Microsoft Games\\Mechwarrior Mercenaries\\MW4Mercs.exe"=
"c:\\Games\\Kane and Lynch - Dead Men\\kaneandlynch.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\iTunes\\iTunes.exe"=
"c:\\Games\\Age of Empires 3\\age3.exe"=
"c:\\Games\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Games\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Games\\Age of Empires 2\\age2_x1\\age2_x1.icd"=
"c:\\Games\\Dead Space\\Dead Space.exe"=
"c:\\Games\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Games\\Section 8\\Binaries\\S8Game-F.exe"=
"c:\\Games\\Steam\\SteamApps\\clevertrevor717\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Games\\Guild Wars\\Gw.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\opposing force\\hl.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Games\\Call of Juarez\\CoJBiBGame_x86.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\age of chivalry\\hl2.exe"=
"c:\\Games\\Stronghold 2\\Stronghold2.exe"=
"c:\\Games\\Steam\\SteamApps\\swordsmanx\\counter-strike source\\hl2.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56257:TCP"= 56257:TCPando Media Booster
"56257:UDP"= 56257:UDPando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 12:19 AM 165584]
R1 SASDIFSV;SASDIFSV;c:\pc protection\Super Antispyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\pc protection\Super Antispyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 12:19 AM 17744]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [5/4/2009 6:18 PM 68136]
R2 WUSB54GSC;WUSB54GSC;c:\program files\Linksys\WUSB54GSCv2\WLService.exe [7/28/2009 7:10 PM 65596]
R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [7/28/2009 7:10 PM 198144]
S3 pbfilter;pbfilter;\??\c:\tools\PeerBlock\pbfilter.sys --> c:\tools\PeerBlock\pbfilter.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/12/2009 5:07 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 06:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = 
TCP: {BD5EFC64-FF0F-42A5-B4A6-E62DF6A52D2C} = 192.168.5.1
TCP: {CAE9B97D-6901-4E0B-828B-BA9B9D36C6F8} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7anms4f2.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,f9,59,e8,6b,41,a7,40,ab,d1,78,\

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,c3,87,7a,97,c7,b8,12,46,b7,14,15,b1,3e,1e,9c,2f,09,93,23,31,95,4f,
a5,6f,75,f2,d0,59,91,95,32,51,79,fc,cf,0c,d8,33,90,a5,5b,6f,f9,fc,5d,ce,89,\
"??"=hex:fd,e5,48,fd,b4,bf,01,41,da,ae,4a,61,c7,3f,cf,6a

[HKEY_USERS\S-1-5-21-507921405-287218729-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:1a,9d,ad,0f,69,a6,d7,d2,e9,0f,40,28,7b,b1,64,3b,b3,92,84,68,f5,
e6,a8,e5,14,2f,04,29,0c,91,f8,d3,96,b8,45,5d,24,14,38,7b,01,eb,24,32,52,51,\
"rkeysecu"=hex:8b,ec,67,0e,07,c3,4b,6c,0b,97,6b,79,e2,5c,7e,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\pc protection\Super Antispyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'explorer.exe'(3464)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-22 12:15:59
ComboFix-quarantined-files.txt 2010-10-22 16:15
ComboFix2.txt 2010-10-21 15:30
ComboFix3.txt 2010-10-21 05:42

Pre-Run: 535,196,172,288 bytes free
Post-Run: 535,182,188,544 bytes free

- - End Of File - - 4229945BC300FEA4E2D48E42B5605786

Thank you for your time.


----------



## Blade81 (Oct 27, 2006)

Hi,

That Kaspersky finding will be removed when system restore is reseted (will be done in the final stage of the cleaning process) . How's the system running now?


----------



## Ordietrying (Oct 5, 2010)

System is running good. I'm not getting redirected anymore! Everything us up to date. Anything else you recommend I should do?


----------



## Blade81 (Oct 27, 2006)

Hi,

Please find some final steps to take below 

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,*NOT* on a regular basis

Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste *Combofix /uninstall* in the runbox and click OK

Please download OTC and save it to desktop.

Double-click *OTC.exe*.
Click the *CleanUp!* button.
Select *Yes* when the 
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select *Yes*.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of windows has a hosts file as part of them.
In a very basic sense, they are used to locate webpages.
We can customize a hosts file so that it blocks certain webpages.
However, it can slow down certain computers.
This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial  here 
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
[*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok

Download and run Secunia Personal Software Inspector (PSI) and fix its findings.

*Just a final reminder for you. I am trying to stress these two points.*
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade


----------



## Ordietrying (Oct 5, 2010)

Mr. Blade,

I did the final steps. My system is running great! Life is good Is there anything else you recommend I do besides UPDATE on a regular basis?

With Sincere Thanks,
Ordietrying

P.S. - If not, I'm ready to mark this thing solved. Solved with a vengeance!


----------



## Blade81 (Oct 27, 2006)

You're welcome 

Those things listed in my final post should help reduce risks of getting reinfected. Especially that Secunia Personal Software Inspector is a great application to assist with keeping vulnerable outdated software up-to-date.


----------



## Ordietrying (Oct 5, 2010)

I just wanted to say thanks again for taking time out of your schedule to help me. I think my internet actually runs faster than it did before! Solved!


----------



## Blade81 (Oct 27, 2006)

You're welcome


----------

