
Author Topic: svchost.exe grabs CPU & memory; browser gets redirected  (Read 22055 times)


Billb114

    Topic Starter


    Rookie

    • Experience: Experienced
    • OS: Windows XP
    svchost.exe grabs CPU & memory; browser gets redirected
    « on: October 15, 2010, 08:07:45 PM »
    First I want to say what a terrific thing it is you're doing here!

    I went to use my PC early this morning and had what I thought was an AVAST! message that it had blocked an unsafe web site. Everything was fine when I left it last night.  (Subsequently looking through the Avast! log I don't see anything recorded there, but I have been seeing messages at the bottom of the screen periodically that Avast! network shield has blocked web sites, but I can't copy or write it all before it's gone, and that's usually when the svchost process takes off again).
    Previously I had an infection, some 3 - 4 months ago, and was able to clean it (I think) using rkill, exehelper, HJT and comboFix. I've had absolutely no trouble or slow operation during that 3 - 4 month period. So like an idiot I tried the same things today - not working this time. Sorry. I hope I haven't made a bigger mess.
    So, symptoms: I have a svchost.exe process that periodically starts grabbing CPU and memory.  Firefox and IE get redirected periodically. And I get these messages flash at the bottom of the screen supposedly from Avast! but nothing in the log. Let me know what else I can provide.
    Ok enough chatter - the logs so far:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/15/2010 at 08:47 PM

    Application Version : 4.44.1000

    Core Rules Database Version : 5410
    Trace Rules Database Version: 3222

    Scan type       : Complete Scan
    Total Scan Time : 01:43:14

    Memory items scanned      : 445
    Memory threats detected   : 0
    Registry items scanned    : 5785
    Registry threats detected : 0
    File items scanned        : 134350
    File threats detected     : 38

    Adware.Tracking Cookie
       C:\Documents and Settings\William Brophy\Cookies\[email protected][1].txt
       C:\Documents and Settings\William Brophy\Cookies\william_brophy@statcounter[1].txt
       C:\Documents and Settings\William Brophy\Cookies\william_brophy@hitbox[2].txt
       C:\Documents and Settings\William Brophy\Cookies\[email protected][1].txt
       C:\Documents and Settings\William Brophy\Cookies\william_brophy@doubleclick[2].txt
       C:\Documents and Settings\William Brophy\Cookies\william_brophy@advertising[2].txt
       C:\Documents and Settings\William Brophy\Cookies\[email protected][1].txt
       C:\Documents and Settings\William Brophy\Cookies\william_brophy@atdmt[2].txt
       C:\Documents and Settings\William Brophy\Cookies\[email protected][1].txt
       C:\Documents and Settings\William Brophy\Cookies\william_brophy@tacoda[2].txt
       C:\Documents and Settings\William Brophy\Cookies\[email protected][2].txt
       C:\Documents and Settings\William Brophy\Cookies\william_brophy@atwola[1].txt
       media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
       media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
       media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
       objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
       secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
       C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
       C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt
       C:\Documents and Settings\NetworkService\Cookies\system@zedo[2].txt

    Trojan.Agent/Gen-Nullo[Short]
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EEA23C9-8E19-465C-A889-F98F08855980}\RP600\A0046662.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EEA23C9-8E19-465C-A889-F98F08855980}\RP600\A0046663.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EEA23C9-8E19-465C-A889-F98F08855980}\RP600\A0046664.EXE
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EEA23C9-8E19-465C-A889-F98F08855980}\RP600\A0046665.EXE

    ==============================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:18:02 PM, on 10/15/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\netdde.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\sniper.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264377862595
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264377841798
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://secure.maine.gov/dana-cached/setup/JuniperSetupSP1.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://secure.maine.gov/dana-cached/sc/JuniperSetupClient.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Online Armor Helper Service (OAcat) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\oasrv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe

    --
    End of file - 8382 bytes

    ========================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:31:02 PM, on 10/15/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\netdde.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\sniper.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264377862595
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264377841798
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://secure.maine.gov/dana-cached/setup/JuniperSetupSP1.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://secure.maine.gov/dana-cached/sc/JuniperSetupClient.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Online Armor Helper Service (OAcat) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\oasrv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe

    --
    End of file - 8215 bytes



    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: svchost.exe grabs CPU & memory; browser gets redirected
    « Reply #1 on: October 18, 2010, 04:29:50 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    ********************************
    You have Viewpoint installed.

    Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

    More information:

    * ViewMgr.exe - Useless
    * Viewpoint to Plunge Into Adware

    It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

    * Viewpoint
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    * Viewpoint Experience Technology


    ******************************************
    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    **************************************

    Please download Malwarebytes Anti-Malware from here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ***************************************

    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    *************************************************
    If you have ComboFix on your desktop please delete it before doing this.

    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    Rename ComboFix.exe to commy.exe before you save it to your Desktop
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
    Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

    If you have problems with ComboFix usage, see How to use ComboFix

    Windows 8 and Windows 10 dual boot with two SSD's
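The R1 ProxyServer line SuperDave asks to fix above points every HTTP request from the machine at a proxy on the loopback address, port 29775. A local redirector that inserts itself as a loopback proxy hijacks all browsers at once, which fits the Firefox and IE redirects described in the first post, and it is not something a normal home setup needs. The Python script below is an added example (not part of this thread, and not code from HijackThis or Computer Hope) that scans a HijackThis-style log for exactly that pattern and for any svchost.exe entry in the "Running processes" section that does not live in the Windows system directory. The sample log is constructed from entries in this thread plus one invented Temp path to exercise the svchost check; the `windir` default assumes a standard C:\WINDOWS install.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Two checks drawn from the thread above:
  * an R1 ProxyServer value that points at the loopback address, which is how a
    local proxy redirector captures every browser on the machine at once, and
  * a 'Running processes' entry named svchost.exe outside %windir%\\system32.
"""
import re

# Matches the R1 ProxyServer line as HijackThis prints it (HKCU or HKLM hive).
PROXY_RE = re.compile(
    r"^R1 - HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"Internet Settings,ProxyServer = (?P<value>.+)$"
)


def parse_proxy_value(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    Windows stores either a single 'host:port' (applied to all protocols, shown
    here as scheme '*') or a ';'-separated list such as 'http=a:1;https=b:2'.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    """True for 127.x.x.x or 'localhost': a proxy that can only be a local process."""
    return host.lower() == "localhost" or host.startswith("127.")


def triage(log_text, windir="C:\\WINDOWS"):
    """Return a list of (finding, detail) tuples for the suspicious entries."""
    system_dir = (windir + "\\system32\\").lower()
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line closes the process list
                in_processes = False
                continue
            name = line.rsplit("\\", 1)[-1].lower()
            if name == "svchost.exe" and not line.lower().startswith(system_dir):
                findings.append(("svchost-outside-system32", line))
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group("value")):
                if is_loopback(host):
                    findings.append(("loopback-proxy", f"{scheme} -> {host}:{port}"))
    return findings


# Constructed sample: real entries from this thread plus one invented Temp path.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:29775
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding}: {detail}")
```

A loopback proxy entry is not proof of infection on its own (some web filters and debugging proxies register one deliberately), so the useful follow-up after fixing the line is to confirm nothing is still listening on that port; on Windows XP, `netstat -ano` lists listening ports with the owning process ID.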

    Billb114

      Topic Starter


      Rookie

      • Experience: Experienced
      • OS: Windows XP
      Re: svchost.exe grabs CPU & memory; browser gets redirected
      « Reply #2 on: October 18, 2010, 09:00:09 PM »
      Thank you for taking on my case, SuperDave!

      The steps I followed:
      I removed Viewpoint Media Player.
      I ran HijackThis and both of those lines were present - I checked them and ran the fix.
      Ran Malwarebytes update, then full scan. Didn't pick up anything - log below.
      (I had to reboot at this point - the PC was bogged down and not responding). 
      Ran Security Check - log below.
      Ran ComboFix - it reported a rootkit and asked for a reboot. I rebooted and it ran to completion - log below.

      ==================================
      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4875

      Windows 5.1.2600 Service Pack 2
      Internet Explorer 7.0.5730.13

      10/18/2010 7:57:04 PM
      mbam-log-2010-10-18 (19-57-04).txt

      Scan type: Full scan (C:\|)
      Objects scanned: 270088
      Time elapsed: 1 hour(s), 6 minute(s), 40 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      ===========================================   

       Results of screen317's Security Check version 0.99.5 
       Windows XP Service Pack 2 
       Out of date service pack!!
       Internet Explorer 7 Out of date!
      ``````````````````````````````
      Antivirus/Firewall Check:

       Windows Firewall Disabled! 
       avast! Antivirus     
       ESET Online Scanner v3   
       Online Armor 4.0   
       avast! successfully updated!
      ```````````````````````````````
      Anti-malware/Other Utilities Check:

       Malwarebytes' Anti-Malware   
       HijackThis 2.0.2   
       CCleaner     
       Wise Registry Cleaner Free 5.02
       Java(TM) 6 Update 22 
       Java 2 SDK, SE v1.4.2_19
       Java 2 Runtime Environment, SE v1.4.2_19
       Out of date Java installed!
       Adobe Flash Player 10.0.42.34 
      Adobe Reader 9.1
      Out of date Adobe Reader installed!
       Mozilla Firefox (3.5.13) Firefox Out of Date! 
      ````````````````````````````````
      Process Check: 
      objlist.exe by Laurent

       Tall Emu Online Armor OAcat.exe
       Tall Emu Online Armor oasrv.exe
       Tall Emu Online Armor oaui.exe
       Tall Emu Online Armor OAhlp.exe
       Alwil Software Avast4 aswUpdSv.exe
       Alwil Software Avast4 ashServ.exe
       Alwil Software Avast4 ashDisp.exe
       Alwil Software Avast4 ashMaiSv.exe
       Alwil Software Avast4 ashWebSv.exe
      ````````````````````````````````
      DNS Vulnerability Check:

       Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

      ``````````End of Log````````````

      ==============================================

      ComboFix 10-10-18.01 - William Brophy 10/18/2010  22:23:56.6.1 - x86
      Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.767.518 [GMT -4:00]
      Running from: c:\documents and settings\William Brophy\desktop\commy.exe
      Command switches used :: /stepdel
      AV: avast! antivirus 4.8.1368 [VPS 101018-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
      FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
       * Created a new restore point
      .

      (((((((((((((((((((((((((   Files Created from 2010-09-19 to 2010-10-19  )))))))))))))))))))))))))))))))
      .

      2010-10-16 13:53 . 2010-10-16 13:53   --------   d-----w-   C:\Avast_report
      2010-10-16 01:16 . 2010-09-15 08:50   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
      2010-10-16 01:16 . 2010-09-15 08:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
      2010-10-15 22:24 . 2010-10-15 22:24   --------   d-----w-   c:\program files\CCleaner
      2010-10-15 17:03 . 2010-10-15 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
      2010-10-15 17:03 . 2010-10-15 17:03   --------   d-----w-   c:\documents and settings\William Brophy\Application Data\OnlineArmor
      2010-10-15 17:02 . 2010-07-07 16:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
      2010-10-15 17:02 . 2010-07-07 16:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
      2010-10-15 17:02 . 2010-07-07 16:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
      2010-10-15 17:02 . 2010-10-15 17:02   --------   d-----w-   c:\program files\Emsisoft
      2010-10-15 10:33 . 2010-10-15 10:33   --------   d-----w-   c:\program files\ESET
      2010-10-15 05:20 . 2010-10-15 05:20   --------   d-----w-   c:\documents and settings\William Brophy\Application Data\SUPERAntiSpyware.com
      2010-10-15 05:20 . 2010-10-15 23:01   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-10-15 04:39 . 2010-10-15 04:39   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache
      2010-09-27 17:58 . 2010-10-06 18:11   --------   d-----w-   c:\documents and settings\William Brophy\Tracing
      2010-09-27 14:52 . 2010-07-09 12:31   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
      2010-09-27 14:52 . 2010-07-09 12:31   82184   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll
      2010-09-27 14:52 . 2010-09-27 14:52   --------   d-----w-   c:\program files\DIFX
      2010-09-27 14:52 . 2010-09-27 14:52   --------   dc----w-   c:\windows\system32\DRVSTORE
      2010-09-27 14:51 . 2010-09-27 14:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
      "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
      "nwiz"="nwiz.exe" [2003-10-06 741376]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
      "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
      "Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336]
      "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
      "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
      "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
      2005-03-02 03:49   24672   ----a-w-   c:\windows\system32\ckpNotify.dll

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
      "c:\\Program Files\\AIM6\\aim6.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
      "c:\\DevSuiteHome_1\\BIN\\rwbuilder.exe"=
      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
      "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

      R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/5/2009 1:58 PM 114768]
      R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/15/2010 1:02 PM 236104]
      R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/15/2010 1:02 PM 22600]
      R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/15/2010 1:02 PM 28232]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
      R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/5/2009 1:58 PM 20560]
      R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [10/15/2010 1:02 PM 1283400]
      R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [1/31/2009 3:50 PM 17456]
      R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [10/15/2010 1:02 PM 3364680]
      R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [1/31/2009 3:50 PM 670128]
      R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [1/31/2009 3:50 PM 2041904]
      S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:37 PM 135664]
      S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [1/31/2009 3:50 PM 14924]
      .
      Contents of the 'Scheduled Tasks' folder

      2010-10-04 c:\windows\Tasks\defragC.job
      - c:\util\defragC.bat [2010-01-25 03:10]

      2010-10-05 c:\windows\Tasks\defragF.job
      - c:\util\defragF.bat [2010-01-25 03:10]

      2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:37]

      2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:37]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = about:blank
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uInternet Settings,ProxyOverride = <local>
      uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
      IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
      DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.maine.gov/dana-cached/sc/JuniperSetupClient.cab
      FF - ProfilePath - c:\documents and settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\
      FF - prefs.js: browser.startup.homepage - hxxp://87.248.113.14/
      FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
      FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
      FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
      FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
      .
      - - - - ORPHANS REMOVED - - - -

      AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x83B09566]<<
      kernel: MBR read successfully
      detected MBR rootkit hooks:
      \Driver\Disk -> CLASSPNP.SYS @ 0xf76f3fc3
      \Driver\ACPI -> ACPI.sys @ 0xf7666cb8
      \Driver\atapi -> atapi.sys @ 0xf761e7b4
      IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
       ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
      \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
       ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
      user & kernel MBR OK

      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(708)
      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      .
      Completion time: 2010-10-18  22:43:26
      ComboFix-quarantined-files.txt  2010-10-19 02:43
      ComboFix2.txt  2010-10-15 22:12
      ComboFix3.txt  2010-10-15 16:06
      ComboFix4.txt  2010-10-15 10:26
      ComboFix5.txt  2010-10-19 00:32

      Pre-Run: 37,838,311,424 bytes free
      Post-Run: 37,826,543,616 bytes free

      - - End Of File - - FAC841267F6BEE38F65709D952D9D397

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Experience: Expert
      • OS: Windows 10
      Re: svchost.exe grabs CPU & memory; browser gets redirected
      « Reply #3 on: October 20, 2010, 05:14:15 PM »
      Wise Registry Cleaner Free 5.02
      Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.

      There are a number of them available and some are safer than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

      For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

      Further reading: XP Fixes Myth #1: Registry Cleaners
      ****************************************
      Please download the newest version of Adobe Acrobat Reader from Adobe.com

      Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
      Go to the Control Panel and enter Add or Remove Programs.
      Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

      Once old versions are gone, please install the newest version.
      ************************************************
      Download the MBR Rootkit Detector to your desktop.

      * Double-click mbr.exe and follow the prompts.
      * A black DOS window will quickly appear then disappear.
      * When mbr.exe is finished it will create a log on your desktop.
      * Copy and paste contents of that log file to your next reply.
      Windows 8 and Windows 10 dual boot with two SSD's

      Billb114

        Topic Starter


        Rookie

        • Experience: Experienced
        • OS: Windows XP
        Re: svchost.exe grabs CPU & memory; browser gets redirected
        « Reply #4 on: October 20, 2010, 07:27:06 PM »
        I had to reboot 3 times while trying to do what you suggested. The PC simply freezes up - I wait some time but nothing will run. I'm also still seeing random Avast! Network shield messages about blocked access to malicious sites. Still get the random redirect from Yahoo and Google.  Svchost.exe is still grabbing resources. (Just keeping you posted - I know this will take a while). 
         
        Actions:
        I removed Wise Registry Cleaner. Only used it a couple times.
        I removed Adobe 9.1
        I downloaded and installed Adobe 9.4.
        I downloaded mbr.exe and ran, log below:

        Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

        device: opened successfully
        user: MBR read successfully
        kernel: MBR read successfully
        user & kernel MBR OK


         

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Experience: Expert
        • OS: Windows 10
        Re: svchost.exe grabs CPU & memory; browser gets redirected
        « Reply #5 on: October 21, 2010, 04:19:41 PM »
        Please download GooredFix from one of the locations below and save it to your Desktop
        Download Mirror #1
        Download Mirror #2
        • Ensure all Firefox windows are closed.
        • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
        • When prompted to run the scan, click Yes.
        • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
        .

        Please run ComboFix again and post the log.

        Billb114

          Topic Starter


          Rookie

          • Experience: Experienced
          • OS: Windows XP
          Re: svchost.exe grabs CPU & memory; browser gets redirected
          « Reply #6 on: October 22, 2010, 04:55:56 PM »
          Thanks, SuperDave.
          I downloaded and ran GooredFix.
          I then ran ComboFix. It reported the presence of a rootkit and had me reboot. After reboot it ran to completion.

          Both logs follow:


          GooredFix by jpshortstuff (03.07.10.1)
          Log created at 17:59 on 22/10/2010 (William Brophy)
          Firefox version 3.5.13 (en-US)

          ========== GooredScan ==========


          ========== GooredLog ==========

          C:\Program Files\Mozilla Firefox\extensions\
          {972ce4c6-7e08-4474-a285-3208198ce6fd} [19:43 31/01/2009]
          {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:49 28/03/2009]
          {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [01:16 16/10/2010]

          C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\extensions\
          {E2883E8F-472F-4fb0-9522-AC9BF37916A7} [00:29 21/10/2010]

          [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
          "[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:48 28/03/2009]

          -=E.O.F=-

          ===============================================

          ComboFix 10-10-22.03 - William Brophy 10/22/2010  18:29:16.7.1 - x86
          Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.767.453 [GMT -4:00]
          Running from: c:\documents and settings\William Brophy\Desktop\commy.exe
          AV: avast! antivirus 4.8.1368 [VPS 101022-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
          FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
           * Created a new restore point
          .

          (((((((((((((((((((((((((   Files Created from 2010-09-22 to 2010-10-22  )))))))))))))))))))))))))))))))
          .

          2010-10-21 00:30 . 2010-10-21 01:00   --------   d-----w-   c:\documents and settings\William Brophy\Local Settings\Application Data\NOS
          2010-10-16 13:53 . 2010-10-16 13:53   --------   d-----w-   C:\Avast_report
          2010-10-16 01:16 . 2010-09-15 08:50   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
          2010-10-16 01:16 . 2010-09-15 08:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
          2010-10-15 22:24 . 2010-10-15 22:24   --------   d-----w-   c:\program files\CCleaner
          2010-10-15 17:03 . 2010-10-19 09:46   --------   d-----w-   c:\documents and settings\William Brophy\Application Data\OnlineArmor
          2010-10-15 17:03 . 2010-10-15 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
          2010-10-15 17:02 . 2010-07-07 16:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
          2010-10-15 17:02 . 2010-07-07 16:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
          2010-10-15 17:02 . 2010-07-07 16:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
          2010-10-15 17:02 . 2010-10-15 17:02   --------   d-----w-   c:\program files\Emsisoft
          2010-10-15 10:33 . 2010-10-15 10:33   --------   d-----w-   c:\program files\ESET
          2010-10-15 05:20 . 2010-10-15 05:20   --------   d-----w-   c:\documents and settings\William Brophy\Application Data\SUPERAntiSpyware.com
          2010-10-15 05:20 . 2010-10-15 23:01   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2010-10-15 04:39 . 2010-10-15 04:39   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache
          2010-09-27 17:58 . 2010-10-06 18:11   --------   d-----w-   c:\documents and settings\William Brophy\Tracing
          2010-09-27 14:52 . 2010-07-09 12:31   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
          2010-09-27 14:52 . 2010-07-09 12:31   82184   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll
          2010-09-27 14:52 . 2010-09-27 14:52   --------   d-----w-   c:\program files\DIFX
          2010-09-27 14:52 . 2010-09-27 14:52   --------   dc----w-   c:\windows\system32\DRVSTORE
          2010-09-27 14:51 . 2010-09-27 14:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-09-15 06:29 . 2009-03-28 20:49   73728   ----a-w-   c:\windows\system32\javacpl.cpl
          2008-12-23 15:53 . 2009-04-16 16:10   232694   ----a-w-   c:\program files\Putty.reg
          2004-09-09 14:48 . 2009-04-16 16:10   376832   ----a-r-   c:\program files\putty.exe
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
          "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
          "nwiz"="nwiz.exe" [2003-10-06 741376]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
          "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
          "Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336]
          "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
          "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
          "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
          2005-03-02 03:49   24672   ----a-w-   c:\windows\system32\ckpNotify.dll

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
          "c:\\Program Files\\AIM6\\aim6.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
          "c:\\DevSuiteHome_1\\BIN\\rwbuilder.exe"=
          "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
          "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
          "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
          "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
          "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
          "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

          R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/5/2009 1:58 PM 114768]
          R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/15/2010 1:02 PM 236104]
          R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/15/2010 1:02 PM 22600]
          R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/15/2010 1:02 PM 28232]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
          R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/5/2009 1:58 PM 20560]
          R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [10/15/2010 1:02 PM 1283400]
          R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [1/31/2009 3:50 PM 17456]
          R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [10/15/2010 1:02 PM 3364680]
          R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [1/31/2009 3:50 PM 670128]
          R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [1/31/2009 3:50 PM 2041904]
          S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:37 PM 135664]
          S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/12/2004 10:06 AM 14336]
          S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [1/31/2009 3:50 PM 14924]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
          .
          Contents of the 'Scheduled Tasks' folder

          2010-10-04 c:\windows\Tasks\defragC.job
          - c:\util\defragC.bat [2010-01-25 03:10]

          2010-10-05 c:\windows\Tasks\defragF.job
          - c:\util\defragF.bat [2010-01-25 03:10]

          2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:37]

          2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:37]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = about:blank
          uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
          uInternet Settings,ProxyOverride = <local>
          uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
          IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
          DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.maine.gov/dana-cached/sc/JuniperSetupClient.cab
          FF - ProfilePath - c:\documents and settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\
          FF - prefs.js: browser.startup.homepage - hxxp://87.248.113.14/
          FF - plugin: c:\documents and settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
          FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
          FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
          FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
          FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
          FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

          ---- FIREFOX POLICIES ----
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
          .

          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-10-22 18:44
          Windows 5.1.2600 Service Pack 2 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************

          Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

          device: opened successfully
          user: MBR read successfully
          called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x83B09566]<<
          kernel: MBR read successfully
          detected MBR rootkit hooks:
          \Driver\Disk -> CLASSPNP.SYS @ 0xf76f3fc3
          \Driver\ACPI -> ACPI.sys @ 0xf7666cb8
          \Driver\atapi -> atapi.sys @ 0xf761e7b4
          IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
           ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
          \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
           ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
          user & kernel MBR OK

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(704)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          .
          Completion time: 2010-10-22  18:50:24
          ComboFix-quarantined-files.txt  2010-10-22 22:50
          ComboFix2.txt  2010-10-19 02:43
          ComboFix3.txt  2010-10-15 22:12
          ComboFix4.txt  2010-10-15 16:06
          ComboFix5.txt  2010-10-22 22:12

          Pre-Run: 37,383,311,360 bytes free
          Post-Run: 37,394,989,056 bytes free

          - - End Of File - - A3C02B3C09EA496D58ABF66A2C8341B4
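          A small log-triage script, added here as an editor's example and not part of the original thread, of ComboFix, or of any tool named above. It parses the kinds of lines that appear in the ComboFix output posted above (the Rn/Sn service lines, the HKLM\...\CurrentVersion\Svchost group list, the firewall profile flag and the Firefox start-page line) and reports the items a malware helper would look at first: which services run inside an svchost.exe instance and under which -k group, any browser setting that points at a bare IP address instead of a hostname, and whether the Windows Firewall standard profile is off. The sample input is constructed from lines in the two ComboFix logs in this thread; the function names, the "R = running, S = stopped, digit = start type" reading of the service prefix, and the flags raised are this example's own assumptions. A flag is a review item, not a verdict: the nosGetPlusHelper group in this thread appears right after the Adobe Reader reinstall and its display name is that of the getPlus download manager, so it is something to confirm rather than delete.

```python
"""Triage helpers for ComboFix-style log lines (editor's example, not ComboFix code)."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix output posted in this thread.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 aswSP;avast! Self Protection;c:\\windows\\system32\\drivers\\aswSP.sys [12/5/2009 1:58 PM 114768]
S2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [1/28/2010 7:37 PM 135664]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\\windows\\System32\\svchost.exe -k nosGetPlusHelper [8/12/2004 10:06 AM 14336]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\svchost]
nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
uStart Page = about:blank
FF - prefs.js: browser.startup.homepage - hxxp://87.248.113.14/
"""

# Assumed ComboFix convention: R = running, S = stopped; digit = SCM start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
GROUP_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.*)$")
# ComboFix de-fangs URLs as hxxp://; match ones whose host is a bare IPv4 address.
BARE_IP_URL_RE = re.compile(r"\bhxxps?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/][^\s]*)?", re.IGNORECASE)


def parse_services(log: str) -> List[Dict[str, str]]:
    """Return one dict per Rn/Sn service line (state, start, name, display, image, stamp)."""
    return [m.groupdict() for m in (SERVICE_RE.match(l.strip()) for l in log.splitlines()) if m]


def svchost_hosted(services: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Services whose image is 'svchost.exe -k <group>'.

    Every service in one group shares a single svchost.exe process, so the group
    name identifies which svchost instance to examine for the CPU/memory spikes.
    """
    hosted = []
    for svc in services:
        m = SVCHOST_RE.search(svc["image"])
        if m:
            hosted.append({"name": svc["name"], "group": m.group("group"),
                           "start": svc["start"], "state": svc["state"]})
    return hosted


def svchost_groups(log: str) -> Dict[str, List[str]]:
    """Group -> member services from the '...\\CurrentVersion\\Svchost' key section."""
    groups: Dict[str, List[str]] = {}
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):           # a new registry key header starts/ends the section
            inside = line.lower().endswith("\\svchost]")
            continue
        if inside:
            m = GROUP_RE.match(line)
            if m:
                groups[m.group("group")] = m.group("members").split()
    return groups


def bare_ip_urls(log: str) -> List[str]:
    """Browser/start-page URLs whose host is a raw IPv4 address rather than a name."""
    return BARE_IP_URL_RE.findall(log)


def firewall_disabled(log: str) -> bool:
    """True when the standard-profile EnableFirewall value is reported as 0."""
    return re.search(r'"EnableFirewall"\s*=\s*0\b', log) is not None


def triage(log: str) -> List[str]:
    """Human-readable review items; each is a pointer to verify, not a detection."""
    findings = []
    for h in svchost_hosted(parse_services(log)):
        state = "running" if h["state"] == "R" else "stopped"
        findings.append(f"svchost group {h['group']!r} hosts service {h['name']!r} "
                        f"(start type {h['start']}, {state})")
    for url in bare_ip_urls(log):
        findings.append(f"browser setting points at a bare IP address: {url}")
    if firewall_disabled(log):
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print("-", item)
```

          The group name the script reports is the key to the "which svchost is it?" question: on XP Professional, `tasklist /svc` lists the services hosted by each svchost.exe PID (XP Home does not ship tasklist.exe; Process Explorer's Services tab shows the same mapping on either edition), so the PID that is eating CPU can be matched to its -k group and then to the service entries in the ComboFix log.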

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Experience: Expert
          • OS: Windows 10
          Re: svchost.exe grabs CPU & memory; browser gets redirected
          « Reply #7 on: October 23, 2010, 06:52:22 PM »
          Are you still getting redirects?

          Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

          Link 1
          Link 2
          Link 3

          • Double-click on MBRCheck.exe to run it.
          • It will open a black window...please do not fix anything (if it gives you an option).
          • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
          • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
          • Please copy and paste the contents of that log in your next reply.

          Billb114
            Re: svchost.exe grabs CPU & memory; browser gets redirected
            « Reply #8 on: October 24, 2010, 05:27:57 PM »
            Yes - still getting redirects. Avast! catches some and some make it through.  A svchost process still grabs memory and CPU cycles - but at a much slower rate.

            MBRCheck, version 1.2.3
            (c) 2010, AD

            Command-line:         
            Windows Version:      Windows XP Home Edition
            Windows Information:      Service Pack 2 (build 2600)
            Logical Drives Mask:      0x0000001d

            Kernel Drivers (total 134):
              0x804D7000 \WINDOWS\system32\ntoskrnl.exe
              0x806EC000 \WINDOWS\system32\hal.dll
              0x83B5B000 \WINDOWS\system32\KDCOM.DLL
              0xF7AC3000 \WINDOWS\system32\BOOTVID.dll
              0xF7660000 ACPI.sys
              0xF7BAF000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
              0xF764F000 pci.sys
              0xF76AF000 isapnp.sys
              0xF7C77000 pciide.sys
              0xF792F000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
              0xF7BB1000 intelide.sys
              0xF76BF000 MountMgr.sys
              0xF7630000 ftdisk.sys
              0xF7937000 PartMgr.sys
              0xF76CF000 VolSnap.sys
              0xF7618000 atapi.sys
              0xF76DF000 disk.sys
              0xF76EF000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
              0xF75F8000 fltMgr.sys
              0xF75E6000 sr.sys
              0xF75CF000 KSecDD.sys
              0xF7542000 Ntfs.sys
              0xF7515000 NDIS.sys
              0xF74FA000 Mup.sys
              0xF76FF000 agp440.sys
              0xF782F000 \SystemRoot\system32\DRIVERS\intelppm.sys
              0xF6994000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
              0xF6980000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
              0xF796F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
              0xF695D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
              0xF7977000 \SystemRoot\system32\DRIVERS\usbehci.sys
              0xF6927000 \SystemRoot\system32\DRIVERS\HSFBS2S2.sys
              0xF6904000 \SystemRoot\system32\DRIVERS\ks.sys
              0xF6805000 \SystemRoot\system32\DRIVERS\HSFDPSP2.sys
              0xF60FB000 \SystemRoot\system32\DRIVERS\HSFCXTS2.sys
              0xF79C7000 \SystemRoot\System32\Drivers\Modem.SYS
              0xF60D8000 \SystemRoot\system32\DRIVERS\e100b325.sys
              0xF79CF000 \SystemRoot\system32\DRIVERS\fdc.sys
              0xF6D25000 \SystemRoot\system32\DRIVERS\i8042prt.sys
              0xF79D7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
              0xF6D15000 \SystemRoot\system32\DRIVERS\serial.sys
              0xF7B3B000 \SystemRoot\system32\DRIVERS\serenum.sys
              0xF60C4000 \SystemRoot\system32\DRIVERS\parport.sys
              0xF6D05000 \SystemRoot\system32\DRIVERS\cdrom.sys
              0xF6CF5000 \SystemRoot\system32\DRIVERS\redbook.sys
              0xF6CE5000 \SystemRoot\system32\DRIVERS\imapi.sys
              0xF6040000 \SystemRoot\system32\drivers\smwdm.sys
              0xF601C000 \SystemRoot\system32\drivers\portcls.sys
              0xF6CD5000 \SystemRoot\system32\drivers\drmk.sys
              0xF7BF1000 \SystemRoot\system32\drivers\aeaudio.sys
              0xF5E29000 \SystemRoot\system32\DRIVERS\fw.sys
              0xF79DF000 \SystemRoot\system32\DRIVERS\TDI.SYS
              0xF6CC5000 \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
              0xF7D8C000 \SystemRoot\system32\DRIVERS\audstub.sys
              0xF6CB5000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
              0xF7B4B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
              0xF5E12000 \SystemRoot\system32\DRIVERS\ndiswan.sys
              0xF6CA5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
              0xF78EF000 \SystemRoot\system32\DRIVERS\raspptp.sys
              0xF79E7000 \SystemRoot\system32\DRIVERS\ptilink.sys
              0xF79EF000 \SystemRoot\system32\DRIVERS\raspti.sys
              0xF78FF000 \SystemRoot\system32\DRIVERS\termdd.sys
              0xF79F7000 \SystemRoot\system32\DRIVERS\mouclass.sys
              0xF7BF3000 \SystemRoot\system32\DRIVERS\swenum.sys
              0xF5D19000 \SystemRoot\system32\DRIVERS\update.sys
              0xF7B4F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
              0xF1325000 \SystemRoot\System32\Drivers\NDProxy.SYS
              0xED8E3000 \SystemRoot\system32\DRIVERS\usbhub.sys
              0xF7C15000 \SystemRoot\system32\DRIVERS\USBD.SYS
              0xEDA8B000 \SystemRoot\system32\drivers\MODEMCSA.sys
              0xF23EB000 \SystemRoot\system32\DRIVERS\flpydisk.sys
              0xF7C17000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
              0xEE250000 \SystemRoot\System32\Drivers\Null.SYS
              0xF7C19000 \SystemRoot\System32\Drivers\Beep.SYS
              0xF23DB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
              0xF23D3000 \SystemRoot\System32\drivers\vga.sys
              0xF7C1B000 \SystemRoot\System32\Drivers\mnmdd.SYS
              0xF7C1D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
              0xF1AD0000 \SystemRoot\System32\Drivers\Msfs.SYS
              0xF1AC8000 \SystemRoot\System32\Drivers\Npfs.SYS
              0xED9CB000 \SystemRoot\system32\DRIVERS\rasacd.sys
              0xEE938000 \??\C:\WINDOWS\system32\drivers\OAnet.sys
              0xEC6D5000 \SystemRoot\system32\DRIVERS\ipsec.sys
              0xEE928000 \SystemRoot\system32\DRIVERS\msgpc.sys
              0xEC67D000 \SystemRoot\system32\DRIVERS\tcpip.sys
              0xF1AC0000 \??\C:\WINDOWS\system32\drivers\OAmon.sys
              0xEE918000 \SystemRoot\System32\Drivers\aswTdi.SYS
              0xEC655000 \SystemRoot\system32\DRIVERS\netbt.sys
              0xEC633000 \SystemRoot\System32\drivers\afd.sys
              0xEE908000 \SystemRoot\system32\DRIVERS\netbios.sys
              0xEC611000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
              0xF1AB8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
              0xEC5E5000 \SystemRoot\system32\DRIVERS\rdbss.sys
              0xEE7EC000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
              0xEC597000 \??\C:\WINDOWS\system32\drivers\OADriver.sys
              0xEC528000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
              0xEC4F5000 \SystemRoot\system32\drivers\mfehidk.sys
              0xEC4D4000 \SystemRoot\system32\DRIVERS\ipnat.sys
              0xEE8E8000 \SystemRoot\System32\Drivers\Fips.SYS
              0xEE8D8000 \SystemRoot\system32\DRIVERS\wanarp.sys
              0xEC4B3000 \SystemRoot\System32\Drivers\aswSP.SYS
              0xF1AA8000 \SystemRoot\System32\Drivers\Aavmker4.SYS
              0xEE136000 \SystemRoot\System32\Drivers\Cdfs.SYS
              0xF051A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
              0xEE7D0000 \SystemRoot\system32\DRIVERS\hidusb.sys
              0xEE116000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
              0xEE003000 \SystemRoot\system32\DRIVERS\usbscan.sys
              0xEDE97000 \SystemRoot\system32\DRIVERS\usbprint.sys
              0xEDFFF000 \SystemRoot\system32\DRIVERS\mouhid.sys
              0xEDFF7000 \SystemRoot\system32\DRIVERS\kbdhid.sys
              0xEC49B000 \SystemRoot\System32\Drivers\dump_atapi.sys
              0xF7C41000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
              0xBF800000 \SystemRoot\System32\win32k.sys
              0xF2545000 \SystemRoot\System32\drivers\Dxapi.sys
              0xEDE8F000 \SystemRoot\System32\watchdog.sys
              0xBF000000 \SystemRoot\System32\drivers\dxg.sys
              0xF7D5B000 \SystemRoot\System32\drivers\dxgthk.sys
              0xBF012000 \SystemRoot\System32\nv4_disp.dll
              0xEEBD7000 \SystemRoot\system32\DRIVERS\aswFsBlk.sys
              0xF7BA7000 \SystemRoot\System32\Drivers\aswRdr.SYS
              0xF785F000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
              0xF7BAB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
              0xEB43D000 \SystemRoot\System32\Drivers\aswMon2.SYS
              0xEB2C0000 \SystemRoot\system32\drivers\wdmaud.sys
              0xF77BF000 \SystemRoot\system32\drivers\sysaudio.sys
              0xEB14E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
              0xF7C71000 \SystemRoot\System32\Drivers\ParVdm.SYS
              0xEB082000 \SystemRoot\System32\drivers\vpn.sys
              0xF7BB3000 \??\C:\WINDOWS\system32\Drivers\BASFND.sys
              0xEB12A000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
              0xF7A17000 \SystemRoot\System32\DRIVERS\Scap.sys
              0xEB1F8000 \SystemRoot\system32\DRIVERS\srv.sys
              0xECED4000 \SystemRoot\System32\Drivers\HTTP.sys
              0x7C900000 \WINDOWS\system32\ntdll.dll

            Processes (total 43):
                   0 System Idle Process
                   4 System
                 608 C:\WINDOWS\system32\smss.exe
                 680 csrss.exe
                 704 C:\WINDOWS\system32\winlogon.exe
                 752 C:\WINDOWS\system32\services.exe
                 764 C:\WINDOWS\system32\lsass.exe
                 932 C:\WINDOWS\system32\svchost.exe
                1004 svchost.exe
                1152 C:\WINDOWS\system32\svchost.exe
                1240 svchost.exe
                1424 svchost.exe
                1604 C:\Program Files\Emsisoft\Online Armor\oacat.exe
                1632 C:\Program Files\Emsisoft\Online Armor\oasrv.exe
                1792 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                1840 C:\Program Files\Alwil Software\Avast4\ashServ.exe
                 396 C:\WINDOWS\system32\LEXBCES.EXE
                 528 C:\WINDOWS\system32\spoolsv.exe
                 652 C:\WINDOWS\system32\LEXPPS.EXE
                1552 C:\WINDOWS\system32\netdde.exe
                1916 C:\Program Files\Bonjour\mDNSResponder.exe
                 400 C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
                1368 C:\Program Files\Java\jre6\bin\jqs.exe
                 420 C:\WINDOWS\system32\snmp.exe
                2096 C:\WINDOWS\system32\svchost.exe
                2560 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                2760 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                3244 alg.exe
                2148 C:\WINDOWS\explorer.exe
                2616 C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
                1540 C:\Program Files\Common Files\Java\Java Update\jusched.exe
                2796 C:\Program Files\Dell\Media Experience\PCMService.exe
                2876 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
                3008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                3292 C:\Program Files\Emsisoft\Online Armor\oaui.exe
                2336 C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
                3820 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                1900 C:\WINDOWS\system32\svchost.exe
                2068 C:\Program Files\Emsisoft\Online Armor\oahlp.exe
                2792 C:\WINDOWS\system32\taskmgr.exe
                1212 C:\WINDOWS\system32\wuauclt.exe
                1468 C:\Program Files\Mozilla Firefox\firefox.exe
                3176 C:\Documents and Settings\William Brophy\Desktop\MBRCheck.exe

            \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800  (NTFS)

            PhysicalDrive0 Model Number: WDCWD600BB-75CAA0, Rev: 16.06V16

                  Size  Device Name          MBR Status
              --------------------------------------------
                 55 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
                        SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


            Done!

            SuperDave
            Re: svchost.exe grabs CPU & memory; browser gets redirected
            « Reply #9 on: October 25, 2010, 01:19:16 PM »
            Could you please run another scan with ComboFix and post the log?

            Billb114
              Re: svchost.exe grabs CPU & memory; browser gets redirected
              « Reply #10 on: October 25, 2010, 03:53:51 PM »
              I've rerun ComboFix.

              This time it reported finding an infection in the master boot sector. That was new.  I clicked ok, and after a bit it reported finding rootkit activity as before and I clicked ok to reboot. After the reboot it went through all its checks. The log follows.



              ComboFix 10-10-24.06 - William Brophy 10/25/2010  17:25:18.8.1 - x86
              Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.767.461 [GMT -4:00]
              Running from: c:\documents and settings\William Brophy\Desktop\commy.exe
              AV: avast! antivirus 4.8.1368 [VPS 101025-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
              FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
               * Created a new restore point
              .

              (((((((((((((((((((((((((   Files Created from 2010-09-25 to 2010-10-25  )))))))))))))))))))))))))))))))
              .

              2010-10-25 21:12 . 2010-10-25 21:13   --------   d-----w-   C:\32788R22FWJFW
              2010-10-21 00:30 . 2010-10-21 01:00   --------   d-----w-   c:\documents and settings\William Brophy\Local Settings\Application Data\NOS
              2010-10-16 13:53 . 2010-10-16 13:53   --------   d-----w-   C:\Avast_report
              2010-10-16 01:16 . 2010-09-15 08:50   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
              2010-10-16 01:16 . 2010-09-15 08:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
              2010-10-15 22:24 . 2010-10-15 22:24   --------   d-----w-   c:\program files\CCleaner
              2010-10-15 17:03 . 2010-10-19 09:46   --------   d-----w-   c:\documents and settings\William Brophy\Application Data\OnlineArmor
              2010-10-15 17:03 . 2010-10-15 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
              2010-10-15 17:02 . 2010-07-07 16:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
              2010-10-15 17:02 . 2010-07-07 16:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
              2010-10-15 17:02 . 2010-07-07 16:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
              2010-10-15 17:02 . 2010-10-15 17:02   --------   d-----w-   c:\program files\Emsisoft
              2010-10-15 10:33 . 2010-10-15 10:33   --------   d-----w-   c:\program files\ESET
              2010-10-15 05:20 . 2010-10-15 05:20   --------   d-----w-   c:\documents and settings\William Brophy\Application Data\SUPERAntiSpyware.com
              2010-10-15 05:20 . 2010-10-15 23:01   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2010-10-15 04:39 . 2010-10-15 04:39   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache
              2010-09-27 17:58 . 2010-10-06 18:11   --------   d-----w-   c:\documents and settings\William Brophy\Tracing
              2010-09-27 14:52 . 2010-07-09 12:31   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
              2010-09-27 14:52 . 2010-07-09 12:31   82184   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll
              2010-09-27 14:52 . 2010-09-27 14:52   --------   d-----w-   c:\program files\DIFX
              2010-09-27 14:52 . 2010-09-27 14:52   --------   dc----w-   c:\windows\system32\DRVSTORE
              2010-09-27 14:51 . 2010-09-27 14:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-09-15 06:29 . 2009-03-28 20:49   73728   ----a-w-   c:\windows\system32\javacpl.cpl
              2008-12-23 15:53 . 2009-04-16 16:10   232694   ----a-w-   c:\program files\Putty.reg
              2004-09-09 14:48 . 2009-04-16 16:10   376832   ----a-r-   c:\program files\putty.exe
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
              "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
              "nwiz"="nwiz.exe" [2003-10-06 741376]
              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
              "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
              "Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336]
              "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
              "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

              [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
              "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
              "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
              2005-03-02 03:49   24672   ----a-w-   c:\windows\system32\ckpNotify.dll

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
              "c:\\Program Files\\AIM6\\aim6.exe"=
              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
              "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
              "c:\\DevSuiteHome_1\\BIN\\rwbuilder.exe"=
              "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
              "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
              "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
              "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
              "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
              "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

              R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/5/2009 1:58 PM 114768]
              R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/15/2010 1:02 PM 236104]
              R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/15/2010 1:02 PM 22600]
              R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/15/2010 1:02 PM 28232]
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
              R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/5/2009 1:58 PM 20560]
              R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [10/15/2010 1:02 PM 1283400]
              R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [1/31/2009 3:50 PM 17456]
              R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [10/15/2010 1:02 PM 3364680]
              R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [1/31/2009 3:50 PM 670128]
              R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [1/31/2009 3:50 PM 2041904]
              S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:37 PM 135664]
              S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/12/2004 10:06 AM 14336]
              S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [1/31/2009 3:50 PM 14924]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
              .
              Contents of the 'Scheduled Tasks' folder

              2010-10-04 c:\windows\Tasks\defragC.job
              - c:\util\defragC.bat [2010-01-25 03:10]

              2010-10-05 c:\windows\Tasks\defragF.job
              - c:\util\defragF.bat [2010-01-25 03:10]

              2010-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:37]

              2010-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:37]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = about:blank
              uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
              uInternet Settings,ProxyOverride = <local>
              uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
              IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
              DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.maine.gov/dana-cached/sc/JuniperSetupClient.cab
              FF - ProfilePath - c:\documents and settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\
              FF - prefs.js: browser.startup.homepage - hxxp://87.248.113.14/
              FF - plugin: c:\documents and settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
              FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
              FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
              FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
              FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
              FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
              FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

              ---- FIREFOX POLICIES ----
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-10-25 17:40
              Windows 5.1.2600 Service Pack 2 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************

              Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
              Windows 5.1.2600

              device: opened successfully
              user: MBR read successfully
              called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x83B09566]<<
              1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x83B92AB8]
              2 nt[0x804E37C5] -> CLASSPNP.SYS[0xF76F005B] -> \Device\Harddisk0\DR0[0x83B92AB8]
              3 CLASSPNP[0xF76F005B] -> nt!IofCallDriver[0x804E37C5] -> [0x83BCC260]
              \Driver\atapi[0x83BC9A48] -> IRP_MJ_CREATE -> 0x83B09566
              4 nt[0x804E37C5] -> UNKNOWN[0x83B09569] -> [0x83BCC260]
              kernel: MBR read successfully
              detected hooks:
              \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD600BB-75CAA0______________________16.06V16#4457572d414d4638363139373939_030_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
              \Driver\Disk -> CLASSPNP.SYS @ 0xf76f3fc3
              \Driver\ACPI -> ACPI.sys @ 0xf7666cb8
              \Driver\atapi DriverStartIo -> 0x83B093B2
              \Driver\atapi -> atapi.sys @ 0xf761e7b4
              IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
               SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
              \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
               SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
              user != kernel MBR !!!
              sectors 117187272 (+227): user != kernel

              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(712)
              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              c:\windows\system32\MPRUI.dll
              .
              Completion time: 2010-10-25  17:45:50
              ComboFix-quarantined-files.txt  2010-10-25 21:45
              ComboFix2.txt  2010-10-22 22:50
              ComboFix3.txt  2010-10-19 02:43
              ComboFix4.txt  2010-10-15 22:12
              ComboFix5.txt  2010-10-25 21:14

              Pre-Run: 37,320,073,216 bytes free
              Post-Run: 37,325,279,232 bytes free

              - - End Of File - - 95F41062BF57078BED3BFB98AF586C9D

              SuperDave
              Re: svchost.exe grabs CPU & memory; browser gets redirected
              « Reply #11 on: October 25, 2010, 04:27:15 PM »
              SysProt Antirootkit

              Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

              Billb114
                Re: svchost.exe grabs CPU & memory; browser gets redirected
                « Reply #12 on: October 25, 2010, 05:26:13 PM »
                I downloaded SysProt and unzipped to the desktop. Tried 5 times to run it with the exact settings you listed. When I click on "Create log" the blue bar at the bottom fills up a few times (processing) and then I get a BSOD. The stop code on the BSOD was the same each time: 0x0000008E (0xC0000005, 0x804E37F3, 0xECB7AEA4, 0x00000000)
                Below that it had KMixer.sys Address 0xECB7AEA4 Base at 0xECB7AEA4

                SuperDave (Malware Removal Specialist, Genius; Thanked: 1020; Experience: Expert; OS: Windows 10)
                Re: svchost.exe grabs CPU & memory; browser gets redirected
                « Reply #13 on: October 26, 2010, 01:18:12 PM »
                Ok. We'll try another one.

                Please download 7-Zip and install it. If you already have it, no need to reinstall.

                Then, download RootkitUnhooker and save the setup to your Desktop.

                • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
                • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
                • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
                • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
                • Once inside the interface, do not fix anything. Click on the Report tab.
                • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
                • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
                • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.
                Windows 8 and Windows 10 dual boot with two SSD's
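Added illustration of what a helper does with the report RootkitUnhooker produces (example code written for this page, not part of the thread and not part of the RKU tool): it parses the ">SSDT State" and ">Shadow" sections, groups every hooked service by the kernel module now handling it, and cross-checks each new handler address against that module's load range from the ">Drivers" section. The allow-list of expected security-product drivers and the sample report (including the made-up constructed_unknown.sys entry) are constructed for the demo.

```python
import re
from collections import defaultdict

# One hook line from the ">SSDT State" or ">Shadow" section of an RkU report, e.g.
# ntoskrnl.exe-->NtCreateFile, Type: Address change 0x8056FC68-->EB9D69C0 [C:\...\OADriver.sys]
HOOK_RE = re.compile(
    r"^(?P<table>\S+)-->(?P<service>\w+), Type: (?P<type>.+?) "
    r"0x(?P<orig>[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)
# One line from the ">Drivers" section: load address, image path, size in bytes.
DRIVER_RE = re.compile(r"^0x(?P<base>[0-9A-Fa-f]+) (?P<path>.+?) (?P<size>\d+) bytes")

# Constructed allow-list of kernel modules whose hooks are expected because the
# corresponding product is installed on the machine. A helper keeps their own list.
KNOWN_SECURITY_MODULES = {
    "aswsp.sys": "avast! self protection module",
    "oadriver.sys": "Online Armor helper driver",
}


def parse_report(report_text):
    """Split an RkU report into hook entries and a map of driver load ranges."""
    hooks, drivers = [], {}
    section = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith(">"):            # section header such as ">SSDT State"
            section = line[1:].strip()
            continue
        if section in ("SSDT State", "Shadow"):
            m = HOOK_RE.match(line)
            if m:
                h = m.groupdict()
                h["section"] = section
                h["module_name"] = h["module"].rsplit("\\", 1)[-1].lower()
                h["new_addr"] = int(h["new"], 16)
                hooks.append(h)
        elif section == "Drivers":
            m = DRIVER_RE.match(line)
            if m:
                name = m.group("path").rsplit("\\", 1)[-1].lower()
                base = int(m.group("base"), 16)
                drivers[name] = (base, base + int(m.group("size")))
    return hooks, drivers


def triage(hooks, drivers):
    """Group hooks by the module now handling each service and sanity-check each.

    For every module: the hooked services, whether it is on the allow-list, and
    whether each hook's new handler address really lies inside that module's
    load range from the Drivers section (a mismatch is worth a closer look).
    """
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module_name"]].append(h)
    result = {}
    for name, entries in by_module.items():
        rng = drivers.get(name)
        in_range = [rng is not None and rng[0] <= e["new_addr"] < rng[1] for e in entries]
        result[name] = {
            "owner": KNOWN_SECURITY_MODULES.get(name, "UNKNOWN"),
            "known": name in KNOWN_SECURITY_MODULES,
            "services": sorted(e["service"] for e in entries),
            "all_addresses_in_module": all(in_range),
        }
    return result


def suspicious_modules(summary):
    """Modules a helper should look at first: not on the allow-list, or
    holding hooks whose handler address is outside the module's own image."""
    return sorted(n for n, info in summary.items()
                  if not info["known"] or not info["all_addresses_in_module"])


# Constructed sample in the RkU report layout. The OADriver/aswSP entries mirror
# the style of a real log; the constructed_unknown.sys entry is made up for the demo.
SAMPLE_REPORT = r"""RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtCreateFile, Type: Address change 0x8056FC68-->EB9D69C0 [C:\WINDOWS\system32\drivers\OADriver.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80572D76-->EB8CE08C [C:\WINDOWS\System32\Drivers\aswSP.SYS]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805847BC-->EB9C4C80 [C:\WINDOWS\system32\drivers\OADriver.sys]
ntoskrnl.exe-->NtQueryDirectoryFile, Type: Address change 0x80573585-->B0000100 [C:\WINDOWS\system32\drivers\constructed_unknown.sys]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF8BA199-->EB9BC3C0 [C:\WINDOWS\system32\drivers\OADriver.sys]
==============================================
>Drivers
==============================================
0xEB9AA000 C:\WINDOWS\system32\drivers\OADriver.sys 319488 bytes (Emsisoft, OA Helper Driver)
0xEB8C6000 C:\WINDOWS\System32\Drivers\aswSP.SYS 135168 bytes (ALWIL Software, avast! self protection module)
"""

if __name__ == "__main__":
    hooks, drivers = parse_report(SAMPLE_REPORT)
    summary = triage(hooks, drivers)
    for name, info in sorted(summary.items()):
        print(f"{name:25} {info['owner']:30} hooks={len(info['services'])} "
              f"addresses_in_module={info['all_addresses_in_module']}")
    print("look first at:", suspicious_modules(summary))
```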

                  Billb114 (Topic Starter, Rookie; Experience: Experienced; OS: Windows XP)
                  Re: svchost.exe grabs CPU & memory; browser gets redirected
                  « Reply #14 on: October 26, 2010, 06:57:44 PM »
                  Downloaded and ran as directed.
                  Took over an hour for the files scan to run (I disabled Avast! or I'd still be waiting tomorrow!). It ran through to completion; the log is below:

                  RkU Version: 3.8.388.590, Type LE (SR2)
                  ==============================================
                  OS Name: Windows XP
                  Version 5.1.2600 (Service Pack 2)
                  Number of processors #1
                  ==============================================
                  >SSDT State
                  ==============================================
                  ntoskrnl.exe-->NtAllocateVirtualMemory, Type: Address change 0x8056800D-->EB9C8ED0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtAssignProcessToJobObject, Type: Address change 0x805A1C30-->EB9C9700 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtClose, Type: Address change 0x80566DB9-->EB8CE6B8 [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtConnectPort, Type: Address change 0x8058A87C-->EB9C6DA0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtCreateFile, Type: Address change 0x8056FC68-->EB9D69C0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8056E819-->EB8CE574 [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtCreatePort, Type: Address change 0x80597561-->EB9C68E0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtCreateProcess, Type: Address change 0x805B0B24-->EB9C3620 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtCreateProcessEx, Type: Address change 0x80581EFE-->EB9C3A30 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtCreateSection, Type: Address change 0x8056469B-->EB9C2EF0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtCreateThread, Type: Address change 0x8057C51B-->EB9C4F20 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtDebugActiveProcess, Type: Address change 0x806593E1-->EB9C5B90 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x80593B28-->EB8CEA52 [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtDuplicateObject, Type: Address change 0x80572B96-->EB8CE14C [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x805A40FA-->EB9C8490 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtOpenFile, Type: Address change 0x8056FC03-->EB9D7040 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80567D6B-->EB8CE64E [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80572D76-->EB8CE08C [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtOpenSection, Type: Address change 0x8057677B-->EB9C3310 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8058C882-->EB8CE0F0 [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtProtectVirtualMemory, Type: Address change 0x80573125-->EB9C9350 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtQueryDirectoryFile, Type: Address change 0x80573585-->EB9C8A70 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtQueryValueKey, Type: Address change 0x8056B173-->EB8CE76E [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtQueueApcThread, Type: Address change 0x8058F70B-->EB9C98A0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtRequestPort, Type: Address change 0x80589AA8-->EB9C79A0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtRequestWaitReplyPort, Type: Address change 0x80575F9A-->EB9C7F90 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtRestoreKey, Type: Address change 0x8064C122-->EB8CE72E [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtResumeThread, Type: Address change 0x8057CB8E-->EB9C6340 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtSecureConnectPort, Type: Address change 0x8057EA6A-->EB9C7190 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtSetContextThread, Type: Address change 0x8062C4EB-->EB9C5970 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtSetSystemInformation, Type: Address change 0x805A26E4-->EB9C5D30 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80573CFD-->EB8CE8AE [C:\WINDOWS\System32\Drivers\aswSP.SYS]
                  ntoskrnl.exe-->NtShutdownSystem, Type: Address change 0x80645923-->EB9C8370 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x8062E0CD-->EB9C6520 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtSuspendThread, Type: Address change 0x805DFA98-->EB9C6130 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtSystemDebugControl, Type: Address change 0x80648481-->EB9C5F40 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805847BC-->EB9C4C80 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x8057BC34-->EB9C5760 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtUnloadDriver, Type: Address change 0x80618800-->EB9C8780 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8057A707-->EB9C9520 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ==============================================
                  >Shadow
                  ==============================================
                  win32k.sys-->NtGdiAlphaBlend, Type: Address change 0xBF8369D9-->EB9C1160 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtGdiBitBlt, Type: Address change 0xBF809ACE-->EB9C0480 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtGdiCreateDIBSection, Type: Address change 0xBF82A0DA-->EB9C1510 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtGdiGetPixel, Type: Address change 0xBF8758B0-->EB9C07D0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtGdiMaskBlt, Type: Address change 0xBF8342D1-->EB9C0A80 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtGdiOpenDCW, Type: Address change 0xBF8411F0-->EB9C1880 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtGdiTransparentBlt, Type: Address change 0xBF8BF704-->EB9C0E10 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserAttachThreadInput, Type: Address change 0xBF8F7A81-->EB9BCF60 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserBlockInput, Type: Address change 0xBF913B91-->EB9BED60 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserCallHwndParamLock, Type: Address change 0xBF825555-->EB9BE890 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserCallTwoParam, Type: Address change 0xBF82F32E-->EB9BF9D0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0xBF8678D0-->EB9BDA10 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserGetClipboardData, Type: Address change 0xBF8EDF73-->EB9BF110 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserGetDC, Type: Address change 0xBF8043EA-->EB9BFDC0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserGetDCEx, Type: Address change 0xBF834E9D-->EB9C0020 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserGetKeyboardState, Type: Address change 0xBF8BA0D9-->EB9BD8E0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserGetKeyState, Type: Address change 0xBF81C8EB-->EB9BD7B0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserGetWindowDC, Type: Address change 0xBF80381C-->EB9C0290 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserMessageCall, Type: Address change 0xBF80EFF3-->EB9BDB40 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserMoveWindow, Type: Address change 0xBF8346C4-->EB9BF4F0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserPostMessage, Type: Address change 0xBF8084A3-->EB9BE020 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserPostThreadMessage, Type: Address change 0xBF871660-->EB9BE4D0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserRegisterRawInputDevices, Type: Address change 0xBF9164F0-->EB9BCD70 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserSendInput, Type: Address change 0xBF8C3275-->EB9BEB10 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserSetClipboardViewer, Type: Address change 0xBF8EDCF3-->EB9BEF00 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserSetParent, Type: Address change 0xBF87D7B6-->EB9BF2B0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserSetWindowPos, Type: Address change 0xBF823E66-->EB9BF880 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserSetWindowsHookAW, Type: Address change 0xBF8BD69C-->EB9BC820 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF8BA199-->EB9BC3C0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserSetWinEventHook, Type: Address change 0xBF8F01A4-->EB9BCAC0 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  win32k.sys-->NtUserShowWindow, Type: Address change 0xBF8314B6-->EB9BF790 [C:\WINDOWS\system32\drivers\OADriver.sys]
                  ==============================================
                  >Processes
                  ==============================================
                  0x83BC8A00 [4] System
                  0x83524538 [416] C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc., LexBce Service)
                  0x832BC798 [552] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
                  0x83A85DA0 [608] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
                  0x834AC538 [668] C:\WINDOWS\system32\LEXPPS.EXE (Lexmark International, Inc., LEXPPS.EXE)
                  0x8350EC00 [680] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
                  0x83694DA0 [704] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
                  0x835C8DA0 [752] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
                  0x8360B318 [764] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
                  0x83A83340 [936] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
                  0x8355F998 [992] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
                  0x83500DA0 [1008] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
                  0x83329798 [1156] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
                  0x836F19F8 [1236] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
                  0x830F2DA0 [1284] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
                  0x832FE648 [1400] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
                  0x8376C230 [1432] C:\WINDOWS\system32\netdde.exe (Microsoft Corporation, Network DDE - DDE Communication)
                  0x83028DA0 [1452] C:\Program Files\Emsisoft\Online Armor\oahlp.exe (Emsi Software GmbH, Online Armor Component)
                  0x8308F5B8 [1468] C:\Program Files\Emsisoft\Online Armor\oaui.exe (Emsi Software GmbH, Online Armor Component)
                  0x832B2798 [1532] C:\Program Files\Emsisoft\Online Armor\oacat.exe (Emsi Software GmbH, Online Armor Component)
                  0x832E0798 [1560] C:\Program Files\Emsisoft\Online Armor\oasrv.exe (Emsi Software GmbH, Online Armor Component)
                  0x83714508 [1684] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Computer, Inc., Bonjour Service)
                  0x836C0CC0 [1740] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
                  0x83543A10 [1780] C:\WINDOWS\system32\snmp.exe (Microsoft Corporation, SNMP Service)
                  0x836F8870 [1828] C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software, avast! Antivirus updating service)
                  0x834FE7B8 [1876] C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software, avast! antivirus service)
                  0x8371FDA0 [1948] C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks, Network Connect Service)
                  0x8305E020 [2044] C:\Program Files\TortoiseSVN\bin\TSVNCache.exe (www.tortoisesvn.org, TortoiseSVN status cache)
                  0x8315BDA0 [2084] C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe (Adobe Systems Incorporated, Adobe Acrobat SpeedLauncher)
                  0x8354F568 [2124] C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software, avast! e-Mail Scanner Service)
                  0x835B9B28 [2236] C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software, avast! Web Scanner)
                  0x831DCB98 [2308] C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe (Dell Computer Corporation, Dell AIO Printer A920Button Monitor)
                  0x83564538 [2684] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
                  0x83182A80 [2820] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
                  0x830645B8 [3040] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc., GoogleToolbarNotifier)
                  0x83135BD8 [3420] C:\Documents and Settings\William Brophy\Desktop\RkU3.8.388.590\MustBeRandomlyNamed\113caXUtpO.exe (UG North, RKULE, SR2 Normandy)
                  0x8308FDA0 [3444] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
                  0x831403B8 [3460] C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google, gusvc)
                  0x83113DA0 [3516] C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp., PowerCinema Resident Program for Dell)
                  0x83BD1DA0 [3864] C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe (Dell Computer Corporation, Dell AIO Printer A920Button Manager)
                  0x830A1DA0 [3940] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
                  0x83072AC0 [3960] C:\WINDOWS\system32\taskmgr.exe (Microsoft Corporation, Windows TaskManager)
                  0x8307DBC0 [4088] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software, avast! service GUI component)
                  ==============================================
                  >Drivers
                  ==============================================
                  0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
                  0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2180352 bytes (Microsoft Corporation, NT Kernel & System)
                  0x804D7000 PnpManager 2180352 bytes
                  0x804D7000 RAW 2180352 bytes
                  0x804D7000 WMIxWDM 2180352 bytes
                  0xF648B000 C:\WINDOWS\system32\DRIVERS\fw.sys 2043904 bytes (Check Point Software Technologies, -)
                  0xF6994000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
                  0xBF800000 Win32k 1851392 bytes
                  0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
                  0xF6805000 C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
                  0xF675D000 C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
                  0xB8C0F000 C:\WINDOWS\System32\drivers\vpn.sys 671744 bytes (Check Point Software Technologies, -)
                  0xF7542000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
                  0xF66A2000 C:\WINDOWS\system32\drivers\smwdm.sys 540672 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
                  0xEB93B000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
                  0xF5D19000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
                  0xEBA90000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
                  0xB8B45000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
                  0xEB9AA000 C:\WINDOWS\system32\drivers\OADriver.sys 319488 bytes (Emsisoft, OA Helper Driver)
                  0xB835C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
                  0xF6927000 C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
                  0xEB908000 C:\WINDOWS\system32\drivers\mfehidk.sys 208896 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
                  0xF7660000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
                  0xF7515000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
                  0xB8CDB000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
                  0xEB9F8000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
                  0xB714E000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
                  0xEBA68000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
                  0xF667E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
                  0xF673A000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 143360 bytes (Intel Corporation, NDIS 5 driver)
                  0xF6904000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
                  0xF695D000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
                  0xEBA46000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
                  0xEBA24000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
                  0xEB8C6000 C:\WINDOWS\System32\Drivers\aswSP.SYS 135168 bytes (ALWIL Software, avast! self protection module)
                  0xEB8E7000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
                  0x806EC000 ACPI_HAL 131968 bytes
                  0x806EC000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
                  0xF75F8000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
                  0xF7630000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
                  0xF74FA000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
                  0xF7618000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
                  0xEB8AE000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
                  0xF75CF000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
                  0xF5E12000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
                  0xB8FA2000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 90112 bytes (ALWIL Software, avast! File System Filter Driver for Windows XP)
                  0xB8E4D000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
                  0xF6726000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
                  0xF6980000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
                  0xEBAE8000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
                  0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
                  0xF75E6000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
                  0xF764F000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
                  0xEE4DF000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
                  0xF790F000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
                  0xF773F000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
                  0xF771F000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
                  0xF294D000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
                  0xEDA05000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
                  0xF791F000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
                  0xF76EF000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
                  0xF78FF000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
                  0xF6CB5000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
                  0xF76CF000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
                  0xF779F000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
                  0xF76FF000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
                  0xF6CC5000 C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys 45056 bytes (Juniper Networks, dsNcAdapter)
                  0xF772F000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
                  0xF76BF000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
                  0xF6CA5000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
                  0xEEAAB000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (ALWIL Software, avast! TDI Filter Driver)
                  0xF001A000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
                  0xF77AF000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
                  0xF76DF000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
                  0xEEA7B000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
                  0xEE4BF000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
                  0xF78EF000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
                  0xF77BF000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
                  0xF76AF000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
                  0xEEABB000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
                  0xEEA9B000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
                  0xF53CE000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
                  0xED9D5000 C:\WINDOWS\system32\drivers\OAnet.sys 36864 bytes (Emsisoft, OA Helper Driver)
                  0xEEA6B000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
                  0xEF339000 C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys 32768 bytes (ALWIL Software, avast! File System Access Blocking Driver)
                  0xF79E7000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
                  0xF1A45000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
                  0xF1A3D000 C:\WINDOWS\system32\drivers\OAmon.sys 32768 bytes (Emsisoft, TDI Helper Driver)
                  0xF15BE000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
                  0xF79EF000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
                  0xF1A5D000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
                  0xF792F000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
                  0xF79DF000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
                  0xF0C72000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
                  !!!!!!!!!!!Hidden driver:  0x83B093B2 ?_empty_? 3150 bytes
                  ==============================================
                  >Stealth
                  ==============================================
                  0xF7618000 WARNING: suspicious driver modification [atapi.sys::0x83B093B2]
                  ==============================================
                  >Files
                  ==============================================
                  ==============================================
                  >Hooks
                  ==============================================
                  ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B74C, Type: Inline - RelativeJump 0x804E274C-->804E2737 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B760, Type: Inline - RelativeJump 0x804E2760-->804E2789 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B770, Type: Inline - RelativeJump 0x804E2770-->804E2728 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B77C, Type: Inline - RelativeJump 0x804E277C-->804E276F [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B78C, Type: Inline - RelativeJump 0x804E278C-->804E27D0 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B7AC, Type: Inline - RelativeJump 0x804E27AC-->D2D1EB8C [unknown_code_page]
                  ntoskrnl.exe+0x0000B7B8, Type: Inline - RelativeJump 0x804E27B8-->804E274B [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B878, Type: Inline - RelativeJump 0x804E2878-->804E281C [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B884, Type: Inline - RelativeJump 0x804E2884-->804E28AC [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B89C, Type: Inline - RelativeJump 0x804E289C-->804E2887 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B8A8, Type: Inline - RelativeJump 0x804E28A8-->804E28FF [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B8CC, Type: Inline - RelativeJump 0x804E28CC-->804E2897 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B8EC, Type: Inline - RelativeJump 0x804E28EC-->804E287C [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B96C, Type: Inline - RelativeJump 0x804E296C-->804E291D [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B9C4, Type: Inline - RelativeJump 0x804E29C4-->804E296B [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B9D8, Type: Inline - RelativeJump 0x804E29D8-->804E2A09 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B9F0, Type: Inline - RelativeJump 0x804E29F0-->804E2993 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000B9FC, Type: Inline - RelativeJump 0x804E29FC-->804E2A5B [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000BA68, Type: Inline - RelativeJump 0x804E2A68-->804E2A18 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000BA84, Type: Inline - RelativeCall 0x804E2A84-->E4341616 [unknown_code_page]
                  ntoskrnl.exe+0x0000BA8C, Type: Inline - RelativeJump 0x804E2A8C-->804E2A15 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000BA9C, Type: Inline - RelativeJump 0x804E2A9C-->804E2AD5 [ntoskrnl.exe]
                  ntoskrnl.exe+0x0000BAAC, Type: Inline - RelativeJump 0x804E2AAC-->804E2B2E [ntoskrnl.exe]
                  tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xEBACF0A8-->ED9D8300 [OAnet.sys]
                  tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xEBACF0D4-->ED9D8360 [OAnet.sys]
                  tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xEBACF0E0-->ED9D8610 [OAnet.sys]
                  wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xEEA70B4C-->ED9D8300 [OAnet.sys]
                  wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xEEA70B1C-->ED9D8650 [OAnet.sys]
                  wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xEEA70B3C-->ED9D8360 [OAnet.sys]
                  wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xEEA70B28-->ED9D8610 [OAnet.sys]
                  [1284]ctfmon.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [1284]ctfmon.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [1284]ctfmon.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [1284]ctfmon.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [1284]ctfmon.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [1452]oahlp.exe-->user32.dll-->LoadStringA, Type: Inline - DirectJump 0x7E42DFA8-->00000000 [unknown_code_page]
                  [1452]oahlp.exe-->user32.dll-->LoadStringW, Type: Inline - DirectJump 0x7E419E36-->00000000 [unknown_code_page]
                  [1468]oaui.exe-->user32.dll-->LoadStringA, Type: Inline - DirectJump 0x7E42DFA8-->00000000 [unknown_code_page]
                  [1468]oaui.exe-->user32.dll-->LoadStringW, Type: Inline - DirectJump 0x7E419E36-->00000000 [unknown_code_page]
                  [1560]oasrv.exe-->user32.dll-->LoadStringA, Type: Inline - DirectJump 0x7E42DFA8-->00000000 [unknown_code_page]
                  [1560]oasrv.exe-->user32.dll-->LoadStringW, Type: Inline - DirectJump 0x7E419E36-->00000000 [unknown_code_page]
                  [2044]TSVNCache.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [2044]TSVNCache.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [2044]TSVNCache.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [2044]TSVNCache.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [2044]TSVNCache.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [2308]dlbkbmon.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [2308]dlbkbmon.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [2308]dlbkbmon.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [2308]dlbkbmon.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [2308]dlbkbmon.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
                  [2820]firefox.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [3040]GoogleToolbarNotifier.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [3040]GoogleToolbarNotifier.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [3040]GoogleToolbarNotifier.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [3040]GoogleToolbarNotifier.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [3040]GoogleToolbarNotifier.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [3444]jusched.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [3444]jusched.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [3444]jusched.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [3444]jusched.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [3444]jusched.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [3516]PCMService.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [3516]PCMService.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [3516]PCMService.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [3516]PCMService.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [3516]PCMService.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [3864]dlbkbmgr.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [3864]dlbkbmgr.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [3864]dlbkbmgr.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [3864]dlbkbmgr.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [3864]dlbkbmgr.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
                  [3940]explorer.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [3960]taskmgr.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [3960]taskmgr.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [3960]taskmgr.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [3960]taskmgr.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [3960]taskmgr.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [3968]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
                  [3968]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
                  [3968]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
                  [3968]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
                  [3968]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
                  [3968]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
                  [3968]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E41BD76-->00000000 [unknown_code_page]
                  [4088]ashDisp.exe-->advapi32.dll-->CreateServiceA, Type: Inline - DirectJump 0x77E370B9-->00000000 [unknown_code_page]
                  [4088]ashDisp.exe-->advapi32.dll-->CreateServiceW, Type: Inline - DirectJump 0x77E37251-->00000000 [unknown_code_page]
                  [4088]ashDisp.exe-->kernel32.dll-->CreateProcessA, Type: Inline - DirectJump 0x7C802367-->00000000 [unknown_code_page]
                  [4088]ashDisp.exe-->kernel32.dll-->CreateProcessW, Type: Inline - DirectJump 0x7C802332-->00000000 [unknown_code_page]
                  [4088]ashDisp.exe-->user32.dll-->ExitWindowsEx, Type: Inline - DirectJump 0x7E45A045-->00000000 [unknown_code_page]
                  [752]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x01001094-->00000000 [unknown_code_page]
                  [752]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001114-->00000000 [unknown_code_page]


                  !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

                  SuperDave

                  • Malware Removal Specialist
                  Re: svchost.exe grabs CPU & memory; browser gets redirected
                  « Reply #15 on: October 27, 2010, 01:31:16 PM »
                  Please download TDSSKiller from here and save it to your Desktop.
                  • Double-click TDSSKiller.exe to run the tool
                  • Click the Start Scan button (If prompted with a "hidden service warning" do go ahead and delete it.)
                  • After the scan has finished, click the Close button
                  • Click the Report button and copy/paste the contents of it into your next reply
                  • Note: It will also create a log in the C:\ directory.
                  Windows 8 and Windows 10 dual boot with two SSD's

                  Billb114

                    Topic Starter
                    Re: svchost.exe grabs CPU & memory; browser gets redirected
                    « Reply #16 on: October 27, 2010, 02:47:28 PM »
                    SuperDave -
                    I downloaded TDSSKiller and ran a scan as instructed. However when it finished I clicked on "continue" by mistake. It's now going to try to cure my PC after reboot. Sorry!
                    I've not rebooted yet - I will try to wait for your instructions (sometimes the PC bogs down from the malware and freezes up). Again, very sorry!

                    TDSSKiller log follows:

                    2010/10/27 16:39:58.0250   TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
                    2010/10/27 16:39:58.0250   ================================================================================
                    2010/10/27 16:39:58.0250   SystemInfo:
                    2010/10/27 16:39:58.0250   
                    2010/10/27 16:39:58.0250   OS Version: 5.1.2600 ServicePack: 2.0
                    2010/10/27 16:39:58.0250   Product type: Workstation
                    2010/10/27 16:39:58.0250   ComputerName: COMPUTERROOM
                    2010/10/27 16:39:58.0250   UserName: William Brophy
                    2010/10/27 16:39:58.0250   Windows directory: C:\WINDOWS
                    2010/10/27 16:39:58.0250   System windows directory: C:\WINDOWS
                    2010/10/27 16:39:58.0250   Processor architecture: Intel x86
                    2010/10/27 16:39:58.0250   Number of processors: 1
                    2010/10/27 16:39:58.0250   Page size: 0x1000
                    2010/10/27 16:39:58.0250   Boot type: Normal boot
                    2010/10/27 16:39:58.0250   ================================================================================
                    2010/10/27 16:39:58.0468   Initialize success
                    2010/10/27 16:40:09.0828   ================================================================================
                    2010/10/27 16:40:09.0828   Scan started
                    2010/10/27 16:40:09.0828   Mode: Manual;
                    2010/10/27 16:40:09.0828   ================================================================================
                    2010/10/27 16:40:22.0281   nv              (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
                    2010/10/27 16:40:22.0531   NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
                    2010/10/27 16:40:22.0609   NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
                    2010/10/27 16:40:22.0750   OADevice        (f759e5266a91e6a9ab5dd7939c6560b6) C:\WINDOWS\system32\drivers\OADriver.sys
                    2010/10/27 16:40:22.0859   OAmon           (fe6a66c9614de5e0f3e6b846a699fcae) C:\WINDOWS\system32\drivers\OAmon.sys
                    2010/10/27 16:40:22.0953   OAnet           (44bff97b3704475194380e563180b64e) C:\WINDOWS\system32\drivers\OAnet.sys
                    2010/10/27 16:40:23.0031   OMCI            (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
                    2010/10/27 16:40:23.0125   OMVA            (73c74eb8b231974b7a961fddd878ae01) C:\WINDOWS\system32\DRIVERS\OMVA.sys
                    2010/10/27 16:40:23.0234   Parport         (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
                    2010/10/27 16:40:23.0343   PartMgr         (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
                    2010/10/27 16:40:23.0484   ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
                    2010/10/27 16:40:23.0578   PCI             (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
                    2010/10/27 16:40:23.0718   PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
                    2010/10/27 16:40:23.0843   Pcmcia          (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
                    2010/10/27 16:40:24.0296   PptpMiniport    (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
                    2010/10/27 16:40:24.0406   Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
                    2010/10/27 16:40:24.0812   RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
                    2010/10/27 16:40:24.0921   Rasl2tp         (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
                    2010/10/27 16:40:25.0000   RasPppoe        (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
                    2010/10/27 16:40:25.0125   Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
                    2010/10/27 16:40:25.0218   Rdbss           (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
                    2010/10/27 16:40:25.0343   RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
                    2010/10/27 16:40:25.0468   RDPWD           (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
                    2010/10/27 16:40:25.0625   redbook         (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
                    2010/10/27 16:40:25.0843   SASDIFSV        (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
                    2010/10/27 16:40:25.0875   SASKUTIL        (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
                    2010/10/27 16:40:26.0000   Scap            (8c3d61bb8f35264e14fb76856fefad62) C:\WINDOWS\system32\DRIVERS\Scap.sys
                    2010/10/27 16:40:26.0125   Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
                    2010/10/27 16:40:26.0250   serenum         (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
                    2010/10/27 16:40:26.0343   Serial          (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
                    2010/10/27 16:40:26.0437   Sfloppy         (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
                    2010/10/27 16:40:26.0671   smwdm           (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
                    2010/10/27 16:40:26.0906   splitter        (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
                    2010/10/27 16:40:27.0031   sr              (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
                    2010/10/27 16:40:27.0187   Srv             (ab9c79ed12d65e800aaad3d72a04792f) C:\WINDOWS\system32\DRIVERS\srv.sys
                    2010/10/27 16:40:27.0421   swenum          (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
                    2010/10/27 16:40:27.0562   swmidi          (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
                    2010/10/27 16:40:28.0265   sysaudio        (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
                    2010/10/27 16:40:28.0640   SysProtDrv.sys  (7d5b6655442dbcf5e3b86a134ab90584) C:\Documents and Settings\William Brophy\Desktop\SysProtDrv.sys
                    2010/10/27 16:40:28.0656   Suspicious file (Forged): C:\Documents and Settings\William Brophy\Desktop\SysProtDrv.sys. Real md5: 7d5b6655442dbcf5e3b86a134ab90584, Fake md5: c88b251b625e73c1feef21b61f4ce74d
                    2010/10/27 16:40:28.0671   SysProtDrv.sys - detected Forged file (1)
                    2010/10/27 16:40:37.0515   \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
                    2010/10/27 16:40:37.0531   ================================================================================
                    2010/10/27 16:40:37.0531   Scan finished
                    2010/10/27 16:40:37.0531   ================================================================================
                    2010/10/27 16:40:37.0546   Detected object count: 2
                    2010/10/27 16:41:06.0609   Forged file(SysProtDrv.sys) - User select action: Skip
                    2010/10/27 16:41:06.0656   \HardDisk0\MBR - will be cured after reboot
                    2010/10/27 16:41:06.0656   Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
                    2010/10/27 16:42:23.0375   Deinitialize success
                     

                    SuperDave

                    • Malware Removal Specialist


                    • Genius
                    • Thanked: 1020
                    • Experience: Expert
                    • OS: Windows 10
                    Re: svchost.exe grabs CPU & memory; browser gets redirected
                    « Reply #17 on: October 27, 2010, 04:37:27 PM »
                    Quote
                    Again, very sorry!
                    Don't worry about it. Go ahead, reboot and please run ComboFix again and post the log.
                    Windows 8 and Windows 10 dual boot with two SSD's

                    Billb114

                      Topic Starter


                      Rookie

                      • Experience: Experienced
                      • OS: Windows XP
                      Re: svchost.exe grabs CPU & memory; browser gets redirected
                      « Reply #18 on: October 27, 2010, 06:09:27 PM »
                      Ran ComboFix - reported infection in master boot sector - I clicked "ok"
                      Then reported rootkit activity found and the PC rebooted.
                      ComboFix then finished, log follows:

                      ComboFix 10-10-26.04 - William Brophy 10/27/2010  19:43:09.9.1 - x86
                      Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.767.448 [GMT -4:00]
                      Running from: c:\documents and settings\William Brophy\Desktop\commy.exe
                      AV: avast! antivirus 4.8.1368 [VPS 101027-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
                      FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                       * Created a new restore point
                      .

                      (((((((((((((((((((((((((   Files Created from 2010-09-27 to 2010-10-27  )))))))))))))))))))))))))))))))
                      .

                      2010-10-26 23:23 . 2010-10-26 23:23   --------   d-----w-   c:\program files\7-Zip
                      2010-10-21 00:30 . 2010-10-21 01:00   --------   d-----w-   c:\documents and settings\William Brophy\Local Settings\Application Data\NOS
                      2010-10-16 13:53 . 2010-10-16 13:53   --------   d-----w-   C:\Avast_report
                      2010-10-16 01:16 . 2010-09-15 08:50   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                      2010-10-16 01:16 . 2010-09-15 08:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                      2010-10-15 22:24 . 2010-10-15 22:24   --------   d-----w-   c:\program files\CCleaner
                      2010-10-15 17:03 . 2010-10-19 09:46   --------   d-----w-   c:\documents and settings\William Brophy\Application Data\OnlineArmor
                      2010-10-15 17:03 . 2010-10-15 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                      2010-10-15 17:02 . 2010-07-07 16:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                      2010-10-15 17:02 . 2010-07-07 16:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                      2010-10-15 17:02 . 2010-07-07 16:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                      2010-10-15 17:02 . 2010-10-15 17:02   --------   d-----w-   c:\program files\Emsisoft
                      2010-10-15 10:33 . 2010-10-15 10:33   --------   d-----w-   c:\program files\ESET
                      2010-10-15 05:20 . 2010-10-15 05:20   --------   d-----w-   c:\documents and settings\William Brophy\Application Data\SUPERAntiSpyware.com
                      2010-10-15 05:20 . 2010-10-15 23:01   --------   d-----w-   c:\program files\SUPERAntiSpyware
                      2010-10-15 04:39 . 2010-10-15 04:39   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache

                      .
                      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      2010-09-15 06:29 . 2009-03-28 20:49   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                      2008-12-23 15:53 . 2009-04-16 16:10   232694   ----a-w-   c:\program files\Putty.reg
                      2004-09-09 14:48 . 2009-04-16 16:10   376832   ----a-r-   c:\program files\putty.exe
                      .

                      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      *Note* empty entries & legit default entries are not shown
                      REGEDIT4

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
                      "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
                      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
                      "nwiz"="nwiz.exe" [2003-10-06 741376]
                      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                      "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
                      "Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336]
                      "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
                      "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]
                      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

                      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                      "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

                      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                      "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                      2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
                      2005-03-02 03:49   24672   ----a-w-   c:\windows\system32\ckpNotify.dll

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                      "EnableFirewall"= 0 (0x0)

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                      "%windir%\\system32\\sessmgr.exe"=
                      "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
                      "c:\\Program Files\\AIM6\\aim6.exe"=
                      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                      "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
                      "c:\\DevSuiteHome_1\\BIN\\rwbuilder.exe"=
                      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
                      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
                      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
                      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
                      "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
                      "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

                      R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/5/2009 1:58 PM 114768]
                      R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/15/2010 1:02 PM 236104]
                      R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/15/2010 1:02 PM 22600]
                      R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/15/2010 1:02 PM 28232]
                      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
                      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
                      R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/5/2009 1:58 PM 20560]
                      R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [10/15/2010 1:02 PM 1283400]
                      R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [1/31/2009 3:50 PM 17456]
                      R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [10/15/2010 1:02 PM 3364680]
                      R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [1/31/2009 3:50 PM 670128]
                      R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [1/31/2009 3:50 PM 2041904]
                      S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:37 PM 135664]
                      S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/12/2004 10:06 AM 14336]
                      S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [1/31/2009 3:50 PM 14924]
                      S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\William Brophy\Desktop\SysProtDrv.sys [10/25/2010 11:10 PM 44288]

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                      nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
                      .
                      Contents of the 'Scheduled Tasks' folder

                      2010-10-04 c:\windows\Tasks\defragC.job
                      - c:\util\defragC.bat [2010-01-25 03:10]

                      2010-10-05 c:\windows\Tasks\defragF.job
                      - c:\util\defragF.bat [2010-01-25 03:10]

                      2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                      - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:37]

                      2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                      - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:37]
                      .
                      .
                      ------- Supplementary Scan -------
                      .
                      uStart Page = about:blank
                      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
                      uInternet Settings,ProxyOverride = <local>
                      uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
                      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
                      IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
                      DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.maine.gov/dana-cached/sc/JuniperSetupClient.cab
                      FF - ProfilePath - c:\documents and settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\
                      FF - prefs.js: browser.startup.homepage - hxxp://87.248.113.14/
                      FF - plugin: c:\documents and settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
                      FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
                      FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                      FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                      FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
                      FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
                      FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

                      ---- FIREFOX POLICIES ----
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
                      .

                      **************************************************************************

                      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                      Rootkit scan 2010-10-27 19:58
                      Windows 5.1.2600 Service Pack 2 NTFS

                      scanning hidden processes ... 

                      scanning hidden autostart entries ...

                      scanning hidden files ... 

                      scan completed successfully
                      hidden files: 0

                      **************************************************************************

                      Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
                      Windows 5.1.2600

                      device: opened successfully
                      user: MBR read successfully
                      called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x83B09566]<<
                      1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x83B92AB8]
                      2 nt[0x804E37C5] -> CLASSPNP.SYS[0xF76F005B] -> \Device\Harddisk0\DR0[0x83B92AB8]
                      3 CLASSPNP[0xF76F005B] -> nt!IofCallDriver[0x804E37C5] -> [0x83BE1480]
                      \Driver\atapi[0x83BC9A48] -> IRP_MJ_CREATE -> 0x83B09566
                      4 nt[0x804E37C5] -> UNKNOWN[0x83B09569] -> [0x83BE1480]
                      kernel: MBR read successfully
                      detected hooks:
                      \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD600BB-75CAA0______________________16.06V16#4457572d414d4638363139373939_030_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
                      \Driver\Disk -> CLASSPNP.SYS @ 0xf76f3fc3
                      \Driver\ACPI -> ACPI.sys @ 0xf7666cb8
                      \Driver\atapi DriverStartIo -> 0x83B093B2
                      \Driver\atapi -> atapi.sys @ 0xf761e7b4
                      IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
                       SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
                      \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
                       SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
                      user != kernel MBR !!!
                      sectors 117187261 (+238): user != kernel

                      **************************************************************************
                      .
                      --------------------- DLLs Loaded Under Running Processes ---------------------

                      - - - - - - - > 'winlogon.exe'(708)
                      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                      .
                      Completion time: 2010-10-27  20:04:01
                      ComboFix-quarantined-files.txt  2010-10-28 00:03
                      ComboFix2.txt  2010-10-25 21:45
                      ComboFix3.txt  2010-10-22 22:50
                      ComboFix4.txt  2010-10-19 02:43
                      ComboFix5.txt  2010-10-27 23:32

                      Pre-Run: 37,241,700,352 bytes free
                      Post-Run: 37,248,167,936 bytes free

                      - - End Of File - - B1F0543FF5706D3A3126560051C4330E

                      SuperDave

                      • Malware Removal Specialist


                      • Genius
                      • Thanked: 1020
                      • Experience: Expert
                      • OS: Windows 10
                      Re: svchost.exe grabs CPU & memory; browser gets redirected
                      « Reply #19 on: October 29, 2010, 07:22:51 PM »
                      Could you please reset your modem, either by hitting the reset button or by unplugging the power for 30 seconds?

                      I'd like to scan your machine with ESET OnlineScan

                      • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                      ESET OnlineScan
                      • Click the button.
                      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                        • Click on to download the ESET Smart Installer. Save it to your desktop.
                        • Double click on the icon on your desktop.
                      • Check
                      • Click the button.
                      • Accept any security warnings from your browser.
                      • Check
                      • Push the Start button.
                      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                      • When the scan completes, push
                      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                      • Push the button.
                      • Push
                      A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                      Windows 8 and Windows 10 dual boot with two SSD's

                      Billb114

                        Topic Starter


                        Rookie

                        • Experience: Experienced
                        • OS: Windows XP
                        Re: svchost.exe grabs CPU & memory; browser gets redirected
                        « Reply #20 on: October 30, 2010, 03:46:39 PM »
                        I reset the cable modem.
                        Then I ran ESET online scan - took about 3 hours. No threats were found.

                        Log follows:

                        esets_scanner_update returned -1 esets_gle=0
                        # version=7
                        # iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
                        # OnlineScanner.ocx=1.0.0.6211
                        # api_version=3.0.2
                        # EOSSerial=45f1862a1738a94fa01acb67c80babe1
                        # end=finished
                        # remove_checked=false
                        # archives_checked=true
                        # unwanted_checked=true
                        # unsafe_checked=true
                        # antistealth_checked=true
                        # utc_time=2010-10-30 09:43:15
                        # local_time=2010-10-30 05:43:15 (-0500, Eastern Daylight Time)
                        # country="United States"
                        # lang=1033
                        # osver=5.1.2600 NT Service Pack 2
                        # compatibility_mode=512 16777215 100 0 3430487 3430487 0 0
                        # compatibility_mode=769 16775141 100 98 0 223823044 0 0
                        # compatibility_mode=6401 16777214 66 100 0 9020316 0 0
                        # compatibility_mode=8192 67108863 100 0 403056 403056 0 0
                        # scanned=143842
                        # found=0
                        # cleaned=0
                        # scan_time=11508
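The part of an ESET Online Scanner log worth reading is the `# key=value` header: `end`, `scanned`, `found`, `cleaned` and `scan_time` say whether the scan completed and what it did, and `remove_checked` records whether it was allowed to clean anything. The following parser is an added example for this thread, not code from ESET or from anyone in the thread; it reads a copy of the header above, keeps repeated keys (`compatibility_mode`) as a list instead of overwriting them, converts `scan_time` to hours:minutes:seconds (11508 s is 3:11:48, matching the "about 3 hours" reported), and cross-checks the `utc_time`/`local_time` pair against the offset the log declares. That last check matters when lining up timestamps from several tools: in the log above the two clocks differ by four hours while the line declares `-0500`, so the log's own local times should not be trusted to the hour without that correction. The meaning of `remove_checked` as "remove found threats was ticked" is an assumption from the key name.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the header of the ESET Online Scanner log posted above
# (one "# key=value" per line; some keys such as compatibility_mode repeat).
ESET_LOG = """\
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-30 09:43:15
# local_time=2010-10-30 05:43:15 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 3430487 3430487 0 0
# compatibility_mode=769 16775141 100 98 0 223823044 0 0
# compatibility_mode=6401 16777214 66 100 0 9020316 0 0
# compatibility_mode=8192 67108863 100 0 403056 403056 0 0
# scanned=143842
# found=0
# cleaned=0
# scan_time=11508
"""

# "YYYY-MM-DD HH:MM:SS (+HHMM, zone name)"
LOCAL_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(([+-])(\d{2})(\d{2}), [^)]*\)$"
)


def parse_eset_log(text):
    """Split the log into '# key=value' fields and free-text status lines.

    A key that appears more than once (compatibility_mode) is kept as a list
    instead of being silently overwritten by its last occurrence.
    """
    fields, notes = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("#"):
            notes.append(line)          # e.g. the esets_scanner_update line
            continue
        key, sep, value = line[1:].strip().partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields, notes


def clock_check(fields):
    """Compare the utc_time/local_time pair with the offset the log declares."""
    utc = datetime.strptime(fields["utc_time"], "%Y-%m-%d %H:%M:%S")
    m = LOCAL_RE.match(fields["local_time"])
    local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    sign = 1 if m.group(2) == "+" else -1
    declared = sign * (int(m.group(3)) * 60 + int(m.group(4)))   # minutes
    actual = round((local - utc).total_seconds() / 60)
    return {"declared_offset_min": declared,
            "actual_offset_min": actual,
            "consistent": declared == actual}


def summarize(text):
    """Reduce the log to the facts a helper needs before deciding next steps."""
    fields, notes = parse_eset_log(text)
    return {
        "finished": fields.get("end") == "finished",
        "scanned": int(fields["scanned"]),
        "found": int(fields["found"]),
        "cleaned": int(fields["cleaned"]),
        "duration": str(timedelta(seconds=int(fields["scan_time"]))),
        # scan options that were ticked; remove_checked=false is taken to mean
        # the scanner ran in detect-only mode (assumption from the key name)
        "options_on": sorted(k[: -len("_checked")] for k, v in fields.items()
                             if k.endswith("_checked") and v == "true"),
        "clock": clock_check(fields),
        "notes": notes,
    }


if __name__ == "__main__":
    for k, v in summarize(ESET_LOG).items():
        print(f"{k:12} {v}")
```

With `found=0` and `cleaned=0` after a completed full scan, the summary confirms what the poster reports: this scanner saw nothing, which is why the helper moves on to other tools rather than treating the machine as clean.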

                        SuperDave

                        • Malware Removal Specialist


                        • Genius
                        • Thanked: 1020
                        • Experience: Expert
                        • OS: Windows 10
                        Re: svchost.exe grabs CPU & memory; browser gets redirected
                        « Reply #21 on: October 30, 2010, 06:51:11 PM »
                        How's your computer running now? Any problems?

                        Billb114

                          Topic Starter


                          Rookie

                          • Experience: Experienced
                          • OS: Windows XP
                          Re: svchost.exe grabs CPU & memory; browser gets redirected
                          « Reply #22 on: October 31, 2010, 12:06:20 PM »
                          I appreciate your patience!!
                          I'm still getting redirects and one of the svchost.exe processes was at 99% CPU and 250,000k memory usage just now. 
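"One of the svchost.exe processes" is as far as Task Manager gets you: every svchost.exe instance is a generic host, and what distinguishes them is the list of services each one runs. On Windows XP Professional the PID column can be enabled in Task Manager (View > Select Columns), and `tasklist /svc` maps each PID to its hosted services (tasklist.exe is not included in XP Home). The script below is an added example, not code from anyone in this thread; it parses a constructed sample of `tasklist /svc` output, with invented PIDs and service groupings, and returns the services behind a given PID. Two details make it more than a split on whitespace: image names can contain spaces, and a long service list wraps onto indented continuation lines that a one-line-per-process parser would drop. It also lists any svchost.exe that hosts no services at all, a reasonable thing to look at more closely because the genuine svchost.exe exists only to host services.

```python
import re

# Constructed sample of `tasklist /svc` output in the Windows XP layout; the
# PIDs and service groupings are invented for illustration, not taken from
# the poster's machine. Long service lists wrap onto indented continuation
# lines, which a naive line-per-process parser would lose.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       556 N/A
svchost.exe                    892 DcomLaunch, TermService
svchost.exe                    980 RpcSs
svchost.exe                   1028 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   Netman, Nla, Schedule, seclogon, SENS,
                                   ShellHWDetection, TrkWks, winmgmt, wuauserv
svchost.exe                   1120 Dnscache
svchost.exe                   1216 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                   1500 N/A
explorer.exe                  1644 N/A
"""

# image name (may contain spaces), PID, then the service list or "N/A"
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field):
    field = field.strip()
    if not field or field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Map PID -> {'image': name, 'services': [...]} from `tasklist /svc` text."""
    procs, last_pid = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Image Name") or raw.startswith("="):
            continue
        if raw[0].isspace() and last_pid is not None:
            # continuation of the previous process's wrapped service list
            procs[last_pid]["services"].extend(_split_services(raw))
            continue
        m = ROW_RE.match(raw)
        if not m:
            continue
        last_pid = int(m.group("pid"))
        procs[last_pid] = {"image": m.group("image").strip(),
                           "services": _split_services(m.group("services"))}
    return procs


def hosted_services(procs, pid):
    """(image, services) for the PID Task Manager shows as the busy process."""
    p = procs.get(pid)
    return None if p is None else (p["image"], list(p["services"]))


def svchost_without_services(procs):
    """PIDs of svchost.exe instances that host nothing; worth a closer look."""
    return sorted(pid for pid, p in procs.items()
                  if p["image"].lower() == "svchost.exe" and not p["services"])


if __name__ == "__main__":
    procs = parse_tasklist_svc(TASKLIST_SVC)
    for pid in sorted(procs):
        print(pid, procs[pid]["image"], ", ".join(procs[pid]["services"]) or "-")
    print("svchost.exe hosting no services:", svchost_without_services(procs))
```

Run on a real machine, save the output with `tasklist /svc > services.txt` and feed that file in place of the sample; the PID of the hot svchost.exe then tells you which group of services to investigate, which is far more useful in a reply than "one of the svchost.exe processes".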

                          SuperDave

                          • Malware Removal Specialist


                          • Genius
                          • Thanked: 1020
                          • Experience: Expert
                          • OS: Windows 10
                          Re: svchost.exe grabs CPU & memory; browser gets redirected
                          « Reply #23 on: November 01, 2010, 01:06:11 PM »
                          Please download GooredFix from one of the locations below and save it to your Desktop
                          Download Mirror #1
                          Download Mirror #2
                          • Ensure all Firefox windows are closed.
                          • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
                          • When prompted to run the scan, click Yes.
                          • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

                          Billb114

                            Topic Starter


                            Rookie

                            • Experience: Experienced
                            • OS: Windows XP
                            Re: svchost.exe grabs CPU & memory; browser gets redirected
                            « Reply #24 on: November 01, 2010, 02:28:37 PM »
                            Hi SuperDave
                            I downloaded and ran (with no other windows open).
                            Still having same symptoms.

                            Log follows:


                            GooredFix by jpshortstuff (03.07.10.1)
                            Log created at 16:24 on 01/11/2010 (William Brophy)
                            Firefox version 3.5.13 (en-US)

                            ========== GooredScan ==========


                            ========== GooredLog ==========

                            C:\Program Files\Mozilla Firefox\extensions\
                            {972ce4c6-7e08-4474-a285-3208198ce6fd} [19:43 31/01/2009]
                            {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:49 28/03/2009]
                            {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [01:16 16/10/2010]

                            C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\extensions\
                            {E2883E8F-472F-4fb0-9522-AC9BF37916A7} [00:29 21/10/2010]

                            [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
                            "[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:48 28/03/2009]

                            ---------- Old Logs ----------

                            -=E.O.F=-
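The GooredFix log above has an empty GooredScan section, so the tool found nothing it recognised; what remains useful is the GooredLog inventory, which lists every Firefox extension folder and registry-registered extension with a timestamp. Lining those timestamps up with when the redirects started is a standard triage step for browser hijacks that live in an extension. The parser below is an added example for this thread, not code from GooredFix's author or anyone in the thread. It reads a constructed copy of the posted log (the Windows user name in the profile path is replaced by `User`, and the registry entry's id, which is not legible in the post, by a placeholder) and returns the entries installed on or after a cutoff date. It deliberately does not say what any GUID is: on Firefox 3.x the extension's name is in the `install.rdf` inside its folder, and that is where to look before deciding whether a recently added entry is expected.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample modelled on the GooredFix log posted above. The user
# name in the profile path is replaced by "User" and the registry entry id,
# which is not legible in the post, by a placeholder.
GOORED_LOG = r"""
GooredFix by jpshortstuff (03.07.10.1)
Log created at 16:24 on 01/11/2010 (User)
Firefox version 3.5.13 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:43 31/01/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:49 28/03/2009]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [01:16 16/10/2010]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\extensions\
{E2883E8F-472F-4fb0-9522-AC9BF37916A7} [00:29 21/10/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"extension-id@placeholder.invalid"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:48 28/03/2009]

---------- Old Logs ----------

-=E.O.F=-
"""

Extension = namedtuple("Extension", "id location path installed")

STAMP = r"\[(\d{2}:\d{2} \d{2}/\d{2}/\d{4})\]"          # [HH:MM DD/MM/YYYY]
DIR_ENTRY = re.compile(r"^(\S+) " + STAMP + r"$")       # {guid} [stamp]
REG_ENTRY = re.compile(r'^"([^"]+)"="([^"]*)" ' + STAMP + r"$")  # "id"="path" [stamp]


def _stamp(text):
    # GooredFix writes day/month/year (the header's 01/11/2010 is 1 Nov 2010)
    return datetime.strptime(text, "%H:%M %d/%m/%Y")


def parse_goored_log(text):
    """Collect each extension entry in the GooredLog section together with
    the folder or registry key it was found under and its timestamp."""
    entries, location, in_log = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("========== GooredLog"):
            in_log = True
            continue
        if not in_log or not line:
            continue
        if line.startswith("----------"):
            break                       # "Old Logs" section follows
        if line.endswith("\\") or (line.startswith("[") and line.endswith("]")):
            location = line             # an extensions folder or a registry key
            continue
        m = REG_ENTRY.match(line)
        if m:
            entries.append(Extension(m.group(1), location, m.group(2), _stamp(m.group(3))))
            continue
        m = DIR_ENTRY.match(line)
        if m:
            entries.append(Extension(m.group(1), location, None, _stamp(m.group(2))))
    return entries


def installed_since(entries, cutoff_ddmmyyyy):
    """Entries stamped on or after the cutoff (DD/MM/YYYY), newest first."""
    cutoff = datetime.strptime(cutoff_ddmmyyyy, "%d/%m/%Y")
    return sorted((e for e in entries if e.installed >= cutoff),
                  key=lambda e: e.installed, reverse=True)


if __name__ == "__main__":
    # 15/10/2010 is used here only as an example cutoff for "when it started"
    for e in installed_since(parse_goored_log(GOORED_LOG), "15/10/2010"):
        print(e.installed.strftime("%Y-%m-%d %H:%M"), e.id, "under", e.location)
```

Against the posted log this flags two entries added in the second half of October 2010, one in the program-wide extensions folder and one in the user's profile; whether either is relevant is a question for the helper, who would want the names from their `install.rdf` files, not something the timestamps alone decide.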

                            SuperDave

                            • Malware Removal Specialist


                            • Genius
                            • Thanked: 1020
                            • Experience: Expert
                            • OS: Windows 10
                            Re: svchost.exe grabs CPU & memory; browser gets redirected
                            « Reply #25 on: November 02, 2010, 01:06:01 PM »
                            Does it always redirect to the same site?

                            Billb114

                              Topic Starter


                              Rookie

                              • Experience: Experienced
                              • OS: Windows XP
                              Re: svchost.exe grabs CPU & memory; browser gets redirected
                              « Reply #26 on: November 02, 2010, 01:36:20 PM »
                              No. Very random. Avast! network shield blocks many that it deems to be malicious sites. Some that it doesn't block appear to be random generic search sites - I close them quickly. Once every now and then - fairly rarely - it is a site with all sorts of pop up warnings that my PC is infected and I need to download their file to fix it. It doesn't allow me to exit the site so I close the browser...quickly. I'm guessing that that is the real intended target site and the rest of the redirects are to show me I have an infected PC. 

                              Also with that svchost process randomly taking off the PC bogs down and freezes up periodically.     

                              SuperDave

                              • Malware Removal Specialist


                              • Genius
                              • Thanked: 1020
                              • Experience: Expert
                              • OS: Windows 10
                              Re: svchost.exe grabs CPU & memory; browser gets redirected
                              « Reply #27 on: November 02, 2010, 04:49:38 PM »
                              Please update and run SAS and MBAM again and post the logs.

                              Billb114

                                Topic Starter


                                Rookie

                                • Experience: Experienced
                                • OS: Windows XP
                                Re: svchost.exe grabs CPU & memory; browser gets redirected
                                « Reply #28 on: November 02, 2010, 08:28:43 PM »
                                Updated both SAS and Malwarebytes and ran each - as you see they didn't find anything except a few tracking cookies. I think some or all of those tracking cookies were from the redirect sites. I don't recognize them.
                                Still seeing redirects and the svchost thing.
                                Logs follow:


                                SUPERAntiSpyware Scan Log
                                http://www.superantispyware.com

                                Generated 11/02/2010 at 08:01 PM

                                Application Version : 4.45.1000

                                Core Rules Database Version : 5410
                                Trace Rules Database Version: 3222

                                Scan type       : Complete Scan
                                Total Scan Time : 00:45:38

                                Memory items scanned      : 438
                                Memory threats detected   : 0
                                Registry items scanned    : 6459
                                Registry threats detected : 0
                                File items scanned        : 33907
                                File threats detected     : 246

                                Adware.Tracking Cookie
                                   C:\Documents and Settings\William Brophy\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\William Brophy\Cookies\william_brophy@hitbox[2].txt
                                   C:\Documents and Settings\William Brophy\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\William Brophy\Cookies\william_brophy@doubleclick[1].txt
                                   C:\Documents and Settings\William Brophy\Cookies\william_brophy@yieldmanager[1].txt
                                   C:\Documents and Settings\William Brophy\Cookies\william_brophy@advertising[1].txt
                                   C:\Documents and Settings\William Brophy\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\William Brophy\Cookies\william_brophy@atdmt[1].txt
                                   C:\Documents and Settings\William Brophy\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\William Brophy\Cookies\william_brophy@tacoda[2].txt
                                   C:\Documents and Settings\William Brophy\Cookies\[email protected][2].txt
                                   C:\Documents and Settings\William Brophy\Cookies\william_brophy@atwola[2].txt
                                   media.mtvnservices.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\4PB8F3G2 ]
                                   media.scanscout.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\4PB8F3G2 ]
                                   media1.break.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\4PB8F3G2 ]
                                   secure-us.imrworldwide.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\4PB8F3G2 ]
                                   C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
                                   C:\Documents and Settings\LocalService\Cookies\system@myroitracking[1].txt
                                   media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
                                   media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
                                   media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
                                   objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
                                   secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8R437E53 ]
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@interclick[1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@burstnet[1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@collective-media[2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
                                   C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
                                   C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
                                   ia.media-imdb.com [ C:\Documents and Settings\William Brophy\Application Data\Macromedia\Flash Player\#SharedObjects\8SSRWP5M ]
                                   porn1.tubeland.com [ C:\Documents and Settings\William Brophy\Application Data\Macromedia\Flash Player\#SharedObjects\8SSRWP5M ]
                                   .advertise.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .doubleclick.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   ad.yieldmanager.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   ad.yieldmanager.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   ad.yieldmanager.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .interclick.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .questionmarket.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .advertising.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .advertising.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .advertising.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .advertising.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .content.yieldmanager.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   ad.yieldmanager.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .invitemedia.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .invitemedia.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .invitemedia.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .invitemedia.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .invitemedia.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .invitemedia.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .atdmt.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .atdmt.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .interclick.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .a1.interclick.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .a1.interclick.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .a1.interclick.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .interclick.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .edge.ru4.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .adbrite.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .adbrite.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .advertising.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .yieldmanager.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .bs.serving-sys.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .serving-sys.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .serving-sys.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .serving-sys.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .serving-sys.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .serving-sys.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .serving-sys.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .serving-sys.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   ad.yieldmanager.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .apmebf.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .fastclick.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .fastclick.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .fastclick.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .mediaplex.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .mediaplex.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .advertising.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .zedo.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .zedo.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .zedo.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .invitemedia.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .collective-media.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .collective-media.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .revsci.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .invitemedia.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .revsci.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .revsci.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .imrworldwide.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .imrworldwide.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .revsci.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   bridge1.admarketplace.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .admarketplace.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   banner.adchemy.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   banner.adchemy.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .tribalfusion.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .s.clickability.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .s.clickability.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .zedo.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .ads.pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .ads.pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .ads.pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .ads.pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .ads.pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .ads.pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .ads.pointroll.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .blethenmaine.112.2o7.net [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .media2.legacy.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]
                                   .statcounter.com [ C:\Documents and Settings\William Brophy\Application Data\Mozilla\Firefox\Profiles\cwx7r6bq.default\cookies.sqlite ]


                                ===================================
                                MBAM:


                                Malwarebytes' Anti-Malware 1.46
                                www.malwarebytes.org

                                Database version: 5026

                                Windows 5.1.2600 Service Pack 2
                                Internet Explorer 7.0.5730.13

                                11/2/2010 9:11:17 PM
                                mbam-log-2010-11-02 (21-11-17).txt

                                Scan type: Full scan (C:\|)
                                Objects scanned: 274943
                                Time elapsed: 59 minute(s), 27 second(s)

                                Memory Processes Infected: 0
                                Memory Modules Infected: 0
                                Registry Keys Infected: 0
                                Registry Values Infected: 0
                                Registry Data Items Infected: 0
                                Folders Infected: 0
                                Files Infected: 0

                                Memory Processes Infected:
                                (No malicious items detected)

                                Memory Modules Infected:
                                (No malicious items detected)

                                Registry Keys Infected:
                                (No malicious items detected)

                                Registry Values Infected:
                                (No malicious items detected)

                                Registry Data Items Infected:
                                (No malicious items detected)

                                Folders Infected:
                                (No malicious items detected)

                                Files Infected:
                                (No malicious items detected)

                                SuperDave

                                • Malware Removal Specialist


                                • Genius
                                • Thanked: 1020
                                • Certifications: List
                                • Experience: Expert
                                • OS: Windows 10
                                Re: svchost.exe grabs CPU & memory; browser gets redirected
                                « Reply #29 on: November 03, 2010, 01:15:29 PM »
                                Ok. Let's try this.

                                Delete the Firefox overlay.xul file.
                                 
                                The overlay.xul file can be found in:
                                 
                                C:/Program Files/Mozilla/Firefox/extensions/{xxxxxxxxxx}/chrome/content/overlay.xul

                                Note: {xxxxxxxxxx} represents random letters and numbers. The exact letters and numbers vary from one computer to another.
                                Windows 8 and Windows 10 dual boot with two SSD's

                                Billb114

                                  Topic Starter


                                  Rookie

                                  • Computer: Specs
                                  • Experience: Experienced
                                  • OS: Windows XP
                                  Re: svchost.exe grabs CPU & memory; browser gets redirected
                                  « Reply #30 on: November 03, 2010, 05:15:52 PM »
                                  I'm not finding that file in that location.

                                  There is an overlay.xul and an overlay.js in C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome\content\

                                  In the directory tree you suggest I have actually two branches with 2 files in each:

                                  C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul   and ...\ffjcext.js

                                  AND

                                  C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul   and ...\ffjcext.js

                                  Curiously the 2 files in the latter branch (bolded) have a create and mod date of 10/15/2010 - right about the time that I ran my first scans for my first post here. I've no clue if that is significant.

                                  I'm running Firefox 3.5.15 -- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.15) Gecko/20101026 Firefox/3.5.15)

                                  So I'm not going to delete anything just yet - awaiting your instruction.
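SuperDave's instruction (look under extensions\{GUID}\chrome\content for overlay files) and Billb114's observation that one extension's files carry a 10/15/2010 timestamp suggest a safer first step than deleting: inventory every overlay file under the extensions folder with its modification date and flag the ones changed on or after the day the symptoms began. The script below is an added example, not code from the thread or from any tool it mentions; the extensions tree and timestamps it builds are constructed, and the braced-GUID folder naming rule and the incident date are assumptions.

```python
"""Inventory Firefox extension overlay files and flag recent changes.

Added example, not code from the thread. Assumes the layout the thread
describes: <extensions root>/{GUID}/chrome/content/... holding .xul and .js
files. The sample tree and its timestamps are constructed so the script
runs offline; point inventory_overlays() at a real
"C:\\Program Files\\Mozilla Firefox\\extensions" folder to triage a machine.
"""
import os
import re
import tempfile
from datetime import date, datetime

# Extension folders are named with a braced GUID, e.g. the Java Console
# entry {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} quoted in the thread.
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
OVERLAY_EXT = (".xul", ".js")


def inventory_overlays(ext_root, incident_day):
    """Return (guid, relative_path, mtime_date, flagged) tuples.

    incident_day is an ISO date string ("2010-10-15"). A file is flagged
    when its modification date is on or after that day, i.e. it changed
    around the time the redirects started and deserves a closer look.
    """
    cutoff = date.fromisoformat(incident_day)
    findings = []
    for name in sorted(os.listdir(ext_root)):
        guid_dir = os.path.join(ext_root, name)
        # Skip anything that is not a {GUID}-named extension folder.
        if not (os.path.isdir(guid_dir) and GUID_DIR.match(name)):
            continue
        content_dir = os.path.join(guid_dir, "chrome", "content")
        if not os.path.isdir(content_dir):
            continue
        for dirpath, _dirs, files in os.walk(content_dir):
            for fname in sorted(files):
                if not fname.lower().endswith(OVERLAY_EXT):
                    continue
                full = os.path.join(dirpath, fname)
                mtime = date.fromtimestamp(os.path.getmtime(full))
                rel = os.path.relpath(full, guid_dir).replace(os.sep, "/")
                findings.append((name, rel, mtime, mtime >= cutoff))
    return findings


def flagged_files(ext_root, incident_day):
    """Return only the (guid, relative_path) pairs that were flagged."""
    return [(g, p) for g, p, _m, flag in inventory_overlays(ext_root, incident_day) if flag]


def build_sample_tree():
    """Create a constructed extensions folder mirroring the thread's layout.

    Two Java Console extension folders: one untouched since mid-2010 and one
    whose files were written on 2010-10-15 (the date noted in the thread),
    plus a non-GUID folder that must be ignored.
    """
    root = tempfile.mkdtemp(prefix="ff_ext_")
    samples = {
        "{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}": datetime(2010, 6, 1, 9, 0),
        "{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}": datetime(2010, 10, 15, 7, 30),
        "not-an-extension": datetime(2010, 10, 15, 7, 30),
    }
    for folder, stamp in samples.items():
        content = os.path.join(root, folder, "chrome", "content", "ffjcext")
        os.makedirs(content)
        for fname in ("ffjcext.xul", "ffjcext.js"):
            path = os.path.join(content, fname)
            with open(path, "w") as fh:
                fh.write("<!-- constructed placeholder -->\n")
            ts = stamp.timestamp()          # back-date the file (constructed)
            os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for guid, rel, mtime, flagged in inventory_overlays(root, "2010-10-15"):
        print(("CHECK " if flagged else "      ") + f"{mtime} {guid}/{rel}")
```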

                                  SuperDave

                                  • Malware Removal Specialist


                                  • Genius
                                  • Thanked: 1020
                                  • Certifications: List
                                  • Experience: Expert
                                  • OS: Windows 10
                                  Re: svchost.exe grabs CPU & memory; browser gets redirected
                                  « Reply #31 on: November 03, 2010, 07:08:48 PM »
                                  Ok. I'm going to consult my mentor on this.
                                  Windows 8 and Windows 10 dual boot with two SSD's

                                  Billb114

                                    Topic Starter


                                    Rookie

                                    • Computer: Specs
                                    • Experience: Experienced
                                    • OS: Windows XP
                                    Re: svchost.exe grabs CPU & memory; browser gets redirected
                                    « Reply #32 on: November 03, 2010, 07:58:20 PM »
                                    No problem! I just appreciate the help - it's pretty clear how much you're doing on here with everyone so - I'm good! I can wait. 

                                    Billb114

                                      Topic Starter


                                      Rookie

                                      • Computer: Specs
                                      • Experience: Experienced
                                      • OS: Windows XP
                                      Re: svchost.exe grabs CPU & memory; browser gets redirected
                                      « Reply #33 on: November 07, 2010, 05:55:12 PM »
                                      SuperDave,
                                              My son was home for the weekend and without my knowledge he had a look at my PC and ran TDSSKiller. I'll post the log below. After TDSS rebooted the PC we've not seen any of the previous problems! That svchost process is staying at 28Kb and I spent 30 minutes doing searches on Google with no redirects. The Avast Network shield has not picked up any redirects.  It's been about 6 hours now so I'm hoping it's really fixed!
                                              If there is anything else you can suggest or recommend for checking or cleanup or whatever - I'll try it. 


                                      TDSSKiller log:

                                      2010/11/07 13:02:42.0062   TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
                                      2010/11/07 13:02:42.0062   ================================================================================
                                      2010/11/07 13:02:42.0062   SystemInfo:
                                      2010/11/07 13:02:42.0062   
                                      2010/11/07 13:02:42.0062   OS Version: 5.1.2600 ServicePack: 2.0
                                      2010/11/07 13:02:42.0062   Product type: Workstation
                                      2010/11/07 13:02:42.0062   ComputerName: COMPUTERROOM
                                      2010/11/07 13:02:42.0062   UserName: William Brophy
                                      2010/11/07 13:02:42.0062   Windows directory: C:\WINDOWS
                                      2010/11/07 13:02:42.0062   System windows directory: C:\WINDOWS
                                      2010/11/07 13:02:42.0062   Processor architecture: Intel x86
                                      2010/11/07 13:02:42.0062   Number of processors: 1
                                      2010/11/07 13:02:42.0062   Page size: 0x1000
                                      2010/11/07 13:02:42.0062   Boot type: Normal boot
                                      2010/11/07 13:02:42.0062   ================================================================================
                                      2010/11/07 13:02:43.0078   Initialize success
                                      2010/11/07 13:02:56.0671   ================================================================================
                                      2010/11/07 13:02:56.0671   Scan started
                                      2010/11/07 13:02:56.0671   Mode: Manual;
                                      2010/11/07 13:02:56.0671   ================================================================================
                                      2010/11/07 13:03:04.0562   Ip6Fw           (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
                                      2010/11/07 13:03:04.0687   IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
                                      2010/11/07 13:03:04.0781   IpInIp          (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
                                      2010/11/07 13:03:04.0890   IpNat           (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
                                      2010/11/07 13:03:05.0000   IPSec           (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
                                      2010/11/07 13:03:05.0140   IRENUM          (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
                                      2010/11/07 13:03:05.0265   isapnp          (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
                                      2010/11/07 13:03:05.0359   Kbdclass        (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
                                      2010/11/07 13:03:05.0437   kbdhid          (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
                                      2010/11/07 13:03:05.0531   kmixer          (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
                                      2010/11/07 13:03:05.0640   KSecDD          (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
                                      2010/11/07 13:03:05.0906   mdmxsdk         (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
                                      2010/11/07 13:03:06.0015   mfeavfk         (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
                                      2010/11/07 13:03:06.0140   mfebopk         (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
                                      2010/11/07 13:03:06.0265   mfehidk         (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
                                      2010/11/07 13:03:06.0375   mferkdk         (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
                                      2010/11/07 13:03:06.0484   mfesmfk         (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
                                      2010/11/07 13:03:06.0593   mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
                                      2010/11/07 13:03:06.0687   Modem           (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
                                      2010/11/07 13:03:06.0796   MODEMCSA        (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
                                      2010/11/07 13:03:06.0875   Mouclass        (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
                                      2010/11/07 13:03:07.0046   mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
                                      2010/11/07 13:03:07.0203   MountMgr        (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
                                      2010/11/07 13:03:07.0453   MRxDAV          (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
                                      2010/11/07 13:03:07.0625   MRxSmb          (6f2d483b97b395544e59749c47963c6a) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
                                      2010/11/07 13:03:07.0812   Msfs            (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
                                      2010/11/07 13:03:07.0984   MSKSSRV         (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
                                      2010/11/07 13:03:08.0109   MSPCLOCK        (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
                                      2010/11/07 13:03:08.0187   MSPQM           (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
                                      2010/11/07 13:03:08.0281   mssmbios        (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
                                      2010/11/07 13:03:08.0390   Mup             (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
                                      2010/11/07 13:03:08.0484   NDIS            (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
                                      2010/11/07 13:03:08.0609   NdisTapi        (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
                                      2010/11/07 13:03:08.0687   Ndisuio         (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
                                      2010/11/07 13:03:08.0796   NdisWan         (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
                                      2010/11/07 13:03:08.0937   NDProxy         (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
                                      2010/11/07 13:03:09.0046   NetBIOS         (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
                                      2010/11/07 13:03:09.0140   NetBT           (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
                                      2010/11/07 13:03:09.0328   Npfs            (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
                                      2010/11/07 13:03:09.0484   Ntfs            (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
                                      2010/11/07 13:03:09.0671   Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
                                      2010/11/07 13:03:09.0859   nv              (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
                                      2010/11/07 13:03:10.0062   NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
                                      2010/11/07 13:03:10.0171   NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
                                      2010/11/07 13:03:10.0281   OADevice        (f759e5266a91e6a9ab5dd7939c6560b6) C:\WINDOWS\system32\drivers\OADriver.sys
                                      2010/11/07 13:03:10.0375   OAmon           (fe6a66c9614de5e0f3e6b846a699fcae) C:\WINDOWS\system32\drivers\OAmon.sys
                                      2010/11/07 13:03:10.0484   OAnet           (44bff97b3704475194380e563180b64e) C:\WINDOWS\system32\drivers\OAnet.sys
                                      2010/11/07 13:03:10.0593   OMCI            (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
                                      2010/11/07 13:03:10.0671   OMVA            (73c74eb8b231974b7a961fddd878ae01) C:\WINDOWS\system32\DRIVERS\OMVA.sys
                                      2010/11/07 13:03:10.0796   Parport         (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
                                      2010/11/07 13:03:10.0921   PartMgr         (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
                                      2010/11/07 13:03:11.0046   ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
                                      2010/11/07 13:03:11.0140   PCI             (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
                                      2010/11/07 13:03:11.0281   PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
                                      2010/11/07 13:03:11.0375   Pcmcia          (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
                                      2010/11/07 13:03:12.0468   PptpMiniport    (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
                                      2010/11/07 13:03:12.0562   Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
                                      2010/11/07 13:03:12.0921   RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
                                      2010/11/07 13:03:13.0015   Rasl2tp         (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
                                      2010/11/07 13:03:13.0109   RasPppoe        (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
                                      2010/11/07 13:03:13.0218   Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
                                      2010/11/07 13:03:13.0312   Rdbss           (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
                                      2010/11/07 13:03:13.0421   RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
                                      2010/11/07 13:03:13.0531   RDPWD           (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
                                      2010/11/07 13:03:13.0656   redbook         (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
                                      2010/11/07 13:03:13.0843   SASDIFSV        (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
                                      2010/11/07 13:03:13.0890   SASKUTIL        (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
                                      2010/11/07 13:03:14.0015   Scap            (8c3d61bb8f35264e14fb76856fefad62) C:\WINDOWS\system32\DRIVERS\Scap.sys
                                      2010/11/07 13:03:14.0125   Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
                                      2010/11/07 13:03:14.0296   serenum         (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
                                      2010/11/07 13:03:14.0390   Serial          (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
                                      2010/11/07 13:03:14.0453   Sfloppy         (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
                                      2010/11/07 13:03:14.0640   smwdm           (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
                                      2010/11/07 13:03:14.0859   splitter        (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
                                      2010/11/07 13:03:14.0984   sr              (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
                                      2010/11/07 13:03:15.0109   Srv             (ab9c79ed12d65e800aaad3d72a04792f) C:\WINDOWS\system32\DRIVERS\srv.sys
                                      2010/11/07 13:03:15.0328   swenum          (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
                                      2010/11/07 13:03:15.0421   swmidi          (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
                                      2010/11/07 13:03:15.0890   sysaudio        (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
                                      2010/11/07 13:03:16.0078   SysProtDrv.sys  (56f64c490aaa9519d677074eadb565d1) C:\Documents and Settings\William Brophy\Desktop\SysProtDrv.sys
                                      2010/11/07 13:03:16.0078   Suspicious file (Forged): C:\Documents and Settings\William Brophy\Desktop\SysProtDrv.sys. Real md5: 56f64c490aaa9519d677074eadb565d1, Fake md5: c88b251b625e73c1feef21b61f4ce74d
                                      2010/11/07 13:03:16.0093   SysProtDrv.sys - detected Forged file (1)
                                      2010/11/07 13:03:16.0234   Tcpip           (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
                                      2010/11/07 13:03:16.0390   TDPIPE          (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
                                      2010/11/07 13:03:16.0468   TDTCP           (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
                                      2010/11/07 13:03:16.0562   TermDD          (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
                                      2010/11/07 13:03:16.0765   Udfs            (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
                                      2010/11/07 13:03:16.0968   Update          (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
                                      2010/11/07 13:03:17.0125   usbccgp         (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
                                      2010/11/07 13:03:17.0203   usbehci         (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
                                      2010/11/07 13:03:17.0296   usbhub          (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
                                      2010/11/07 13:03:17.0406   usbprint        (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
                                      2010/11/07 13:03:17.0515   usbscan         (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
                                      2010/11/07 13:03:17.0609   USBSTOR         (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
                                      2010/11/07 13:03:17.0718   usbuhci         (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
                                      2010/11/07 13:03:17.0812   VgaSave         (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
                                      2010/11/07 13:03:17.0984   VolSnap         (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
                                      2010/11/07 13:03:18.0093   VPN-1           (793b9aed2fc908fdfc93f0afa07f59cf) C:\WINDOWS\System32\drivers\vpn.sys
                                      2010/11/07 13:03:18.0312   Wanarp          (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
                                      2010/11/07 13:03:18.0453   wdmaud          (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
                                      2010/11/07 13:03:18.0593   winachsf        (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
                                      2010/11/07 13:03:18.0859   WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
                                      2010/11/07 13:03:18.0968   WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
                                      2010/11/07 13:03:19.0078   \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
                                      2010/11/07 13:03:19.0078   ================================================================================
                                      2010/11/07 13:03:19.0078   Scan finished
                                      2010/11/07 13:03:19.0078   ================================================================================
                                      2010/11/07 13:03:19.0109   Detected object count: 2
                                      2010/11/07 13:03:44.0234   SysProtDrv.sys  (56f64c490aaa9519d677074eadb565d1) C:\Documents and Settings\William Brophy\Desktop\SysProtDrv.sys
                                      2010/11/07 13:03:44.0234   Suspicious file (Forged): C:\Documents and Settings\William Brophy\Desktop\SysProtDrv.sys. Real md5: 56f64c490aaa9519d677074eadb565d1, Fake md5: c88b251b625e73c1feef21b61f4ce74d
                                      2010/11/07 13:03:44.0265   C:\Documents and Settings\William Brophy\Desktop\SysProtDrv.sys - quarantined
                                      2010/11/07 13:03:44.0281   Forged file(SysProtDrv.sys) - User select action: Quarantine
                                      2010/11/07 13:03:44.0375   \HardDisk0\MBR - will be cured after reboot
                                      2010/11/07 13:03:44.0375   Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
                                      2010/11/07 13:03:52.0250   Deinitialize success
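An added example, written for this thread and not code from the poster or from Kaspersky's TDSSKiller: a small Python parser for the log layout above. It pulls the driver listing (service name, MD5, path), the "Suspicious file (Forged)" notice with its two disagreeing hashes, the "- detected" lines and the closing "Detected object count", checks that the count agrees with the number of detection lines, and diffs the driver hashes against an earlier scan so that a changed or newly appeared driver stands out. The sample lines are trimmed copies of the posted log with the user folder renamed; the baseline scan and its tcpip.sys hash are constructed placeholders, not real values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the TDSSKiller log layout shown in the thread: a few
# driver lines, the forged-file notice, the MBR detection and the final count.
# Hashes are the ones the posted log shows; the user folder has been renamed.
SAMPLE_LOG = r"""
2010/11/07 13:03:00.0546   Cdrom           (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/07 13:03:16.0078   SysProtDrv.sys  (56f64c490aaa9519d677074eadb565d1) C:\Documents and Settings\User\Desktop\SysProtDrv.sys
2010/11/07 13:03:16.0078   Suspicious file (Forged): C:\Documents and Settings\User\Desktop\SysProtDrv.sys. Real md5: 56f64c490aaa9519d677074eadb565d1, Fake md5: c88b251b625e73c1feef21b61f4ce74d
2010/11/07 13:03:16.0093   SysProtDrv.sys - detected Forged file (1)
2010/11/07 13:03:16.0234   Tcpip           (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/07 13:03:19.0078   \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/07 13:03:19.0078   ================================================================================
2010/11/07 13:03:19.0078   Scan finished
2010/11/07 13:03:19.0109   Detected object count: 2
"""

# Hypothetical earlier scan of the same machine, used as a baseline. The tcpip.sys
# hash is a made-up all-zero placeholder so that the diff below has something to show.
BASELINE_LOG = r"""
2010/10/01 09:00:00.0000   Cdrom           (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/01 09:00:01.0000   Tcpip           (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\tcpip.sys
"""

# Every meaningful line starts with a timestamp; the rest of the line is the body.
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+)\s+\(([0-9a-f]{32})\)\s+(.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$"
)
DETECT_RE = re.compile(r"^(.+?) - detected (.+?) \(\d+\)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass
class ForgedFile:
    path: str
    real_md5: str   # hash of the bytes actually on disk
    fake_md5: str   # hash of what a normal file read returned


@dataclass
class Detection:
    target: str     # file path or object such as \HardDisk0\MBR
    verdict: str    # e.g. "Forged file" or "Rootkit.Win32.TDSS.tdl4"


@dataclass
class ScanReport:
    drivers: List[DriverEntry] = field(default_factory=list)
    forged: List[ForgedFile] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    reported_count: Optional[int] = None

    def count_matches(self) -> bool:
        """True when the tool's own summary count agrees with the detection lines."""
        return self.reported_count == len(self.detections)

    def hashes_by_path(self) -> Dict[str, str]:
        """Case-folded path -> MD5, for comparing two scans of the same machine."""
        return {d.path.lower(): d.md5 for d in self.drivers}


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Parse the driver listing and verdict lines of a TDSSKiller-style log."""
    report = ScanReport()
    for raw in text.splitlines():
        stamped = TS_RE.match(raw.strip())
        if not stamped:
            continue  # blank lines and lines without a timestamp carry nothing we need
        body = stamped.group(1)
        forged = FORGED_RE.match(body)
        if forged:
            report.forged.append(ForgedFile(*forged.groups()))
            continue
        detected = DETECT_RE.match(body)
        if detected:
            report.detections.append(Detection(*detected.groups()))
            continue
        count = COUNT_RE.match(body)
        if count:
            report.reported_count = int(count.group(1))
            continue
        driver = DRIVER_RE.match(body)
        if driver:
            report.drivers.append(DriverEntry(*driver.groups()))
    return report


def changed_drivers(baseline: ScanReport, current: ScanReport) -> Dict[str, Tuple[Optional[str], str]]:
    """Driver paths whose hash differs from the baseline, or that the baseline never listed."""
    before = baseline.hashes_by_path()
    changed: Dict[str, Tuple[Optional[str], str]] = {}
    for path, md5 in current.hashes_by_path().items():
        if before.get(path) != md5:
            changed[path] = (before.get(path), md5)
    return changed


if __name__ == "__main__":
    current = parse_tdsskiller_log(SAMPLE_LOG)
    for f in current.forged:
        print(f"forged: {f.path}  real={f.real_md5}  fake={f.fake_md5}")
    for d in current.detections:
        print(f"detected: {d.target} -> {d.verdict}")
    print("summary count consistent:", current.count_matches())
    for path, (old, new) in changed_drivers(parse_tdsskiller_log(BASELINE_LOG), current).items():
        print(f"changed since baseline: {path}  {old} -> {new}")
```

The point worth taking from the log is the "Forged" entry: the tool reports two different MD5 values for one file, meaning the bytes a normal file read returned are not the bytes stored on disk, which is the telltale of a rootkit filtering file I/O and fits the TDL4 MBR detection logged right after it. The parser only reads what the tool wrote; it does not recompute any hash itself, so a clean diff against a baseline is only as trustworthy as the scan that produced it.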

                                      SuperDave

                                      • Malware Removal Specialist


                                      • Genius
                                      • Thanked: 1020
                                      • Experience: Expert
                                      • OS: Windows 10
                                      Re: svchost.exe grabs CPU & memory; browser gets redirected
                                      « Reply #34 on: November 08, 2010, 12:18:33 PM »
                                      Well, that is good news. Let's do some cleanup.

                                      * Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
                                      * Now type commy /uninstall in the runbox
                                      * Make sure there's a space between commy and /Uninstall
                                      * Then hit Enter

                                       * The above procedure will:
                                         * Delete ComboFix and its associated files and folders.
                                         * Reset the clock settings.
                                         * Hide file extensions, if required.
                                         * Hide System/Hidden files, if required.
                                         * Set a new, clean Restore Point.
                                      *********************************
                                      Clean out your temporary internet files and temp files.

                                      Download TFC by OldTimer to your desktop.

                                      Double-click TFC.exe to run it.

                                      Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                      TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                      * Click the Start button to begin the cleaning process.
                                      * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                      * Please let TFC run uninterrupted until it is finished.

                                      Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                                      **************************************
                                      Use the Secunia Software Inspector to check for out of date software.

                                       • Click Start Now
                                       • Check the box next to Enable thorough system inspection.
                                       • Click Start
                                       • Allow the scan to finish and scroll down to see if any updates are needed.
                                       • Update anything listed.
                                      ----------

                                      Go to Microsoft Windows Update and get all critical updates.

                                      ----------

                                      I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                       SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                      * Using SpywareBlaster to protect your computer from Spyware and Malware
                                      * If you don't know what ActiveX controls are, see here

                                      Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                      Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                      Safe Surfing!

                                      Windows 8 and Windows 10 dual boot with two SSD's

                                      Billb114

                                        Topic Starter


                                        Rookie

                                        • Experience: Experienced
                                        • OS: Windows XP
                                        Re: svchost.exe grabs CPU & memory; browser gets redirected
                                        « Reply #35 on: November 08, 2010, 05:55:10 PM »
                                        Following your advice!

                                        Thank you so much, SuperDave! I appreciate your patience and your efforts.