
Author Topic: Malware Removal Guide Completed (Please Review)  (Read 8056 times)


roco

    Topic Starter


    Rookie

    Malware Removal Guide Completed (Please Review)
    « on: January 23, 2011, 09:48:21 AM »
    Hello, I really appreciate the help you are providing here. Please understand that I own an adult website, so please excuse the adult sites listed from ad companies and such.

    My issue started with crush alert popups if the website is idle, then this turned into constant rebooting, then into not being able to access files at all, giving DLL errors. I have done a system restore in that situation, but that was just a temp fix. I still get the crush alert popups plus popups from AV8 and somewhere else asking me to run a scan. I would push the X button and at times it would attempt to perform a scan on its own.

    I have followed all directions in the guide, but I am not able to update my Java because I get an error.

    Here are my logs as attachments:

    Thanks,
    Roco



    [recovering disk space - old attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: Malware Removal Guide Completed (Please Review)
    « Reply #1 on: January 24, 2011, 01:39:52 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down for about 10 seconds while inserting it. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

    Please do not attach your logs unless absolutely necessary. Copy and paste in your replies.

    I see you are running Poker Stars. Poker Stars has a history of distributing spyware in their products. However, security experts still question whether this program is good or bad. I recommend removing it to prevent spyware, but it is up to you to decide if you want to keep it.

    If you would like to uninstall it, do so as follows:

    Press Start and navigate to the Control Panel. When in the Control Panel, open Add or Remove Programs. Search for and locate PokerStars, and click either Change/Remove or Remove.
    *********************************************************
    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
    R3 - URLSearchHook: (no name) -  - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    ********************************************
    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    Link 1
    Link 2

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Right-click combofix.exe and select Run as Administrator and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    *****************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    Windows 8 and Windows 10 dual boot with two SSD's
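The three HijackThis entries SuperDave asks roco to fix above are each a recognisable pattern: an R1 ProxyServer value pointing at 127.0.0.1 means some local process is sitting between the browser and the network, and R3/O2 entries ending in (no file) are orphaned hooks left behind by something that has already been removed. The script below is an added example written for this page, not a Computer Hope, HijackThis or Trend Micro tool; it runs those checks over HijackThis-style log lines. The sample lines are taken from this thread, except the proxy.corp.example entry, which is constructed to show a non-loopback proxy passing the check.

```python
"""Triage of HijackThis-style log lines (added example, not a tool from the
thread).  It encodes the three kinds of entry the reply above asks the poster
to fix: an R1 ProxyServer pointing at the loopback address, an R3 URLSearchHook
with no name and no file, and an O2 BHO with no backing file."""
import ipaddress
import re

# "R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:6092"
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
# "R3 - URLSearchHook: <name> - {CLSID} - <path>" and
# "O2 - BHO: <name> - {CLSID} - <path>"; the CLSID may be absent, as in the
# orphaned R3 entry quoted in the reply.
HOOK_RE = re.compile(
    r"^(?P<kind>R3|O2) - (?:URLSearchHook|BHO): (?P<name>.*?) - "
    r"(?P<clsid>\{[^}]*\})? ?- (?P<path>.*)$"
)


def proxy_entries(value):
    """Split a ProxyServer value into (scheme, host, port) triples.  Handles
    both the plain 'host:port' form and 'http=host:port;https=host:port'."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                      # no scheme prefix: applies to all
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:                     # no port given at all
            host, port = hostport, ""
        out.append((scheme, host.strip("[]"), port))
    return out


def is_loopback(host):
    """True for localhost, anything in 127.0.0.0/8, and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # a hostname, not an address
        return False


def triage(lines):
    """Return (kind, reason, line) for each entry worth fixing."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in proxy_entries(m.group("value")):
                if is_loopback(host):
                    findings.append(("R1", f"{scheme} proxy on loopback {host}:{port}: "
                                     "a local process is relaying browser traffic", line))
            continue
        m = HOOK_RE.match(line)
        if m:
            kind, name, path = m.group("kind"), m.group("name"), m.group("path")
            if path.lower() == "(no file)":
                findings.append((kind, "hook points at a file that no longer exists "
                                 "(orphan left by something already removed)", line))
            elif name == "(no name)":
                findings.append((kind, "unnamed hook backed by a file; inspect the DLL "
                                 "before fixing", line))
    return findings


# Lines from this thread, plus one constructed clean proxy line for contrast.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.example:8080",  # constructed
    r"R3 - URLSearchHook: (no name) -  - (no file)",
    r"R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
]

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against a pasted log, it reports exactly the three entries SuperDave checked and passes the ICQ toolbar, the Acrobat BHO and the constructed corporate proxy. A loopback proxy is not always malicious (some local filtering products register one), which is why the reason text names the finding rather than calling it malware; the port and the owning process still need to be checked on the machine.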

    roco

      Topic Starter


      Rookie

      Re: Malware Removal Guide Completed (Please Review)
      « Reply #2 on: January 24, 2011, 10:27:23 PM »
      Hi, thanks for replying, SuperDave. I followed all of your instructions but ComboFix does not seem to work. I will give it till the morning to finish, but the ComboFix window does not seem to be running and the progress bar is not moving. Maybe it takes some time, not sure, but it has been hours now and the window is still the same. Also, the only option I have is to run as the owner current user. I do not have a Run as Administrator option. Is that OK?

      Roco

      roco

        Topic Starter


        Rookie

        Re: Malware Removal Guide Completed (Please Review)
        « Reply #3 on: January 25, 2011, 06:28:39 AM »
        OK, it is now morning and still nothing is happening with ComboFix. Yet my Avast is disabled and I am still getting these popups. Should I skip this step and move on to Security Check?

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Experience: Expert
        • OS: Windows 10
        Re: Malware Removal Guide Completed (Please Review)
        « Reply #4 on: January 25, 2011, 12:42:35 PM »
          OK. Please try this: delete your copy of ComboFix from your desktop and follow the instructions below.

          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com

          Rename ComboFix.exe to commy.exe before you save it to your Desktop.
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
          Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


          Click on Yes, to continue scanning for malware.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix

          roco

            Topic Starter


            Rookie

            Re: Malware Removal Guide Completed (Please Review)
            « Reply #5 on: January 25, 2011, 05:59:07 PM »
            Hi Super Dave,

            It all worked out so far and here are the logs from ComboFix and new HijackThis.

            ComboFix

            ComboFix 11-01-25.01 - NewUser 01/25/2011  16:30:02.2.2 - x86
            Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1535.1152 [GMT -8:00]
            Running from: c:\documents and settings\NewUser\My Documents\Downloads\commy.exe.exe
            AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
            FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\documents and settings\Desktop\AUTORUN.INF
            c:\documents and settings\NewUser\Local Settings\Application Data\{947C1E04-5AA8-446B-938A-647C6C26E336}
            c:\documents and settings\NewUser\Local Settings\Application Data\{947C1E04-5AA8-446B-938A-647C6C26E336}\chrome.manifest
            c:\documents and settings\NewUser\Local Settings\Application Data\{947C1E04-5AA8-446B-938A-647C6C26E336}\chrome\content\_cfg.js
            c:\documents and settings\NewUser\Local Settings\Application Data\{947C1E04-5AA8-446B-938A-647C6C26E336}\chrome\content\overlay.xul
            c:\documents and settings\NewUser\Local Settings\Application Data\{947C1E04-5AA8-446B-938A-647C6C26E336}\install.rdf
            .
            ---- Previous Run -------
            .
            c:\documents and settings\Desktop\awmaw.exe
            c:\documents and settings\Desktop\ffmpeg.exe
            c:\documents and settings\Desktop\utorrent.exe
            c:\documents and settings\Desktop\wrar361.exe
            c:\windows\SET584.tmp
            c:\windows\SET694.tmp
            c:\windows\SET6CF.tmp
            c:\windows\SETCC8.tmp
            c:\windows\system32\_003648_.tmp.dll
            c:\windows\system32\_003654_.tmp.dll
            c:\windows\system32\_003657_.tmp.dll
            c:\windows\system32\_003662_.tmp.dll
            c:\windows\system32\_003668_.tmp.dll
            c:\windows\system32\_003691_.tmp.dll
            c:\windows\system32\_003816_.tmp.dll
            c:\windows\system32\_003817_.tmp.dll
            c:\windows\system32\_003818_.tmp.dll
            c:\windows\system32\_003819_.tmp.dll
            c:\windows\system32\_003822_.tmp.dll
            c:\windows\system32\_003823_.tmp.dll
            c:\windows\system32\_003824_.tmp.dll
            c:\windows\system32\_003825_.tmp.dll
            c:\windows\system32\_003830_.tmp.dll
            c:\windows\system32\_003831_.tmp.dll
            c:\windows\system32\_003832_.tmp.dll
            c:\windows\system32\_003833_.tmp.dll
            c:\windows\system32\_003840_.tmp.dll
            c:\windows\system32\_003841_.tmp.dll
            c:\windows\system32\_003842_.tmp.dll
            c:\windows\system32\_003844_.tmp.dll
            c:\windows\system32\_003845_.tmp.dll
            c:\windows\system32\_003848_.tmp.dll
            c:\windows\system32\_003849_.tmp.dll
            c:\windows\system32\_003852_.tmp.dll
            c:\windows\system32\_003853_.tmp.dll
            c:\windows\system32\_003855_.tmp.dll
            c:\windows\system32\_003856_.tmp.dll
            c:\windows\system32\_003858_.tmp.dll
            c:\windows\system32\_003860_.tmp.dll
            c:\windows\system32\_003861_.tmp.dll
            c:\windows\system32\_003862_.tmp.dll
            c:\windows\system32\_003863_.tmp.dll

            .
            \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
            .
            (((((((((((((((((((((((((   Files Created from 2010-12-26 to 2011-01-26  )))))))))))))))))))))))))))))))
            .

            2011-01-24 21:17 . 2011-01-25 19:38   --------   d-----w-   C:\Logs
            2011-01-23 16:17 . 2011-01-23 16:17   388096   ----a-r-   c:\documents and settings\NewUser\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
            2011-01-22 06:17 . 2011-01-22 09:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
            2011-01-22 06:17 . 2011-01-22 06:17   --------   d-----w-   c:\documents and settings\NewUser\Application Data\OnlineArmor
            2011-01-22 06:16 . 2010-07-07 20:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
            2011-01-22 06:16 . 2010-07-07 20:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
            2011-01-22 06:16 . 2010-07-07 20:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
            2011-01-22 06:16 . 2011-01-22 06:16   --------   d-----w-   c:\program files\Emsisoft
            2011-01-08 20:31 . 2011-01-08 20:31   --------   d--h--w-   c:\windows\PIF
            2010-12-27 17:06 . 2011-01-13 08:37   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
            2010-12-27 17:06 . 2011-01-13 08:41   294608   ----a-w-   c:\windows\system32\drivers\aswSP.sys
            2010-12-27 17:06 . 2011-01-13 08:37   23632   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
            2010-12-27 17:06 . 2011-01-13 08:40   47440   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
            2010-12-27 17:06 . 2011-01-13 08:40   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
            2010-12-27 17:06 . 2011-01-13 08:39   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
            2010-12-27 17:06 . 2011-01-13 08:37   29392   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
            2010-12-27 17:06 . 2011-01-13 08:47   38848   ----a-w-   c:\windows\avastSS.scr
            2010-12-27 17:06 . 2011-01-13 08:47   188216   ----a-w-   c:\windows\system32\aswBoot.exe
            2010-12-27 17:06 . 2010-12-27 17:06   --------   d-----w-   c:\program files\Alwil Software
            2010-12-27 17:06 . 2010-12-27 17:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
            2010-12-27 12:09 . 2010-12-27 12:09   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-11-29 18:08 . 2010-11-29 18:07   2963664   ----a-w-   C:\ccsetup301.exe
            2006-09-05 00:59 . 2006-09-05 00:59   34384   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcdec.dll
            2006-09-05 00:59 . 2006-09-05 00:59   93848   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcext.dll
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]
            "ICQ"="c:\program files\ICQ7.2\ICQ.exe" [2011-01-05 133432]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
            "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
            "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]

            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
            "SetDefaultMidi"="MIDIDEF.EXE" [2003-06-20 49152]
            "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
            "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
            BootExecute   REG_MULTI_SZ      autocheck autochk *\0SsiEfr.e

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
            backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
            c:\windows\system32\dumprep 0 -k [X]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
            2009-12-22 09:57   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
            2010-03-06 10:44   500208   ------w-   c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
            2010-02-22 11:57   406992   ----a-w-   c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
            2004-08-04 07:56   15360   ----a-w-   c:\windows\system32\ctfmon.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
            2003-11-13 18:18   24576   ----a-w-   c:\windows\system32\CTHELPER.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
            2010-01-12 06:17   13666408   ----a-w-   c:\windows\system32\nvcpl.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
            2010-01-12 06:17   110696   ----a-w-   c:\windows\system32\nvmctray.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
            2009-11-11 07:08   417792   ----a-w-   c:\program files\QuickTime\QTTask.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
            2003-07-15 20:36   319488   ----a-w-   c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
            2003-10-21 18:43   868352   ----a-w-   c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
            2003-05-02 02:44   65536   ----a-w-   c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
            2010-05-14 18:44   248552   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
            2010-02-19 20:37   517096   ----a-w-   c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
            "YahooAUService"=2 (0x2)
            "SwitchBoard"=3 (0x3)
            "PrismXL"=2 (0x2)
            "MDM"=2 (0x2)
            "JavaQuickStarterService"=2 (0x2)
            "iPod Service"=3 (0x3)
            "idsvc"=3 (0x3)
            "IDriverT"=3 (0x3)
            "ICQ Service"=2 (0x2)
            "hasplms"=2 (0x2)
            "Bonjour Service"=2 (0x2)
            "Ati HotKey Poller"=2 (0x2)
            "Apple Mobile Device"=2 (0x2)
            "nvsvc"=2 (0x2)
            "gupdate"=2 (0x2)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
            "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
            "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
            "c:\\Program Files\\ICQ7.2\\ICQ.exe"=
            "c:\\Program Files\\ICQ7.2\\aolload.exe"=
            "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "1947:TCP"= 1947:TCP:HASP SRM
            "1947:UDP"= 1947:UDP:HASP SRM

            R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/27/2010 9:06 AM 294608]
            R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/21/2011 10:16 PM 236104]
            R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/21/2011 10:16 PM 22600]
            R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/21/2011 10:16 PM 28232]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
            R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/27/2010 9:06 AM 17744]
            R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [1/21/2011 10:16 PM 1283400]
            S2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [1/21/2011 10:16 PM 3364680]
            S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/13/2010 8:22 AM 102448]
            S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/30/2006 9:55 AM 14336]
            S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2010 10:08 AM 136176]
            S4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
            S4 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [9/3/2010 12:13 PM 246520]
            S4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
            .
            Contents of the 'Scheduled Tasks' folder

            2011-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

            2011-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 18:08]

            2011-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 18:08]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://start.icq.com/
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
            IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
            DPF: {82836898-30F4-4813-9A2F-120C012E44E7} - hxxp://www.dsvanywhere.com/appeon/weblibrary_ax/ceondownloadcenter.cab
            DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
            DPF: {C1417ACD-9FFB-4B26-8060-ED6B55F04CCE} - (local)
            FF - ProfilePath - c:\documents and settings\NewUser\Application Data\Mozilla\Firefox\Profiles\jtpbkl07.default\
            FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
            FF - Ext: Ant Video Downloader: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
            FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
            FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
            FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
            .
            - - - - ORPHANS REMOVED - - - -

            SafeBoot-svcWRSSSDK
            MSConfigStartUp-nwiz - nwiz.exe



            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2011-01-25 16:35
            Windows 5.1.2600 Service Pack 2 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
            @DACL=(02 0000)
            @="\"file:%1\",,-1,,,,,"
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(572)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            c:\windows\system32\Ati2evxx.dll
            .
            Completion time: 2011-01-25  16:38:01
            ComboFix-quarantined-files.txt  2011-01-26 00:37

            Pre-Run: 84,432,793,600 bytes free
            Post-Run: 84,334,997,504 bytes free

            - - End Of File - - 43ECD71D12F07015340B97A2164D66E3
            =====
            HijackThis

            Logfile of Trend Micro HijackThis v2.0.4
            Scan saved at 4:43:49 PM, on 1/25/2011
            Platform: Windows XP SP2 (WinNT 5.01.2600)
            MSIE: Internet Explorer v7.00 (7.00.6000.17055)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\Emsisoft\Online Armor\OAcat.exe
            C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\Alwil Software\Avast5\avastUI.exe
            C:\Program Files\ICQ7.2\ICQ.exe
            C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
            C:\WINDOWS\system32\wscntfy.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\WINDOWS\system32\notepad.exe
            C:\WINDOWS\explorer.exe
            C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe

            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
            R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
            O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
            O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
            O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
            O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
            O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"
            O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
            O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ7.2\ICQ.exe" silent loginmode=4
            O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
            O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
            O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
            O9 - Extra button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe
            O9 - Extra 'Tools' menuitem: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154394226250
            O16 - DPF: {82836898-30F4-4813-9A2F-120C012E44E7} (EonDownloadCenter Class) - http://www.dsvanywhere.com/appeon/weblibrary_ax/ceondownloadcenter.cab
            O16 - DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} (WNICheck2 Class) - http://www.convergysworkathome.com/AppHardT.CAB
            O16 - DPF: {C1417ACD-9FFB-4B26-8060-ED6B55F04CCE} (EonUISpace Class) - (local)
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
            O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
            O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
            O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
            O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
            O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\oasrv.exe

            --
            End of file - 5120 bytes

            Should I still use Security Check by screen317 as well? I can see a difference already!!

            SuperDave

            • Malware Removal Specialist


            Re: Malware Removal Guide Completed (Please Review)
            « Reply #6 on: January 26, 2011, 12:25:28 PM »
            Quote
            Should I still use Security Check by screen317 as well?
            Yes. Please run the Security Check and post the log.

            SysProt Antirootkit

            Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

            http://sites.google.com/site/sysprotantirootkit/

            Unzip it into a folder on your desktop.
            • Double click Sysprot.exe to start the program.
            • Click on the Log tab.
            • In the Write to log box select the following items.
              • Process << Selected
              • Kernel Modules << Selected
              • SSDT << Selected
              • Kernel Hooks << Selected
              • IRP Hooks << NOT Selected
              • Ports << NOT Selected
              • Hidden Files << Selected
            • At the bottom of the page
              • Hidden Objects Only << Selected
            • Click on the Create Log button on the bottom right.
            • After a few seconds a new window should appear.
            • Select Scan Root Drive. Click on the Start button.
            • When it is complete a new window will appear to indicate that the scan is finished.
            • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
            Windows 8 and Windows 10 dual boot with two SSD's
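The SysProt log produced by the steps above is plain text: "******" separator rows, section headers such as "Process:" and "Kernel Modules:", and blank-line separated "Key: Value" records. The parser below is an added example (not code from the thread or from SysProt) that reads that format and sorts the "Hidden: Yes" kernel modules into expected entries (the crash-dump helper drivers, dump_*.sys) and entries a helper would want to look at; the embedded log and the UNKNOWN_DRIVER_PLACEHOLDER entry are constructed for the demonstration.

```python
"""Parse a SysProt Antirootkit text log and triage its 'Hidden: Yes' entries.

Added example, not part of the forum thread or of SysProt itself. The sample
log below is constructed from the record layout SysProt writes.
"""
import re

# A section header is a line like "Process:" or "Kernel Modules:" with no value.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):$")

# The crash-dump copies of the storage stack (dump_*.sys) are loaded by the
# kernel outside the normal loaded-module list, so rootkit scanners routinely
# report them as hidden; they are treated as expected rather than suspicious.
EXPECTED_HIDDEN_RE = re.compile(r"\\dump_[A-Za-z0-9_]+\.sys$", re.IGNORECASE)

# Constructed sample in SysProt's layout; the last module entry is a
# placeholder standing in for an unexplained hidden driver.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 500
Hidden: No
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FD000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B1B58000
Module End: B1B70000
Hidden: Yes

Module Name: \??\C:\example\UNKNOWN_DRIVER_PLACEHOLDER.sys
Service Name: ---
Module Base: B1C00000
Module End: B1C04000
Hidden: Yes
"""


def parse_sysprot_log(text):
    """Return {section name: [record dict, ...]} for every section in the log."""
    sections = {}
    current = None
    record = {}

    def flush():
        nonlocal record
        if record and current is not None:
            sections[current].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            flush()
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if not line or line.startswith("*"):
            flush()  # blank lines and separator rows end a record
            continue
        key, sep, value = line.partition(": ")
        if sep and current is not None:
            record[key] = value
    flush()
    return sections


def module_size(module):
    """Size in bytes of a kernel module entry, from its hex base/end addresses."""
    return int(module["Module End"], 16) - int(module["Module Base"], 16)


def hidden_entries(sections, section):
    """All records in a section that SysProt flagged as Hidden: Yes."""
    return [e for e in sections.get(section, []) if e.get("Hidden") == "Yes"]


def triage_hidden_modules(sections):
    """Split hidden kernel modules into (expected, suspicious) module names."""
    expected, suspicious = [], []
    for mod in hidden_entries(sections, "Kernel Modules"):
        name = mod["Module Name"]
        (expected if EXPECTED_HIDDEN_RE.search(name) else suspicious).append(name)
    return expected, suspicious


if __name__ == "__main__":
    parsed = parse_sysprot_log(SAMPLE_LOG)
    ok, review = triage_hidden_modules(parsed)
    print("hidden processes:", [p["Name"] for p in hidden_entries(parsed, "Process")])
    print("expected hidden modules:", ok)
    print("hidden modules to review:", review)
```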

            roco

              Topic Starter
              Re: Malware Removal Guide Completed (Please Review)
              « Reply #7 on: January 26, 2011, 06:33:47 PM »
              Hi Super Dave,

              Here are the logs for Security Check and SysProt

              Security Check screen317

               Results of screen317's Security Check version 0.99.7 
               Windows XP Service Pack 2 
               Out of date service pack!!
               Internet Explorer 7 Out of date!
              ``````````````````````````````
              Antivirus/Firewall Check:

               Windows Firewall Enabled! 
               avast! Free Antivirus   
               Online Armor 4.0   
              ```````````````````````````````
              Anti-malware/Other Utilities Check:

               Malwarebytes' Anti-Malware   
               CCleaner     
               Java(TM) 6 Update 22 
               Adobe Flash Player 10.1.102.64 
              Adobe Reader 9.3
              Out of date Adobe Reader installed!
               Mozilla Firefox (3.6.13)
              ````````````````````````````````
              Process Check: 
              objlist.exe by Laurent

               Tall Emu Online Armor OAcat.exe
               Alwil Software Avast5 AvastSvc.exe 
               Alwil Software Avast5 avastUI.exe 
              ``````````End of Log````````````

              ====

              SysProt AntiRootkit

              SysProt AntiRootkit v1.0.1.0
              by swatkat

              ******************************************************************************************
              ******************************************************************************************

              Process:
              Name: [System Idle Process]
              PID: 0
              Hidden: No
              Window Visible: No

              Name: System
              PID: 4
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\smss.exe
              PID: 500
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\csrss.exe
              PID: 552
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\winlogon.exe
              PID: 576
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\services.exe
              PID: 620
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\lsass.exe
              PID: 632
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\svchost.exe
              PID: 796
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\svchost.exe
              PID: 844
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\svchost.exe
              PID: 912
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\svchost.exe
              PID: 980
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\svchost.exe
              PID: 1056
              Hidden: No
              Window Visible: No

              Name: C:\Program Files\Emsisoft\Online Armor\oacat.exe
              PID: 1104
              Hidden: No
              Window Visible: No

              Name: C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
              PID: 1388
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\spoolsv.exe
              PID: 1768
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\svchost.exe
              PID: 196
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\svchost.exe
              PID: 1988
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\alg.exe
              PID: 1812
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\explorer.exe
              PID: 3396
              Hidden: No
              Window Visible: No

              Name: C:\Program Files\Alwil Software\Avast5\AvastUI.exe
              PID: 3916
              Hidden: No
              Window Visible: No

              Name: C:\Program Files\ICQ7.2\ICQ.exe
              PID: 1608
              Hidden: No
              Window Visible: Yes

              Name: C:\WINDOWS\system32\ctfmon.exe
              PID: 2156
              Hidden: No
              Window Visible: No

              Name: C:\WINDOWS\system32\wuauclt.exe
              PID: 2388
              Hidden: No
              Window Visible: No

              Name: C:\PROGRA~1\Yahoo!\Messenger\Ymsgr_tray.exe
              PID: 1596
              Hidden: No
              Window Visible: No

              Name: C:\Documents and Settings\NewUser\Desktop\SysProt\SysProt.exe
              PID: 1284
              Hidden: No
              Window Visible: Yes

              ******************************************************************************************
              ******************************************************************************************
              Kernel Modules:
              Module Name: \??\C:\Documents and Settings\NewUser\Desktop\SysProt\SysProtDrv.sys
              Service Name: SysProtDrv.sys
              Module Base: B131F000
              Module End: B132A000
              Hidden: No

              Module Name: \WINDOWS\system32\ntoskrnl.exe
              Service Name: ---
              Module Base: 804D7000
              Module End: 806FD000
              Hidden: No

              Module Name: \WINDOWS\system32\hal.dll
              Service Name: ---
              Module Base: 806FD000
              Module End: 8071DD00
              Hidden: No

              Module Name: \WINDOWS\system32\KDCOM.DLL
              Service Name: ---
              Module Base: F7987000
              Module End: F7989000
              Hidden: No

              Module Name: \WINDOWS\system32\BOOTVID.dll
              Service Name: ---
              Module Base: F7897000
              Module End: F789A000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
              Service Name: ACPI
              Module Base: F75A8000
              Module End: F75D6000
              Hidden: No

              Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
              Service Name: ---
              Module Base: F7989000
              Module End: F798B000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\pci.sys
              Service Name: PCI
              Module Base: F7597000
              Module End: F75A8000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
              Service Name: isapnp
              Module Base: F75F7000
              Module End: F7600000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
              Service Name: ohci1394
              Module Base: F7607000
              Module End: F7616000
              Hidden: No

              Module Name: \WINDOWS\System32\DRIVERS\1394BUS.SYS
              Service Name: ---
              Module Base: F7617000
              Module End: F7624000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\pciide.sys
              Service Name: PCIIde
              Module Base: F7A4F000
              Module End: F7A50000
              Hidden: No

              Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
              Service Name: ---
              Module Base: F7707000
              Module End: F770E000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
              Service Name: MountMgr
              Module Base: F7627000
              Module End: F7632000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
              Service Name: Disk
              Module Base: F74D8000
              Module End: F74F7000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
              Service Name: PartMgr
              Module Base: F770F000
              Module End: F7714000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
              Service Name: VolSnap
              Module Base: F7637000
              Module End: F7644000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\atapi.sys
              Service Name: atapi
              Module Base: F74C0000
              Module End: F74D8000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\disk.sys
              Service Name: ---
              Module Base: F7647000
              Module End: F7650000
              Hidden: No

              Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
              Service Name: ---
              Module Base: F7657000
              Module End: F7664000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
              Service Name: FltMgr
              Module Base: F74A0000
              Module End: F74C0000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\sr.sys
              Service Name: sr
              Module Base: F748E000
              Module End: F74A0000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
              Service Name: PxHelp20
              Module Base: F7667000
              Module End: F7671000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
              Service Name: KSecDD
              Module Base: F7860000
              Module End: F7877000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
              Service Name: Ntfs
              Module Base: F7B52000
              Module End: F7BDF000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
              Service Name: NDIS
              Module Base: F7833000
              Module End: F7860000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\Mup.sys
              Service Name: Mup
              Module Base: F796C000
              Module End: F7987000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\agp440.sys
              Service Name: agp440
              Module Base: F7677000
              Module End: F7682000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\nic1394.sys
              Service Name: NIC1394
              Module Base: F76A7000
              Module End: F76B7000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
              Service Name: intelppm
              Module Base: F76D7000
              Module End: F76E0000
              Hidden: No

              Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
              Service Name: nv
              Module Base: B66C4000
              Module End: B7091000
              Hidden: No

              Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
              Service Name: ---
              Module Base: B66B0000
              Module End: B66C4000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
              Service Name: usbuhci
              Module Base: F774F000
              Module End: F7754000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
              Service Name: ---
              Module Base: B668D000
              Module End: B66B0000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
              Service Name: usbehci
              Module Base: F7757000
              Module End: F775E000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ctaud2k.sys
              Service Name: ctaud2k
              Module Base: B6633000
              Module End: B668D000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\portcls.sys
              Service Name: ---
              Module Base: B660F000
              Module End: B6633000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\drmk.sys
              Service Name: ---
              Module Base: F76E7000
              Module End: F76F6000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ks.sys
              Service Name: ---
              Module Base: B65EC000
              Module End: B660F000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ctoss2k.sys
              Service Name: ossrv
              Module Base: B65C0000
              Module End: B65EC000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ctprxy2k.sys
              Service Name: ctprxy2k
              Module Base: F79B9000
              Module End: F79BB000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\IntelC53.sys
              Service Name: IntelC53
              Module Base: F76F7000
              Module End: F7703000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\IntelC51.sys
              Service Name: IntelC51
              Module Base: B64BF000
              Module End: B65C0000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\IntelC52.sys
              Service Name: IntelC52
              Module Base: B6451000
              Module End: B64BF000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\mohfilt.sys
              Service Name: mohfilt
              Module Base: F775F000
              Module End: F7764000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
              Service Name: Modem
              Module Base: F7767000
              Module End: F776F000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\e100b325.sys
              Service Name: E100B
              Module Base: B642D000
              Module End: B6451000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
              Service Name: Serial
              Module Base: F7587000
              Module End: F7597000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
              Service Name: serenum
              Module Base: B87E0000
              Module End: B87E4000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
              Service Name: Parport
              Module Base: B6419000
              Module End: B642D000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
              Service Name: Imapi
              Module Base: F7577000
              Module End: F7582000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
              Service Name: Cdrom
              Module Base: F7567000
              Module End: F7574000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
              Service Name: redbook
              Module Base: F7557000
              Module End: F7566000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
              Service Name: pwd_2k
              Module Base: B63FC000
              Module End: B6419000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
              Service Name: audstub
              Module Base: F7AB9000
              Module End: F7ABA000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
              Service Name: Rasl2tp
              Module Base: F7547000
              Module End: F7554000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
              Service Name: NdisTapi
              Module Base: B87D4000
              Module End: B87D7000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
              Service Name: NdisWan
              Module Base: B63E5000
              Module End: B63FC000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
              Service Name: RasPppoe
              Module Base: F7537000
              Module End: F7542000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
              Service Name: PptpMiniport
              Module Base: F7527000
              Module End: F7533000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
              Service Name: ---
              Module Base: F7777000
              Module End: F777C000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
              Service Name: Ptilink
              Module Base: F777F000
              Module End: F7784000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
              Service Name: Raspti
              Module Base: F7787000
              Module End: F778C000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
              Service Name: TermDD
              Module Base: F7517000
              Module End: F7521000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
              Service Name: Kbdclass
              Module Base: F778F000
              Module End: F7795000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
              Service Name: Mouclass
              Module Base: B70D9000
              Module End: B70DF000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
              Service Name: swenum
              Module Base: F79BB000
              Module End: F79BD000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
              Service Name: Update
              Module Base: B63B1000
              Module End: B63E5000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\WmBEnum.sys
              Service Name: WmBEnum
              Module Base: B87C8000
              Module End: B87CB000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\WmXlCore.sys
              Service Name: WmXlCore
              Module Base: F7507000
              Module End: F7512000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
              Service Name: mssmbios
              Module Base: B87C4000
              Module End: B87C8000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\dvd_2K.SYS
              Service Name: dvd_2K
              Module Base: B70C1000
              Module End: B70C7000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
              Service Name: NDProxy
              Module Base: F746E000
              Module End: F7478000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
              Service Name: usbhub
              Module Base: F745E000
              Module End: F746D000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
              Service Name: ---
              Module Base: F79CB000
              Module End: F79CD000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\hap16v2k.sys
              Service Name: hap16v2k
              Module Base: B393B000
              Module End: B3960000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ha10kx2k.sys
              Service Name: ha10kx2k
              Module Base: B385E000
              Module End: B393B000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\emupia2k.sys
              Service Name: emupia
              Module Base: B383C000
              Module End: B385E000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ctsfm2k.sys
              Service Name: ctsfm2k
              Module Base: B381C000
              Module End: B383C000
              Hidden: No

              Module Name: C:\WINDOWS\system32\drivers\ctac32k.sys
              Service Name: ctac32k
              Module Base: B377E000
              Module End: B381C000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
              Service Name: Flpydisk
              Module Base: B70B9000
              Module End: B70BE000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS
              Service Name: Cdr4_xp
              Module Base: F7A5B000
              Module End: F7A5C000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS
              Service Name: Cdralw2k
              Module Base: F7A5D000
              Module End: F7A5E000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
              Service Name: Fs_Rec
              Module Base: F79D1000
              Module End: F79D3000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
              Service Name: Null
              Module Base: F7A62000
              Module End: F7A63000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
              Service Name: Beep
              Module Base: F79D3000
              Module End: F79D5000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
              Service Name: ---
              Module Base: B70A1000
              Module End: B70A8000
              Hidden: No

              Module Name: C:\WINDOWS\System32\drivers\vga.sys
              Service Name: VgaSave
              Module Base: B7099000
              Module End: B709F000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
              Service Name: mnmdd
              Module Base: F79D5000
              Module End: F79D7000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
              Service Name: RDPCDD
              Module Base: F79D7000
              Module End: F79D9000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
              Service Name: cdudf_xp
              Module Base: B36F6000
              Module End: B3736000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS
              Service Name: DVDVRRdr_xp
              Module Base: B36C0000
              Module End: B36E4000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
              Service Name: Msfs
              Module Base: B7091000
              Module End: B7096000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
              Service Name: Npfs
              Module Base: F7797000
              Module End: F779F000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS
              Service Name: UdfReadr_xp
              Module Base: B3601000
              Module End: B3636000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
              Service Name: RasAcd
              Module Base: B3978000
              Module End: B397B000
              Hidden: No

              Module Name: \??\C:\WINDOWS\system32\drivers\OAnet.sys
              Service Name: OAnet
              Module Base: F741E000
              Module End: F7427000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
              Service Name: IPSec
              Module Base: B35B4000
              Module End: B35C7000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
              Service Name: Gpc
              Module Base: F740E000
              Module End: F7417000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
              Service Name: Tcpip
              Module Base: B355C000
              Module End: B35B4000
              Hidden: No

              Module Name: \??\C:\WINDOWS\system32\drivers\OAmon.sys
              Service Name: OAmon
              Module Base: F779F000
              Module End: F77A7000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
              Service Name: IpNat
              Module Base: B353B000
              Module End: B355C000
              Hidden: No

              Module Name: C:\WINDOWS\System32\Drivers\aswTdi.SYS
              Service Name: aswTdi
              Module Base: F7887000
              Module End: F7891000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
              Service Name: Wanarp
              Module Base: F7877000
              Module End: F7880000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
              Service Name: NetBT
              Module Base: B3513000
              Module End: B353B000
              Hidden: No

              Module Name: C:\WINDOWS\System32\DRIVERS\arp1394.sys
              Service Name: Arp1394
              Module Base: B81A1000
              SuperDave

              Re: Malware Removal Guide Completed (Please Review)
              « Reply #8 on: January 27, 2011, 01:44:41 PM »
              Update Your Java (JRE)

              Old versions of Java have vulnerabilities that malware can use to infect your system.


First, verify your Java version.

If there are any other version(s) installed, then update now.

              Get the new version (if needed)

              If your version is out of date install the newest version of the Sun Java Runtime Environment.

              Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

              Be sure to close ALL open web browsers before starting the installation.

              Remove any old versions

              1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions.
3. Once complete, exit JavaRA.
              4. Run CCleaner.

              Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
              ******************************************
              Please download the newest version of Adobe Acrobat Reader from Adobe.com

              Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
              Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

              Once old versions are gone, please install the newest version.
              *****************************************************
              I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double-click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
              A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
              Windows 8 and Windows 10 dual boot with two SSD's
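As an added example (not code from SuperDave's post, JavaRa or CCleaner), the "verify your Java version / remove any old versions" checks above as a PowerShell script: it reads the Add or Remove Programs uninstall registry keys and reports the older Java and Adobe Reader copies still registered, which are the ones the steps say to uninstall. The product-name patterns and the JQS.exe process check are assumptions.

```powershell
# Added example, not code from this thread or from JavaRa/CCleaner.
# Lists every Java and Adobe Reader entry in Add or Remove Programs (the
# uninstall registry keys) and flags the older copies that the steps above
# say must be removed. Name patterns and the JQS.exe process check are
# assumptions; run in an elevated PowerShell on the machine being checked.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Display-name patterns (assumed) for the two product families the post covers.
$Families = @{
    'Java'        = '^(Java(\(TM\))? \d|Java \d+ Update|J2SE Runtime)'
    'AdobeReader' = '^Adobe (Acrobat )?Reader'
}

function ConvertTo-VersionOrNull([string]$Text) {
    # "6.0.230" or "10.0.1" parse; anything unparsable becomes $null.
    try { [version]($Text -replace '[^\d.]', '') } catch { $null }
}

function Get-InstalledVersions {
    # One object per matching uninstall entry, across all three key locations.
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            if (-not $p.DisplayName) { continue }
            foreach ($family in $Families.Keys) {
                if ($p.DisplayName -match $Families[$family]) {
                    New-Object PSObject -Property @{
                        Family      = $family
                        DisplayName = $p.DisplayName
                        Version     = ConvertTo-VersionOrNull $p.DisplayVersion
                        Uninstall   = $p.UninstallString
                    }
                }
            }
        }
    }
}

function Get-StaleVersions {
    # Within each family, everything but the newest parsed version is stale.
    $all = @(Get-InstalledVersions)
    foreach ($family in $Families.Keys) {
        $entries = @($all | Where-Object { $_.Family -eq $family -and $_.Version } |
                           Sort-Object Version -Descending)
        if ($entries.Count -gt 1) { $entries[1..($entries.Count - 1)] }
    }
}

function Test-JavaQuickStarterRunning {
    # JQS.exe is the Java Quick Starter process named in the post above.
    [bool](Get-Process -Name jqs -ErrorAction SilentlyContinue)
}

$stale = @(Get-StaleVersions)
if ($stale.Count -eq 0) {
    Write-Host 'No duplicate Java or Adobe Reader versions registered.'
} else {
    Write-Host 'Older copies still installed (the newest of each family is kept):'
    $stale | Format-Table Family, DisplayName, Version -AutoSize
}
if (Test-JavaQuickStarterRunning) {
    Write-Host 'Java Quick Starter (JQS.exe) is running; see the note above to disable it.'
}
```

Run it once before and once after the JavaRa and Add or Remove Programs steps; the second run should report no older copies.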

              roco


                Re: Malware Removal Guide Completed (Please Review)
                « Reply #9 on: January 27, 2011, 05:08:04 PM »
Hi, here is what ESET OnlineScan found. Should I re-scan and then delete these files?

                C:\Program Files\ICQ7.2\packages\Facebook\updates\manifest   Win32/Adware.SpywareProtect2009 application
                C:\Program Files\ICQ7.2\packages\geo1\updates\manifest   Win32/Adware.SpywareProtect2009 application
                C:\Program Files\ICQ7.2\packages\kolobok\updates\manifest   Win32/Adware.SpywareProtect2009 application
                C:\Program Files\ICQ7.2\packages\zlango7\updates\manifest   Win32/Adware.SpywareProtect2009 application
                C:\Program Files\ICQ7.2\Xtraz\zlango7\resources\en-us\xtraz_list.dtd   Win32/Adware.SpywareProtect2009 application
                C:\Program Files\Mozilla Firefox\plugins\WebEx\424\atpdmod.dll   probably a variant of Win32/Genetik trojan

                SuperDave

                Re: Malware Removal Guide Completed (Please Review)
                « Reply #10 on: January 28, 2011, 01:14:18 PM »
                Yes. Please run it again and clear those files.

                roco


                  Re: Malware Removal Guide Completed (Please Review)
                  « Reply #11 on: January 29, 2011, 08:41:45 AM »
All files cleared. Please let me know the next step. Thanks, Super Dave!!

                  SuperDave

                  Re: Malware Removal Guide Completed (Please Review)
                  « Reply #12 on: January 29, 2011, 12:57:22 PM »
                  It sounds like you're happy with the results. If there's nothing else, let's do some cleanup.

                  Download OTL to your desktop.
                  To remove all of the tools we used and the files and folders they created do the following:
Double-click OTL.exe.
                  • Click the CleanUp button.
                  • Select Yes when the "Begin cleanup Process?" prompt appears.
                  • If you are prompted to Reboot during the cleanup, select Yes.
                  • The tool will delete itself once it finishes.
                  Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
                  *****************************************************
                  Clean out your temporary internet files and temp files.

                  Download TFC by OldTimer to your desktop.

                  Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator.

                  TFC will close all programs when run, so make sure you have saved all your work before you begin.

                  * Click the Start button to begin the cleaning process.
                  * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                  * Please let TFC run uninterrupted until it is finished.

                  Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                  ******************************************************
Use the Secunia Software Inspector to check for out-of-date software.

• Click Start Now

• Check the box next to Enable thorough system inspection.

• Click Start

• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
                  ----------

                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                  Safe Surfing!

                  roco


                    Re: Malware Removal Guide Completed (Please Review)
                    « Reply #13 on: March 02, 2011, 10:58:47 PM »
OK, I wanted to wait a while to see if my issue would return, but nope, all is fine and I am VERY HAPPY with Computer Hope and

                    "Super Dave To The Rescue!!"

I am using Avast and Online Armor for protection. Will this be OK, because I hate Spybot lol. But if I have to use it I will.

                    Take care,
                    Roco
                    « Last Edit: March 02, 2011, 11:21:10 PM by roco »

                    SuperDave

                    Re: Malware Removal Guide Completed (Please Review)
                    « Reply #14 on: March 03, 2011, 01:29:18 PM »
                    Quote
I am using Avast and Online Armor for protection. Will this be OK, because I hate Spybot lol. But if I have to use it I will.
                    If you don't like Spybot you should use SpywareBlaster and Windows Defender.
                    I will lock this thread. If you need it re-opened, please send me a pm.