[Resolved] Google Search Redirects, Clickover.cn, etc...
fatalplus
post Jul 28 2009, 08:58 PM
Post #1


Operating System: XP

Clicking search results from Google randomly (read: occasionally, sometimes more often than not, and not always even the same link) redirects me to another page, Clickover.cn/longunintelligiblestring. Does the same thing in Firefox and Chrome. NoScript stops the page from loading, but I'd still like to figure out what's causing it, as scans from Avast!, Spybot and Malwarebytes are all showing my system as clean. A quick search for anything pertaining to clickover.cn leaves me empty-handed. So, any thoughts? Thanks in advance.


Here's my HijackThis logfile to get things started.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:48 PM, on 7/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182131443798
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182131395142
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C672E896-7E75-43CE-BB9E-053766318D7F}: NameServer = 192.168.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5892 bytes
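Added example for this thread (not part of fatalplus's post, and not something HijackThis itself does): a short Python triage of the HijackThis entry types that matter when the complaint is redirected searches. It reads the O17 per-interface DNS servers and reports any resolver outside the RFC 1918, loopback and link-local ranges, flags O2/O3/O9 registrations whose file is gone, O4 Run entries that point into temp or profile directories, and R0/R1 start-page URLs that are not the Microsoft default. The real lines are copied from the log above; the second O17 line (TEST-NET addresses) and the HKCU Run entry are constructed so the suspicious branches execute. The address ranges, the directory list and the "not Microsoft" test are this script's own assumptions. Note what it cannot cover: HijackThis enumerates registrations, not loaded modules, so a log with nothing of interest flagged, like the one above, is not evidence that the machine is clean.

```python
"""Triage a HijackThis log for the entries a search-redirect investigation reads
first. Added example for this thread; it is not part of fatalplus's post and
not a HijackThis feature. Lines marked CONSTRUCTED are not from the log above.
"""
import ipaddress
import re

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")

# Resolvers a home/lab box is expected to use: the LAN router or a local
# forwarder. Anything else is reported; a genuine ISP resolver will show up too
# and has to be recognised by the analyst (assumption: no ISP allow-list).
LOCAL_RESOLVER_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Directories a Run-key target should not normally live in (assumption).
USER_WRITABLE_RE = re.compile(r"\\(Temp|Local Settings|Application Data)\\", re.I)


def is_local_resolver(addr):
    """True if addr (str) is inside one of LOCAL_RESOLVER_NETS."""
    ip = ipaddress.ip_address(addr.strip())
    return any(ip in net for net in LOCAL_RESOLVER_NETS)


def triage_hijackthis(lines):
    """Return a list of (kind, reason, original line) for entries worth a look."""
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank and "End of file" lines
        kind, body = m.group("kind"), m.group("body")
        if kind == "O17":
            # Per-interface DNS servers. A resolver you did not configure is the
            # classic mechanism behind "every search result redirects".
            for server_list in re.findall(r"NameServer = ([\d.,]+)", body):
                for addr in server_list.split(","):
                    if not is_local_resolver(addr):
                        findings.append((kind, f"DNS server {addr.strip()} is not a local resolver", raw))
        elif kind in ("O2", "O3", "O9") and ("(file missing)" in body or "(no file)" in body):
            # Usually an uninstall leftover (AVG here), rarely the cause, but
            # orphaned registrations get cleaned up as part of the fix.
            findings.append((kind, "registration points at a missing file", raw))
        elif kind == "O4" and USER_WRITABLE_RE.search(body):
            findings.append((kind, "autorun target in a user-writable directory", raw))
        elif kind in ("R0", "R1") and "http" in body and "microsoft.com" not in body.lower():
            findings.append((kind, "start/search page URL is not the Microsoft default", raw))
    return findings


# Real lines copied from the log above, plus two CONSTRUCTED ones so that the
# suspicious branches execute: the second O17 uses TEST-NET addresses and the
# HKCU Run entry is invented for the example.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C672E896-7E75-43CE-BB9E-053766318D7F}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53,203.0.113.54
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER~1\LOCALS~1\Temp\updater.exe
"""

if __name__ == "__main__":
    for kind, reason, line in triage_hijackthis(SAMPLE_LOG.splitlines()):
        print(f"[{kind}] {reason}\n    {line.strip()}")
```

On the real lines above the O17 check passes (192.168.2.1 is the LAN router) and the only hit is the orphaned AVG BHO, which does not explain the symptom at all. That is the cue to move from an autorun listing to a rootkit scan, which is exactly what the next post asks for.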
CatByte
post Jul 29 2009, 10:48 AM
Post #2


Hi and Welcome,

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted.
  • Please DO NOT run any scans or fix items without my direction.

Please do the following:

STEP #1

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


STEP #2

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


fatalplus
post Jul 29 2009, 02:15 PM
Post #3


Thanks for the quick reply, CatByte.


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-29 16:04:19
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F67144F6
INT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F671459C
INT 0x62 ? 871D8BF8
INT 0x82 ? 871D8BF8
INT 0xB4 ? 86EE5BF8
INT 0xB4 ? 86EE5BF8
INT 0xB4 ? 86EE5BF8
INT 0xB4 ? 86EE5BF8

Code 86DA8190 ZwEnumerateKey
Code 86E101E0 ZwFlushInstructionCache
Code 86DF4096 ZwSaveKey
Code 86E93686 ZwSaveKeyEx
Code 86F5F9BE IofCallDriver
Code 86ED42BE IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 871D71F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom 861981F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C672E896-7E75-43CE-BB9E-053766318D7F} 86E07500

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\usbohci \Device\USBPDO-0 86D9A1F8
Device \Driver\usbohci \Device\USBPDO-1 86D9A1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8716C1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8716C1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8716C1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8716C1F8
Device \Driver\usbehci \Device\USBPDO-2 86D41500

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\sptd \Device\2260635054 spxp.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 86E07500
Device \Driver\NetBT \Device\NetbiosSmb 86E07500

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\PCI_PNP6304 \Device\0000005e spxp.sys
Device \Driver\usbohci \Device\USBFDO-0 86D9A1F8
Device \Driver\usbohci \Device\USBFDO-1 86D9A1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 863211F8
Device \Driver\usbehci \Device\USBFDO-2 86D41500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 863211F8
Device \Driver\Ftdisk \Device\FtControl 871D91F8
Device \Driver\afn304am \Device\Scsi\afn304am1Port2Path0Target0Lun0 86D1E500
Device \Driver\afn304am \Device\Scsi\afn304am1 86D1E500
Device \FileSystem\Fastfat \Fat 861981F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs 863201F8
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashServ.exe [164] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [268] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [424] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [528] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [620] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [748] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\MsPMSPSv.exe [868] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [932] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehRecvr.exe [988] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1056] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1108] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1120] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1292] 0x00960000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [1336] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [1352] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\SearchIndexer.exe [1356] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1400] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1464] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1528] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1652] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1680] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1736] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Common Files\LightScribe\LSSrvc.exe [1812] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1904] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\uTorrent\uTorrent.exe [1948] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2000] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\DOCUME~1\FATALP~1\LOCALS~1\Temp\RarSFX0\FI.exe [2104] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2272] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2292] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [2328] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiapsrv.exe [2360] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2528] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\cmd.exe [2660] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Documents and Settings\FatalPlus\My Documents\New Folder\gmer.exe [3400] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Winamp\winamp.exe [3488] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Documents and Settings\FatalPlus\My Documents\New Folder\dds.scr [3504] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3564] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Documents and Settings\FatalPlus\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe [3880] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\rundll32.exe [3928] 0x10000000

---- EOF - GMER 1.0.15 ----


Attached File(s): Attach.txt (15.9K), DDS.txt (12.3K)
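Added example for this thread (not part of fatalplus's post, and not a GMER feature): a Python script that pulls the two findings a reviewer reads first out of a GMER log like the one above, the "Code" lines (kernel functions whose entry point GMER could not attribute to any loaded module, i.e. inline hooks) and the "Library ... (*** hidden *** )" lines (a module mapped in a process but hidden from the normal file listing), and groups the latter by module and process. The excerpt is copied from the log above; the thresholds (MIN_PROCS, CORE_PROCS) and the choice of which hooked functions to call out are the script's own assumptions. It produces labels, not verdicts: CatByte's caution about false positives still stands, and a legitimate filter driver can also appear in some of these places.

```python
"""Summarise a GMER log's two strongest rootkit indicators: unattributed kernel
code hooks ("Code <addr> <function>") and a hidden module loaded into process
after process ("Library <path> (*** hidden *** ) @ <process> [pid] <base>").
Added example for this thread; not part of fatalplus's post and not a GMER
feature. The excerpt below is copied from the GMER log above.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)\s*$")
LIB_RE = re.compile(
    r"^Library\s+(?P<module>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+0x(?P<base>[0-9A-Fa-f]+)\s*$"
)

# Assumptions of this script, not of GMER: processes no user-mode add-on belongs
# in, how many distinct processes make an injection "system-wide", and which
# hooked functions are worth calling out by name.
CORE_PROCS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
MIN_PROCS = 5
REGISTRY_FUNCS = {"ZwEnumerateKey", "ZwSaveKey", "ZwSaveKeyEx"}
IO_FUNCS = {"IofCallDriver", "IofCompleteRequest"}


def parse_gmer(lines):
    """Return (hooks, injected): hooks as [(function, address)], injected as
    {module path: [(process path, pid, load base)]} in log order."""
    hooks = []
    injected = defaultdict(list)
    for line in lines:
        line = line.rstrip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append((m.group("func"), m.group("addr").upper()))
            continue
        m = LIB_RE.match(line)
        if m:
            injected[m.group("module")].append(
                (m.group("proc"), int(m.group("pid")), int(m.group("base"), 16))
            )
    return hooks, dict(injected)


def assess(hooks, injected):
    """Turn the parsed data into human-readable findings (labels, not verdicts)."""
    findings = []
    hooked = {func for func, _ in hooks}
    if hooked & REGISTRY_FUNCS:
        # Hooks here let a driver drop its own keys from enumeration and backup.
        findings.append("kernel hooks on registry enumeration/save: "
                        + ", ".join(sorted(hooked & REGISTRY_FUNCS)))
    if hooked & IO_FUNCS:
        # Hooks on the I/O dispatch path let a driver filter reads of whatever
        # on-disk sectors or files hold its components.
        findings.append("kernel hooks on the I/O dispatch path: "
                        + ", ".join(sorted(hooked & IO_FUNCS)))
    for module, sites in injected.items():
        procs = {path.rsplit("\\", 1)[-1].lower() for path, _, _ in sites}
        reasons = []
        if module.lower().startswith("\\\\?\\globalroot\\"):
            reasons.append("loaded through \\\\?\\globalroot, outside the usual drive-letter view")
        if len(procs) >= MIN_PROCS:
            reasons.append(f"present in {len(procs)} distinct processes")
        if procs & CORE_PROCS:
            reasons.append("inside core system processes: " + ", ".join(sorted(procs & CORE_PROCS)))
        if reasons:
            findings.append(f"hidden module {module}: " + "; ".join(reasons))
    return findings


# Excerpt of the log above (the full log lists the same DLL in 39 processes).
SAMPLE = r"""
Code 86DA8190 ZwEnumerateKey
Code 86E101E0 ZwFlushInstructionCache
Code 86DF4096 ZwSaveKey
Code 86E93686 ZwSaveKeyEx
Code 86F5F9BE IofCallDriver
Code 86ED42BE IofCompleteRequest
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashServ.exe [164] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [268] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1056] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1108] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1120] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1292] 0x00960000
Library \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1904] 0x10000000
"""

if __name__ == "__main__":
    for finding in assess(*parse_gmer(SAMPLE.splitlines())):
        print("-", finding)
```

Run on the excerpt it reports hooks on ZwEnumerateKey/ZwSaveKey/ZwSaveKeyEx and on IofCallDriver/IofCompleteRequest, plus one hidden DLL loaded via \\?\globalroot into six distinct processes including winlogon, services and lsass. Two things follow for this thread: the full log shows the same DLL inside ashServ.exe, ashMaiSv.exe and ashWebSv.exe, which is a plausible reason the on-demand scans reported a clean system, and a hidden module combined with hooks on registry enumeration and the I/O path is the pattern the ComboFix run later in the thread addresses when it removes the Legacy_TDSSSERV entry.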
CatByte
post Jul 29 2009, 02:21 PM
Post #4


Can you post the ComboFix log that you ran already?

You should be able to find it at C:\Combofix.txt.
fatalplus
post Jul 29 2009, 02:45 PM
Post #5


I downloaded it, but I don't think I ever ran it. I have no combofix.txt in C:\ (EDIT: or anywhere that I can find).

Should I run it now?

This post has been edited by fatalplus: Jul 29 2009, 02:52 PM
CatByte
post Jul 29 2009, 04:05 PM
Post #6


Hi,

Delete the copy of ComboFix that you have (right click the icon > delete).

Download a fresh copy, renaming it before saving:

Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".



Link 1
Link 2

During the download, rename Combofix to Combo-Fix as follows:

--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**

    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------

fatalplus
post Jul 29 2009, 05:12 PM
Post #7


Combo-Fix log

ComboFix 09-07-29.03 - FatalPlus 07/29/2009 18:30.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.547 [GMT -4:00]
Running from: c:\documents and settings\FatalPlus\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090728-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\FatalPlus\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Installer\102bd4b1.msp
c:\windows\kb913800.exe
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000025_.tmp.dll
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://updateserver.info
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_OREANS32


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-29 02:53 . 2009-07-29 02:53 -------- d-----w- c:\program files\Trend Micro
2009-07-29 01:57 . 2009-07-29 01:57 3310 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe
2009-07-29 01:57 . 2009-07-29 01:57 -------- d-----w- c:\program files\Power Tab Software
2009-07-28 22:06 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-28 22:06 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-28 22:06 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-28 22:06 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-28 22:06 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-28 22:06 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-28 22:06 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-28 22:06 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-28 22:05 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-28 22:05 . 2009-07-28 22:05 -------- d-----w- c:\program files\Alwil Software
2009-07-28 22:01 . 2009-07-28 22:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 22:01 . 2009-07-28 22:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-25 10:26 . 2009-07-25 10:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-25 10:26 . 2009-07-25 10:35 -------- d-----w- c:\program files\Black Isle
2009-07-18 12:28 . 2009-07-18 12:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-17 22:55 . 2009-07-17 22:55 -------- d-----w- c:\documents and settings\FatalPlus\Local Settings\Application Data\Temp
2009-07-16 07:05 . 2009-07-16 07:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-07-12 14:45 . 2009-07-12 14:45 -------- d-sh--w- c:\documents and settings\FatalPlus\PrivacIE
2009-07-07 21:19 . 2009-07-07 21:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-07 21:17 . 2009-07-07 21:17 -------- d-sh--w- c:\documents and settings\FatalPlus\IETldCache
2009-07-07 21:01 . 2009-06-02 10:12 102912 ----a-w- c:\windows\system32\dllcache\iecompat.dll
2009-07-07 21:01 . 2009-07-28 21:20 -------- d-----w- c:\windows\ie8updates
2009-07-07 20:59 . 2009-07-03 17:09 12800 ----a-w- c:\windows\system32\dllcache\xpshims.dll
2009-07-07 20:59 . 2009-07-03 17:09 246272 ----a-w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 20:56 . 2009-07-07 20:59 -------- dc-h--w- c:\windows\ie8
2009-07-06 13:04 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\FatalPlus\Application Data\Mozilla\Firefox\Profiles\8q84ujfl.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 20:12 . 2009-04-16 14:18 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\uTorrent
2009-07-29 02:54 . 2009-01-11 20:30 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\tor
2009-07-29 02:54 . 2009-01-11 20:30 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\Vidalia
2009-07-29 02:26 . 2009-02-08 17:26 -------- d-----w- c:\program files\PeerGuardian2
2009-07-28 21:51 . 2009-05-27 23:50 -------- d-----w- c:\program files\Avira
2009-07-28 21:51 . 2009-05-27 23:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Avira
2009-07-28 11:27 . 2009-05-27 23:57 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\Winamp
2009-07-27 21:27 . 2008-12-25 22:02 -------- d-----w- c:\program files\Steam
2009-07-25 01:59 . 2009-04-09 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 14:18 . 2008-04-12 20:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-20 20:20 . 2009-05-27 23:57 -------- d-----w- c:\program files\Winamp
2009-07-16 17:39 . 2009-06-14 15:09 -------- d-----w- c:\program files\Guitar Pro 5
2009-07-16 15:22 . 2008-08-29 12:45 -------- d-----w- c:\program files\Trillian
2009-07-16 07:08 . 2009-03-09 20:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-07-14 00:21 . 2009-04-17 19:01 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\dvdcss
2009-07-13 17:36 . 2009-04-09 12:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-09 12:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-04 20:45 . 2009-06-12 15:50 -------- d-----w- c:\program files\Guitar Scales Method
2009-07-03 17:09 . 2004-08-10 15:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-28 12:15 . 2008-08-30 16:29 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-18 22:04 . 2006-11-04 18:12 -------- d-----w- c:\program files\DivX
2009-06-16 14:36 . 2004-08-10 15:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 15:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:37 . 2006-11-06 22:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 15:12 . 2009-02-10 23:00 106912 ----a-w- c:\documents and settings\FatalPlus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 21:10 . 2009-06-11 21:10 -------- d-----w- c:\program files\Jamorama
2009-06-11 11:11 . 2009-06-11 11:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\QuickTime
2009-06-11 11:09 . 2009-02-03 12:28 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\DAEMON Tools Lite
2009-06-11 11:08 . 2009-05-28 03:52 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-11 11:07 . 2009-06-11 10:53 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-06-11 10:53 . 2009-06-11 10:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DAEMON Tools Pro
2009-06-11 07:21 . 2008-10-10 05:10 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 18:53 . 2009-06-10 18:43 -------- d-----w- c:\program files\eCogNeato Development Company
2009-06-03 19:09 . 2005-06-29 09:55 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 03:44 . 2008-10-14 02:14 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-19 17:09 . 2009-05-19 17:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-19 14:20 . 2009-05-19 14:20 4096 ----a-w- c:\windows\d3dx.dat
2009-05-15 23:36 . 2009-05-17 14:24 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-15 23:36 . 2009-05-17 14:24 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-10 15:03 . 2009-05-10 15:03 4032 ----a-w- c:\windows\unins000.dat
2009-05-10 15:03 . 2009-05-10 15:03 794906 ----a-w- c:\windows\unins000.exe
2009-05-07 15:32 . 2004-08-10 15:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 02:08 . 2009-04-07 23:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-09-03 00:34 . 2006-09-03 00:34 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FatalPlus^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\FatalPlus\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John Gilligan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\John Gilligan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John Gilligan^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\John Gilligan\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=2 (0x2)
"McShield"=3 (0x3)
"McAfeeFramework"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)
"avg8wd"=2 (0x2)
"hpqwmiex"=2 (0x2)
"Diskeeper"=2 (0x2)
"CVPND"=2 (0x2)
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM75400e5c"=Rundll32.exe "c:\windows\system32\ydfdyidm.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Vidalia Bundle\\Privoxy\\privoxy.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\72fender@comcast.net\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/28/2009 6:06 PM 114768]
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [5/19/2009 12:54 PM 17952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/28/2009 6:06 PM 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S1 wdmaudd;wdmaudd;c:\windows\system32\drivers\wdmaudd.sys --> c:\windows\system32\drivers\wdmaudd.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: {C672E896-7E75-43CE-BB9E-053766318D7F} = 192.168.2.1
FF - ProfilePath - c:\docume~1\FATALP~1\APPLIC~1\Mozilla\Firefox\Profiles\8q84ujfl.default\
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - plugin: c:\documents and settings\FatalPlus\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1124)
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-29 18:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 22:59

Pre-Run: 13,203,361,792 bytes free
Post-Run: 13,425,508,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

272 --- E O F --- 2009-07-28 21:21
CatByte
post Jul 29 2009, 06:27 PM
Post #8

Classroom Administrator
Group: Classroom Admin
Posts: 9,670
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

QUOTE
Overlay aborted ... Please run ComboFix once more


Please run ComboFix again.
fatalplus
post Jul 29 2009, 07:26 PM
Post #9

Authentic Member
Group: Authentic Member
Posts: 20
Joined: 28-July 09
Member No.: 86,999
Operating System: XP

Whoops, guess I should have read through it better. Here's the new one.

ComboFix 09-07-29.03 - FatalPlus 07/29/2009 21:01.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.609 [GMT -4:00]
Running from: c:\documents and settings\FatalPlus\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090729-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-29 02:53 . 2009-07-29 02:53 -------- d-----w- c:\program files\Trend Micro
2009-07-29 01:57 . 2009-07-29 01:57 3310 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe
2009-07-29 01:57 . 2009-07-29 01:57 -------- d-----w- c:\program files\Power Tab Software
2009-07-28 22:06 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-28 22:06 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-28 22:06 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-28 22:06 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-28 22:06 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-28 22:06 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-28 22:06 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-28 22:06 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-28 22:05 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-28 22:05 . 2009-07-28 22:05 -------- d-----w- c:\program files\Alwil Software
2009-07-28 22:01 . 2009-07-28 22:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 22:01 . 2009-07-28 22:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-25 10:26 . 2009-07-25 10:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-25 10:26 . 2009-07-25 10:35 -------- d-----w- c:\program files\Black Isle
2009-07-18 12:28 . 2009-07-18 12:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-17 22:55 . 2009-07-17 22:55 -------- d-----w- c:\documents and settings\FatalPlus\Local Settings\Application Data\Temp
2009-07-16 07:05 . 2009-07-16 07:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-07-12 14:45 . 2009-07-12 14:45 -------- d-sh--w- c:\documents and settings\FatalPlus\PrivacIE
2009-07-07 21:19 . 2009-07-07 21:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-07 21:17 . 2009-07-07 21:17 -------- d-sh--w- c:\documents and settings\FatalPlus\IETldCache
2009-07-07 21:01 . 2009-06-02 10:12 102912 ----a-w- c:\windows\system32\dllcache\iecompat.dll
2009-07-07 21:01 . 2009-07-28 21:20 -------- d-----w- c:\windows\ie8updates
2009-07-07 20:59 . 2009-07-03 17:09 12800 ----a-w- c:\windows\system32\dllcache\xpshims.dll
2009-07-07 20:59 . 2009-07-03 17:09 246272 ----a-w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 20:56 . 2009-07-07 20:59 -------- dc-h--w- c:\windows\ie8
2009-07-06 13:04 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\FatalPlus\Application Data\Mozilla\Firefox\Profiles\8q84ujfl.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 20:12 . 2009-04-16 14:18 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\uTorrent
2009-07-29 02:54 . 2009-01-11 20:30 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\tor
2009-07-29 02:54 . 2009-01-11 20:30 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\Vidalia
2009-07-29 02:26 . 2009-02-08 17:26 -------- d-----w- c:\program files\PeerGuardian2
2009-07-28 21:51 . 2009-05-27 23:50 -------- d-----w- c:\program files\Avira
2009-07-28 21:51 . 2009-05-27 23:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Avira
2009-07-28 11:27 . 2009-05-27 23:57 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\Winamp
2009-07-27 21:27 . 2008-12-25 22:02 -------- d-----w- c:\program files\Steam
2009-07-25 01:59 . 2009-04-09 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 14:18 . 2008-04-12 20:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-20 20:20 . 2009-05-27 23:57 -------- d-----w- c:\program files\Winamp
2009-07-16 17:39 . 2009-06-14 15:09 -------- d-----w- c:\program files\Guitar Pro 5
2009-07-16 15:22 . 2008-08-29 12:45 -------- d-----w- c:\program files\Trillian
2009-07-16 07:08 . 2009-03-09 20:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-07-14 00:21 . 2009-04-17 19:01 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\dvdcss
2009-07-13 17:36 . 2009-04-09 12:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-09 12:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-04 20:45 . 2009-06-12 15:50 -------- d-----w- c:\program files\Guitar Scales Method
2009-07-03 17:09 . 2004-08-10 15:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-28 12:15 . 2008-08-30 16:29 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-18 22:04 . 2006-11-04 18:12 -------- d-----w- c:\program files\DivX
2009-06-16 14:36 . 2004-08-10 15:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 15:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:37 . 2006-11-06 22:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 15:12 . 2009-02-10 23:00 106912 ----a-w- c:\documents and settings\FatalPlus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 21:10 . 2009-06-11 21:10 -------- d-----w- c:\program files\Jamorama
2009-06-11 11:11 . 2009-06-11 11:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\QuickTime
2009-06-11 11:09 . 2009-02-03 12:28 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\DAEMON Tools Lite
2009-06-11 11:08 . 2009-05-28 03:52 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-11 11:07 . 2009-06-11 10:53 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-06-11 10:53 . 2009-06-11 10:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DAEMON Tools Pro
2009-06-11 07:21 . 2008-10-10 05:10 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 18:53 . 2009-06-10 18:43 -------- d-----w- c:\program files\eCogNeato Development Company
2009-06-03 19:09 . 2005-06-29 09:55 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 03:44 . 2008-10-14 02:14 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-19 17:09 . 2009-05-19 17:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-19 14:20 . 2009-05-19 14:20 4096 ----a-w- c:\windows\d3dx.dat
2009-05-15 23:36 . 2009-05-17 14:24 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-15 23:36 . 2009-05-17 14:24 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-10 15:03 . 2009-05-10 15:03 4032 ----a-w- c:\windows\unins000.dat
2009-05-10 15:03 . 2009-05-10 15:03 794906 ----a-w- c:\windows\unins000.exe
2009-05-07 15:32 . 2004-08-10 15:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 02:08 . 2009-04-07 23:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-09-03 00:34 . 2006-09-03 00:34 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_22.54.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-30 01:13 . 2009-07-30 01:13 16384 c:\windows\Temp\Perflib_Perfdata_a4.dat
- 2009-07-29 22:26 . 2009-07-29 22:26 16384 c:\windows\Temp\Perflib_Perfdata_a4.dat
+ 2009-07-30 01:13 . 2009-07-30 01:13 16384 c:\windows\Temp\Perflib_Perfdata_740.dat
+ 2006-09-03 00:08 . 2009-07-30 00:43 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-03 00:08 . 2009-07-30 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-18 12:28 . 2009-07-30 00:43 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-07-18 12:28 . 2009-07-29 22:43 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-09-03 00:08 . 2009-07-30 00:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FatalPlus^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\FatalPlus\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John Gilligan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\John Gilligan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John Gilligan^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\John Gilligan\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=2 (0x2)
"McShield"=3 (0x3)
"McAfeeFramework"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)
"avg8wd"=2 (0x2)
"hpqwmiex"=2 (0x2)
"Diskeeper"=2 (0x2)
"CVPND"=2 (0x2)
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM75400e5c"=Rundll32.exe "c:\windows\system32\ydfdyidm.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Vidalia Bundle\\Privoxy\\privoxy.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\72fender@comcast.net\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/28/2009 6:06 PM 114768]
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [5/19/2009 12:54 PM 17952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/28/2009 6:06 PM 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S1 wdmaudd;wdmaudd;c:\windows\system32\drivers\wdmaudd.sys --> c:\windows\system32\drivers\wdmaudd.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: {C672E896-7E75-43CE-BB9E-053766318D7F} = 192.168.2.1
FF - ProfilePath - c:\docume~1\FATALP~1\APPLIC~1\Mozilla\Firefox\Profiles\8q84ujfl.default\
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - plugin: c:\documents and settings\FatalPlus\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1124)
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-07-30 21:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 01:21
ComboFix2.txt 2009-07-29 22:59

Pre-Run: 13,471,969,280 bytes free
Post-Run: 13,468,016,640 bytes free

260 --- E O F --- 2009-07-28 21:21


CatByte
post Jul 29 2009, 07:58 PM
Post #10

Classroom Administrator
Group: Classroom Admin
Posts: 9,670
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
http://forums.whatthetech.com/Google_Search_Redirects_Clickover_cn_etc_t105635.html&view=findpost&p=583072#entry583072

Collect::
c:\windows\system32\ydfdyidm.dll

Killall::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM75400e5c"=-

Rootkit::
c:\windows\system32\geyekrdqwrtqkh.dll


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



NEXT


  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\drivers\wdmaudd.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



NEXT


Please download Sysprot Antirootkit from here

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.




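The three things CatByte singled out in the log above are worth being able to spot mechanically: a DLL mapped into winlogon.exe, lsass.exe and explorer.exe through a `\\?\globalroot\systemroot\...` device path instead of a drive-letter path (the entry she sent to `Rootkit::`), a driver whose file ComboFix could not find on disk (the `[?]` on wdmaudd, which is why she asked for a VirSCAN upload rather than a deletion), and a Rundll32 autostart in the `run-` key (where msconfig parks disabled Run entries, so the ydfdyidm.dll entry is inert but the file is still worth collecting). The script below is an added example written for this thread; it is not ComboFix's code, CatByte's script, or part of the original posts. The log text it parses is constructed from the entries quoted in the thread, the mapping of `systemroot` to `c:\windows` is an assumption, and the CFScript it prints is a draft in the `Collect::` / `Registry::` / `Rootkit::` layout used above, for an analyst to review rather than run blindly.

```python
r"""Triage a ComboFix log for the indicators acted on in this thread:
a module loaded through a \\?\globalroot\ device path into system
processes, a driver entry whose file ComboFix could not find ([?]),
and a Rundll32 autostart that loads a DLL.  Example code for this
thread, not ComboFix's or CatByte's; SystemRoot=c:\windows is assumed."""
import re

# Constructed sample in the layout of the ComboFix sections quoted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM75400e5c"=Rundll32.exe "c:\windows\system32\ydfdyidm.dll",s

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/28/2009 6:06 PM 114768]
S1 wdmaudd;wdmaudd;c:\windows\system32\drivers\wdmaudd.sys --> c:\windows\system32\drivers\wdmaudd.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1124)
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
geyekrdqwrtqkh.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdqwrtqkh.dll
"""

GLOBALROOT = "\\\\?\\globalroot\\"              # literal prefix  \\?\globalroot\
SYSTEMROOT_PREFIX = GLOBALROOT + "systemroot\\"  # literal prefix  \\?\globalroot\systemroot\
KEY_LINE = re.compile(r"^\[(.+)\]$")
PROCESS_HEADER = re.compile(r"^(?:- )+>\s*'([^']+)'\((\d+)\)")
# Service/driver line whose file column ends in [?]: ComboFix could not find the file.
MISSING_SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[\?\]\s*$")
RUNDLL_ENTRY = re.compile(r'^"([^"]+)"=rundll32\.exe\s+"([^"]+)",(\S*)', re.IGNORECASE)


def triage(log_text):
    """Walk the log once and collect the three indicator types."""
    findings = {"globalroot_modules": {}, "missing_service_files": [], "rundll32_autostarts": []}
    current_key = None   # registry key of the block we are inside, if any
    current_proc = None  # 'name(pid)' of the process block we are inside, if any
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key, current_proc = m.group(1), None
            continue
        m = PROCESS_HEADER.match(line)
        if m:
            current_proc, current_key = f"{m.group(1)}({m.group(2)})", None
            continue
        if current_proc and GLOBALROOT in line.lower():
            # Last token is the device-namespace path; record every process it sits in.
            path = line.split()[-1].lower()
            findings["globalroot_modules"].setdefault(path, []).append(current_proc)
            continue
        m = MISSING_SERVICE.match(line)
        if m:
            findings["missing_service_files"].append(
                {"start": m.group(1), "name": m.group(2), "path": m.group(4).split(" --> ")[0]})
            continue
        m = RUNDLL_ENTRY.match(line)
        if m and current_key:
            findings["rundll32_autostarts"].append(
                {"key": current_key, "value": m.group(1), "dll": m.group(2), "export": m.group(3)})
    return findings


def to_drive_path(globalroot_path, systemroot="c:\\windows"):
    """Rewrite \\?\globalroot\systemroot\X to <systemroot>\X (SystemRoot value is assumed)."""
    if globalroot_path.lower().startswith(SYSTEMROOT_PREFIX):
        return systemroot + "\\" + globalroot_path[len(SYSTEMROOT_PREFIX):]
    return globalroot_path


def build_cfscript(findings):
    """Draft CFScript in the Collect:: / Registry:: / Rootkit:: layout used in the thread.
    Drivers with a missing file are deliberately left out: upload them for analysis first."""
    out = []
    if findings["rundll32_autostarts"]:
        out.append("Collect::")
        out.extend(e["dll"] for e in findings["rundll32_autostarts"])
        out.append("")
        out.append("Registry::")
        for e in findings["rundll32_autostarts"]:
            out.append(f"[{e['key']}]")
            out.append(f"\"{e['value']}\"=-")
        out.append("")
    if findings["globalroot_modules"]:
        out.append("Rootkit::")
        out.extend(to_drive_path(p) for p in findings["globalroot_modules"])
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, procs in result["globalroot_modules"].items():
        print(f"globalroot module {path} loaded in: {', '.join(procs)}")
    for svc in result["missing_service_files"]:
        print(f"driver {svc['name']} ({svc['start']}) file not found, submit for scanning: {svc['path']}")
    print(build_cfscript(result))
```

A module that is only visible by its `\\?\globalroot` name and that sits in all three of winlogon, lsass and explorer is the pattern to look for; a single occurrence in one user process with a drive-letter path is usually a legitimate hook and should not go into `Rootkit::` without checking the file.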
fatalplus
post Jul 29 2009, 09:13 PM
Post #11

Authentic Member
Group: Authentic Member
Posts: 20
Joined: 28-July 09
Member No.: 86,999
Operating System: XP

ComboFix 09-07-29.03 - FatalPlus 07/29/2009 22:12.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.559 [GMT -4:00]
Running from: c:\documents and settings\FatalPlus\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\FatalPlus\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090729-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-29 02:53 . 2009-07-29 02:53 -------- d-----w- c:\program files\Trend Micro
2009-07-29 01:57 . 2009-07-29 01:57 3310 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe
2009-07-29 01:57 . 2009-07-29 01:57 -------- d-----w- c:\program files\Power Tab Software
2009-07-28 22:06 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-28 22:06 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-28 22:06 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-28 22:06 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-28 22:06 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-28 22:06 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-28 22:06 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-28 22:06 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-28 22:05 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-28 22:05 . 2009-07-28 22:05 -------- d-----w- c:\program files\Alwil Software
2009-07-28 22:01 . 2009-07-28 22:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 22:01 . 2009-07-28 22:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-25 10:26 . 2009-07-25 10:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-25 10:26 . 2009-07-25 10:35 -------- d-----w- c:\program files\Black Isle
2009-07-18 12:28 . 2009-07-18 12:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-17 22:55 . 2009-07-17 22:55 -------- d-----w- c:\documents and settings\FatalPlus\Local Settings\Application Data\Temp
2009-07-16 07:05 . 2009-07-16 07:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-07-12 14:45 . 2009-07-12 14:45 -------- d-sh--w- c:\documents and settings\FatalPlus\PrivacIE
2009-07-07 21:19 . 2009-07-07 21:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-07 21:17 . 2009-07-07 21:17 -------- d-sh--w- c:\documents and settings\FatalPlus\IETldCache
2009-07-07 21:01 . 2009-06-02 10:12 102912 ----a-w- c:\windows\system32\dllcache\iecompat.dll
2009-07-07 21:01 . 2009-07-28 21:20 -------- d-----w- c:\windows\ie8updates
2009-07-07 20:59 . 2009-07-03 17:09 12800 ----a-w- c:\windows\system32\dllcache\xpshims.dll
2009-07-07 20:59 . 2009-07-03 17:09 246272 ----a-w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 20:56 . 2009-07-07 20:59 -------- dc-h--w- c:\windows\ie8
2009-07-06 13:04 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\FatalPlus\Application Data\Mozilla\Firefox\Profiles\8q84ujfl.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 20:12 . 2009-04-16 14:18 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\uTorrent
2009-07-29 02:54 . 2009-01-11 20:30 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\tor
2009-07-29 02:54 . 2009-01-11 20:30 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\Vidalia
2009-07-29 02:26 . 2009-02-08 17:26 -------- d-----w- c:\program files\PeerGuardian2
2009-07-28 21:51 . 2009-05-27 23:50 -------- d-----w- c:\program files\Avira
2009-07-28 21:51 . 2009-05-27 23:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Avira
2009-07-28 11:27 . 2009-05-27 23:57 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\Winamp
2009-07-27 21:27 . 2008-12-25 22:02 -------- d-----w- c:\program files\Steam
2009-07-25 01:59 . 2009-04-09 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 14:18 . 2008-04-12 20:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-20 20:20 . 2009-05-27 23:57 -------- d-----w- c:\program files\Winamp
2009-07-16 17:39 . 2009-06-14 15:09 -------- d-----w- c:\program files\Guitar Pro 5
2009-07-16 15:22 . 2008-08-29 12:45 -------- d-----w- c:\program files\Trillian
2009-07-16 07:08 . 2009-03-09 20:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-07-14 00:21 . 2009-04-17 19:01 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\dvdcss
2009-07-13 17:36 . 2009-04-09 12:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-09 12:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-04 20:45 . 2009-06-12 15:50 -------- d-----w- c:\program files\Guitar Scales Method
2009-07-03 17:09 . 2004-08-10 15:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-28 12:15 . 2008-08-30 16:29 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-18 22:04 . 2006-11-04 18:12 -------- d-----w- c:\program files\DivX
2009-06-16 14:36 . 2004-08-10 15:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 15:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:37 . 2006-11-06 22:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 15:12 . 2009-02-10 23:00 106912 ----a-w- c:\documents and settings\FatalPlus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 21:10 . 2009-06-11 21:10 -------- d-----w- c:\program files\Jamorama
2009-06-11 11:11 . 2009-06-11 11:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\QuickTime
2009-06-11 11:09 . 2009-02-03 12:28 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\DAEMON Tools Lite
2009-06-11 11:08 . 2009-05-28 03:52 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-11 11:07 . 2009-06-11 10:53 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-06-11 10:53 . 2009-06-11 10:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DAEMON Tools Pro
2009-06-11 07:21 . 2008-10-10 05:10 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 18:53 . 2009-06-10 18:43 -------- d-----w- c:\program files\eCogNeato Development Company
2009-06-03 19:09 . 2005-06-29 09:55 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 03:44 . 2008-10-14 02:14 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-19 17:09 . 2009-05-19 17:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-19 14:20 . 2009-05-19 14:20 4096 ----a-w- c:\windows\d3dx.dat
2009-05-15 23:36 . 2009-05-17 14:24 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-15 23:36 . 2009-05-17 14:24 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-10 15:03 . 2009-05-10 15:03 4032 ----a-w- c:\windows\unins000.dat
2009-05-10 15:03 . 2009-05-10 15:03 794906 ----a-w- c:\windows\unins000.exe
2009-05-07 15:32 . 2004-08-10 15:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 02:08 . 2009-04-07 23:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-09-03 00:34 . 2006-09-03 00:34 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_22.54.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-30 02:24 . 2009-07-30 02:24 16384 c:\windows\Temp\Perflib_Perfdata_9c.dat
+ 2009-07-30 02:24 . 2009-07-30 02:24 16384 c:\windows\Temp\Perflib_Perfdata_388.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-03 00:08 . 2009-07-30 02:09 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-03 00:08 . 2009-07-30 02:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-18 12:28 . 2009-07-30 02:09 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-07-18 12:28 . 2009-07-29 22:43 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-09-03 00:08 . 2009-07-30 02:09 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FatalPlus^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\FatalPlus\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John Gilligan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\John Gilligan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John Gilligan^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\John Gilligan\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=2 (0x2)
"McShield"=3 (0x3)
"McAfeeFramework"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)
"avg8wd"=2 (0x2)
"hpqwmiex"=2 (0x2)
"Diskeeper"=2 (0x2)
"CVPND"=2 (0x2)
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Vidalia Bundle\\Privoxy\\privoxy.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\72fender@comcast.net\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/28/2009 6:06 PM 114768]
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [5/19/2009 12:54 PM 17952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/28/2009 6:06 PM 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S1 wdmaudd;wdmaudd;c:\windows\system32\drivers\wdmaudd.sys --> c:\windows\system32\drivers\wdmaudd.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: {C672E896-7E75-43CE-BB9E-053766318D7F} = 192.168.2.1
FF - ProfilePath - c:\docume~1\FATALP~1\APPLIC~1\Mozilla\Firefox\Profiles\8q84ujfl.default\
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - plugin: c:\documents and settings\FatalPlus\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-30 22:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 02:32
ComboFix2.txt 2009-07-30 01:22
ComboFix3.txt 2009-07-29 22:59

Pre-Run: 13,467,553,792 bytes free
Post-Run: 13,466,308,608 bytes free

252 --- E O F --- 2009-07-28 21:21



VirSCAN.org Scanned Report :
Scanned time : 2009/07/29 23:09:58 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : wdmaud.sys
File Size : 83072 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 6768acf64b18196494413695f0c3a00f
SHA1 : 400eaa59b0c8015c37f1af04a4d031de75f63520
Online report : http://virscan.org/report/0a306afde9ec99a7...be40c81fd0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.3 20090730050112 2009-07-30 0.41 -
AhnLab V3 2009.07.28.02 2009.07.28 2009-07-28 0.82 -
AntiVir 8.2.0.234 7.1.5.47 2009-07-29 0.43 -
Antiy 2.0.18 20090729.2652900 2009-07-29 0.12 -
Arcavir 2009 200907291911 2009-07-29 0.04 -
Authentium 5.1.1 200907292018 2009-07-29 1.52 -
AVAST! 4.7.4 090729-1 2009-07-29 0.01 -
AVG 8.5.288 270.13.35/2271 2009-07-30 0.33 -
BitDefender 7.81008.3869559 7.26888 2009-07-30 3.44 -
CA (VET) 9.0.0.143 31.6.6645 2009-07-30 6.83 -
ClamAV 0.95.2 9630 2009-07-29 0.03 -
Comodo 3.10 1809 2009-07-29 0.80 -
CP Secure 1.1.0.715 2009.07.28 2009-07-28 12.06 -
Dr.Web 4.44.0.9170 2009.07.29 2009-07-29 5.15 -
F-Prot 4.4.4.56 20090729 2009-07-29 1.40 -
F-Secure 7.02.73807 2009.07.29.10 2009-07-29 0.04 -
Fortinet 2.81-3.120 10.659 2009-07-29 0.34 -
GData 19.6767/19.418 20090730 2009-07-30 5.18 -
ViRobot 20090729 2009.07.29 2009-07-29 0.42 -
Ikarus T3.1.01.64 2009.07.30.73127 2009-07-30 3.92 -
JiangMin 11.0.800 2009.07.29 2009-07-29 5.17 -
Kaspersky 5.5.10 2009.07.30 2009-07-30 0.06 -
KingSoft 2009.2.5.15 2009.7.30.7 2009-07-30 0.47 -
McAfee 5.3.00 5692 2009-07-29 3.03 -
Microsoft 1.4903 2009.07.30 2009-07-30 5.16 -
Norman 6.01.09 6.01.00 2009-07-29 4.01 -
Panda 9.05.01 2009.07.29 2009-07-29 1.97 -
Trend Micro 8.700-1004 6.330.01 2009-07-29 0.03 -
Quick Heal 10.00 2009.07.28 2009-07-28 1.07 -
Rising 20.0 21.40.24.00 2009-07-29 0.85 -
Sophos 2.89.1 4.44 2009-07-30 2.71 -
Sunbelt 5297 5297 2009-07-29 1.13 -
Symantec 1.3.0.24 20090729.005 2009-07-29 0.23 -
nProtect 20090728.01 4951926 2009-07-28 6.44 -
The Hacker 6.3.4.3 v00378 2009-07-29 0.66 -
VBA32 3.12.10.9 20090729.1928 2009-07-29 1.79 -
VirusBuster 4.5.11.10 10.109.16/1824374 2009-07-29 2.23 -




SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 916
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 1024
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 1060
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 1108
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 1120
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1272
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1396
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1444
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1568
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1640
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1732
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PID: 1996
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashServ.exe
PID: 156
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 532
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 636
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehrecvr.exe
PID: 776
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehSched.exe
PID: 848
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 904
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1484
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1824
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\MsPMSPSv.exe
PID: 1948
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\searchindexer.exe
PID: 336
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\dllhost.exe
PID: 3040
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiapsrv.exe
PID: 3180
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3444
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
PID: 1464
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 2336
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 3944
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 3644
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 2864
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\taskmgr.exe
PID: 2524
Hidden: No
Window Visible: Yes

Name: C:\Documents and Settings\FatalPlus\Desktop\SysProt\SysProt.exe
PID: 308
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\system32\searchprotocolhost.exe
PID: 2764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\searchfilterhost.exe
PID: 3636
Hidden: No
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\geyekrmnukcigp.sys
Service Name: geyekrflnqlsuo
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\FatalPlus\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: BA2F2000
Module End: BA2FD000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806CF680
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806D0000
Module End: 806F0300
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7A92000
Module End: F7A94000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F79A2000
Module End: F79A5000
Hidden: No

Module Name: spfn.sys
Service Name: ---
Module Base: F7390000
Module End: F7491000
Hidden: Yes

Module Name: \WINDOWS\System32\Drivers\WMILIB.SYS
Service Name: ---
Module Base: F7A94000
Module End: F7A96000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F7378000
Module End: F7390000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F734A000
Module End: F7378000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7592000
Module End: F759C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7339000
Module End: F734A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F79A6000
Module End: F79A9000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F79AA000
Module End: F79AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7B5A000
Module End: F7B5B000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7812000
Module End: F7819000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F7A96000
Module End: F7A98000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: F7A98000
Module End: F7A9A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: F7A9A000
Module End: F7A9C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F731B000
Module End: F7339000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F75A2000
Module End: F75AD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F72FC000
Module End: F731B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F7A9C000
Module End: F7A9E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F72D6000
Module End: F72FC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: F79AE000
Module End: F79B1000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: F7B5B000
Module End: F7B5C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F781A000
Module End: F781F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F75B2000
Module End: F75BF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F72BE000
Module End: F72D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F75C2000
Module End: F75CB000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F75D2000
Module End: F75DF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F729E000
Module End: F72BE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F728C000
Module End: F729E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F75E2000
Module End: F75EC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F7275000
Module End: F728C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: F7262000
Module End: F7275000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F71D5000
Module End: F7262000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F71A8000
Module End: F71D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Serial.sys
Service Name: Serial
Module Base: F75F2000
Module End: F7602000
Hidden: No

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F7602000
Module End: F7611000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F7612000
Module End: F7622000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F7622000
Module End: F7630000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F718E000
Module End: F71A8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F7642000
Module End: F7652000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: F7672000
Module End: F7680000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: F7145000
Module End: F7148000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F63A5000
Module End: F6690000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F6391000
Module End: F63A5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: F794A000
Module End: F794F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F636D000
Module End: F6391000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7952000
Module End: F795A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7682000
Module End: F768D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7692000
Module End: F76A2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F76A2000
Module End: F76B1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F634A000
Module End: F636D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F76B2000
Module End: F76BF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F795A000
Module End: F7960000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: F6315000
Module End: F634A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7ADA000
Module End: F7ADC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7962000
Module End: F7968000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F713D000
Module End: F7141000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Service Name: BCM43XX
Module Base: F61C1000
Module End: F6315000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tifm21.sys
Service Name: tifm21
Module Base: F6199000
Module End: F61C1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: F6185000
Module End: F6199000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\camc6hal.sys
Service Name: CAMCHALA
Module Base: F612F000
Module End: F6185000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\camc6aud.sys
Service Name: CAMCAUD
Module Base: F76C2000
Module End: F76CC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F610B000
Module End: F612F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F76D2000
Module End: F76E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
Service Name: HSFHWATI
Module Base: F60D2000
Module End: F610B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Service Name: HSF_DPV
Module Base: F5FD5000
Module End: F60D2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: F5F25000
Module End: F5FD5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F796A000
Module End: F7972000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\a4imc2rw.SYS
Service Name: ---
Module Base: F5EED000
Module End: F5F25000
Hidden: Yes

Module Name: C:\WINDOWS\system32\DRIVERS\dne2000.sys
Service Name: DNE
Module Base: F5ED2000
Module End: F5EED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7CC3000
Module End: F7CC4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F76E2000
Module End: F76EF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F6D21000
Module End: F6D24000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F5EBB000
Module End: F5ED2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F76F2000
Module End: F76FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F6720000
Module End: F672C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F786A000
Module End: F786F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F5EAA000
Module End: F5EBB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F6710000
Module End: F6719000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7872000
Module End: F7877000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F787A000
Module End: F787F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\pcouffin.sys
Service Name: pcouffin
Module Base: F6700000
Module End: F670C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F5E7A000
Module End: F5EAA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F66F0000
Module End: F66FA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7AE0000
Module End: F7AE2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F5E1C000
Module End: F5E7A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F6D05000
Module End: F6D09000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F66E0000
Module End: F66EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F66B0000
Module End: F66BF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7AE6000
Module End: F7AE8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7BB6000
Module End: F7BB7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F78A2000
Module End: F78A9000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F78AA000
Module End: F78B0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7AE8000
Module End: F7AEA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7AEA000
Module End: F7AEC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F78B2000
Module End: F78B7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F78BA000
Module End: F78C2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7A86000
Module End: F7A89000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EDD50000
Module End: EDD63000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EDCF7000
Module End: EDD50000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Service Name: aswTdi
Module Base: F6690000
Module End: F669B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EDC2F000
Module End: EDC57000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EDC0D000
Module End: EDC2F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7702000
Module End: F770B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EDBE2000
Module End: EDC0D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EDB72000
Module End: EDBE2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7722000
Module End: F772D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EDB4C000
Module End: EDB72000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7732000
Module End: F773B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F7742000
Module End: F7751000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
Service Name: eabfiltr
Module Base: F7AFA000
Module End: F7AFC000
Hidden: No

Module Name: \??\C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys
Service Name: atitray
Module Base: F7149000
Module End: F714D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS
Service Name: aswSP
Module Base: EDB03000
Module End: EDB24000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Service Name: Aavmker4
Module Base: F78C2000
Module End: F78C7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F6D25000
Module End: F6D28000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F7762000
Module End: F776B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F5E18000
Module End: F5E1B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F7772000
Module End: F7782000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EDAEB000
Module End: EDB03000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7AFE000
Module End: F7B00000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F5E00000
Module End: F5E03000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F78CA000
Module End: F78CF000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7C2A000
Module End: F7C2B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
Service Name: aswFsBlk
Module Base: F78E2000
Module End: F78EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EB67F000
Module End: EB683000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Service Name: aswMon2
Module Base: EB4DD000
Module End: EB4F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: EB320000
Module End: EB34D000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
Service Name: CVPNDRVA
Module Base: EB1D3000
Module End: EB258000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\enodpl.sys
Service Name: enodpl
Module Base: F7B22000
Module End: F7B24000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EB16A000
Module End: EB1AB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EB050000
Module End: EB0A2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: EB264000
Module End: EB267000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
Service Name: symlcbrd
Module Base: F7922000
Module End: F7928000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\tandpl.sys
Service Name: tandpl
Module Base: F7B2C000
Module End: F7B2E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: F68B4000
Module End: F68C9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EB0EA000
Module End: EB0F9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Service Name: aswRdr
Module Base: F70A9000
Module End: F70AD000
Hidden: No

Module Name: \??\C:\DOCUME~1\FATALP~1\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: F78D2000
Module End: F78DA000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: F7AAA000
Module End: F7AAC000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: BA402000
Module End: BA42D000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8061BECA
Jump To: 86EBC1B2
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 8061BDE4
Jump To: 86D7049A
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 805ABEC4
Jump To: 86EB064C
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 8061AB70
Jump To: 86FAD2E4
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804EE1C0
Jump To: 86E1DC23
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804EE130
Jump To: 86D3E09B
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: \SystemRoot\System32\Drivers\a4imc2rw.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 86F42500
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a4imc2rw.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86F42500
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a4imc2rw.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86F42500
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a4imc2rw.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86F42500
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a4imc2rw.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 86F42500
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a4imc2rw.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86F42500
Hooking Module: _unknown_

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_CREATE
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_CLOSE
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_READ
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_WRITE
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_SET_EA
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_CLEANUP
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_POWER
Jump To: F7398E30
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: F73AD514
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\PCI_PNP3488
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: F73D4AEA
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: F7391000
Hooking Module: spfn.sys

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8716C1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86F2F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86F2F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86F2F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86F2F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86F2F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86F2F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 871D91F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 863791F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 863791F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 863791F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 863791F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 863791F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86F431F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86F02368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86F02368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86F02368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86F02368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86F02368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86F02368
Hooking Module: _unknown_

******************************************************************************************
******************************************************************************************
Ports:
Local Address: FATALX:1301
Remote Address: 95.211.93.9:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: FATALX:1286
Remote Address: 96.17.160.80:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: CLOSE_WAIT

Local Address: FATALX:1284
Remote Address: 96.17.151.34:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: CLOSE_WAIT

Local Address: FATALX:1043
Remote Address: 213.133.110.21:HTTPS
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT

Local Address: FATALX:1041
Remote Address: 78.46.213.91:HTTPS
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT

Local Address: FATALX:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: FATALX:5152
Remote Address: LOCALHOST:1035
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: FATALX:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: FATALX:1039
Remote Address: LOCALHOST:1038
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: FATALX:1038
Remote Address: LOCALHOST:1039
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: FATALX:1034
Remote Address: LOCALHOST:1033
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: FATALX:1033
Remote Address: LOCALHOST:1034
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: FATALX:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: FATALX:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: FATALX:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: FATALX:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: FATALX:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: FATALX:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: FATALX:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: FATALX:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: FATALX:1048
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: FATALX:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: FATALX:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: FATALX:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: FATALX:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\FatalPlus\Local Settings\Temp\geyekr000
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\008. Antonín Dvorák - New World Symphony (Op. 95) - Largo.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\024. Bedrich Smetana - Má Vlast - Vltava.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\051. Frédéric François Chopin - Concerto Pour Piano No. 1 (Op. 11) - Romance.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\052. Gabriel Urbain Fauré - Requiem (Op. 48) - Pie Jesu.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\057. Antonín Dvořák - Rusalka - Měsíčku Na Nebi Hlubokém.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\061. Pyotr Ilyich Tchaikovsky - The Nutcracker (Op. 71) - Waltz Of The Flowers - Щелкунчик.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\065. Frédéric François Chopin - Concerto Pour Piano No. 2 (Op. 21).mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\067. Jules Émile Frédéric Massenet - Thaïs - Méditation.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\071. Giuseppe Fortunino Francesco Verdi - Rigoletto - La Donna è Mobile.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\072. Pyotr Ilyich Tchaikovsky - The Nutcracker (Op. 71) - Dance Of The Sugar-Plum Fairy - Щелкунчик.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\073. Johann Sebastian Bach - Doppelkonzert Für Zwei Violinen (BWV 1043) - Largo Ma Non Tanto.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\074. Georg Friederich Händel - Serse (HWV 40) - Ombra Mai Fù.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\078. Niccolò Paganini - Concerto Pour Violon No. 1 (Op. 6).mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\079. Gabriel Urbain Fauré - Requiem (Op. 48) - In Paradisum.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\080. Joaquín Rodrigo Vidre - Concierto De Aranjuez - Adagio.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\082. Wolfgang Amadeus Mozart - Die Zauberflöte (K. 620) - Overture.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\086. Wolfgang Amadeus Mozart - Konzert Für Flöte, Harfe Und Orchester (K. 299) - Allegro.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\089. Georg Friederich Händel - Solomon (HWV 67) - The Arrival Of The Queen Of Sheba.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\091. Johann Strauss, Jr. - An Der Schönen Blauen Donau (Op. 314).mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\094. Wolfgang Amadeus Mozart - Krönungsmesse (K. 317) - Agnus Dei.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\095. Erik Alfred Leslie Satie - Gymnopédie No.1.mp3
Status: Hidden

Object: C:\Documents and Settings\FatalPlus\My Documents\My Music\Classical Music Top 100\100. César-Auguste-Jean-Guillaume-Hubert Franck - Panis Angelicus.mp3
Status: Hidden

Object: C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrdqwrtqkh.dll.vir
Status: Hidden

Object: C:\WINDOWS\system32\drivers\geyekrmnukcigp.sys
Status: Hidden

Object: C:\WINDOWS\system32\geyekrdqwrtqkh.dll
Status: Hidden

Object: C:\WINDOWS\system32\geyekrhwbhnyra.dll
Status: Hidden

Object: C:\WINDOWS\system32\geyekrkxtkvatu.dat
Status: Hidden

Object: C:\WINDOWS\system32\geyekrtnwreulo.dat
Status: Hidden

Object: C:\WINDOWS\Temp\geyekrciobrnnqwe.tmp
Status: Hidden

Object: C:\WINDOWS\Temp\geyekrovncwoixyv.tmp
Status: Hidden

CatByte
post Jul 29 2009, 09:27 PM
Post #12


Classroom Administrator

Group: Classroom Admin
Posts: 9,670
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Please do the following:

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
CODE
Begin copying here:

Drivers to delete:
geyekrflnqlsuo

Files to delete:
C:\Windows\system32\drivers\geyekrmnukcigp.sys
C:\Documents and Settings\FatalPlus\Local Settings\Temp\geyekr000
C:\WINDOWS\system32\geyekrdqwrtqkh.dll
C:\WINDOWS\system32\geyekrhwbhnyra.dll
C:\WINDOWS\system32\geyekrkxtkvatu.dat
C:\WINDOWS\system32\geyekrtnwreulo.dat
C:\WINDOWS\Temp\geyekrciobrnnqwe.tmp
C:\WINDOWS\Temp\geyekrovncwoixyv.tmp


Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the Avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply



fatalplus
post Jul 29 2009, 09:47 PM
Post #13


Authentic Member
**

Group: Authentic Member
Posts: 20
Joined: 28-July 09
Member No.: 86,999
Operating System: XP



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "aaemfbpt" found!
Could not open driver aaemfbpt for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.

Driver "geyekrflnqlsuo" deleted successfully.

Error: could not delete file "C:\Windows\system32\drivers\geyekrmnukcigp.sys"
Deletion of file "C:\Windows\system32\drivers\geyekrmnukcigp.sys" failed!
Status: 0xc0000156


Error: could not delete file "C:\Documents and Settings\FatalPlus\Local Settings\Temp\geyekr000"
Deletion of file "C:\Documents and Settings\FatalPlus\Local Settings\Temp\geyekr000" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\geyekrdqwrtqkh.dll"
Deletion of file "C:\WINDOWS\system32\geyekrdqwrtqkh.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\geyekrhwbhnyra.dll"
Deletion of file "C:\WINDOWS\system32\geyekrhwbhnyra.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\geyekrkxtkvatu.dat"
Deletion of file "C:\WINDOWS\system32\geyekrkxtkvatu.dat" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\geyekrtnwreulo.dat"
Deletion of file "C:\WINDOWS\system32\geyekrtnwreulo.dat" failed!
Status: 0xc0000156


Error: file "C:\WINDOWS\Temp\geyekrciobrnnqwe.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekrciobrnnqwe.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\Temp\geyekrovncwoixyv.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekrovncwoixyv.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.




doesn't look too promising...
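The Avenger log above is worth reading line by line, because it reports two different kinds of failure. An added example (mine, not part of the original post and not code from The Avenger) that parses that log format: it collects drivers reported as deleted, hidden drivers the rootkit scan noticed, and every file deletion that failed together with its NTSTATUS code. It then splits the failures: 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND) means the file was already gone, while any other status is treated here as "still on disk and still protected", which is this example's interpretation rather than something the log states. The sample log is a constructed subset of the lines in the post, and the common-prefix check is a heuristic for recognising one file family (here the geyekr* names).

```python
import os
import re

# Constructed sample in the shape of The Avenger 2.0 log posted above; a
# subset of its lines, reproduced here so the parser can run offline.
SAMPLE_AVENGER_LOG = r"""Rootkit scan active.

Hidden driver "aaemfbpt" found!
Could not open driver aaemfbpt for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.

Driver "geyekrflnqlsuo" deleted successfully.

Error: could not delete file "C:\Windows\system32\drivers\geyekrmnukcigp.sys"
Deletion of file "C:\Windows\system32\drivers\geyekrmnukcigp.sys" failed!
Status: 0xc0000156

Error: could not delete file "C:\Documents and Settings\FatalPlus\Local Settings\Temp\geyekr000"
Deletion of file "C:\Documents and Settings\FatalPlus\Local Settings\Temp\geyekr000" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrdqwrtqkh.dll"
Deletion of file "C:\WINDOWS\system32\geyekrdqwrtqkh.dll" failed!
Status: 0xc0000156

Error: file "C:\WINDOWS\Temp\geyekrciobrnnqwe.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekrciobrnnqwe.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
"""

STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034

DELETED_DRIVER_RE = re.compile(r'^Driver "([^"]+)" deleted successfully\.')
HIDDEN_DRIVER_RE = re.compile(r'^Hidden driver "([^"]+)" found!')
FAILED_FILE_RE = re.compile(r'^Deletion of file "([^"]+)" failed!')
STATUS_RE = re.compile(r'^Status: (0x[0-9A-Fa-f]{8})')


def parse_avenger_log(text):
    """Summarise an Avenger log: drivers deleted, hidden drivers seen, and
    per-file deletion failures as (path, ntstatus) pairs."""
    result = {"deleted_drivers": [], "hidden_drivers": [], "failed": []}
    pending = None  # path whose "Status:" line has not been read yet
    for line in text.splitlines():
        line = line.strip()
        if m := DELETED_DRIVER_RE.match(line):
            result["deleted_drivers"].append(m.group(1))
        elif m := HIDDEN_DRIVER_RE.match(line):
            result["hidden_drivers"].append(m.group(1))
        elif m := FAILED_FILE_RE.match(line):
            pending = m.group(1)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            result["failed"].append((pending, int(m.group(1), 16)))
            pending = None
    return result


def still_present(summary):
    """Files whose deletion failed for a reason other than 'not found'.
    Assumption of this example: such files are still on disk and still
    protected, so the cleanup attempt did not work for them."""
    return [p for p, st in summary["failed"] if st != STATUS_OBJECT_NAME_NOT_FOUND]


def family_prefix(paths, min_len=4):
    """Longest common prefix of the lower-cased file names, or '' when it is
    too short to name a file family (heuristic, not a signature)."""
    names = [p.rsplit("\\", 1)[-1].lower() for p in paths]
    prefix = os.path.commonprefix(names)
    return prefix if len(prefix) >= min_len else ""


if __name__ == "__main__":
    summary = parse_avenger_log(SAMPLE_AVENGER_LOG)
    live = still_present(summary)
    print("drivers deleted:", summary["deleted_drivers"])
    print("hidden drivers seen:", summary["hidden_drivers"])
    for path, status in summary["failed"]:
        print(f"  failed {status:#010x}  {path}")
    print("still present:", len(live), "files; family prefix:", family_prefix(live))
```

Run against the full log in the post, the result is the same picture the helper reads from it: the service entry went, the files protected by it did not, and the two Temp files were simply absent.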
CatByte
post Jul 29 2009, 10:21 PM
Post #14


Classroom Administrator

Group: Classroom Admin
Posts: 9,670
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



QUOTE
doesn't look too promising...


No, it doesn't. This is one of the new variants that is very difficult to kill, but it is possible. Hang in there with me and we'll get it - I will be asking for a lot of scans... OK?

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
KillAll::

Rootkit::
C:\Windows\system32\drivers\geyekrmnukcigp.sys
C:\Documents and Settings\FatalPlus\Local Settings\Temp\geyekr000
C:\WINDOWS\system32\geyekrdqwrtqkh.dll
C:\WINDOWS\system32\geyekrhwbhnyra.dll
C:\WINDOWS\system32\geyekrkxtkvatu.dat
C:\WINDOWS\system32\geyekrtnwreulo.dat
C:\WINDOWS\Temp\geyekrciobrnnqwe.tmp
C:\WINDOWS\Temp\geyekrovncwoixyv.tmp

Driver::
geyekrflnqlsuo
aaemfbpt


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
fatalplus
post Jul 30 2009, 07:24 AM
Post #15


Authentic Member
**

Group: Authentic Member
Posts: 20
Joined: 28-July 09
Member No.: 86,999
Operating System: XP



ComboFix 09-07-29.04 - FatalPlus 07/30/2009 9:10.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -4:00]
Running from: c:\documents and settings\FatalPlus\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\FatalPlus\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090729-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-30 13:08 . 2009-07-30 13:08 40448 ----a-w- c:\windows\system32\geyekrsijtewtm.dll
2009-07-30 03:54 . 2009-07-30 13:09 10983 ----a-w- c:\windows\system32\geyekrnqndekri.dat
2009-07-30 03:44 . 2009-07-30 03:44 85 ----a-w- c:\windows\system32\geyekrlog.dat
2009-07-30 03:44 . 2009-07-30 03:44 17920 ----a-w- c:\windows\system32\geyekrvhxbqpxu.dll
2009-07-29 02:53 . 2009-07-29 02:53 -------- d-----w- c:\program files\Trend Micro
2009-07-29 01:57 . 2009-07-29 01:57 3310 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
2009-07-29 01:57 . 2009-07-29 01:57 1078 ----a-r- c:\documents and settings\FatalPlus\Application Data\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe
2009-07-29 01:57 . 2009-07-29 01:57 -------- d-----w- c:\program files\Power Tab Software
2009-07-28 22:06 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-28 22:06 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-28 22:06 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-28 22:06 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-28 22:06 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-28 22:06 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-28 22:06 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-28 22:06 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-28 22:05 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-28 22:05 . 2009-07-28 22:05 -------- d-----w- c:\program files\Alwil Software
2009-07-28 22:01 . 2009-07-28 22:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 22:01 . 2009-07-28 22:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-25 10:26 . 2009-07-25 10:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-25 10:26 . 2009-07-25 10:35 -------- d-----w- c:\program files\Black Isle
2009-07-18 12:28 . 2009-07-18 12:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-17 22:55 . 2009-07-17 22:55 -------- d-----w- c:\documents and settings\FatalPlus\Local Settings\Application Data\Temp
2009-07-16 07:05 . 2009-07-16 07:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-07-12 14:45 . 2009-07-12 14:45 -------- d-sh--w- c:\documents and settings\FatalPlus\PrivacIE
2009-07-07 21:19 . 2009-07-07 21:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-07 21:17 . 2009-07-07 21:17 -------- d-sh--w- c:\documents and settings\FatalPlus\IETldCache
2009-07-07 21:01 . 2009-06-02 10:12 102912 ----a-w- c:\windows\system32\dllcache\iecompat.dll
2009-07-07 21:01 . 2009-07-28 21:20 -------- d-----w- c:\windows\ie8updates
2009-07-07 20:59 . 2009-07-03 17:09 12800 ----a-w- c:\windows\system32\dllcache\xpshims.dll
2009-07-07 20:59 . 2009-07-03 17:09 246272 ----a-w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 20:56 . 2009-07-07 20:59 -------- dc-h--w- c:\windows\ie8
2009-07-06 13:04 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\FatalPlus\Application Data\Mozilla\Firefox\Profiles\8q84ujfl.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 20:12 . 2009-04-16 14:18 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\uTorrent
2009-07-29 02:54 . 2009-01-11 20:30 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\tor
2009-07-29 02:54 . 2009-01-11 20:30 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\Vidalia
2009-07-29 02:26 . 2009-02-08 17:26 -------- d-----w- c:\program files\PeerGuardian2
2009-07-28 21:51 . 2009-05-27 23:50 -------- d-----w- c:\program files\Avira
2009-07-28 21:51 . 2009-05-27 23:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Avira
2009-07-28 11:27 . 2009-05-27 23:57 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\Winamp
2009-07-27 21:27 . 2008-12-25 22:02 -------- d-----w- c:\program files\Steam
2009-07-25 01:59 . 2009-04-09 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 14:18 . 2008-04-12 20:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-20 20:20 . 2009-05-27 23:57 -------- d-----w- c:\program files\Winamp
2009-07-16 17:39 . 2009-06-14 15:09 -------- d-----w- c:\program files\Guitar Pro 5
2009-07-16 15:22 . 2008-08-29 12:45 -------- d-----w- c:\program files\Trillian
2009-07-16 07:08 . 2009-03-09 20:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-07-14 00:21 . 2009-04-17 19:01 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\dvdcss
2009-07-13 17:36 . 2009-04-09 12:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-09 12:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-04 20:45 . 2009-06-12 15:50 -------- d-----w- c:\program files\Guitar Scales Method
2009-07-03 17:09 . 2004-08-10 15:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-28 12:15 . 2008-08-30 16:29 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-18 22:04 . 2006-11-04 18:12 -------- d-----w- c:\program files\DivX
2009-06-16 14:36 . 2004-08-10 15:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 15:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:37 . 2006-11-06 22:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 15:12 . 2009-02-10 23:00 106912 ----a-w- c:\documents and settings\FatalPlus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 21:10 . 2009-06-11 21:10 -------- d-----w- c:\program files\Jamorama
2009-06-11 11:11 . 2009-06-11 11:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\QuickTime
2009-06-11 11:09 . 2009-02-03 12:28 -------- d-----w- c:\documents and settings\FatalPlus\Application Data\DAEMON Tools Lite
2009-06-11 11:08 . 2009-05-28 03:52 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-11 11:07 . 2009-06-11 10:53 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-06-11 10:53 . 2009-06-11 10:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DAEMON Tools Pro
2009-06-11 07:21 . 2008-10-10 05:10 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 18:53 . 2009-06-10 18:43 -------- d-----w- c:\program files\eCogNeato Development Company
2009-06-03 19:09 . 2005-06-29 09:55 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 03:44 . 2008-10-14 02:14 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-19 17:09 . 2009-05-19 17:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-19 14:20 . 2009-05-19 14:20 4096 ----a-w- c:\windows\d3dx.dat
2009-05-15 23:36 . 2009-05-17 14:24 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-15 23:36 . 2009-05-17 14:24 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-10 15:03 . 2009-05-10 15:03 4032 ----a-w- c:\windows\unins000.dat
2009-05-10 15:03 . 2009-05-10 15:03 794906 ----a-w- c:\windows\unins000.exe
2009-05-07 15:32 . 2004-08-10 15:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 02:08 . 2009-04-07 23:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-09-03 00:34 . 2006-09-03 00:34 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_22.54.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-30 13:17 . 2009-07-30 13:17 16384 c:\windows\Temp\Perflib_Perfdata_314.dat
+ 2009-07-30 13:17 . 2009-07-30 13:17 16384 c:\windows\Temp\Perflib_Perfdata_120.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-03 00:08 . 2009-07-30 03:44 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-03 00:08 . 2009-07-30 03:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-18 12:28 . 2009-07-30 03:44 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-07-18 12:28 . 2009-07-29 22:43 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-09-03 00:08 . 2009-07-30 03:44 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-09-03 00:08 . 2009-07-29 22:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FatalPlus^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\FatalPlus\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John Gilligan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\John Gilligan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^John Gilligan^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\John Gilligan\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=2 (0x2)
"McShield"=3 (0x3)
"McAfeeFramework"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)
"avg8wd"=2 (0x2)
"hpqwmiex"=2 (0x2)
"Diskeeper"=2 (0x2)
"CVPND"=2 (0x2)
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Vidalia Bundle\\Privoxy\\privoxy.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\72fender@comcast.net\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/28/2009 6:06 PM 114768]
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [5/19/2009 12:54 PM 17952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/28/2009 6:06 PM 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S1 wdmaudd;wdmaudd;c:\windows\system32\drivers\wdmaudd.sys --> c:\windows\system32\drivers\wdmaudd.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: {C672E896-7E75-43CE-BB9E-053766318D7F} = 192.168.2.1
FF - ProfilePath - c:\docume~1\FATALP~1\APPLIC~1\Mozilla\Firefox\Profiles\8q84ujfl.default\
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - plugin: c:\documents and settings\FatalPlus\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrflnqlsuo]
"imagepath"="\systemroot\system32\drivers\geyekrmnukcigp.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1793090235-2609153547-1392540267-1006\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:0f,8d,9d,bb,ea,10,b7,a4,43,83,f5,36,69,68,24,18,77,09,5a,b5,20,
22,a0,21,e4,41,41,13,72,83,63,8a,81,8d,45,e4,99,fc,7e,74,b9,1c,dc,21,52,c0,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrflnqlsuo]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\geyekrmnukcigp.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2472)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-30 9:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 13:23
ComboFix2.txt 2009-07-30 02:32
ComboFix3.txt 2009-07-30 01:22
ComboFix4.txt 2009-07-29 22:59

Pre-Run: 12,721,262,592 bytes free
Post-Run: 12,691,542,016 bytes free

276 --- E O F --- 2009-07-28 21:21

Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
Memory Forums | Auto Repair Forum
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy