[Resolved] winupdate malware and possibly more
EnigmaChick
post Jul 8 2009, 07:02 AM
Post #1
Group: Authentic Member
Posts: 955
Joined: 27-October 06
From: Australia
Member No.: 63,493
Operating System: Windows XP Home Edition SP2

Recently my antivirus and anti-malware program went nuts showing infections, and I did my best to get rid of them, but it hasn't totally worked. I did some research and found that I have a winupdate.exe infection, but possibly others. I am unable to gain access to some security sites, and certain computer options such as the use of Task Manager are no longer possible.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:26 PM, on 8/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\AVG8\avgwdsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\AVG8\avgrsx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\hkcmd.exe
E:\PROGRA~1\AVG8\avgtray.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
E:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
E:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
E:\WINDOWS\System32\dllhost.exe
E:\PROGRA~1\AVG8\avgnsx.exe
E:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Trillian\Trillian.exe
E:\Program Files\Nero\Nero 7\Core\nero.exe
E:\WINDOWS\System32\imapi.exe
E:\DiskCheck\DiskCheck.exe
E:\Car Thief 5\carthief.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\DOCUME~1\Katrina\LOCALS~1\Temp\79642.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - E:\Program Files\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - E:\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Steganos Password Manager AutoFill - {1427A821-7B93-4F08-9A34-9FA03A3D93DB} - E:\Steganos Security Suite 2007\PasswordManagerBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - E:\Program Files\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - E:\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Portable.1.Video.Converter.5.2.12\P.#1.Video.Converter.5.2.12\App\msdxm.ocx (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - E:\Program Files\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [hpqSRMon] E:\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [winupdate.exe] E:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] E:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MiniMinder.lnk = E:\Program Files\MiniMind\MiniMind.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Download with YouTube Clip Extractor - {5cf75f98-add9-467a-a3b3-e6ab38e7808f} - E:\Program Files\YouTube Clip Extractor\ClipExtractor.exe (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - E:\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - E:\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - E:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - E:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - E:\Program Files\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)

--
End of file - 7744 bytes
Replies (1 - 14)
CatByte
post Jul 8 2009, 07:43 AM
Post #2
Classroom Administrator
Group: Classroom Admin
Posts: 9,662
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3

Hi,

Please do the following:

  • Open HiJackThis
  • Click on Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if still present):

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [winupdate.exe] E:\WINDOWS\system32\winupdate.exe
  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.



NEXT


Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT



Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste it into your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

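The HijackThis log in post #1 and the three entries CatByte picks out for "Fix Checked" in post #2 illustrate a triage that can be automated. The script below is an added example for this thread; it is not code from the forum, from HijackThis or from DDS. It parses the line formats HijackThis 2.0.2 uses (running-process paths, R1 proxy settings, R3/O2 entries marked "(no file)", O4 Run entries) plus the `uPolicies-system` line format of the DDS report that appears later in the thread (post #7), scores them with a few heuristics, and emits the reg.exe commands that correspond to what "Fix Checked" does in the registry. The sample lines are copied from the logs posted in this thread; the scoring rules (loopback proxy, Temp-directory autostart, a `*update.exe` lookalike in system32, Task Manager lockout policies), the `Finding` record and the exact commands are this example's own assumptions about what a helper looks for, not the tools' internal logic.

```python
"""Triage a HijackThis 2.0.2 log and emit the reg.exe half of "Fix Checked".

Added example for this thread: not code from the forum, HijackThis or DDS.
Sample lines are copied from the logs posted here; the heuristics, the
Finding record and the reg.exe commands are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the suspicious lines from the HJT log in post #1, one
# policy line from the DDS report in post #7, and two benign O4 lines for contrast.
SAMPLE_LOG = r"""
E:\DOCUME~1\Katrina\LOCALS~1\Temp\79642.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG8\avgtray.exe
O4 - HKLM\..\Run: [winupdate.exe] E:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
"""

RE_PROCESS = re.compile(r"^[A-Za-z]:\\\S")
RE_PROXY = re.compile(r"^R1 - (HK\w+)\\Software\\Microsoft\\Windows\\CurrentVersion"
                      r"\\Internet Settings,ProxyServer = (\S+)$")
RE_NOFILE = re.compile(r"^(R3|O2) - .*?(\{[0-9A-Fa-f-]{36}\}) - \(no file\)$")
RE_RUN = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+?)"
                    r"(?: \(User '.*'\))?$")
RE_POLICY = re.compile(r"^([um])Policies-(system|explorer): (\w+) = (\d+)")
TEMP_DIR = re.compile(r"\\Temp\\", re.I)
# Assumption: XP's update client is wuauclt.exe and is not registered under Run,
# so a *update.exe sitting in system32 is treated as a lookalike.
LOOKALIKE = re.compile(r"^(win|w|ms|windows)update\.exe$", re.I)
LOCKOUT_POLICIES = {"DisableTaskMgr": "Task Manager blocked (the symptom reported in post #1)",
                    "DisableRegistryTools": "regedit blocked",
                    "NoRun": "Start > Run hidden"}

@dataclass
class Finding:
    line: str
    reason: str
    fix: list = field(default_factory=list)  # reg.exe commands; they never touch the file itself

def run_key(hive: str, subkey: str) -> str:
    """Expand HJT's abbreviated hive/Run notation into the real key (HKUS\\SID becomes HKU\\SID)."""
    return hive.replace("HKUS\\", "HKU\\") + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + subkey

def exe_path(cmd: str) -> str:
    """First executable in a Run value; copes with quotes, arguments and spaces in the path."""
    m = re.match(r'"?(.+?\.(?:exe|com|scr|pif|bat))', cmd, re.I)
    return m.group(1) if m else cmd

def triage(log_text: str) -> list:
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if RE_PROCESS.match(line) and TEMP_DIR.search(line):
            findings.append(Finding(line, "process running from a Temp directory; hash/submit it before cleaning"))
        elif (m := RE_PROXY.match(line)):
            hive, proxy = m.groups()
            if proxy.rsplit(":", 1)[0] in ("127.0.0.1", "localhost"):
                key = hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
                findings.append(Finding(line,
                    f"IE proxied through the local machine: whatever listens on {proxy} sees and "
                    "can block every HTTP request (fits 'cannot reach security sites')",
                    [f'reg delete "{key}" /v ProxyServer /f',
                     f'reg add "{key}" /v ProxyEnable /t REG_DWORD /d 0 /f']))
        elif (m := RE_NOFILE.match(line)):
            kind, clsid = m.groups()
            if kind == "O2":
                key = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\" + clsid
                fix = [f'reg delete "{key}" /f']
            else:  # assumption: HJT omits the hive for R3; HKCU is the usual one, check HKLM too
                fix = [f'reg delete "HKCU\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks" /v "{clsid}" /f']
            findings.append(Finding(line, f"{kind} entry whose DLL no longer exists: orphaned CLSID", fix))
        elif (m := RE_RUN.match(line)):
            hive, subkey, name, cmd = m.groups()
            exe = exe_path(cmd)
            reasons = []
            if TEMP_DIR.search(exe):
                reasons.append("autostart from a Temp directory")
            if LOOKALIKE.match(exe.rsplit("\\", 1)[-1]) and "\\system32\\" in exe.lower():
                reasons.append("Windows Update lookalike dropped in system32")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons),
                                        [f'reg delete "{run_key(hive, subkey)}" /v "{name}" /f']))
        elif (m := RE_POLICY.match(line)):
            scope, area, value, data = m.groups()
            if value in LOCKOUT_POLICIES and data != "0":
                key = (("HKCU" if scope == "u" else "HKLM")
                       + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\" + area.capitalize())
                findings.append(Finding(line, LOCKOUT_POLICIES[value], [f'reg delete "{key}" /v {value} /f']))
    return findings

def fix_script(findings: list) -> str:
    """The registry half of 'Fix Checked' as a batch file; quarantine the files separately."""
    return "\n".join(cmd for f in findings for cmd in f.fix)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.line}\n    -> {f.reason}")
    print("\n" + fix_script(found))
```

Two caveats before running the emitted commands: removing the registry value does not remove `winupdate.exe` or the Temp executable, which is why the helper follows the HijackThis fix with further scans; and a loopback proxy is only malicious if nothing legitimate owns it, so on the machine confirm with `netstat -ano` which PID listens on port 8080 before deleting the ProxyServer value.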
EnigmaChick
post Jul 8 2009, 08:11 AM
Post #3

I will do the rest of what you asked, but until then I need to let you know I cannot download DDS from that location. It seems to be because it's a security site, and as I said, I have had trouble accessing many of those sites.


This post has been edited by EnigmaChick: Jul 8 2009, 08:14 AM
CatByte
post Jul 8 2009, 08:16 AM
Post #4

Try this LINK


If that doesn't work


I uploaded the file to media fire HERE...you should be able to retrieve it from there.
EnigmaChick
post Jul 8 2009, 08:19 AM
Post #5

What qualifies as script blocking protection?
CatByte
post Jul 8 2009, 08:23 AM
Post #6

Hi,

Script blocking is often included in your antivirus. If you haven't installed third-party script-blocking software, then disabling your antivirus will suffice.

(note: I included a link to MediaFire where I uploaded DDS for you in my post above if you are unable to access the host sites)
EnigmaChick
post Jul 8 2009, 08:37 AM
Post #7

I am currently running GMER; here are the DDS results.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Katrina at 0:25:08.20 on Thu 09/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.61.1033.18.1015.421 [GMT 10:00]

AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
E:\PROGRA~1\AVG8\avgwdsvc.exe
E:\WINDOWS\system32\svchost.exe -k hpdevmgmt
E:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\System32\svchost.exe -k imgsvc
E:\PROGRA~1\AVG8\avgrsx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
E:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
E:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
E:\WINDOWS\System32\dllhost.exe
E:\PROGRA~1\AVG8\avgnsx.exe
E:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Windows Live\Contacts\wlcomm.exe
E:\Car Thief 5\carthief.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Katrina\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\avg8\toolbar\IEToolbar.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - e:\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - e:\steganos security suite 2007\PasswordManagerBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - e:\program files\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\program files\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - e:\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - e:\program files\avg8\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [hpqSRMon] e:\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HotKeysCmds] e:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] e:\progra~1\avg8\avgtray.exe
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MSConfig] e:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [NoIE4StubProcessing] e:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - e:\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\minimi~1.lnk - e:\program files\minimind\MiniMind.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - e:\micros~1\office11\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {5cf75f98-add9-467a-a3b3-e6ab38e7808f} - e:\program files\youtube clip extractor\ClipExtractor.exe
IE: {6224f700-cba3-4071-b251-47cb894244cd} - e:\progra~1\icq\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\micros~1\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - e:\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - e:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - e:\program files\avg8\avgpp.dll
Notify: !SASWinLogon - e:\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - e:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\superantispyware\SASSEH.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - e:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\katrina\applic~1\mozilla\firefox\profiles\qi5gvnvg.default\
FF - prefs.js: browser.startup.homepage - www.yahoo7.com.au
FF - component: e:\program files\avg8\firefox\components\avgssff.dll
FF - plugin: c:\videolan\npvlc.dll
FF - plugin: e:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: e:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: e:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: e:\windows\system32\c2mp\npdivx32.dll
FF - plugin: e:\windows\system32\npmirage.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
e:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
e:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
e:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;e:\windows\system32\drivers\Lbd.sys [2009-6-1 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;e:\windows\system32\drivers\avgldx86.sys [2008-12-18 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;e:\windows\system32\drivers\avgmfx86.sys [2008-12-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;e:\windows\system32\drivers\avgtdix.sys [2009-5-3 108552]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R1 SLEE_15_DRIVER;Steganos Live Encryption Engine 15 [Driver];e:\windows\system32\drivers\sleen15.sys [2007-2-21 80232]
R1 StarPortLite;StarPort Storage Controller (Lite);e:\windows\system32\drivers\StarPortLite.sys [2009-1-11 95592]
R2 avg8wd;AVG Free8 WatchDog;e:\progra~1\avg8\avgwdsvc.exe [2009-1-29 298776]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-12-17 195856]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;e:\windows\system32\drivers\l251x86.sys [2007-10-17 30720]
R3 bbcap;bbcap;e:\windows\system32\drivers\bbcap.sys [2009-3-15 4096]
R3 HssDrv;Hotspot Shield Helper Miniport;e:\windows\system32\drivers\hssdrv.sys [2009-4-11 31704]
R3 MBAMProtector;MBAMProtector;e:\windows\system32\drivers\mbam.sys [2008-12-17 19096]
S1 Uim_Ed;Uim Encrypted Disk Image Plugin;e:\windows\system32\drivers\Uim_ed.sys [2009-6-30 39016]
S1 UimCrAes;UIM Advanced Encryption Standard CryptoPlugin Driver;e:\windows\system32\drivers\UimCrAes.sys [2009-6-30 42304]
S1 UimCrStd;UIM Standard CryptoPlugin Driver;e:\windows\system32\drivers\UimCrStd.sys [2009-6-30 48240]
S2 spupdsvc;Windows Service Pack Installer update service;e:\windows\system32\spupdsvc.exe [2008-12-17 26144]
S3 BCASPROT;Advanced System Protector;\??\e:\program files\systweak\advanced system protector\sasprot32.sys --> e:\program files\systweak\advanced system protector\sasprot32.sys [?]
S3 block_reader;MPR DRV;\??\e:\program files\multi password recovery\block_reader.sys --> e:\program files\multi password recovery\block_reader.sys [?]
S3 DsAudioDevice_286;DsAudioDevice_286;e:\windows\system32\drivers\DsAudioDevice_286.sys [2008-12-25 16640]
S3 MaplomL;MaplomL; [x]
S3 PSI;PSI;e:\windows\system32\drivers\psi_mf.sys [2008-6-16 7808]
S3 SASENUM;SASENUM;e:\superantispyware\SASENUM.SYS [2008-11-17 7408]
S3 SBRE;SBRE;\??\e:\windows\system32\drivers\sbredrv.sys --> e:\windows\system32\drivers\SBREdrv.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;e:\windows\system32\drivers\screamingbaudio.sys --> e:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 tap0801;TAP-Win32 Adapter V8;e:\windows\system32\drivers\tap0801.sys [2007-2-16 26624]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);e:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-5-28 16640]
S4 History Explorer Service;History Explorer Service;"e:\program files\history explorer\historyexplorer.service.exe" --> e:\program files\history explorer\HistoryExplorer.Service.exe [?]
S4 HssSrv;Hotspot Shield Helper Service;e:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-2-6 117208]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;e:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 1029456]
S4 Viewpoint Manager Service;Viewpoint Manager Service;e:\program files\viewpoint\common\ViewpointService.exe [2009-6-21 45132]
S4 WinDefend;Windows Defender;e:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-07-08 22:27 360,320 a------- e:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-08 21:10 <DIR> --d----- e:\docume~1\katrina\applic~1\Hoyle FaceCreator
2009-07-08 21:10 <DIR> --d----- e:\docume~1\katrina\applic~1\Hoyle Puzzle and Board Games
2009-07-08 20:49 <DIR> --d----- e:\program files\Encore
2009-07-08 17:26 <DIR> --d----- e:\windows\ie8updates
2009-07-08 17:24 873 a------- e:\windows\system32\spupdsvc.inf
2009-07-08 17:21 <DIR> -cd-h--- e:\windows\ie8
2009-07-08 17:17 102,912 -c------ e:\windows\system32\dllcache\iecompat.dll
2009-07-08 17:17 246,272 -c------ e:\windows\system32\dllcache\ieproxy.dll
2009-07-08 17:17 12,800 -c------ e:\windows\system32\dllcache\xpshims.dll
2009-07-08 17:17 25,600 -------- e:\windows\system32\SET197.tmp
2009-07-08 17:17 1,985,024 -------- e:\windows\system32\SET199.tmp
2009-07-08 17:17 1,207,808 -------- e:\windows\system32\SET195.tmp
2009-07-08 17:17 915,456 -------- e:\windows\system32\SET194.tmp
2009-07-08 17:17 5,936,128 -------- e:\windows\system32\SET196.tmp
2009-07-08 17:17 11,064,832 -------- e:\windows\system32\SET19A.tmp
2009-07-08 17:05 73,728 a------- e:\windows\system32\javacpl.cpl
2009-07-08 11:04 3,249 a------- e:\windows\system32\wbem\Outlook_01c9ff680cc9462e.mof
2009-07-06 22:47 15,688 a------- e:\windows\system32\lsdelete.exe
2009-07-06 01:31 <DIR> --d----- e:\docume~1\katrina\applic~1\imeem
2009-07-06 01:28 1,540,096 a------- e:\windows\system32\openh323.ocx
2009-07-05 01:21 <DIR> --d----- e:\docume~1\katrina\applic~1\mgc-air.3F352008F1E0CAA322358B6AB180C94356384B80.1
2009-07-04 18:29 236 a------- E:\sqmdata00.sqm
2009-07-04 18:29 200 a------- E:\sqmnoopt00.sqm
2009-07-02 03:06 268,648 a------- e:\windows\system32\mucltui.dll
2009-07-02 03:06 208,744 a------- e:\windows\system32\muweb.dll
2009-07-02 03:06 27,496 a------- e:\windows\system32\mucltui.dll.mui
2009-07-01 20:35 15,933,491 a------- E:\setup.exe
2009-07-01 16:43 169,472 a------- e:\windows\system32\Unwise32.exe
2009-07-01 15:25 <DIR> --d----- e:\documents and settings\katrina\Tracing
2009-07-01 15:24 <DIR> --d----- e:\program files\Microsoft
2009-07-01 15:24 <DIR> --d----- e:\program files\Yahoo!
2009-07-01 15:24 <DIR> --d----- e:\program files\Windows Live SkyDrive
2009-07-01 15:20 <DIR> --d----- e:\program files\common files\Windows Live
2009-07-01 13:53 <DIR> --d----- e:\windows\system32\wbem\Repository
2009-06-30 18:45 48,240 a------- e:\windows\system32\drivers\UimCrStd.sys
2009-06-30 18:28 544,768 a------- e:\windows\system32\msvcr71d.dll
2009-06-30 18:28 765,952 a------- e:\windows\system32\msvcp71d.dll
2009-06-30 18:28 42,304 a------- e:\windows\system32\drivers\UimCrAes.sys
2009-06-30 18:28 39,016 a------- e:\windows\system32\drivers\Uim_ed.sys
2009-06-30 12:05 416,256 a------- e:\windows\system32\pushwav.ax
2009-06-28 17:09 94,720 a------- e:\windows\cadkasdeinst01e.exe
2009-06-27 20:30 94,208 a------- e:\windows\system32\drivers\ezplay.sys
2009-06-26 20:38 <DIR> --d----- e:\program files\common files\DirectX
2009-06-26 19:41 <DIR> --d----- e:\docume~1\alluse~1\applic~1\ProStroke Golf
2009-06-26 18:44 <DIR> --d----- e:\program files\Oxygen Interactive
2009-06-24 18:54 <DIR> --d----- e:\docume~1\katrina\applic~1\Talkative IRC
2009-06-24 18:53 151,552 a------- e:\windows\system32\AGPOPUPMENU.OCX
2009-06-24 18:53 87,552 a------- e:\windows\system32\HIRC.OCX
2009-06-24 18:53 53,760 a------- e:\windows\system32\WINMENU.OCX
2009-06-24 18:53 45,568 a------- e:\windows\system32\HIDENTD.OCX
2009-06-24 18:53 36,864 a------- e:\windows\system32\CBSSUBCLASS.DLL
2009-06-24 18:44 <DIR> --d----- e:\docume~1\katrina\applic~1\pIRC
2009-06-24 18:39 <DIR> --d----- e:\docume~1\katrina\applic~1\Bersirc
2009-06-24 18:38 69,632 a------- e:\windows\system32\realbap1.dll
2009-06-23 10:04 <DIR> --d----- e:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-21 17:41 <DIR> --d----- e:\windows\speech
2009-06-21 17:39 <DIR> --d----- e:\windows\lhsp
2009-06-21 17:35 319,488 a------- e:\windows\uninst.exe
2009-06-21 15:40 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Viewpoint
2009-06-21 15:40 <DIR> --d----- e:\program files\Viewpoint
2009-06-21 15:40 <DIR> --d----- e:\docume~1\alluse~1\applic~1\acccore
2009-06-21 15:40 <DIR> --d----- e:\program files\common files\AOL
2009-06-21 15:39 <DIR> --d----- e:\program files\AIM6
2009-06-21 15:39 365 a---h--- E:\IPH.PH
2009-06-21 14:52 <DIR> --d----- e:\documents and settings\katrina\Data
2009-06-21 14:37 <DIR> --d----- e:\docume~1\katrina\applic~1\Tkabber
2009-06-21 14:19 84,992 a------- e:\windows\system32\atl70.dll
2009-06-21 12:48 <DIR> --d----- e:\program files\ICQ
2009-06-21 12:02 199 a------- e:\windows\MSN-Popup.ini
2009-06-20 02:36 90,112 a------- e:\windows\system32\QuickTimeVR.qtx
2009-06-20 02:36 57,344 a------- e:\windows\system32\QuickTime.qts
2009-06-19 22:59 2,053,219 a------- E:\MPR_1.1.4_www.softarchive.net.exe
2009-06-19 22:26 <DIR> --d----- e:\docume~1\katrina\applic~1\Screaming Bee
2009-06-19 20:33 <DIR> --d----- e:\docume~1\katrina\applic~1\Miranda
2009-06-19 18:58 <DIR> --d----- e:\docume~1\katrina\applic~1\Artweaver
2009-06-19 17:33 <DIR> --d----- e:\docume~1\katrina\applic~1\ArcticLine
2009-06-19 14:48 <DIR> --d----- e:\docume~1\katrina\applic~1\Xilisoft Corporation
2009-06-17 22:29 695,642 a------- e:\windows\unins000.exe
2009-06-17 22:29 3,823 a------- e:\windows\unins000.dat
2009-06-17 18:08 <DIR> --d----- e:\docume~1\katrina\applic~1\Smart Audio Editor
2009-06-17 16:50 <DIR> --d----- e:\docume~1\katrina\applic~1\JAM Software
2009-06-17 16:39 <DIR> --d----- e:\docume~1\katrina\applic~1\GoodSync
2009-06-17 12:34 <DIR> --d----- e:\docume~1\katrina\applic~1\Langmeier Software
2009-06-17 11:18 <DIR> --d----- e:\docume~1\alluse~1\applic~1\KLS Soft
2009-06-17 10:08 <DIR> --d----- E:\Morrowind Stuff

==================== Find3M ====================

2009-07-08 22:27 360,320 a------- e:\windows\system32\drivers\TCPIP.SYS
2009-07-08 17:05 410,984 a------- e:\windows\system32\deploytk.dll
2009-07-08 02:26 0 a------- e:\windows\system32\drivers\lvuvc.hs
2009-07-08 02:26 0 a------- e:\windows\system32\drivers\logiflt.iad
2009-06-24 18:38 52,736 a------- e:\windows\system32\shell.dll.tmp
2009-06-23 10:04 327,688 a------- e:\windows\system32\drivers\avgldx86.sys
2009-06-23 10:04 11,952 a------- e:\windows\system32\avgrsstx.dll
2009-06-21 12:48 868 a------- e:\program files\INSTALL.LOG
2009-06-17 11:27 38,160 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- e:\windows\system32\drivers\mbam.sys
2009-06-04 00:53 64,160 a------- e:\windows\system32\drivers\Lbd.sys
2009-06-03 10:31 76 a------- e:\docume~1\alluse~1\applic~1\814eb8c1.dat
2009-05-14 15:16 256,856 a------- e:\windows\system32\drivers\UimFIO.sys
2009-05-14 15:15 33,112 a------- e:\windows\system32\drivers\UimBus.sys
2009-05-11 17:26 98,304 a------- e:\windows\system32\CmdLineExt.dll
2009-05-08 01:44 344,064 a------- e:\windows\system32\localspl.dll
2009-04-30 23:02 539,160 a------- e:\windows\system32\LVUI2RC.dll
2009-04-30 23:02 539,160 a------- e:\windows\system32\LVUI2.dll
2009-04-30 22:57 199,192 a------- e:\windows\system32\lvci1201278.dll
2009-04-30 22:57 416,280 a------- e:\windows\system32\lvcodec2.dll
2009-04-30 22:39 34,068 a------- e:\windows\system32\Repository.reg
2009-04-29 14:56 827,392 -------- e:\windows\system32\wininet.dll
2009-04-17 19:58 1,846,656 a------- e:\windows\system32\win32k.sys
2009-04-16 01:26 583,168 a------- e:\windows\system32\rpcrt4.dll

============= FINISH: 0:26:03.51 ===============
Attached File(s): Attach.zip (4.41K)
EnigmaChick
post Jul 8 2009, 09:30 AM
Post #8



Here's the GMER results.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 01:26:13
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

INT 0x62 ? 86F67BF8
INT 0x82 ? 86F67BF8
INT 0xA4 ? 86DFAF00
INT 0xB4 ? 86DFAF00

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F661F8
Device \FileSystem\Fastfat \FatCdrom 86AEB500
Device \FileSystem\Udfs \UdfsCdRom 85E48500
Device \FileSystem\Udfs \UdfsDisk 85E48500

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 86DFC500
Device \Driver\usbuhci \Device\USBPDO-1 86DFC500
Device \Driver\usbuhci \Device\USBPDO-2 86DFC500
Device \Driver\PCI_PNP2402 \Device\00000054 splj.sys
Device \Driver\usbuhci \Device\USBPDO-3 86DFC500
Device \Driver\usbehci \Device\USBPDO-4 86DF8500

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD81F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD81F8
Device \Driver\Cdrom \Device\CdRom0 86E0C500
Device \Driver\Ftdisk \Device\HarddiskVolume3 86FD81F8
Device \Driver\Cdrom \Device\CdRom1 86E0C500
Device \Driver\atapi \Device\Ide\IdePort0 86F671F8
Device \Driver\atapi \Device\Ide\IdePort1 86F671F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 86F671F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 86F671F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 86FD81F8
Device \Driver\Cdrom \Device\CdRom2 86E0C500
Device \Driver\usbstor \Device\00000080 86B07500
Device \Driver\Cdrom \Device\CdRom3 86E0C500
Device \Driver\usbstor \Device\00000081 86B07500
Device \Driver\sptd \Device\2511036152 splj.sys
Device \Driver\Cdrom \Device\CdRom4 86E0C500
Device \Driver\Cdrom \Device\CdRom5 86E0C500
Device \Driver\NetBT \Device\NetBt_Wins_Export 86B0C3D0
Device \Driver\usbstor \Device\00000084 86B07500
Device \Driver\usbstor \Device\00000085 86B07500
Device \Driver\NetBT \Device\NetbiosSmb 86B0C3D0

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{64729181-F900-4158-A30E-7A5E1B303016} 86B0C3D0

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{1A3CB916-EB44-4900-B625-0276B86F78EC} 86B0C3D0
Device \Driver\usbuhci \Device\USBFDO-0 86DFC500
Device \Driver\usbuhci \Device\USBFDO-1 86DFC500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 869F3500
Device \Driver\usbuhci \Device\USBFDO-2 86DFC500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 869F3500
Device \Driver\usbuhci \Device\USBFDO-3 86DFC500
Device \Driver\Ftdisk \Device\FtControl 86FD81F8
Device \Driver\usbehci \Device\USBFDO-4 86DF8500
Device \Driver\aogwoswr \Device\Scsi\aogwoswr1Port3Path0Target3Lun0 86D891F8
Device \Driver\aogwoswr \Device\Scsi\aogwoswr1Port3Path0Target1Lun0 86D891F8
Device \Driver\aogwoswr \Device\Scsi\aogwoswr1Port3Path0Target0Lun0 86D891F8
Device \Driver\aogwoswr \Device\Scsi\aogwoswr1Port3Path0Target4Lun0 86D891F8
Device \Driver\aogwoswr \Device\Scsi\aogwoswr1 86D891F8
Device \Driver\aogwoswr \Device\Scsi\aogwoswr1Port3Path0Target2Lun0 86D891F8
Device \FileSystem\Fastfat \Fat 86AEB500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 869B7500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5E 0xCB 0xC3 0x53 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7A 0x8D 0xCE 0xCA ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x6B 0x2E 0xA8 0x5F ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x4E 0xA7 0x36 0x25 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0F 0xB3 0x27 0x84 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x52 0x74 0xA6 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations [binary REG_MULTI_SZ value garbled in the paste; readable fragments: IpFilterDriver.sys, Logitech USB Camera (QuickCam S5500), Realtek High Definition Audio]
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC3 0xFF 0x80 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7A 0x8D 0xCE 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x6B 0x2E 0xA8 0x5F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x9C 0xC5 0x3E 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0F 0xB3 0x27 0x84 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7E 0xC5 0x17 0x95 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7A 0x8D 0xCE 0xCA ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x03 0x2C 0x14 0xEE ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xF0 0x74 0x80 0x4C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44@ujdew 0xAC 0x89 0xA8 0x3A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0F 0xB3 0x27 0x84 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{64695C2E-529F-2B5C-0407-E117AECD38D4}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7904EF72-0898-1598-E971-0B9E9A9BF3AA}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7904EF72-0898-1598-E971-0B9E9A9BF3AA}@fbmbofiobghblmmcoobdkidlgdclnflnlhmmhbedblea 0x61 0x62 0x61 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7904EF72-0898-1598-E971-0B9E9A9BF3AA}@fbmbofiobghblmmcoobdkidlgdclnflnlhmmibleijmi 0x64 0x62 0x63 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27D838-5C9F-4C9E-CCE8-01DF6E0254CD}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27D838-5C9F-4C9E-CCE8-01DF6E0254CD}@abafpjlfimhkhcjhkcbkieekgamagklkfc 0x61 0x62 0x6E 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27D838-5C9F-4C9E-CCE8-01DF6E0254CD}@mabfkmlgeffdfgmecnkbkgpngp 0x66 0x62 0x62 0x65 ...

---- EOF - GMER 1.0.15 ----
CatByte
post Jul 8 2009, 09:32 AM
Post #9


Classroom Administrator
Group Icon

Group: Classroom Admin
Posts: 9,662
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.





EnigmaChick
post Jul 8 2009, 09:53 AM
Post #10



I downloaded ComboFix from the first and third link (couldn't from the second for the same reason as why I couldn't download DDS the first time) and both times after running it I got this pop up.

CatByte
post Jul 8 2009, 10:00 AM
Post #11



Hi,

First let's get Task Manager working:
please do the following:

  1. Go to Start->Run and type in notepad and hit OK.
  2. Then copy and paste the content of the following codebox into Notepad:

    CODE
    @echo off
    REM Clear the DisableTaskMgr policy value so Task Manager can be opened again
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t Reg_dword /d 0 /f
    REM The batch file deletes itself once it has run
    del %0

  3. Save the file to your DESKTOP as "find.bat". Make sure to save it with the quotes.
  4. Once saved, the icon to click should look like this on your desktop:


  5. Double click find.bat to run it. A small black box should open and close - this is normal.


NEXT

Delete the Copy of ComboFix that you have on your desktop and do this:

Download Combofix from any of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".



Link 1
Link 2
Link 3


During the download, rename Combofix to Combo-Fix as follows:





--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.



-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**


    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------



Try running it in Safe Mode.

If it still will not run and you get the same error message - please do the following:


  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:


    c:\windows\system32\userinit.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Please do the same for the following files:

c:\windows\system32\svchost.exe
c:\windows\explorer.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\spoolsv.exe
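The VirSCAN.org reports requested above come back as plain-text tables (several are pasted later in this thread). The parser below is an added example, not part of the thread or of any VirSCAN tooling: it extracts each file's name and MD5, counts the engines that flagged it, checks that count against the report's own "Scanner results" line, and picks the family name most engines agree on. The two reports embedded in it are constructed in that layout with placeholder hashes.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BANNER = "VirSCAN.org Scanned Report"              # each pasted report starts with this
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")  # "MD5   : ..."
# A scanner row: scanner names ("CA (VET)") and verdicts ("Suspicious file") contain spaces and
# two version columns may sit one space apart, so anchor on the ISO date + decimal scan time.
ROW_RE = re.compile(r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
                    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.*?)\s*$")
RATIO_RE = re.compile(r"\((\d+)/(\d+)\)")           # "(24/38)" on the "Scanner results" line
GENERIC = {"win", "win32", "virus", "gen", "generic", "trojan", "worm", "possible",
           "heuristic", "suspicious", "file", "malware", "patched", "engine", "avp"}

@dataclass
class Report:
    file_name: str = ""
    md5: str = ""
    claimed_hits: Optional[int] = None               # taken from "Scanner results"
    claimed_total: Optional[int] = None
    verdicts: Dict[str, str] = field(default_factory=dict)  # scanner -> verdict, "-" = clean

    @property
    def hits(self) -> Dict[str, str]:
        return {s: v for s, v in self.verdicts.items() if v != "-"}

    def ratio_matches(self) -> Optional[bool]:
        """Do the rows we counted agree with the report's own summary line?"""
        if self.claimed_hits is None:
            return None                              # no summary line seen
        if self.claimed_total is None:               # "All Scanners reported not find malware!"
            return not self.hits
        return (len(self.hits), len(self.verdicts)) == (self.claimed_hits, self.claimed_total)

def parse_reports(text: str) -> List[Report]:
    reports, current = [], None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith(BANNER):
            current = Report()
            reports.append(current)
        elif not line or current is None:
            continue
        elif (row := ROW_RE.match(line)):            # the date/time anchor never matches a header
            current.verdicts[row["scanner"].strip()] = row["result"]
        elif (hdr := HEADER_RE.match(line)):
            key, value = hdr["key"].strip().lower(), hdr["value"].strip()
            if key == "file name":
                current.file_name = value
            elif key == "md5":
                current.md5 = value
            elif key == "scanner results":
                ratio = RATIO_RE.search(value)
                if ratio:
                    current.claimed_hits, current.claimed_total = int(ratio[1]), int(ratio[2])
                elif "not find malware" in value:
                    current.claimed_hits = 0
    return reports

def consensus_family(report: Report) -> Optional[str]:
    """Vendors name one family differently (Virut, Virtob, Scribble), so return the
    non-generic name token that the most detecting engines have in common."""
    tokens = Counter()
    for verdict in report.hits.values():
        for tok in {t.lower() for t in re.findall(r"[A-Za-z]{3,}", verdict)}:
            if tok not in GENERIC:
                tokens[tok] += 1
    return tokens.most_common(1)[0][0] if tokens else None

def summarize(reports: List[Report]) -> List[dict]:
    # One triage row per file: detections, whether the summary line agrees, family name.
    return [{"file": r.file_name, "md5": r.md5, "hits": len(r.hits), "engines": len(r.verdicts),
             "summary_agrees": r.ratio_matches(), "family": consensus_family(r)} for r in reports]

# Constructed sample in the VirSCAN layout; the hashes are placeholders, not real values.
SAMPLE = """\
VirSCAN.org Scanned Report :
Scanner results: 67% Scanner(4/6) found malware!
File Name      : userinit.exe
MD5            : 00112233445566778899aabbccddeeff

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.1         20090708193243    2009-07-08  0.42   Gen.Malware!IK
BitDefender    7.81008.3655133 7.26447           2009-07-08  3.20   Win32.Virtob.Gen.12
CA (VET)       9.0.0.143       31.6.6602         2009-07-08  8.63   Win32/Virut.17408 virus.
ClamAV         0.95.2          9544              2009-07-08  0.01   -
Quick Heal     10.00           2009.07.08        2009-07-08  1.08   W32.Virut.G
Sunbelt        5236            5236              2009-07-07  1.01   -

VirSCAN.org Scanned Report :
Scanner results: All Scanners reported not find malware!
File Name      : svchost.exe
MD5            : ffeeddccbbaa99887766554433221100

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
Trend Micro    8.700-1004      6.259.00          2009-07-08  0.03   -
"""
if __name__ == "__main__":
    for row in summarize(parse_reports(SAMPLE)):
        print(row)
```

Pasting a full set of reports from a thread like this one into SAMPLE gives one line per file, so a patched system binary (many engines, one family name) stands out from a clean one at a glance.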
EnigmaChick
post Jul 8 2009, 11:17 AM
Post #12



Task Manager is now working, thank you!

I tried both methods but still got the same pop up message. You mentioned making sure previous versions of it were deleted; I just wanted to let you know that just after I press OK on the pop up, the file deletes itself automatically.

Here are the file scan results.

CODE
VirSCAN.org Scanned Report :
Scanned time   : 2009/07/09 02:50:04 (EST)
Scanner results: 63% Scanner(24/38) found malware!
File Name      : userinit.exe
File Size      : 44544 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : 77d5696b5a7aef704096fb38e49af379
SHA1           : f5e02de93461c42fc683186f58dceed31980d8dd
Online report  : http://virscan.org/report/0361248d7649581c9eaad67b969c8d4c.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.1         20090708193243    2009-07-08  0.42   Gen.Malware!IK
AhnLab V3      2009.07.08.07   2009.07.08        2009-07-08  0.75   Win32/Virut.F
AntiVir        8.2.0.204       7.1.4.202         2009-07-08  0.35   W32/Virut.Gen
Antiy          2.0.18          20090708.2604486  2009-07-08  0.12   -
Arcavir        2009            200907081245      2009-07-08  0.04   -
Authentium     5.1.1           200907072223      2009-07-07  1.15   W32/Virut.AI!Generic (Heuristic)
AVAST!         4.7.4           090707-0          2009-07-07  0.01   -
AVG            8.5.288         270.13.8/2224     2009-07-08  0.57   Win32/Virut
BitDefender    7.81008.3655133 7.26447           2009-07-08  3.20   Win32.Virtob.Gen.12
CA (VET)       9.0.0.143       31.6.6602         2009-07-08  8.63   Win32/Virut.17408 virus.
ClamAV         0.95.2          9544              2009-07-08  0.01   -
Comodo         3.10            1578              2009-07-07  0.78   -
CP Secure      1.1.0.715       2009.07.08        2009-07-08  11.21  -
Dr.Web         4.44.0.9170     2009.07.08        2009-07-08  4.84   Win32.Virut.56
F-Prot         4.4.4.56        20090707          2009-07-07  1.16   Possible W32/Virut.AI!Generic
F-Secure       5.51.6100       2009.07.08.08     2009-07-08  0.07   Virus.Win32.Virut.ce [AVP]
Fortinet       2.81-3.120      10.584            2009-07-08  0.21   -
GData          19.6351/19.389  20090708          2009-07-08  4.32   Virus.Win32.Virut.ce [Engine:A]
ViRobot        20090708        2009.07.08        2009-07-08  0.43   -
Ikarus         T3.1.01.64      2009.07.08.72999  2009-07-08  4.86   Gen.Malware
JiangMin       11.0.800        2009.07.08        2009-07-08  4.68   -
Kaspersky      5.5.10          2009.07.08        2009-07-08  0.05   Virus.Win32.Virut.ce
KingSoft       2009.2.5.15     2009.7.8.21       2009-07-08  0.50   Win32.Virut.ce.53248
McAfee         5.3.00          5669              2009-07-07  2.94   W32/Virut.n.gen
Microsoft      1.4803          2009.07.08        2009-07-08  5.00   Virus:Win32/Virut.BM
mks_vir        2.01            2009.07.06        2009-07-06  3.13   Worm.Ixbot_F
Norman         6.01.09         6.01.00           2009-07-07  4.01   -
Panda          9.05.01         2009.07.07        2009-07-07  3.09   Suspicious file
Trend Micro    8.700-1004      6.259.00          2009-07-08  0.04   PE_VIRUX.J
Quick Heal     10.00           2009.07.08        2009-07-08  1.08   W32.Virut.G
Rising         20.0            21.37.24.00       2009-07-08  0.93   Win32.Virut.bm
Sophos         2.88.0          4.43              2009-07-08  2.73   W32/Scribble-B
Sunbelt        5236            5236              2009-07-07  1.01   -
Symantec       1.3.0.24        20090707.003      2009-07-07  0.19   W32.Virut.CF
nProtect       20090708.04     4662689           2009-07-08  6.11   -
The Hacker     6.3.4.3         v00363            2009-07-07  0.66   -
VBA32          3.12.10.7       20090707.1554     2009-07-07  2.05   Virus.Win32.Virut.X6
VirusBuster    4.5.11.10       10.108.1/1799718  2009-07-08  2.54   -


CODE
VirSCAN.org Scanned Report :
Scanned time   : 2009/07/09 02:54:23 (EST)
Scanner results: All Scanners reported not find malware!
File Name      : svchost.exe
File Size      : 14336 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : 8f078ae4ed187aaabc0a305146de6716
SHA1           : da0ff4006859a7580aba81f486f692dead2014fe
Online report  : http://virscan.org/report/25da6b2390dbe39df40dab1597d964da.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.1         20090708193243    2009-07-08  0.38   -
AhnLab V3      2009.07.08.07   2009.07.08        2009-07-08  0.85   -
AntiVir        8.2.0.204       7.1.4.202         2009-07-08  0.44   -
Antiy          2.0.18          20090708.2604486  2009-07-08  0.12   -
Arcavir        2009            200907081245      2009-07-08  0.03   -
Authentium     5.1.1           200907072223      2009-07-07  1.15   -
AVAST!         4.7.4           090707-0          2009-07-07  0.01   -
AVG            8.5.288         270.13.8/2224     2009-07-08  0.33   -
BitDefender    7.81008.3655133 7.26447           2009-07-08  3.17   -
CA (VET)       9.0.0.143       31.6.6602         2009-07-08  7.07   -
ClamAV         0.95.2          9544              2009-07-08  0.01   -
Comodo         3.10            1578              2009-07-07  0.71   -
CP Secure      1.1.0.715       2009.07.08        2009-07-08  10.96  -
Dr.Web         4.44.0.9170     2009.07.08        2009-07-08  4.93   -
F-Prot         4.4.4.56        20090707          2009-07-07  1.15   -
F-Secure       5.51.6100       2009.07.08.08     2009-07-08  6.06   -
Fortinet       2.81-3.120      10.584            2009-07-08  0.24   -
GData          19.6351/19.389  20090708          2009-07-08  4.56   -
ViRobot        20090708        2009.07.08        2009-07-08  0.44   -
Ikarus         T3.1.01.64      2009.07.08.72999  2009-07-08  3.00   -
JiangMin       11.0.800        2009.07.08        2009-07-08  4.20   -
Kaspersky      5.5.10          2009.07.08        2009-07-08  0.05   -
KingSoft       2009.2.5.15     2009.7.8.21       2009-07-08  0.50   -
McAfee         5.3.00          5669              2009-07-07  3.02   -
Microsoft      1.4803          2009.07.08        2009-07-08  4.95   -
mks_vir        2.01            2009.07.06        2009-07-06  3.17   -
Norman         6.01.09         6.01.00           2009-07-07  2.01   -
Panda          9.05.01         2009.07.07        2009-07-07  1.88   -
Trend Micro    8.700-1004      6.259.00          2009-07-08  0.03   -
Quick Heal     10.00           2009.07.08        2009-07-08  1.02   -
Rising         20.0            21.37.24.00       2009-07-08  0.79   -
Sophos         2.88.0          4.43              2009-07-08  2.69   -
Sunbelt        5236            5236              2009-07-07  0.83   -
Symantec       1.3.0.24        20090707.003      2009-07-07  0.07   -
nProtect       20090708.04     4662689           2009-07-08  5.98   -
The Hacker     6.3.4.3         v00363            2009-07-07  0.68   -
VBA32          3.12.10.7       20090707.1554     2009-07-07  2.04   -
VirusBuster    4.5.11.10       10.108.1/1799718  2009-07-08  2.19   -


CODE
VirSCAN.org Scanned Report :
Scanned time   : 2009/07/09 03:01:48 (EST)
Scanner results: 61% Scanner(23/38) found malware!
File Name      : explorer.exe
File Size      : 1053184 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : 7e70a00acceb9aca9334d67998cc316c
SHA1           : 134d9ecd96327d546c09318f49c37ecaed4b3466
Online report  : http://virscan.org/report/3461607a6d4717becbf6cf31090cca3d.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.1         20090708193243    2009-07-08  0.45   Trojan.Win32.Patched!IK
AhnLab V3      2009.07.08.07   2009.07.08        2009-07-08  0.74   Win32/Virut.F
AntiVir        8.2.0.204       7.1.4.202         2009-07-08  0.07   W32/Virut.Gen
Antiy          2.0.18          20090708.2604486  2009-07-08  0.12   -
Arcavir        2009            200907081245      2009-07-08  0.05   -
Authentium     5.1.1           200907072223      2009-07-07  1.15   W32/Virut.AI!Generic (Heuristic)
AVAST!         4.7.4           090707-0          2009-07-07  0.05   -
AVG            8.5.288         270.13.8/2224     2009-07-08  0.47   Win32/Virut
BitDefender    7.81008.3655133 7.26447           2009-07-08  3.16   Win32.Virtob.Gen.12
CA (VET)       9.0.0.143       31.6.6602         2009-07-08  8.27   Win32/Virut.17408 virus.
ClamAV         0.95.2          9544              2009-07-08  0.16   -
Comodo         3.10            1578              2009-07-07  0.87   -
CP Secure      1.1.0.715       2009.07.08        2009-07-08  11.03  -
Dr.Web         4.44.0.9170     2009.07.08        2009-07-08  4.79   Win32.Virut.56
F-Prot         4.4.4.56        20090707          2009-07-07  1.15   Possible W32/Virut.AI!Generic
F-Secure       5.51.6100       2009.07.08.08     2009-07-08  6.09   Virus.Win32.Virut.ce [AVP]
Fortinet       2.81-3.120      10.584            2009-07-08  0.25   -
GData          19.6351/19.389  20090708          2009-07-08  4.42   Virus.Win32.Virut.ce [Engine:A]
ViRobot        20090708        2009.07.08        2009-07-08  0.41   -
Ikarus         T3.1.01.64      2009.07.08.72999  2009-07-08  3.71   Trojan.Win32.Patched
JiangMin       11.0.800        2009.07.08        2009-07-08  3.46   -
Kaspersky      5.5.10          2009.07.08        2009-07-08  0.06   Virus.Win32.Virut.ce
KingSoft       2009.2.5.15     2009.7.8.21       2009-07-08  0.55   Win32.Virut.ce.53248
McAfee         5.3.00          5669              2009-07-07  2.97   W32/Virut.n.gen
Microsoft      1.4803          2009.07.08        2009-07-08  5.03   Virus:Win32/Virut.BM
mks_vir        2.01            2009.07.06        2009-07-06  3.26   -
Norman         6.01.09         6.01.00           2009-07-07  4.01   -
Panda          9.05.01         2009.07.07        2009-07-07  1.75   Suspicious file
Trend Micro    8.700-1004      6.259.00          2009-07-08  0.04   PE_VIRUX.J
Quick Heal     10.00           2009.07.08        2009-07-08  1.27   W32.Virut.G
Rising         20.0            21.37.24.00       2009-07-08  0.80   Win32.Virut.bm
Sophos         2.88.0          4.43              2009-07-08  2.72   W32/Scribble-B
Sunbelt        5236            5236              2009-07-07  1.07   -
Symantec       1.3.0.24        20090707.003      2009-07-07  0.07   W32.Virut.CF
nProtect       20090708.04     4662689           2009-07-08  6.89   -
The Hacker     6.3.4.3         v00363            2009-07-07  0.68   -
VBA32          3.12.10.7       20090707.1554     2009-07-07  2.07   Virus.Win32.Virut.X6
VirusBuster    4.5.11.10       10.108.1/1799718  2009-07-08  2.81   -


CODE
VirSCAN.org Scanned Report :
Scanned time   : 2009/07/09 03:06:10 (EST)
Scanner results: 55% Scanner(21/38) found malware!
File Name      : ctfmon.exe
File Size      : 35328 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : db86468c1ca111c5bb7e03128e1b8974
SHA1           : 26b159c72e481c89016afb66dede9e995d384687
Online report  : http://virscan.org/report/ad1ff666381086790199040aabcd076b.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.1         20090708193243    2009-07-08  0.42   -
AhnLab V3      2009.07.08.07   2009.07.08        2009-07-08  0.72   Win32/Virut.F
AntiVir        8.2.0.204       7.1.4.202         2009-07-08  0.22   W32/Virut.Gen
Antiy          2.0.18          20090708.2604486  2009-07-08  0.12   -
Arcavir        2009            200907081245      2009-07-08  0.04   -
Authentium     5.1.1           200907072223      2009-07-07  1.14   W32/Virut.AI!Generic (Heuristic)
AVAST!         4.7.4           090707-0          2009-07-07  0.01   -
AVG            8.5.288         270.13.8/2224     2009-07-08  0.51   Win32/Virut
BitDefender    7.81008.3655133 7.26447           2009-07-08  5.97   Win32.Virtob.Gen.12
CA (VET)       9.0.0.143       31.6.6602         2009-07-08  7.93   Win32/Virut.17408 virus.
ClamAV         0.95.2          9544              2009-07-08  0.01   -
Comodo         3.10            1578              2009-07-07  0.76   -
CP Secure      1.1.0.715       2009.07.08        2009-07-08  11.09  -
Dr.Web         4.44.0.9170     2009.07.08        2009-07-08  4.81   Win32.Virut.56
F-Prot         4.4.4.56        20090707          2009-07-07  1.17   Possible W32/Virut.AI!Generic
F-Secure       5.51.6100       2009.07.08.08     2009-07-08  0.08   Virus.Win32.Virut.ce [AVP]
Fortinet       2.81-3.120      10.584            2009-07-08  0.23   -
GData          19.6351/19.389  20090708          2009-07-08  4.63   Virus.Win32.Virut.ce [Engine:A]
ViRobot        20090708        2009.07.08        2009-07-08  0.41   -
Ikarus         T3.1.01.64      2009.07.08.72999  2009-07-08  3.09   -
JiangMin       11.0.800        2009.07.08        2009-07-08  3.61   -
Kaspersky      5.5.10          2009.07.08        2009-07-08  0.05   Virus.Win32.Virut.ce
KingSoft       2009.2.5.15     2009.7.8.21       2009-07-08  0.50   Win32.Virut.ce.53248
McAfee         5.3.00          5669              2009-07-07  2.93   W32/Virut.n.gen
Microsoft      1.4803          2009.07.08        2009-07-08  6.26   Virus:Win32/Virut.BM
mks_vir        2.01            2009.07.06        2009-07-06  3.19   -
Norman         6.01.09         6.01.00           2009-07-07  4.01   -
Panda          9.05.01         2009.07.07        2009-07-07  1.94   Suspicious file
Trend Micro    8.700-1004      6.259.00          2009-07-08  0.04   PE_VIRUX.J
Quick Heal     10.00           2009.07.08        2009-07-08  1.05   W32.Virut.G
Rising         20.0            21.37.24.00       2009-07-08  0.93   Win32.Virut.bm
Sophos         2.88.0          4.43              2009-07-08  2.72   W32/Scribble-B
Sunbelt        5236            5236              2009-07-07  1.66   -
Symantec       1.3.0.24        20090707.003      2009-07-07  0.18   W32.Virut.CF
nProtect       20090708.04     4662689           2009-07-08  7.73   -
The Hacker     6.3.4.3         v00363            2009-07-07  0.76   -
VBA32          3.12.10.7       20090707.1554     2009-07-07  2.17   Virus.Win32.Virut.X6
VirusBuster    4.5.11.10       10.108.1/1799718  2009-07-08  2.59   -


CODE
VirSCAN.org Scanned Report :
Scanned time   : 2009/07/09 03:10:25 (EST)
Scanner results: 58% Scanner(22/38) found malware!
File Name      : spoolsv.exe
File Size      : 77824 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : c779fd4590037ec2f2af813ad932fc68
SHA1           : fb14b16d09e0fe232b342fb7d4b999974de5fb8e
Online report  : http://virscan.org/report/6ed5b2cfac62ce739f294e9446d75bef.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.1         20090708193243    2009-07-08  0.51   Virus.Win32.SdBot!IK
AhnLab V3      2009.07.08.07   2009.07.08        2009-07-08  0.85   Win32/Virut.F
AntiVir        8.2.0.204       7.1.4.202         2009-07-08  0.53   W32/Virut.Gen
Antiy          2.0.18          20090708.2604486  2009-07-08  0.12   -
Arcavir        2009            200907081245      2009-07-08  0.04   -
Authentium     5.1.1           200907072223      2009-07-07  1.19   W32/Virut.AI!Generic (Heuristic)
AVAST!         4.7.4           090707-0          2009-07-07  0.01   -
AVG            8.5.288         270.13.8/2224     2009-07-08  0.52   Win32/Virut
BitDefender    7.81008.3655133 7.26447           2009-07-08  3.19   Win32.Virtob.Gen.12
CA (VET)       9.0.0.143       31.6.6602         2009-07-08  7.85   Win32/Virut.17408 virus.
ClamAV         0.95.2          9544              2009-07-08  0.02   -
Comodo         3.10            1578              2009-07-07  0.75   -
CP Secure      1.1.0.715       2009.07.08        2009-07-08  11.04  -
Dr.Web         4.44.0.9170     2009.07.08        2009-07-08  4.87   Win32.Virut.56
F-Prot         4.4.4.56        20090707          2009-07-07  1.16   Possible W32/Virut.AI!Generic
F-Secure       5.51.6100       2009.07.08.08     2009-07-08  3.99   Virus.Win32.Virut.ce [AVP]
Fortinet       2.81-3.120      10.584            2009-07-08  0.19   -
GData          19.6351/19.389  20090708          2009-07-08  4.39   Virus.Win32.Virut.ce [Engine:A]
ViRobot        20090708        2009.07.08        2009-07-08  0.44   -
Ikarus         T3.1.01.64      2009.07.08.72999  2009-07-08  3.01   Virus.Win32.SdBot
JiangMin       11.0.800        2009.07.08        2009-07-08  5.42   -
Kaspersky      5.5.10          2009.07.08        2009-07-08  0.09   Virus.Win32.Virut.ce
KingSoft       2009.2.5.15     2009.7.8.21       2009-07-08  0.55   -
McAfee         5.3.00          5669              2009-07-07  2.96   W32/Virut.n.gen
Microsoft      1.4803          2009.07.08        2009-07-08  5.02   Virus:Win32/Virut.BM
mks_vir        2.01            2009.07.06        2009-07-06  3.28   -
Norman         6.01.09         6.01.00           2009-07-07  4.01   -
Panda          9.05.01         2009.07.07        2009-07-07  1.65   Suspicious file
Trend Micro    8.700-1004      6.259.00          2009-07-08  0.04   PE_VIRUX.J
Quick Heal     10.00           2009.07.08        2009-07-08  1.02   W32.Virut.G
Rising         20.0            21.37.24.00       2009-07-08  0.93   Win32.Virut.bm
Sophos         2.88.0          4.43              2009-07-08  2.76   W32/Scribble-B
Sunbelt        5236            5236              2009-07-07  1.01   -
Symantec       1.3.0.24        20090707.003      2009-07-07  0.07   W32.Virut.CF
nProtect       20090708.04     4662689           2009-07-08  5.81   -
The Hacker     6.3.4.3         v00363            2009-07-07  0.70   -
VBA32          3.12.10.7       20090707.1554     2009-07-07  2.02   Virus.Win32.Virut.X6
VirusBuster    4.5.11.10       10.108.1/1799718  2009-07-08  2.56   -



CatByte
post Jul 8 2009, 11:21 AM
Post #13


Classroom Administrator
Group Icon

Group: Classroom Admin
Posts: 9,662
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Well, this is very bad news.

Unfortunately, you have been hit with the worst virus out there: VIRUT.


VIRUT is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously.

Unfortunately, the cleaning of this virus is not recommended.

The only thing we recommend is to do a full reformat and install.

We have an excellent tutorial on how to reformat here

Things to bear in mind: only back up data files (Word, Excel etc.). DO NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.pif/.com/.rar files, as they could all be infected and will simply re-infect your system again; there is no way of being certain what this infection can do.

Read more about the VIRUT FILE INFECTOR HERE

If you don't have a Windows Installation Disk (if this came with Windows pre-installed), you may have a Manufacturer restore disk to restore the computer to its original state - this depends on the Manufacturer though. Otherwise, give the Manufacturer a call and ask them to send you a restore disk or Windows installation CD.

Here is a guide on backing up your data, although you can use whatever method you prefer.

Do not back up to another machine, as it may become compromised.

Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

Should you have any questions, please feel free to ask.

I am sorry there is nothing more that we can do.


More information:

QUOTE
http://free.avg.com/66558
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)



Miekiemoes, a highly regarded expert in malware removal and an MS-MVP, has an extremely informative blog post about Virut; she only ever recommends a total reformat.

At least this way, you have the best chance of having a clean machine once more.

For future protection read this very well written article Think Prevention.


PS: uTorrent and Limewire are certain conduits for this type of infection.
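The McAfee description quoted in the post above gives the structural picture of a Virut infection: the encrypted body is appended to the last section of the PE file, and the polymorphic decryptor sits either just before that body, in code-section slack space, or at the original entry point. The script below is an added example, not code from this thread or from any of the vendors quoted; it parses a PE section table and reports the two signals a responder checks when system binaries like explorer.exe or spoolsv.exe score high on a multi-engine scan: an entry point that lands in the last section, and a last section that is both writable and executable. It also prints the file's MD5 and SHA1 so the result can be matched against the hash lines in a VirSCAN report. It is a triage signal, not a Virut detector: packed but legitimate binaries trigger it, and an infection that overwrites the original entry point (the third placement in the quote) leaves the entry point where it was, so this check will not flag it. The sample PE is hand-built for the example and is not a real Windows binary.

```python
"""Added example: structural triage of a PE file's section table (not Virut detection)."""
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40                                    # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    if not sections:
        raise ValueError("PE has no sections")
    return entry_rva, sections


def triage(data):
    """Hashes plus the two section-table signals: entry point in last section, last section W+X."""
    entry_rva, sections = parse_sections(data)
    last = sections[-1]

    def holds(sec, rva):
        span = max(sec["vsize"], sec["rawsize"])
        return sec["vaddr"] <= rva < sec["vaddr"] + span

    entry_section = next((s["name"] for s in sections if holds(s, entry_rva)), None)
    chars = last["chars"]
    return {
        "md5": hashlib.md5(data).hexdigest(),      # compare with the "MD5" line of a VirSCAN report
        "sha1": hashlib.sha1(data).hexdigest(),
        "entry_section": entry_section,
        "entry_in_last_section": entry_section == last["name"],
        "last_section_wx": bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE),
    }


def build_sample_pe(entry_rva, last_chars):
    """Constructed two-section PE32 (.text then .data) for the example; not a real binary."""
    secs = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        (b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),  # code | execute | read
        (b".data", 0x1000, 0x2000, 0x200, 0x600, last_chars),
    ]
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0x200, 0x200, 0, entry_rva)  # Magic .. AddressOfEntryPoint
    opt += b"\0" * (224 - len(opt))                           # pad to the PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    pe_off = 0x80
    headers = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    headers += b"\0" * (pe_off - len(headers)) + b"PE\0\0" + coff + opt + table
    headers += b"\0" * (0x400 - len(headers))                 # raw section data starts at 0x400
    return headers + b"\xC3" * 0x200 + b"\0" * 0x200


if __name__ == "__main__":
    clean = build_sample_pe(0x1000, 0xC0000040)   # entry in .text; .data is read|write, not executable
    odd = build_sample_pe(0x2100, 0xE0000020)     # entry moved into a write+execute last section
    for label, blob in (("clean-looking", clean), ("suspicious", odd)):
        print(label, triage(blob))
```

Run it as-is to see both constructed samples scored; point `triage()` at the bytes of a real file to check it. The `holds()` test uses the larger of VirtualSize and SizeOfRawData because a section's mapped extent can exceed its on-disk data, which is exactly the slack space the quoted write-up mentions.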
EnigmaChick
post Jul 8 2009, 11:57 AM
Post #14


Computer Geek
****

Group: Authentic Member
Posts: 955
Joined: 27-October 06
From: Australia
Member No.: 63,493
Operating System: Windows XP Home Edition SP2



Do the files that shouldn't be backed up mean all drives, both internal and external? I have an internal drive partitioned into 2 separate drives and 2 flash drives (one is very large). Or is it just the internal hard drive, or just the system partition?
CatByte
post Jul 8 2009, 11:58 AM
Post #15


Classroom Administrator
Group Icon

Group: Classroom Admin
Posts: 9,662
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



If you have moved any files between the drives at all, then yes, it means all the drives.