OK, I'm in the process... Tea Timer isn't quite like you said. Don't know if it matters. When I right clicked the icon in the tray and unchecked resident, it did not gray out. Then when I opened the program and went to tools and clicked resident... it was already there, nothing changed. I unchecked resident Tea Timer and restarted. That's where I'm at right now. Before I started this, the computer hung up two or three times and we had to restart two or three times today. It's going very slow. Previous to this, it had been going fast. I'm off to do step 2 now. I'll be back posting notes if needed. Thanks for the help.
Step 3
Only this one was there to "Fix checked"
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Step 4
I had to turn off the firewall to let ComboFix work, and I'm not sure it is working... may have to do that again. (I'm posting this on another computer.) OK, I had to drag the .txt file onto ComboFix again and it started this time. It deleted tons of LimeWire files. How were those still on there? I deleted them when you said. You can see from the HJT file. Does this mean that someone reinstalled it or were they always there? Was the Ask toolbar the bad guy or just something broken? I'm waiting on the ComboFix log now.
I have the ComboFix text file, but AVG is running again. It has been popping up and scanning at weird times and it won't stop when you right click and tell it to stop all scans. I continue to have two AVG things in the tray. The ComboFix log says that a user-mapped section open something and it can't do something. Is that because I didn't turn off the Resident part of AVG? I'm waiting on the scanned computer to open up Firefox so I can paste the log.
ComboFix 08-11-22.02 - Aaron Morgan 2008-11-24 22:27:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.736 [GMT -6:00]
Running from: c:\documents and settings\Aaron Morgan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron Morgan\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\cssdll32.dll
.
/wow section - STAGE 32A
The requested operation cannot be performed on a file with a user-mapped section open.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Aaron Morgan\Application Data\LimeWire
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\410splashfree.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\410splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\412splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\414splashfree.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\active.mojito
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\data.ser
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\filters.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\gnutella.net
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\installation.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\library.dat
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\limewire.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\mojito.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\passive.mojito
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\pub1.key
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\public.key
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\questions.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\responses.cache
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\secureMessage.key
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\simpp.xml
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\spam.dat
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\tables.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\03_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\04_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\05_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\chat.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\dir_closed.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\dir_open.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\forward_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\forward_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\kill.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\kill_on.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\lime.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\logo.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\notsearching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\pause_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\pause_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\play_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\play_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\question.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\rewind_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\rewind_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\searching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\splash.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\stop_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\stop_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\theme.txt
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\warning.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\03_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\04_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\05_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\chat.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\dir_open.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\forward_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\forward_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\kill.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\logo.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\notsearching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\pause_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\pause_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\play_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\play_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\question.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\rewind_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\rewind_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\search.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\searching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\splash.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\stop_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\stop_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\theme.txt
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\warning.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\03_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\04_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\05_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\chat.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\dir_closed.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\dir_open.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\forward_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\forward_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\kill.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\kill_on.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\lime.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\logo.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\notsearching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\pause_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\pause_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\play_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\play_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\question.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\rewind_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\rewind_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\searching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\stop_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\stop_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\theme.txt
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\warning.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\03_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\04_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\05_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\chat.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\dir_closed.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\dir_open.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\forward_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\forward_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\kill.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\kill_on.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\lime.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\logo.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\notsearching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\pause_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\pause_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\play_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\play_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\question.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\rewind_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\rewind_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\searching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\splash.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\stop_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\stop_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\theme.txt
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\warning.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\other_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\other_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\other_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\other_theme\03_star.gif
c:\program files\COMODO\SafeSurf
c:\windows\system32\cssdll32.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.
2008-11-24 22:14 . 2008-10-21 16:59 262,144 --a------ c:\program files\Uninstall Ask Toolbar.dll
2008-11-17 14:04 . 2008-11-17 14:04 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-12 12:50 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 12:48 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-05 01:27 . 2008-11-05 01:30 250 --a------ c:\windows\gmer.ini
2008-10-30 21:12 . 2008-10-30 21:12 <DIR> d-------- C:\Rustbfix
2008-10-28 21:07 . 2008-10-28 21:07 2,720 --a------ c:\windows\system32\tmp.reg
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-10-28 21:03 . 2008-09-08 21:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-10-28 21:03 . 2008-10-01 13:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-10-28 21:03 . 2008-05-18 19:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-10-28 21:03 . 2008-08-18 10:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-10-28 21:02 . 2007-09-05 22:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-10-28 21:02 . 2004-07-31 16:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-10-28 21:02 . 2007-10-03 22:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-10-28 21:01 . 2006-04-27 15:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-10-28 21:00 . 2003-06-05 19:13 53,248 --a------ c:\windows\system32\Process.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 04:28 --------- d-----w c:\program files\COMODO
2008-11-24 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-24 03:13 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\OpenOffice.org2
2008-11-22 02:48 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\Move Networks
2008-11-19 18:12 99,216 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-11-19 18:12 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2008-11-19 18:12 143,096 ----a-w c:\windows\system32\guard32.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 08:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-22 08:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 08:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-22 08:15 --------- d-----w c:\program files\SpywareBlaster
2008-10-21 23:38 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2008-10-21 22:58 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\Comodo
2008-10-21 22:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-17 01:25 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-17 01:25 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 05:02 138,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-09-28 05:02 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-06-16 23:10 744 ----a-w c:\documents and settings\Aaron Morgan\Application Data\filterclsid.dat
2006-04-01 17:52 1 ----a-w c:\documents and settings\Aaron Morgan\SI.bin
2008-08-24 22:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-23_13.17.08.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-25 04:15:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_40c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-27 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-19 1796856]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-19 1796856]
"AtiPTA"="atiptaxx.exe" [2005-11-22 c:\windows\system32\atiptaxx.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RioMSC"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ETDED.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11654:TCP"= 11654:TCP:BitComet 11654 TCP
"11654:UDP"= 11654:UDP:BitComet 11654 UDP
"8403:TCP"= 8403:TCP:BitComet 8403 TCP
"8403:UDP"= 8403:UDP:BitComet 8403 UDP
"13659:TCP"= 13659:TCP:BitComet 13659 TCP
"13659:UDP"= 13659:UDP:BitComet 13659 UDP
"26511:TCP"= 26511:TCP:BitComet 26511 TCP
"26511:UDP"= 26511:UDP:BitComet 26511 UDP
"8772:TCP"= 8772:TCP:BitComet 8772 TCP
"8772:UDP"= 8772:UDP:BitComet 8772 UDP
R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys [2005-11-13 9088]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-24 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-21 99216]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-21 31504]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-24 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-24 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-24 76040]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe -k netsvcs [2002-08-29 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fd74298-d5eb-11dc-9e6e-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7107e34-0e5e-11da-9551-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94dbc9c-0fff-11dd-9e97-000d87496c17}]
\Shell\AutoRun\command - J:\Launch.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94dbcab-0fff-11dd-9e97-000d87496c17}]
\Shell\AutoRun\command - F:\install.EXE id= ver=1.0.0.0
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 05:51]
2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-06-24 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 08:42]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-24 22:30:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WgaLogon.dll
.
Completion time: 2008-11-24 22:33:08
ComboFix-quarantined-files.txt 2008-11-25 04:31:50
ComboFix2.txt 2008-11-23 19:19:03
Pre-Run: 63,137,042,432 bytes free
Post-Run: 63,126,941,696 bytes free
399 --- E O F --- 2008-11-13 01:25:30
Alright, I'm moving to the next step.
Gmer - I turned off the firewall before I scanned. Here's the log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-24 22:53:05
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xBAFEB7B6]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF7520818]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xBAFEAD16]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xBAFEB372]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xBAFEBF80]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF7514A20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xBAFEAA70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xBAFECC70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xBAFEB99C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xBAFEA646]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xBAFEBBEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xBAFEBD9A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xBAFEA4F8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF75152A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF7520910]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xBAFEC8F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xBAFEAF5C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xBAFEB5AA]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF7520794]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xBAFEA228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xBAFEB1EC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xBAFEA3A0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF75152C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF7520866]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xBAFEC346]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xBAFEAB8E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xBAFEC6AA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xBAFECAA0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF75200B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xBAFEC146]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xBAFEAEF6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xBAFEB0E0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xBAFEA93A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xBAFEA808]
INT 0x62 ? 88B6CBF8
INT 0x63 ? 888D1F00
INT 0x73 ? 888D1F00
INT 0x82 ? 88B6CBF8
INT 0x83 ? 888D1F00
---- Kernel code sections - GMER 1.0.14 ----
? spat.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F72738AC 5 Bytes JMP 888D14E0
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 88BDB2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F758293C] spat.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7582990] spat.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 888D15E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7562D92] spat.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 88BD71F8
Device \FileSystem\Udfs \UdfsCdRom 885CB500
Device \FileSystem\Udfs \UdfsCdRom 88819E90
Device \FileSystem\Udfs \UdfsDisk 885CB500
Device \FileSystem\Udfs \UdfsDisk 88819E90
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdHlp \Device\CFPTcpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBPDO-0 888D31F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 88BD91F8
Device \Driver\dmio \Device\DmControl\DmConfig 88BD91F8
Device \Driver\dmio \Device\DmControl\DmPnP 88BD91F8
Device \Driver\dmio \Device\DmControl\DmInfo 88BD91F8
Device \Driver\usbohci \Device\USBPDO-1 888D31F8
Device \Driver\usbehci \Device\USBPDO-2 888DE1F8
Device \Driver\cmdHlp \Device\CFPRawFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdHlp \Device\CFPUdpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 88B6D1F8
Device \Driver\Cdrom \Device\CdRom0 887E0170
Device \FileSystem\Rdbss \Device\FsWrap 886C1820
Device \Driver\Cdrom \Device\CdRom1 887E0170
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 887E0278
Device \Driver\atapi \Device\Ide\IdePort0 887E0278
Device \Driver\atapi \Device\Ide\IdePort1 887E0278
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 887E0278
Device \Driver\NetBT \Device\NetBt_Wins_Export 883721F8
Device \Driver\NetBT \Device\NetbiosSmb 883721F8
Device \FileSystem\Srv \Device\LanmanServer 88551D30
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdHlp \Device\cmdhlp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBFDO-0 888D31F8
Device \Driver\usbohci \Device\USBFDO-1 888D31F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 883531F8
Device \Driver\cmdHlp \Device\CFPIpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbehci \Device\USBFDO-2 888DE1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 883531F8
Device \FileSystem\Npfs \Device\NamedPipe 8873C5F0
Device \Driver\Ftdisk \Device\FtControl 88B6D1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CE720297-240C-48AA-A46A-657689230769} 883721F8
Device \FileSystem\Msfs \Device\Mailslot 8873C9C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 885381B8
Device \Driver\d347prt \Device\Scsi\d347prt1 885381B8
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8873DB68
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8873DB68
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8873DB68
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8873DB68
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8873DB68
Device \FileSystem\Cdfs \Cdfs 885AA500
Device \FileSystem\Cdfs \Cdfs 8881A078
---- Modules - GMER 1.0.14 ----
Module _________ F7477000-F748F000 (98304 bytes)
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x33 0x53 0xB8 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 46235088
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -743653309
---- EOF - GMER 1.0.14 ----
What is CATCHME??? Is that someone screwing around with my computer?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:04:13, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Trend Micro\HijackThis\motoaaron.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 7046 bytes
OK, I think I did it all. I think I will highlight my notes to separate from the logs. Thanks for all the help.
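An added example, not part of this thread and not code from GMER or ComboFix: a Python script that reads GMER-style SSDT/IAT hook lines and ComboFix mountpoints2 AutoRun lines, groups the hooks by the driver that owns them, and flags any owner GMER could not attribute to a vendor, could not open on disk, or could not name at all. In the logs above almost every hook attributes to COMODO (cmdguard.sys, inspect.sys, cmdhlp.sys) or AVG (avgtdix.sys); the entries that do not are d347bus.sys (blank vendor), spat.sys (file not found) and the unnamed module at F7477000, and those are the lines worth a second look. The sample lines inside the script are constructed from the shapes of those log lines; the regular expressions and the "no vendor means look closer" rule are my heuristics, not GMER's verdict. For what it is worth, and not from this page: d347bus/d347prt and the sptd service with its randomly named spXX.sys kernel image commonly belong to CD-emulation software such as DAEMON Tools or Alcohol, which is consistent with the d347prt Scsi device and sptd\Cfg registry keys in the log, but that is something to confirm by checking the files, not to assume.

```python
"""Triage helper for GMER / ComboFix output: group kernel hooks (SSDT, IAT) by the
driver that owns them, flag owners GMER could not attribute to a vendor, and collect
AutoRun commands from mountpoints2 entries.  Added example for this thread, not part
of GMER, ComboFix or the post; SAMPLE_LINES are constructed from the logs above."""
import re
from collections import defaultdict

# Constructed sample input: line shapes copied from the GMER/ComboFix logs above.
SAMPLE_LINES = [
    r"SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xBAFEB7B6]",
    r"SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF7520818]",
    r"SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xBAFEB372]",
    r"SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF7520866]",
    r"? spat.sys The system cannot find the file specified. !",
    r"IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 88BDB2D8",
    r"IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7582990] spat.sys",
    r"IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)",
    r"Module _________ F7477000-F748F000 (98304 bytes)",
    r"\Shell\AutoRun\command - D:\Setup.exe",
    r"\Shell\AutoRun\command - F:\install.EXE id= ver=1.0.0.0",
]

# Line patterns are mine, fitted to the lines above; GMER publishes no grammar for its log.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>.*?)/(?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<victim>[^\[\s]+)\[(?P<import>[^\]]+)\]"
    r"\s+\[?(?P<addr>[0-9A-Fa-f]+)\]?"
    r"(?:\s+(?P<module>\S+))?"
    r"(?:\s+\((?P<desc>.*?)/(?P<vendor>[^)]*)\))?$"
)
PROBE_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+(?P<msg>.+?)\s*!$")
MODULE_RE = re.compile(
    r"^Module\s+(?P<name>\S+)\s+(?P<start>[0-9A-Fa-f]+)-(?P<end>[0-9A-Fa-f]+)"
    r"\s+\((?P<size>\d+) bytes\)$"
)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")


def basename(path):
    """Last path component, lower-cased, so a full path and a bare file name group together."""
    return path.rsplit("\\", 1)[-1].lower()


def is_anonymous(name):
    """GMER prints a kernel module it cannot name as a run of underscores."""
    return not any(ch.isalnum() for ch in name)


def triage(lines):
    """Return hooks grouped by owner, owners that deserve a look (with reasons), AutoRun commands."""
    hooks = defaultdict(list)    # owner module -> [(kind, hooked symbol)]
    reasons = defaultdict(set)   # owner module -> why it deserves a look
    autorun = []
    for raw in lines:
        line = raw.rstrip()
        if m := SSDT_RE.match(line):
            owner = basename(m["module"])
            hooks[owner].append(("SSDT", m["func"]))
            if not (m["vendor"] or "").strip():
                reasons[owner].add("no vendor in GMER attribution")
        elif m := IAT_RE.match(line):
            owner = basename(m["module"]) if m["module"] else "<unresolved>"
            hooks[owner].append(("IAT", f'{basename(m["victim"])} -> {m["import"]}'))
            if not m["module"]:
                reasons[owner].add("hook points at a bare address GMER mapped to no module")
            elif not (m["vendor"] or "").strip():
                reasons[owner].add("no vendor in GMER attribution")
        elif m := PROBE_RE.match(line):
            reasons[basename(m["module"])].add(f"GMER could not open the image: {m['msg']}")
        elif m := MODULE_RE.match(line):
            if is_anonymous(m["name"]):
                reasons[m["name"]].add(f"unnamed kernel module, {m['size']} bytes at {m['start']}")
        elif m := AUTORUN_RE.match(line):
            autorun.append(m["cmd"].strip())
    for owner in hooks:
        if is_anonymous(owner):
            reasons[owner].add("unnamed hook owner")
    return {"hooks": dict(hooks),
            "unattributed": {k: sorted(v) for k, v in reasons.items()},
            "autorun": autorun}


def report(result):
    """Human-readable summary of triage(): one line per hook owner, reasons, AutoRun commands."""
    out = []
    for owner, entries in sorted(result["hooks"].items()):
        flag = "  <-- check" if owner in result["unattributed"] else ""
        out.append(f"{owner}: {len(entries)} hook(s){flag}")
    for owner, why in sorted(result["unattributed"].items()):
        out.append(f"  {owner}: {'; '.join(why)}")
    for cmd in result["autorun"]:
        out.append(f"AutoRun: {cmd}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LINES)))
```

Run it as is to see the constructed sample; for a real run, read the GMER .log into a list of lines and pass it to triage(). An unattributed owner is a lead for hashing and signature-checking the file on disk, not a finding on its own, and an AutoRun entry pointing at a removable drive is only a risk if that drive's executable is untrusted.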