Old 07-09-2009, 07:49 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Infected with hxxp:IFrame-HW[Trj]

My kids were on a MySpace page watching videos the other night, and now if I try to go online for anything my avast software goes nuts and I get the line in the title. It says it is in the temp. internet files folder. I shut the computer down and let avast do a complete scan, and I ran spybaster and AVG. All to no avail. So I come once again to the great guys and gals here at tech support for help. I also have a strange thing happen when I try to move a file: it moves, but also brings up a box from Easy CD Creator and wants me to put in the CD to install. I don't even use that program. Weird. Below I have enclosed the files you asked for (DDS & Attach & GMER). Any help would be greatly appreciated.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 20:22:20
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !
? System32\DRIVERS\AvgAsCln.sys The system cannot find the path specified. !
? C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\NOTEPAD.EXE[144] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\NOTEPAD.EXE[144] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\NOTEPAD.EXE[144] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\NOTEPAD.EXE[144] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\NOTEPAD.EXE[144] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe[188] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe[188] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe[188] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe[188] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe[188] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\ehome\ehtray.exe[192] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\ehome\ehtray.exe[192] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\ehome\ehtray.exe[192] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\ehome\ehtray.exe[192] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\ehome\ehtray.exe[192] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\SOUNDMAN.EXE[220] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\SOUNDMAN.EXE[220] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\SOUNDMAN.EXE[220] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\SOUNDMAN.EXE[220] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\SOUNDMAN.EXE[220] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\spoolsv.exe[288] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\spoolsv.exe[288] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\spoolsv.exe[288] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\spoolsv.exe[288] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\spoolsv.exe[288] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Digital Media Reader\readericon45G.exe[428] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Digital Media Reader\readericon45G.exe[428] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Digital Media Reader\readericon45G.exe[428] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Digital Media Reader\readericon45G.exe[428] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Digital Media Reader\readericon45G.exe[428] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\eHome\ehmsas.exe[460] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\eHome\ehmsas.exe[460] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\eHome\ehmsas.exe[460] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\eHome\ehmsas.exe[460] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\eHome\ehmsas.exe[460] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[480] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[480] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[480] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[480] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[480] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\eHome\ehRecvr.exe[524] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\eHome\ehRecvr.exe[524] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\eHome\ehRecvr.exe[524] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\eHome\ehRecvr.exe[524] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\eHome\ehRecvr.exe[524] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\eHome\ehSched.exe[564] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\eHome\ehSched.exe[564] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\eHome\ehSched.exe[564] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\eHome\ehSched.exe[564] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\eHome\ehSched.exe[564] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\nvsvc32.exe[716] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\nvsvc32.exe[716] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\nvsvc32.exe[716] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\nvsvc32.exe[716] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\nvsvc32.exe[716] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\winlogon.exe[752] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\system32\winlogon.exe[752] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\system32\winlogon.exe[752] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\system32\winlogon.exe[752] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FF94B6E
.text C:\WINDOWS\system32\winlogon.exe[752] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\system32\winlogon.exe[752] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\system32\services.exe[796] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\system32\services.exe[796] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\system32\services.exe[796] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\system32\services.exe[796] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\system32\services.exe[796] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\system32\lsass.exe[808] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\system32\lsass.exe[808] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\system32\lsass.exe[808] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\system32\lsass.exe[808] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\system32\lsass.exe[808] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\system32\HPZipm12.exe[868] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\HPZipm12.exe[868] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\HPZipm12.exe[868] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\HPZipm12.exe[868] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\HPZipm12.exe[868] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe[892] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe[892] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe[892] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe[892] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe[892] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\ehome\mcrdsvc.exe[916] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\ehome\mcrdsvc.exe[916] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\ehome\mcrdsvc.exe[916] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\ehome\mcrdsvc.exe[916] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\ehome\mcrdsvc.exe[916] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\MsPMSPSv.exe[1196] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\MsPMSPSv.exe[1196] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\MsPMSPSv.exe[1196] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\MsPMSPSv.exe[1196] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\MsPMSPSv.exe[1196] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1308] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1308] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1308] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1308] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1308] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1368] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1368] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1368] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1368] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1368] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1492] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1492] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1492] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1492] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1492] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1828] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1828] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1828] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1828] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1828] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1892] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF8484E
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1892] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF848DD
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1892] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF848EA
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1892] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF848D3
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1892] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF8492B
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2156] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2156] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2156] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2156] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2156] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2176] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2176] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2176] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2176] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2176] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\dllhost.exe[2228] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\dllhost.exe[2228] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\dllhost.exe[2228] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\dllhost.exe[2228] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\dllhost.exe[2228] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[2456] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[2456] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[2456] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[2456] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[2456] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe[2500] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe[2500] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe[2500] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe[2500] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe[2500] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[2576] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[2576] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[2576] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[2576] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[2576] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2588] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2588] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2588] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2588] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2588] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\System32\alg.exe[2612] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\System32\alg.exe[2612] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\System32\alg.exe[2612] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\System32\alg.exe[2612] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\System32\alg.exe[2612] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\msiexec.exe[3760] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\msiexec.exe[3760] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\msiexec.exe[3760] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\msiexec.exe[3760] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\msiexec.exe[3760] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.reloc C:\WINDOWS\Explorer.EXE[3968] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.reloc C:\WINDOWS\Explorer.EXE[3968] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x01103594]
.text C:\WINDOWS\Explorer.EXE[3968] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\Explorer.EXE[3968] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\Explorer.EXE[3968] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\Explorer.EXE[3968] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\Explorer.EXE[3968] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 20:05:12.39 on Thu 07/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.456 [GMT -6:00]

AV: avast! antivirus 4.8.1229 [VPS 090708-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-24 78416]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-12-18 392824]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-24 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-24 147640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 119808]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-24 250040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-24 348344]
R4 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys --> c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [?]
R4 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\avgascln.sys --> c:\windows\system32\drivers\AvgAsCln.sys [?]

=============== Created Last 30 ================

2009-07-06 16:07 <DIR> --d----- c:\program files\MP3Gain
2009-07-06 15:54 2 a------- c:\windows\0101120101464849.dat
2009-07-06 15:54 1 a------- c:\windows\934fdfg34fgjf23
2009-07-06 15:54 38,400 ----h--- c:\windows\pp10.exe
2009-07-06 15:54 2 a------- c:\windows\010112010146118114.dat
2009-07-06 15:53 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-06 15:48 359,808 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-06 15:45 <DIR> --d----- c:\docume~1\owner\applic~1\AVS4YOU
2009-07-06 15:45 <DIR> --d----- c:\program files\common files\AVSMedia
2009-07-06 15:45 <DIR> --d----- c:\program files\AVS4YOU
2009-07-06 15:30 <DIR> --d----- c:\program files\Audacity
2009-07-02 09:31 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-02 09:31 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-07-01 10:20 24,226 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2009-01-24 11:19 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2007-03-23 18:59 102,400 a------- c:\docume~1\owner\applic~1\ezpinst.exe
2007-03-23 18:59 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys

============= FINISH: 20:05:35.15 ===============
Attached Files
File Type: zip Attach.zip (3.6 KB, 2 views)
darkie14 is offline  

Old 07-11-2009, 08:01 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

Hello -

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from this location:

    Link 1

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-13-2009, 04:14 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Major Infection!!! I Frame Trojan???

My avast program alerted me, but it was too late. I ran the scan from boot and quarantined everything that came up and then ran AVG and Adware. No luck. It started out only if you tried to go online, then avast would light up like a Christmas tree. Now it will not boot up normally, I have to boot up in Safe Mode. I tried restoring to a previous date but it said it couldn't. Here are the DDS and Attach logs. The GMER (ark.text) gave no log to save. The program is hard to see because the resolution is stuck on the lowest setting so some of the buttons on GMER overlap.


DDS (Ver_09-06-26.01) - NTFSx86 MINIMAL
Run by Owner at 16:12:42.64 on Mon 07/13/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.686 [GMT -6:00]

AV: avast! antivirus 4.8.1229 [VPS 090710-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-24 78416]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-12-18 392824]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-24 20560]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-24 147640]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 119808]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-24 250040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-24 348344]

=============== Created Last 30 ================

2009-07-11 06:17 359,808 ac------ c:\windows\system32\dllcache\TCPIP.SYS
2009-07-10 22:04 <DIR> --d----- c:\program files\V CAST Music with Rhapsody
2009-07-10 22:00 <DIR> --d----- c:\program files\LG Electronics
2009-07-06 16:07 <DIR> --d----- c:\program files\MP3Gain
2009-07-06 15:54 2 a------- c:\windows\0101120101464849.dat
2009-07-06 15:54 1 a------- c:\windows\934fdfg34fgjf23
2009-07-06 15:54 38,400 ----h--- c:\windows\pp10.exe
2009-07-06 15:54 2 a------- c:\windows\010112010146118114.dat
2009-07-06 15:53 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-06 15:48 359,808 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-06 15:45 <DIR> --d----- c:\docume~1\owner\applic~1\AVS4YOU
2009-07-06 15:45 <DIR> --d----- c:\program files\common files\AVSMedia
2009-07-06 15:45 <DIR> --d----- c:\program files\AVS4YOU
2009-07-06 15:30 <DIR> --d----- c:\program files\Audacity
2009-07-02 09:31 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-02 09:31 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-07-11 06:17 359,808 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-01 10:20 24,226 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2009-01-24 11:19 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2007-03-23 18:59 102,400 a------- c:\docume~1\owner\applic~1\ezpinst.exe
2007-03-23 18:59 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys

============= FINISH: 16:13:09.34 ===============
Attached Files
File Type: zip Attach.zip (4.3 KB, 0 views)
darkie14 is offline  
Old 07-14-2009, 09:53 AM   #4 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

Sorry, I did not find this original post and thought it got deleted, so I reposted, then I found this one. Big problem... I downloaded the ComboFix and put it on my desktop, ran it, and it came up with an error that said:

!!ALERT!! It is not safe to continue!

The contents of combofix has been compromised. Please download a fresh copy from http://www.bleepingcomputer.com/comb...o-use-combofix

Note: You may be infected with a file patching virus 'Virut'

I followed the instructions and downloaded a fresh copy and got the same error. I am using a laptop to get online and transferring files via SD card. What should I do?
darkie14 is offline  
Old 07-14-2009, 09:57 AM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

Use Safe Mode with Networking

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    C:\WINDOWS\Explorer.EXE

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply, or simply provide the link to the results page.
  • Please repeat for the following files:

    • C:\WINDOWS\system32\winlogon.exe
    • C:\WINDOWS\SYSTEM32\lsass.exe
tetonbob is offline  
Old 07-14-2009, 11:35 AM   #6 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

No can do. :( I can get online, but EVERY time I type in the web site, it takes me to google and from there it keeps going to all sorts of search engines. I can't get to the virus total website. What now???
darkie14 is offline  
Old 07-14-2009, 12:05 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

If the machine is infected with Virut, which is a possibility based on what ComboFix is indicating, but not 100% certainty, which is why I was trying to have you scan other files...if it is Virut, your only recourse is to format.

I wonder if the download and transfer of ComboFix was corrupted by the AntiVirus on the laptop?

Also, if it is Virut, the other machine is at risk if you're transferring files back and forth.

I would first suggest that you delete the existing version of ComboFix on the machine, and then try to download it directly, from Safe mode with networking on the infected machine.
tetonbob is offline  
Old 07-14-2009, 12:11 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

Did that. Same error message. I can get online I just can't get where you want me to go.
darkie14 is offline  
Old 07-14-2009, 12:12 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

Sorry, what same error message, from what?
tetonbob is offline  
Old 07-14-2009, 12:14 PM   #10 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

The one from post #4
darkie14 is offline  
Old 07-14-2009, 12:17 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

Well, that doesn't seem to fit with this comment, which is why I asked:

Quote:
    I can get online I just can't get where you want me to go.

So, you were able to download a new copy of ComboFix from the infected machine just now, and you received the same Alert message?
tetonbob is offline  
Old 07-14-2009, 12:22 PM   #12 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

Yes. I'm sorry. I was able to download the ComboFix and tried to run it but got the error message. After that I can get online, but no matter what I type in the address bar, it takes me to Google then to random search engines.
darkie14 is offline  
Old 07-14-2009, 12:24 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

Based on the infection name from Avast, and the reaction of ComboFix, I'm afraid we have a case of Virut here. I'd like to try to scan a file to confirm that, can you access this page?

http://www.bleepingcomputer.com/subm...php?channel=28
tetonbob is offline  
Old 07-14-2009, 12:37 PM   #14 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

Same thing happens. I restarted in safe mode with networking and signed online. Home page came up then tried to go to bleeping computer and got google instead. I tried to trick it and change the home page to bleeping computer but didn't work.
darkie14 is offline  
Old 07-14-2009, 12:38 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

Can you zip a copy of C:\Windows\explorer.exe and attach it to a reply here?
tetonbob is offline  
Old 07-14-2009, 12:41 PM   #16 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

I will try my best. Give just a minute.
darkie14 is offline  
Old 07-14-2009, 12:43 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

Also, each time I restart there is a program called Antivirus Plus installed on my desktop and in Program Files, with an internet page icon that says EULA. Any ideas what that is?
darkie14 is offline  
Old 07-14-2009, 12:46 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

Rogue "security application", malware. If you have access to your Task Manager, kill the process, or if not, try to X out of it.
tetonbob is offline  
Old 07-14-2009, 12:58 PM   #19 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 29
OS: XP


Re: Infected with hxxp:IFrame-HW[Trj]

I think this is what you wanted.

tetonbob's note:

Attachment deleted, thanks.

Last edited by tetonbob; 07-14-2009 at 01:10 PM. Reason: added note
darkie14 is offline  
Old 07-14-2009, 01:13 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


Re: Infected with hxxp:IFrame-HW[Trj]

Hello -

I've deleted the attachment, thanks for uploading. That was a slightly risky move on my part, I only did it because you've been so swift in replying, and I'm right here right now.

It's as bad as I thought... you can view this thread and the link below from another machine.

http://www.virustotal.com/analisis/b...529-1247598920

Here's the results

Antivirus;Version;Last Update;Result
a-squared;4.5.0.22;2009.07.14;Virus.Win32.Virut.q!IK
AhnLab-V3;5.0.0.2;2009.07.14;-
AntiVir;7.9.0.215;2009.07.14;W32/Virut.Gen
Antiy-AVL;2.0.3.1;2009.07.14;-
Authentium;5.1.2.4;2009.07.14;W32/Virut.AI!Generic
Avast;4.8.1335.0;2009.07.14;Win32:Vitro
AVG;8.5.0.387;2009.07.14;Win32/Virut
BitDefender;7.2;2009.07.14;Win32.Virtob.Gen.12
CAT-QuickHeal;10.00;2009.07.14;W32.Virut.G
ClamAV;0.94.1;2009.07.14;-
Comodo;1650;2009.07.14;-
DrWeb;5.0.0.12182;2009.07.14;Win32.Virut.56
eSafe;7.0.17.0;2009.07.14;-
eTrust-Vet;31.6.6612;2009.07.14;Win32/Virut.17408
F-Prot;4.4.4.56;2009.07.13;W32/Virut.AI!Generic
F-Secure;8.0.14470.0;2009.07.14;Virus.Win32.Virut.ce
Fortinet;3.120.0.0;2009.07.14;W32/Virut.ZI
GData;19;2009.07.14;Win32.Virtob.Gen.12
Ikarus;T3.1.1.64.0;2009.07.14;Virus.Win32.Virut.q
Jiangmin;11.0.706;2009.07.14;-
K7AntiVirus;7.10.792;2009.07.14;-
Kaspersky;7.0.0.125;2009.07.14;Virus.Win32.Virut.ce
McAfee;5676;2009.07.14;W32/Virut.n.gen
McAfee+Artemis;5676;2009.07.14;W32/Virut.n.gen
McAfee-GW-Edition;6.8.5;2009.07.14;Heuristic.LooksLike.Trojan.Crypt.H
Microsoft;1.4803;2009.07.14;Virus:Win32/Virut.BM
NOD32;4243;2009.07.14;Win32/Virut.NBP
Norman;6.01.09;2009.07.14;-
nProtect;2009.1.8.0;2009.07.14;-
Panda;10.0.0.14;2009.07.14;Suspicious file
PCTools;4.4.2.0;2009.07.14;-
Prevx;3.0;2009.07.14;-
Rising;21.38.14.00;2009.07.14;Win32.Virut.bm
Sophos;4.43.0;2009.07.14;W32/Scribble-B
Sunbelt;3.2.1858.2;2009.07.14;Virus.Win32.Virut.ce (v)
Symantec;1.4.4.12;2009.07.14;W32.Virut.CF
TheHacker;6.3.4.3.366;2009.07.14;-
TrendMicro;8.950.0.1094;2009.07.14;PE_VIRUX.J
VBA32;3.12.10.8;2009.07.14;Virus.Win32.Virut.X6
ViRobot;2009.7.14.1835;2009.07.14;-
VirusBuster;4.6.5.0;2009.07.14;-

Additional information
File size: 1052672 bytes
MD5...: 1a4afccf26e869f48d393cd964222e08
SHA1..: 6e08ed949a1007b8a259bd7f674775f664b964f2
SHA256: be022b512f37479ac654b47f9deaa3b8ef9346f6dc3ff50d5438a09fe6655529


Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:

http://miekiemoes.blogspot.com/2009/...-throwing.html
tetonbob is offline  
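The backup advice in the post above (documents only; no .exe/.scr files; no archives that hold them; htm/html/asp/php files treated with suspicion) written out as a small triage script. This is an added example, not code from the thread or from any tool mentioned in it; the sample directory it builds is constructed, and the "MZ" header check is an assumption added here to catch executables that were renamed to a data extension.

```python
"""Backup triage after a Virut-style file-infector diagnosis.

Decision per file (mirrors the advice in the post above):
  copy   - documents and other data files
  skip   - .exe/.scr files, anything with a PE 'MZ' header, zip archives
           holding .exe/.scr members
  review - htm/html/asp/php files (recent variants modify them) and
           cab/rar archives this script does not open
"""
import os
import tempfile
import zipfile
from pathlib import Path

EXECUTABLE_EXT = {".exe", ".scr"}
ZIP_EXT = {".zip"}
OTHER_ARCHIVE_EXT = {".cab", ".rar"}   # not inspected here: hand them to a reviewer
WEB_EXT = {".htm", ".html", ".asp", ".php"}


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the DOS 'MZ' header, whatever its name.
    Assumption added here: the thread talks only about extensions, but a
    renamed executable is still an executable and still a Virut host."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def zip_has_executables(path: Path) -> bool:
    """True if any member of a zip archive is an .exe/.scr file.
    Unreadable archives are treated as unsafe; nested archives are not opened."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(name).suffix.lower() in EXECUTABLE_EXT
                       for name in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return True


def classify(path: Path) -> str:
    """Return 'copy', 'skip' or 'review' for one file."""
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXT or is_pe_file(path):
        return "skip"
    if ext in ZIP_EXT:
        return "skip" if zip_has_executables(path) else "copy"
    if ext in OTHER_ARCHIVE_EXT or ext in WEB_EXT:
        return "review"
    return "copy"


def triage(root) -> dict:
    """Walk root and group the relative paths by decision (sorted lists)."""
    root = Path(root)
    result = {"copy": [], "skip": [], "review": []}
    for p in root.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[classify(p)].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo; none of these are real files."""
    (root / "docs").mkdir()
    (root / "site").mkdir()
    (root / "docs" / "report.txt").write_text("quarterly notes\n")
    (root / "docs" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not a real jpeg")
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "saver.scr").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "renamed.dat").write_bytes(b"MZ" + b"\x00" * 62)  # executable posing as data
    (root / "site" / "index.html").write_text("<html><body>hi</body></html>\n")
    (root / "old.cab").write_bytes(b"MSCF" + b"\x00" * 32)
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("tool.exe", b"MZ stub")          # archive hiding an executable
    with zipfile.ZipFile(root / "data.zip", "w") as zf:
        zf.writestr("notes.txt", "plain text only")  # archive with data only


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage(tmp)


if __name__ == "__main__":
    for decision, files in demo().items():
        print(f"{decision:6s} {files}")
```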
Copyright 2001 - 2009, Tech Support Forum