Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Solved: Helping my neighbor, and I could use a hand tidying up. ^^

snowyskies
Senior Member with 125 posts. Join Date: Nov 2005. Experience: I'm starting to code. xD
18-Oct-2009, 12:11 AM #1
Alright, so my neighbor's pretty much computer illiterate but she noticed her computer was running a lot slower than usual. So I paid her a visit, and I've got her family's desktop in my house now. She promised me yummy food when it's fixed, lol.

First question is:

Just by looking through the task manager I can see something dodgy. Right now the target desktop's not currently connected to my family's wifi...should I allow it into the network to get access to patches and tools or should I leave it offline and start carefully transferring things via USB flash drives? Once I know the best way to get HJT to that machine I'll gladly post a log :3

Thanks,
Starry
__________________
Windows 7 rocks my world. <3
"We're in a race between knowledge and catastrophe." ~Dean Kamen
snowyskies
18-Oct-2009, 02:43 PM #2
fell off the first page, bringing it back up :3
snowyskies
20-Oct-2009, 04:16 PM #3
up ye get, thread. XD

Ah, I'd have to head back to the computer in question, but I do recall off the top of my head that there's this gamevance32.exe that looks...rather iffy.
sjpritch25
Moderator with 8,661 posts. Join Date: Sep 2005. Location: Florida. Experience: Advanced
23-Oct-2009, 12:22 PM #4
Welcome to TSG

Do you still require assistance?
snowyskies
23-Oct-2009, 12:23 PM #5
Yes, I could really use the help.

I've not had to remove any sort of adware in a few years and I can't quite manage to read HJT logs myself yet.

Ah, I'm at school at the moment (lunch break between my college courses yay) but I'll be home this evening to the computer in question.
sjpritch25
23-Oct-2009, 12:51 PM #6
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=======================================================

We need to see some additional information about what is happening in your machine.
Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE


=============================================================


Download GMER Antirootkit Here, click on and save to your Desktop
  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | run |type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
    • net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection.
__________________
Microsoft Valuable Professional Consumer--Security 2007-2009
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
snowyskies
23-Oct-2009, 12:54 PM #7
Alright, I'll do that as soon as I'm home. :3 Thank you for the help!

Ah, real quick, should I keep that machine disconnected from the internet and use a flash drive to transfer the installers and updates or should I keep all other machines in the house shut down while I let that one online long enough to get patches and these tools downloaded? I'm not sure which would be more secure for my family's machines.
sjpritch25
23-Oct-2009, 12:56 PM #8
you can take it offline after mbam has updated. yes to everything else.
snowyskies
30-Oct-2009, 06:55 PM #9
alright, I'm finally home for the weekend and I'm starting the scans now :3 Should I do a HJT run before and after these other scans, too?
snowyskies
30-Oct-2009, 09:02 PM #10
Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 3

10/30/2009 8:35:11 PM
mbam-log-2009-10-30 (20-35-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 210544
Time elapsed: 1 hour(s), 14 minute(s), 10 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 7
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Gamevance\gvtl.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvcfglib.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvhlp.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvpop.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvutil.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvwslib.dll (Adware.Gamevance) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\gamevance.linker (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1d22e9e4-f771-4b8d-aa68-ba04e8980e07} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a851c98a-6136-4b02-9ec7-22aaf33e7b97} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da4b6a86-82e7-4a9e-abb9-3b225bc214a4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7370f91f-6994-4595-9949-601fa2261c8d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7370f91f-6994-4595-9949-601fa2261c8d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gamevance.linker.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7545d8c8-f53c-4e2f-8fa0-d248ef4a6e61} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00dbdac8-4691-4797-8e6a-7c6ab89bc441} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fc148228-87e1-4d00-ac06-58dcaa52a4d1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Gamevance (Adware.Gamevance) -> Delete on reboot.

Files Infected:
C:\Program Files\Gamevance\gvtl.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvcfglib.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvhlp.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvpop.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvutil.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvwslib.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
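A small parser for the MBAM log format posted above, added here as an editor's example (not the forum's or Malwarebytes' own code). It groups detections by family, lists the "Delete on reboot" items that only disappear after the restart the instructions ask for, and cross-checks the header counts against the items actually listed so a truncated paste is caught. The embedded log is a constructed, shortened sample in the same format.

```python
import re
from collections import Counter

# Constructed, shortened sample in the Malwarebytes' Anti-Malware 1.41 log format
# seen in the thread. Its header deliberately claims 2 registry keys that are not
# listed below, to exercise the truncated-paste check.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 210544

Memory Processes Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Gamevance\gvtl.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # "Files Infected: 3"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # "Files Infected:"
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary, detections): summary maps each 'X Infected' header line
    to its count; each detection is a dict with section, item, family, action."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Skip the banner lines before the first section and the
        # "(No malicious items detected)" placeholder.
        if section is None or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def families(detections):
    """Count detections per family name, e.g. Adware.Gamevance."""
    return Counter(d["family"] for d in detections)


def pending_reboot(detections):
    """Items MBAM could not delete because they were in use; they stay on disk
    until the restart the instructions ask for, so the cleanup is not done yet."""
    return [d["item"] for d in detections
            if d["action"].lower().startswith("delete on reboot")]


def check_summary(summary, detections):
    """Compare the header counts with the items actually listed. A mismatch
    usually means the poster pasted a truncated log. Returns
    {section: (claimed, listed)} for every section that disagrees."""
    listed = Counter(d["section"] for d in detections)
    return {s: (n, listed.get(s, 0)) for s, n in summary.items()
            if listed.get(s, 0) != n}


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    print("detections by family:", dict(families(dets)))
    print("still present until reboot:", pending_reboot(dets))
    print("summary/listing mismatches:", check_summary(summary, dets))
```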
snowyskies
30-Oct-2009, 10:13 PM #11
I'll post the other two reports once GMER finishes so I can reconnect the machine in question to the internet. ^^

...what does the DDS tool do? I'm rather curious as to why it's a .scr file, I guess. xD

Last edited by snowyskies : 30-Oct-2009 10:49 PM. Reason: Curious Starry's curious. xD
sjpritch25
30-Oct-2009, 10:56 PM #12
okay
snowyskies
30-Oct-2009, 10:57 PM #13
There! Finally finished :3

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 22:50:35.76 on Fri 10/30/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.534 [GMT -4:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEJA.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\gmer.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Microsoft Internet Explorer provided by Comcast
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.comcast.net
mSearch Bar = hxxp://srch-us10.hpwis.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON NX300 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieja.exe /fu "c:\windows\temp\E_S64.tmp" /EF "HKCU"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [VTTimer] VTTimer.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\marketbrowser\lmt\MarketBrowser_Launch.xpy
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: SpSubLSP.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108229645223
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173480141890
DPF: {78FAE917-35E2-4A6B-9B40-000AD226482B} - hxxp://moneycentral.msn.com/cabs/ticker.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxps://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-6 102448]
S2 mrtRate;mrtRate; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

=============== Created Last 30 ================

2009-10-30 23:01:37 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-30 23:01:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 23:01:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 23:01:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 23:01:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 23:52:22 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-01-05 00:12:42 410617 --sha-w- c:\windows\system32\adeeg.bak1
2006-02-22 03:05:11 445729 --sha-w- c:\windows\system32\adeeg.bak2
2006-04-14 22:58:01 445793 --sha-w- c:\windows\system32\adeeg.ini2
2009-01-24 21:49:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012420090125\index.dat

============= FINISH: 22:50:45.92 ===============
snowyskies
30-Oct-2009, 10:57 PM #14
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/2/2004 9:34:33 PM
System Uptime: 10/30/2009 8:36:45 PM (2 hours ago)

Motherboard: ASUSTek Computer INC. | | Kelut
Processor: AMD Athlon(tm) XP 3000+ | Socket A | 2100/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 107 GiB total, 87.459 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.631 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Linksys Wireless-G PCI Adapter
Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_00321737&REV_01\3&61AAA01&1&48
Manufacturer: Linksys, A Division of Cisco Systems, Inc.
Name: Linksys Wireless-G PCI Adapter
PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_00321737&REV_01\3&61AAA01&1&48
Service: RT2500

==== System Restore Points ===================

RP1086: 7/20/2009 7:49:59 PM - System Checkpoint
RP1087: 7/21/2009 8:33:24 PM - System Checkpoint
RP1088: 7/22/2009 8:34:29 PM - System Checkpoint
RP1089: 7/23/2009 11:28:50 PM - System Checkpoint
RP1090: 7/24/2009 11:49:20 PM - System Checkpoint
RP1091: 7/27/2009 5:57:12 PM - System Checkpoint
RP1092: 7/28/2009 4:00:16 PM - Software Distribution Service 3.0
RP1093: 7/29/2009 7:54:29 PM - System Checkpoint
RP1094: 7/30/2009 8:36:09 PM - System Checkpoint
RP1095: 7/31/2009 9:36:09 PM - System Checkpoint
RP1096: 8/1/2009 10:36:09 PM - System Checkpoint
RP1097: 8/2/2009 11:36:09 PM - System Checkpoint
RP1098: 8/3/2009 11:37:14 PM - System Checkpoint
RP1099: 8/5/2009 12:36:03 AM - System Checkpoint
RP1100: 8/6/2009 1:36:02 AM - System Checkpoint
RP1101: 8/7/2009 2:36:03 AM - System Checkpoint
RP1102: 8/8/2009 3:36:05 AM - System Checkpoint
RP1103: 8/9/2009 4:36:03 AM - System Checkpoint
RP1104: 8/10/2009 5:36:02 AM - System Checkpoint
RP1105: 8/11/2009 7:17:02 PM - System Checkpoint
RP1106: 8/12/2009 4:00:31 PM - Software Distribution Service 3.0
RP1107: 8/13/2009 4:17:11 PM - System Checkpoint
RP1108: 8/14/2009 4:00:16 PM - Software Distribution Service 3.0
RP1109: 8/15/2009 4:11:23 PM - System Checkpoint
RP1110: 8/16/2009 5:14:22 PM - System Checkpoint
RP1111: 8/17/2009 6:11:23 PM - System Checkpoint
RP1112: 8/18/2009 7:28:54 PM - System Checkpoint
RP1113: 8/19/2009 7:36:25 PM - System Checkpoint
RP1114: 8/20/2009 8:11:16 PM - System Checkpoint
RP1115: 8/21/2009 9:03:46 PM - System Checkpoint
RP1116: 8/22/2009 9:04:11 PM - System Checkpoint
RP1117: 8/23/2009 10:32:28 PM - System Checkpoint
RP1118: 8/24/2009 10:34:45 PM - System Checkpoint
RP1119: 8/25/2009 11:34:42 PM - System Checkpoint
RP1120: 8/26/2009 4:00:15 PM - Software Distribution Service 3.0
RP1121: 8/27/2009 4:34:34 PM - System Checkpoint
RP1122: 8/28/2009 4:39:14 PM - System Checkpoint
RP1123: 8/29/2009 5:58:35 PM - System Checkpoint
RP1124: 8/30/2009 6:34:35 PM - System Checkpoint
RP1125: 8/31/2009 7:34:34 PM - System Checkpoint
RP1126: 9/1/2009 8:34:34 PM - System Checkpoint
RP1127: 9/2/2009 9:34:26 PM - System Checkpoint
RP1128: 9/3/2009 9:58:11 PM - System Checkpoint
RP1129: 9/4/2009 10:34:27 PM - System Checkpoint
RP1130: 9/5/2009 11:34:28 PM - System Checkpoint
RP1131: 9/7/2009 12:34:27 AM - System Checkpoint
RP1132: 9/8/2009 1:14:37 AM - System Checkpoint
RP1133: 9/9/2009 2:14:36 AM - System Checkpoint
RP1134: 9/10/2009 3:14:36 AM - System Checkpoint
RP1135: 9/10/2009 4:00:26 PM - Software Distribution Service 3.0
RP1136: 9/11/2009 4:14:28 PM - System Checkpoint
RP1137: 9/12/2009 5:14:28 PM - System Checkpoint
RP1138: 9/13/2009 6:00:56 PM - System Checkpoint
RP1139: 9/14/2009 7:09:16 PM - System Checkpoint
RP1140: 9/17/2009 7:38:05 PM - System Checkpoint
RP1141: 10/17/2009 9:25:16 PM - System Checkpoint
RP1142: 10/18/2009 4:00:43 PM - Software Distribution Service 3.0
RP1143: 10/18/2009 5:55:44 PM - Software Distribution Service 3.0
RP1144: 10/30/2009 9:56:10 PM - System Checkpoint

==== Installed Programs ======================
ABBYY FineReader 6.0 Sprint
Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0
Agere Systems PCI Soft Modem
AiO_Scan
AIOMinimal
AiOSoftware
AppCore
Ask Toolbar
Barbie® As Sleeping Beauty
Blackhawk Striker from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Bounce Symphony from Hewlett-Packard Desktops (remove only)
CameraDrivers
ccCommon
ComcastSUPPORT
Component Framework
Copy
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
Director
Disney's Active Play, A Bug's Life
Disney's Mickey Mouse Toddler
DocProc
Easy Internet Sign-up
Epson Easy Photo Print 2
EPSON NX300 Series Printer Uninstall
EPSON Scan
Excavation from Hewlett-Packard Desktops (remove only)
Fax
Five Card Frenzy from Hewlett-Packard Desktops (remove only)
Foxit Reader
HijackThis 1.99.1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Image Zone 3.5
HP Image Zone Plus 3.5
HP Instant Support
HP Organize
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update
hpg2436
hpg3970
hpg4600
hpg5530
hpg8200
HPIZ350
hpmdtab
HpSdpAppCoreApp
HPSystemDiagnostics
HUNT 1.0
InstantShare
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
Java(TM) 6 Update 11
KBD
Learn2 Player (Uninstall Only)
Little Bear Preschool Thinking Adventures
LiveUpdate (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MapSource
MapSource - City Select North America v6
MarketBrowser
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Multimedia Card Reader
MusicIP Mixer 1.7
MusicIP MyDJ Plug-in
MUSICMATCH® Jukebox
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA GART Driver
Octoshape add-in for Adobe Flash Player
OpenOffice.org 2.4
Orbital from Hewlett-Packard Desktops (remove only)
Otto from Hewlett-Packard Desktops (remove only)
Overball from Hewlett-Packard Desktops (remove only)
PC-Doctor for Windows
Phonics 2-3
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
PrintScreen
PS2
PSShortcutsP
QFolder
Quicken 2004
QuickProjects
QuickTime
Readme
RealPlayer
RecordNow!
Rhapsody Player Engine
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
SkinsHP1
SkinsHP2
Slyder from Hewlett-Packard Desktops (remove only)
Sonic Update Manager
SpamSubtract
SPBBC 32bit
Symantec Real Time Storage Protection Component
SymNet
Toolkit View(HP)
TrayApp
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Updates from HP
VIA Rhine-Family Fast-Ethernet Adapter
VIA/S3G Display Driver
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

10/30/2009 6:44:48 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================
snowyskies's Avatar
30-Oct-2009, 10:58 PM #15
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-30 22:53:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxldapow.sys


---- System - GMER 1.0.15 ----

SSDT 85F9A130 ZwAlertResumeThread
SSDT 85F47E08 ZwAlertThread
SSDT 8610AC90 ZwAllocateVirtualMemory
SSDT 86178A10 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF555F020]
SSDT 85FBE270 ZwCreateMutant
SSDT 8614A060 ZwCreateThread
SSDT 863232B8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF555F2A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF555F800]
SSDT 85F03E50 ZwFreeVirtualMemory
SSDT 85E931B8 ZwImpersonateAnonymousToken
SSDT 85F9A0F8 ZwImpersonateThread
SSDT 85EA9168 ZwMapViewOfSection
SSDT 85E93180 ZwOpenEvent
SSDT 860D4670 ZwOpenProcessToken
SSDT 86176C08 ZwOpenSection
SSDT 86280950 ZwOpenThreadToken
SSDT 86260AB8 ZwResumeThread
SSDT 85FF2328 ZwSetContextThread
SSDT 85F89160 ZwSetInformationProcess
SSDT 86072110 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF555FA50]
SSDT 860F3520 ZwSuspendProcess
SSDT 85F47E40 ZwSuspendThread
SSDT 86109998 ZwTerminateProcess
SSDT 85FF22F0 ZwTerminateThread
SSDT 86038188 ZwUnmapViewOfSection
SSDT 860221E8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2AFC 4 Bytes CALL 26D42D22

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.