Hoib

Everything posted by Hoib

  1. Perfect! Thanks for the info. Is this a sticky? And thank you too to FireFox. Hoib
  2. OK, thanks for dropping in. If we get someone from staff to come aboard on it and confirm, it's a "forum sticky" or a FAQ in my book. I'll stand by.... Hoib
  3. A simple question: When I run MBAM on a Windows 7 machine, do I have to run it from each/all accounts and profiles on that machine? IOW, does running MBAM, let's say from the Admin account, clean up all accounts or just the one I'm sitting on? Thanks. Hoib
  4. Please close this thread. I decided that a reinstall of Windows was a necessary move. Serious Boot Sector infection. Able to get user files off, simply reinstall, update Windows and drivers. Reinstall a few progs. 'Nuff said. H
  5. OK, here we go. Brother's machine. Infected by clicking on some sort of International Delivery web-based eMail. I've attached the requested FRST logs. I see on the user account at least three processes that resist stopping. They terminate but come right back on. They are: evlio.exe, doabux.exe and ivegh.exe. Moved the three containing folders for each to never-never-land but they're re-established. No information at Google about these so am coming here for help. Symptoms: Really really slow response. I see none of these in Task Mgr on the Admin side. (I keep user away from Admin rights). I just got prompted to install jvlsetup.exe on the user side which I cancelled. Attempted MBAM from the user side, performed current update. Finds 309 objects; a vast majority of MindSpark crud and PUP.Trojan objects. Hit Remove. Reboot and they're all back. Attempted MBAM from Safe Mode. Finds 0 objects. Will stand by for assistance. Hoib FRST.txt Addition.txt
  6. Please close this thread. Problem has been solved. Thank you MBAM designers! H
  7. Hi - My brother-in-law's system (XP Pro SP3 with AMD dual-core, 4 GB RAM, large disk 25% full) is infected with Personal Shield Pro and XP AntiVirus 2012. I have it at my house for cleaning. There are two accounts, his and his wife's. I used the self help guides (basically a run of MBAM) and worked his account. But the infection is still active on hers. They're both "admin" permitted (yep - we're going to change that!) What should I have done to get to both accounts simultaneously? At present the system is so infected, in Safe Mode on her account, PSP or XP A/V starts up, comes in and takes over. That's a new one on me! Anyway, normal or safe mode, the system is now almost unusable, has trouble booting sometimes. A mess! If I'm going to post logs for help, which account should I use? I can work alone with self-help, but I need to know how to get both accounts cleaned because history shows you do one and the other gets whacked. Any help or direction appreciated. H

     Hi, Miss Elise and everyone else, I am experiencing something similar to http://forums.malwarebytes.org/index.php?showtopic=92976 Here's what happened: I am on Vista SP2. All of my browsers (FF, Chrome, IE) have been hijacked by some redirect malware: searchmagnified.com, fast-find-answers.com and an IP address URL 63.209.69.107 that is probably Scour.com? The hosts file in C:\Windows\System32\drivers\etc is hosts.ics (icalendar file), and 4 other files, is this right for Vista SP2? Also, I experience a BSOD which says something about iastor.sys ( I used MalwareBytes, Esetscan, CCleaner, etc, but to no avail. Should I also disable Windows Defender before I begin ComboFix? Is it very dangerous to use ComboFix? :'( All of this started only yesterday after I got infected by a rogue/scareware Security Protection and MB got rid of it. Thank you all :'( I'm helping my little sister finish her homework, hope we can complete it today. Hi guys, can anyone help me? What should I do first? Download HiJack this?
  8. Hi "screen" - LT is really operating well - 100% better. We've updated drivers and instructed now the correct way to clean and to ensure Endpoint is fully up to date. Didn't touch the RWIN values - my FIOS is not his DSL! I wish I knew more about rootkits and how to analyze and disinfect. Nonetheless - Thank you for your help. Where's the tip jar!? H
  9. OK, done! There's a lot here. I did everything in sequence. However, I went off to some errands and after a couple of hours or so, I came back and apparently this thing went and did a Windows update. It proposed to install IE8. I allowed it. Hope this wasn't bad ju-ju. I will test this now and wait for your next instruction. ComboFix 10-08-08.01 - Admin 08/08/2010 17:44:06.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.279 [GMT -4:00] Running from: c:\hssetups\ComboFix.exe AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Admin\Application Data\alot c:\windows\system32\gotomon.log . ((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 ))))))))))))))))))))))))))))))) . 2010-08-08 21:17 . 2010-08-08 21:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2010-08-08 21:01 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe 2010-08-08 20:30 . 2010-08-08 20:30 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache 2010-08-08 20:28 . 2010-08-08 20:28 -------- d-sh--w- c:\documents and settings\Admin\PrivacIE 2010-08-08 20:26 . 2010-08-08 20:26 -------- d-sh--w- c:\documents and settings\Admin\IETldCache 2010-08-08 20:17 . 2010-08-08 21:05 -------- d-----w- c:\windows\ie8updates 2010-08-08 20:11 . 2010-08-08 20:16 -------- dc-h--w- c:\windows\ie8 2010-08-08 20:06 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2010-08-08 20:06 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll 2010-08-08 20:06 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2010-08-08 20:05 . 
2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll 2010-08-08 11:57 . 2010-08-08 11:57 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes 2010-08-08 11:57 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-08 11:57 . 2010-08-08 11:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-08 11:57 . 2010-08-08 11:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-08-08 11:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-07 17:04 . 2010-08-08 18:54 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Temp 2010-08-07 17:01 . 2010-08-08 18:59 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Google 2010-08-07 16:44 . 2010-08-07 16:44 -------- d-----w- c:\program files\What's my computer doing 2010-08-06 22:43 . 2010-08-06 22:43 -------- d-----w- c:\program files\Defraggler 2010-08-06 22:37 . 2010-08-06 22:37 -------- d-----w- c:\program files\CCleaner 2010-08-06 21:54 . 2010-08-06 21:54 -------- d-----w- c:\program files\VS Revo Group . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-06 22:04 . 2009-01-06 01:22 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com 2010-08-06 22:03 . 2009-01-06 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software 2010-08-06 22:00 . 2009-01-06 03:30 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357} 2010-06-28 00:26 . 2010-06-28 00:26 -------- d-----w- c:\documents and settings\Admin\Application Data\Verizon Wireless 2010-06-28 00:17 . 2010-06-28 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WEngineLite 2010-06-28 00:17 . 
2010-06-28 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless 2010-06-28 00:17 . 2010-06-28 00:17 -------- d-----w- c:\program files\Verizon Wireless 2010-06-28 00:12 . 2010-06-28 00:12 -------- d-----w- c:\program files\PANTECH 2010-06-27 14:27 . 2010-06-27 14:27 -------- d-----w- c:\documents and settings\Admin\Application Data\InstallShield 2010-06-14 17:03 . 2008-12-07 23:42 78480 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-06-14 14:31 . 2008-12-07 20:34 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe 2010-06-14 03:06 . 2010-06-14 03:06 -------- d-----w- c:\documents and settings\Admin\Application Data\MSN6 2010-06-14 03:06 . 2010-06-14 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6 2010-06-14 02:38 . 2010-06-14 02:38 -------- d-----w- c:\documents and settings\Admin\Application Data\Office Genuine Advantage 2010-06-02 23:59 . 2007-06-19 22:08 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys 2010-05-23 01:12 . 2010-05-23 01:12 503808 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-10689328-n\msvcp71.dll 2010-05-23 01:12 . 2010-05-23 01:12 499712 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-10689328-n\jmc.dll 2010-05-23 01:12 . 2010-05-23 01:12 348160 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-10689328-n\msvcr71.dll 2010-05-23 01:12 . 2010-05-23 01:12 61440 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-602bcb97-n\decora-sse.dll 2010-05-23 01:12 . 2010-05-23 01:12 12800 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-602bcb97-n\decora-d3d.dll 2010-05-12 03:27 . 
2009-01-06 03:31 604488 ----a-w- c:\windows\system32\TUProgSt.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-08 136176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2003-01-21 122880] "TMESBS.EXE"="c:\program files\TOSHIBA\TME3\TMESBS32.EXE" [2002-11-30 86016] "TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2003-01-21 69632] "TMEEJME.EXE"="c:\program files\TOSHIBA\TME3\TMEEJME.EXE" [2003-01-21 65536] "TFNF5"="TFNF5.exe" [2001-08-03 73728] "TFncKy"="TFncKy.exe" [bU] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-21 7774208] "NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2003-01-18 458752] c:\documents and settings\All Users\Start Menu\Programs\Startup\ PC Health.lnk - c:\program files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs [2008-12-7 3547] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoRecentDocsNetHood"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC] 2009-12-15 22:13 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring] 2003-09-10 09:47 110592 ----a-w- c:\windows\system32\LgNotify.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start 
Menu^Programs^Startup^RAMASST.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk backup=c:\windows\pss\RAMASST.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^What's my computer doing.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\What's my computer doing.lnk backup=c:\windows\pss\What's my computer doing.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK] 2001-06-24 01:28 24576 ----a-w- c:\windows\system32\000StTHK.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey] 2003-01-17 15:41 253952 ----a-w- c:\windows\system32\00THotkey.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] 2002-12-25 19:38 159744 ----a-w- c:\program files\Apoint2K\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite] 2009-07-31 22:38 283792 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] 2008-02-01 06:25 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2010-08-08 18:47 136176 ----atw- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)] 2010-04-29 10:19 1090952 ----a-w- c:\hssetups\MalwarebytesPortable\App\Malwarebytes\mbam.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\PRONoMgr.exe] 2003-09-02 05:28 86016 ----a-w- c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray] 2002-12-10 15:49 237568 ----a-w- c:\windows\system32\TPWRTRAY.EXE [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "nwiz"=nwiz.exe /install "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit "SMSERIAL"=c:\program files\Motorola\SMSERIAL\sm56hlpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [12/7/2008 6:14 PM 5760] R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [12/7/2008 6:14 PM 86016] R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [12/7/2008 6:14 PM 122880] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/8/2010 12:16 PM 102448] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 2:55 PM 23888] S3 PTUMWBus;PANTECH USB Modem V2 Composite Device 
Driver;c:\windows\system32\drivers\PTUMWBus.sys [6/27/2010 8:12 PM 54544] S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\PTUMWCDF.sys [6/27/2010 8:12 PM 22032] S3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\drivers\PTUMWCSP.sys [6/27/2010 8:12 PM 160400] S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [6/27/2010 8:12 PM 12048] S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [6/27/2010 8:12 PM 160400] S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [6/27/2010 8:12 PM 115216] S3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\drivers\PTUMWNSP.sys [6/27/2010 8:12 PM 160400] S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [6/27/2010 8:12 PM 160400] S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408] . Contents of the 'Scheduled Tasks' folder 2010-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-920026266-1343024091-1003Core.job - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-08 18:47] 2010-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-920026266-1343024091-1003UA.job - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-08 18:47] 2010-08-08 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=EC4A024001CAD9BD0164130E&src_id=11313&camp_id=768&tb_version=2.5.9000.490 DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab . 
- - - - ORPHANS REMOVED - - - - WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file) SafeBoot-Symantec Antvirus ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-08-08 17:49 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1516) c:\program files\Citrix\GoToMyPC\G2WinLogon.dll c:\windows\System32\LgNotify.dll . Completion time: 2010-08-08 17:52:16 ComboFix-quarantined-files.txt 2010-08-08 21:52 Pre-Run: 30,662,905,856 bytes free Post-Run: 30,637,830,144 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn - - End Of File - - D7D1259190D99AB2585D5251FB741917 DDS (Ver_10-03-17.01) - NTFSx86 Run by Admin at 17:53:16.94 on Sun 08/08/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.217 [GMT -4:00] AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\S24EvMon.exe C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe svchost.exe svchost.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\Program 
Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\RegSrvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\WINDOWS\System32\1XConfig.exe C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE C:\WINDOWS\system32\TFNF5.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Admin\Desktop\The Fix\dds.EXE ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=EC4A024001CAD9BD0164130E&src_id=11313&camp_id=768&tb_version=2.5.9000.490 BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll uRun: [Google Update] "c:\documents and settings\admin\local settings\application 
data\google\update\GoogleUpdate.exe" /c mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon mRun: [TMESBS.EXE] c:\program files\toshiba\tme3\TMESBS32.EXE /Client mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service mRun: [TMEEJME.EXE] c:\program files\toshiba\tme3\TMEEJME.EXE mRun: [TFNF5] TFNF5.exe mRun: [TFncKy] TFncKy.exe /Type 25 mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pcheal~1.lnk - c:\program files\toshiba\toshiba management console\TOSHealthLocalS.vbs uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1) IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228687814891 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228689056052 DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll Notify: GoToMyPC - c:\program 
files\citrix\gotomypc\G2WinLogon.dll Notify: Sebring - c:\windows\system32\LgNotify.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ============= SERVICES / DRIVERS =============== R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-12-7 5760] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392] R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-4 2234296] R2 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2008-12-7 86016] R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2008-12-7 122880] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-8 102448] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100808.003\NAVENG.SYS [2010-8-8 85424] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100808.003\NAVEX15.SYS [2010-8-8 1362608] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888] S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [2010-6-27 54544] S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\PTUMWCDF.sys [2010-6-27 22032] S3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\drivers\PTUMWCSP.sys [2010-6-27 160400] S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [2010-6-27 12048] S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [2010-6-27 160400] S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [2010-6-27 115216] S3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\drivers\PTUMWNSP.sys [2010-6-27 160400] S3 
PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [2010-6-27 160400] S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408] =============== Created Last 30 ================ 2010-08-08 21:43:14 0 d-sha-r- C:\cmdcons 2010-08-08 21:41:56 98816 ----a-w- c:\windows\sed.exe 2010-08-08 21:41:56 77312 ----a-w- c:\windows\MBR.exe 2010-08-08 21:41:56 256512 ----a-w- c:\windows\PEV.exe 2010-08-08 21:41:56 161792 ----a-w- c:\windows\SWREG.exe 2010-08-08 21:01:06 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe 2010-08-08 20:30:02 0 d-sh--w- c:\documents and settings\admin\IECompatCache 2010-08-08 20:28:49 0 d-sh--w- c:\documents and settings\admin\PrivacIE 2010-08-08 20:26:23 0 d-sh--w- c:\documents and settings\admin\IETldCache 2010-08-08 20:17:59 0 d-----w- c:\windows\ie8updates 2010-08-08 20:11:44 0 dc-h--w- c:\windows\ie8 2010-08-08 20:06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2010-08-08 20:06:19 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll 2010-08-08 20:06:18 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2010-08-08 20:05:30 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll 2010-08-08 11:57:19 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes 2010-08-08 11:57:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-08 11:57:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-08 11:57:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-08 11:57:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-08-07 16:44:43 0 d-----w- c:\program files\What's my computer doing 2010-08-06 22:43:26 0 d-----w- c:\program files\Defraggler 2010-08-06 22:37:29 0 d-----w- c:\program files\CCleaner 2010-08-06 21:54:33 0 d-----w- c:\program files\VS Revo Group ==================== Find3M ==================== 2010-05-12 03:27:29 604488 ----a-w- c:\windows\system32\TUProgSt.exe ============= FINISH: 
17:53:30.35 =============== Online Scanner - Scanning Report - Sunday, August 8, 2010 20:07:23Scanning Report Sunday, August 8, 2010 18:03:36 - 20:07:23 Computer name: USER-OEPSKKFJFV Scanning type: Scan system for malware, spyware and rootkits Target: C:\ 7 malware found TrackingCookie.Atdmt (spyware) System (Disinfected) Suspicious:W32/Malware!Gemini (spyware) System (Disinfected) TrackingCookie.Doubleclick (spyware) System (Disinfected) TrackingCookie.Webtrends (spyware) System (Disinfected) TrackingCookie.Mediaplex (spyware) System (Disinfected) TrackingCookie.Yieldmanager (spyware) System (Disinfected) Suspicious:W32/Malware!Gemini (virus) C:\PROGRAM FILES\GORDIANKNOT\VSTRIP_GUI.EXE (Not cleaned) Statistics Scanned: Files: 38997 System: 3189 Not scanned: 10 Actions: Disinfected: 6 Renamed: 0 Deleted: 0 Not cleaned: 1 Submitted: 0 Files not scanned: C:\PAGEFILE.SYS C:\WINDOWS\SYSTEM32\CONFIG\SECURITY C:\WINDOWS\SYSTEM32\CONFIG\SAM C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB C:\DOCUMENTS AND SETTINGS\ADMIN\LOCAL SETTINGS\TEMP\HSPERFDATA_ADMIN\2120 C:\DOCUMENTS AND SETTINGS\ADMIN\LOCAL SETTINGS\TEMP\HSPERFDATA_ADMIN\3720 Options Scanning engines: Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR Use advanced heuristics Copyright
  10. Hi screen - thanks for taking the time to help us out. MBAM installed from a thumb drive as was DDS. I can't trust that this thing will connect to any site past the home page. See additional comments below. Two logs pasted per your request. I'm in house all day today... H Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4406 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 8/8/2010 8:06:34 AM mbam-log-2010-08-08 (08-06-34).txt Scan type: Quick scan Objects scanned: 126005 Time elapsed: 8 minute(s), 34 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS (Ver_10-03-17.01) - NTFSx86 Run by Admin at 8:07:29.25 on Sun 08/08/2010 Internet Explorer: 7.0.5730.13 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.132 [GMT -4:00] AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\S24EvMon.exe C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\1XConfig.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\Symantec Endpoint 
      Performance note: IE very sluggish. I was surprised that MBAM was even able to grab an update because it had failed 3 times before yesterday. Endpoint also able to grab its update in the background. So, I'm sitting here wondering if this is solely an IE7 problem or do we truly have bad guys lurking beneath it.

      Further description of symptoms: Launch IE7, calls up homepage (Google) with somewhat reasonable speed (though that's not always dependable). Then if we try to go to another page or search item, progress bar limps along and 9 out of 10 times "IE cannot display the page". I've run the Repair facility numerous times always returning with "Everything's Fine". That's IE. I did try to load on Chrome, but the app failed to initialize and I had to uninstall it. Decided to stop there and come here. Standing by.... H
  11. Hello - I have my friend's laptop here, a Toshiba Satellite Pro M15. We've run some routine maintenance to get it to load pages faster (or load pages at all!). I first ran MBAM with manually applied rules.ref. Found 2 trojans and a Fakeware. Removed and reboot. I've run CCleaner, both cleaning and reg adjustments. Found a lot of gunk. I've defragged and also used ATF. Chkdsk runs through without complaint. He uses Symantec Endpoint as his antimalware prog. I believe SEP shut down updates for some reason and that's how I think he got the bad guys in there. I took out 3 toolbar thingies and some leftover software using RevoUninstaller Free. I took the liberty of running scans with OTL and GMER to get a jump on things. Looking for a guide to help me figure out how to get this back to a usable state.

      Note: When GMER runs it is R-E-A-L sensitive! It doesn't take much for the LT to BSOD while GMER is running or just after it has run. In fact I had to run GMER by setting the StartUp in MSCONFIG to "Diagnostic" mode as I could not get GMER to complete a scan without a BSOD any other way.

      MBAM Log:

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4402

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 7.0.5730.13

      8/7/2010 12:26:20 PM
      mbam-log-2010-08-07 (12-26-20).txt

      Scan type: Full scan (C:\|)
      Objects scanned: 163935
      Time elapsed: 42 minute(s), 27 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 3
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CLASSES_ROOT\CLSID\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
  12. Here's another scan log just completed.

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4244

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      6/26/2010 3:39:52 PM
      mbam-log-2010-06-26 (15-39-52).txt

      Scan type: Quick scan
      Objects scanned: 126096
      Time elapsed: 18 minute(s), 27 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      I think we're clean. Agree? H
  13. I don't know - they're not found any more after another scan just now. So, are we set? H
  14. Oh - did the Qoobox dump show anything to be concerned about? H
  15. I would say they're running pretty good. Scan with MBAM reveals nothing. Scan with ESET SS comes up with 2 harmless tracking cookies - but nothing else. Shall we declare victory? H
  16. Yes, Borislav - I sent it the other day. And now, I've just sent it again a second time. Please let me know if the file is coming through. I've installed ESET now so I feel better about being fully protected. It looks like he installed Google Chrome on June 9 - when the problems started. But he doesn't remember where he was installing it from. I've instructed him to be very careful from now on. Let me know if you have success in reading the file dump. H
  17. We are looking good! Seems to be running fine now. No pop-ups, or new windows opening. Adobe Rdr 7.5 uninstalled. Did the Qoobox dump. What did the report show you? Bonus: Uninstalled MBAM 1.46. Reinstalled MBAM 1.46. No need to rename/redirect. Update now works. Full scan now works. Full scan shows no sign of infection. I'm going to scrap/uninstall SAV 10.0 as it obviously misses stuff. Purchased ESET Smart Security and am set to install that. Are we good to go? H
  18. OK, I think it all went well.
System Checkpoint RP999: 5/2/2010 6:41:53 PM - System Checkpoint RP1000: 5/3/2010 6:42:58 PM - System Checkpoint RP1001: 5/4/2010 7:37:27 PM - System Checkpoint RP1002: 5/10/2010 6:45:07 PM - System Checkpoint RP1003: 5/11/2010 7:12:21 PM - System Checkpoint RP1004: 5/12/2010 8:12:21 PM - System Checkpoint RP1005: 5/13/2010 3:00:23 AM - Software Distribution Service 3.0 RP1006: 5/14/2010 3:12:21 AM - System Checkpoint RP1007: 5/15/2010 4:12:21 AM - System Checkpoint RP1008: 5/16/2010 5:12:21 AM - System Checkpoint RP1009: 5/17/2010 6:12:21 AM - System Checkpoint RP1010: 5/18/2010 7:12:24 AM - System Checkpoint RP1011: 5/19/2010 8:12:23 AM - System Checkpoint RP1012: 5/20/2010 8:15:51 AM - System Checkpoint RP1013: 5/21/2010 9:12:24 AM - System Checkpoint RP1014: 5/22/2010 1:04:33 PM - System Checkpoint RP1015: 5/23/2010 1:10:43 PM - System Checkpoint RP1016: 5/24/2010 1:18:47 PM - System Checkpoint RP1017: 5/25/2010 2:12:24 PM - System Checkpoint RP1018: 5/26/2010 3:00:18 AM - Software Distribution Service 3.0 RP1019: 5/27/2010 7:32:27 AM - System Checkpoint RP1020: 6/1/2010 7:07:46 PM - System Checkpoint RP1021: 6/2/2010 7:36:54 PM - System Checkpoint RP1022: 6/3/2010 8:36:54 PM - System Checkpoint RP1023: 6/4/2010 9:35:49 PM - System Checkpoint RP1024: 6/5/2010 10:35:53 PM - System Checkpoint RP1025: 6/6/2010 11:36:00 PM - System Checkpoint RP1026: 6/8/2010 12:35:49 AM - System Checkpoint RP1027: 6/9/2010 1:35:50 AM - System Checkpoint RP1028: 6/10/2010 2:35:49 AM - System Checkpoint RP1029: 6/11/2010 3:35:51 AM - System Checkpoint RP1030: 6/12/2010 4:35:49 AM - System Checkpoint RP1031: 6/13/2010 5:35:48 AM - System Checkpoint RP1032: 6/14/2010 6:36:01 AM - System Checkpoint RP1033: 6/15/2010 7:33:06 AM - System Checkpoint RP1034: 6/16/2010 7:33:16 AM - System Checkpoint RP1035: 6/17/2010 8:33:17 AM - System Checkpoint RP1036: 6/18/2010 9:33:16 AM - System Checkpoint RP1037: 6/19/2010 10:33:15 AM - System Checkpoint RP1038: 6/20/2010 10:51:54 AM - System 
Checkpoint RP1039: 6/21/2010 4:59:31 PM - System Checkpoint RP1040: 6/21/2010 6:33:26 PM - Revo Uninstaller's restore point - Malwarebytes' Anti-Malware RP1041: 6/22/2010 5:14:52 PM - Revo Uninstaller's restore point - Spybot - Search & Destroy ==== Installed Programs ====================== Adobe Flash Player 10 ActiveX Adobe Reader 7.0.5 BufferChm CCleaner CCScore Comcast High-Speed Internet Install Wizard Comcast Universal Installer v1.2 Critical Update for Windows Media Player 11 (KB959772) CustomerResearchQFolder D4100 D4100_Help DeviceManagementQFolder ESSBrwr ESSCDBK ESScore ESSgui ESSini ESSPCD ESSPDock ESSSONIC ESSTOOLS essvatgt eSupportQFolder Google Chrome Google Earth Google Update Helper Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) Hotfix for Windows XP (KB981793) HP Customer Participation Program 7.0 HP Imaging Device Functions 7.0 HP Photosmart and Deskjet 7.0 Software HP Photosmart Essential HP Solution Center 7.0 HP Update hph_ProductContext hph_readme hph_software hph_software_req HPPhotoSmartExpress HPProductAssistant InstantShareDevicesMFC J2SE Runtime Environment 5.0 Update 6 kgcbase Kodak EasyShare software KSU LiveUpdate 2.6 (Symantec Corporation) Macromedia Flash Player 8 Macromedia Shockwave Player Malwarebytes' Anti-Malware MarketResearch Mavis Beacon Teaches Typing Deluxe 16 MetaFrame Presentation Server Web Client for Win32 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Professional Edition 2003 Microsoft User-Mode Driver Framework Feature Pack 1.0 MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) netbrdg Notifier OfotoXMI PanoStandAlone QuickTime RCA Digital Cable Modem Revo Uninstaller 1.88 Security Update for CAPICOM 
(KB931906) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 7 (KB972260) Security Update for Windows Internet Explorer 7 (KB974455) Security Update for Windows Internet Explorer 7 (KB976325) Security Update for Windows Internet Explorer 7 (KB978207) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security 
Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165) Security Update for Windows XP 
(KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB981349) SFR SHASTA SiS VGA Utilities SiSAGP driver skin0001 SKINXSDK SolutionCenter SoundMAX staticcr Status Symantec AntiVirus Toolbox tooltips TrayApp TuneUp Utilities 2008 Unload Update for Windows Internet Explorer 7 (KB976749) Update for Windows Internet Explorer 7 (KB980182) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) VPRINTOL WebFldrs XP WebReg Windows Media Format 11 runtime Windows Media Player 11 Windows XP Service Pack 3 WinRAR archiver WIRELESS ==== Event Viewer Messages From Past Week ======== 6/22/2010 6:29:44 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SAVRT SAVRTPEL SYMTDI Tcpip 6/22/2010 6:29:44 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning. 6/22/2010 6:29:44 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning. 
6/22/2010 6:29:44 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 6/22/2010 6:29:44 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 6/22/2010 6:28:54 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} 6/22/2010 5:28:39 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service. 6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s). 6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s). 6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s). 6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). 6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s). 6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s). 6/21/2010 6:51:50 PM, error: System Error [1003] - Error code 1000007f, parameter1 0000000d, parameter2 00000000, parameter3 00000000, parameter4 00000000. 
6/20/2010 9:45:40 PM, error: Dhcp [1002] - The IP address lease 71.192.57.121 for the Network Card with network address 0016EC54C937 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message). 6/20/2010 11:46:42 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} 6/20/2010 10:31:19 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56} 6/20/2010 1:52:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 6/20/2010 1:48:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811} 6/20/2010 1:22:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips Processor SAVRT SAVRTPEL SYMTDI 6/20/2010 1:05:15 PM, error: Service Control Manager [7034] - The Symantec AntiVirus Definition Watcher service terminated unexpectedly. It has done this 1 time(s). ==== End Of File =========================== How'd I do? H
  19. OK all went well. CF ran with the parms in CFScript.txt. Here are the logs:

How'd I do? H
  20. Here's my brother-in-law's Dell Dimension 4600 - XP Pro - SP3 - plenty of disk space. He brought it to me as a couple of weeks ago something happened and all sorts of nonsense is going on. When IE or Chrome is launched, it goes to the correct web add but after about a minute or two another window appears advertising Newsmania or Stopzilla or Automaticsystemprofits.com and the list goes on. I used MBAM. the bad guys blocked it so I used a randomly named copy found elsewhere here in the forums. I ran DDS and GMER - logs below. Then, with MBAM, I did a quick scan - found 12 baddies. Removed and rebooted. Baddies remained. I did a full scan. System hung - hard reset. Did full scan in safe mode. Found 12 baddies, remove and reboot. Did a quick scan in norm mode (since full scan won't complete in norm mode) and it found 2 more. Note: Before and during this process, I tried to update MBAM but got this error: <img src="http://img411.imageshack.us/img411/2103/mbamupdateerror62120106.png" alt="Image Hosted by ImageShack.us"/><br/>By <a target="_new" href="http://profile.imageshack.us/user/hoib">hoib</a> at 2010-06-22. Will have to tackle this later, I believe. So I used another computer to download MBAM's update and copies rules.ref to the proper location. Used Spybot which found pretty much the same items as MBAM and also failed to remove half of what it found. I'm going to need some help now to continue cleaning as I'm out of options and need some expert help. Logs follow below. I'll stay engaged because the family needs this back pronto! 
DDS (Ver_10-03-17.01) - NTFSx86
Run by mike dolphin at 18:41:58.45 on Mon 06/21/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1247.512 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\SnagitPortable.exe
C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\App\Snagit\SnagIt32.exe
C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\App\Snagit\TSCHelp.exe
C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\App\Snagit\SnagPriv.exe
C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\App\Snagit\snagiteditor.exe
C:\Documents and Settings\mike dolphin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {dfdcac03-890e-4677-ae82-dac4e3a3407c} - perobewe.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [fimikeyuwa] Rundll32.exe "givobebe.dll",s
mRun: [nulamodiy] Rundll32.exe "c:\windows\system32\bahezido.dll",a
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191791640765
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191792277593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: wudadefi.dll c:\windows\system32\nabehunu.dll c:\windows\system32\galabano.dll c:\windows\system32\nokafolu.dll c:\windows\system32\futavova.dll c:\windows\system32\kiwugilo.dll c:\windows\system32\nuvutame.dll c:\windows\system32\domitena.dll c:\windows\system32\nosinisu.dll c:\windows\system32\lugefulo.dll c:\windows\system32\jidufavu.dll c:\windows\system32\rarepero.dll c:\windows\system32\tupukenu.dll c:\windows\system32\fakafuto.dll c:\windows\system32\ropekibe.dll c:\windows\system32\bahezido.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: juwajejud - {b0f0943a-eac8-4c79-abb9-575e3c80ef2a} - c:\windows\system32\bahezido.dll
STS: mujuzedij: {e7f84a76-87ba-4e3a-9513-fc539134727e} - c:\windows\system32\ropekibe.dll
STS: kupuhivus: {b0f0943a-eac8-4c79-abb9-575e3c80ef2a} - c:\windows\system32\bahezido.dll
LSA: Notification Packages = scecli wudadefi.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100620.006\naveng.sys [2010-6-20 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100620.006\navex15.sys [2010-6-20 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

=============== Created Last 30 ================

2010-06-21 22:41:08 0 ----a-w- c:\documents and settings\mike dolphin\defogger_reenable
2010-06-21 22:37:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-21 22:37:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 22:37:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-21 02:42:49 0 d-----w- C:\The Fixx
2010-06-21 01:47:14 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-21 01:47:14 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-21 01:47:01 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-06-21 01:47:01 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-09 00:39:37 0 d-----w- C:\ProgramData
2010-06-09 00:39:37 0 d-----w- c:\program files\Angle Interactive

==================== Find3M ====================

2010-06-12 11:26:47 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-03-21 20:30:37 99328 --sha-w- c:\windows\system32\bahezido.dll
2010-03-21 01:46:43 99328 --sha-w- c:\windows\system32\fetotava.dll
2009-04-12 19:23:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041220090413\index.dat

============= FINISH: 18:42:37.26 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-21 20:09:15
Windows 5.1.2600 Service Pack 3
Running: 6gc14l33.exe; Driver: C:\DOCUME~1\MIKEDO~1\LOCALS~1\Temp\kxtdypow.sys

---- System - GMER 1.0.15 ----

SSDT 89442088 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xBA495900]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\HPZipm12.exe[236] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00B01A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00B019AB C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00B01A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B01A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00B01B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00B01BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 00B01AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 00B01AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 00B01B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00A41A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00A419AB C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00A41A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A41A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00A41B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00A41BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 00A41AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 00A41AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 00A41B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 01D51A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 01D519AB C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 01D51A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01D51A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 01D51B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 01D51BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 01D51AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 01D51AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 01D51B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 009F1A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 009F19AB C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 009F1A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009F1A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 009F1B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 009F1BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 009F1AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 009F1AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 009F1B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00B71A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00B719AB C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00B71A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B71A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00B71B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00B71BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 00B71AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 00B71AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 00B71B45 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00B31A81 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00B319AB C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00B31A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B31A28 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00B31B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00B31BDF C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 00B31AB8 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 00B31AF7 C:\WINDOWS\system32\wudadefi.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 00B31B45 C:\WINDOWS\system32\wudadefi.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\HPZipm12.exe [236] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [240] 0x00B00000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [408] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [600] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [648] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [668] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe [976] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [1248] 0x00A40000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [1400] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1460] 0x01D50000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [1720] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1792] 0x009F0000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\DefWatch.exe [1924] 0x10000000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2196] 0x00B70000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe [2404] 0x00B30000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\wudadefi.dll 70656 bytes executable
File C:\WINDOWS\system32\begapofi 6456 bytes

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4223

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/22/2010 7:41:21 AM
mbam-log-2010-06-22 (07-41-21).txt

Scan type: Quick scan
Objects scanned: 120723
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4223

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

6/22/2010 7:28:59 AM
mbam-log-2010-06-22 (07-28-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 159874
Time elapsed: 45 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nulamodiy (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fimikeyuwa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Although these logs indicate No Malicious Items, I really want to make sure I got it all. And, I'm not that sure. So, I'm just looking to see if someone else can look things over. Thanks H
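An added triage helper for logs like the ones in the post above. It is not part of Hoib's post, GMER or Malwarebytes; it only reads the two GMER sections that matter here, "User code sections" (inline hooks) and "Processes" (hidden libraries), and answers the question a helper asks first: which DLL is hooking which APIs, in how many processes, and is that same DLL reported hidden? The line format it assumes is the GMER 1.0.15 text layout shown in the log; the sample lines are constructed in that shape. The APIs it classes as "stealth" are the kernel32/PSAPI file- and module-enumeration calls, which is exactly what a user-mode rootkit patches so that Explorer and scanners running inside the same session cannot list its file or its loaded module.

```python
import re
from collections import defaultdict

# One hook entry from the GMER "User code sections" part, e.g.
# .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01D51A28 C:\WINDOWS\system32\wudadefi.dll
HOOK_RE = re.compile(
    r"^\.\w+\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s+(?P<dll>.+?)\s*$"
)

# One "hidden library" entry from the GMER "Processes" part, e.g.
# Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [668] 0x10000000
HIDDEN_RE = re.compile(
    r"^Library\s+(?P<dll>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)

# APIs that directory listings and module listings depend on; hooking them
# is how a user-mode rootkit keeps its own file and module out of sight.
STEALTH_APIS = {
    "GetFileAttributesW", "FindFirstFileExW", "FindNextFileW",   # file enumeration
    "Module32FirstW", "Module32NextW", "EnumProcessModules",      # module enumeration
}

# Constructed sample in the GMER 1.0.15 layout (not the full log from the post).
SAMPLE_GMER = r"""---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 01D519AB C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 01D51A11 C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 01D51B0E C:\WINDOWS\system32\wudadefi.dll
.text C:\WINDOWS\system32\ctfmon.exe[1792] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 009F1B45 C:\WINDOWS\system32\wudadefi.dll
---- Processes - GMER 1.0.15 ----
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1460] 0x01D50000
Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [668] 0x10000000
"""


def parse_gmer(text):
    """Group hook entries by the DLL that owns the JMP target, and collect hidden-library entries."""
    hooks = defaultdict(lambda: {"apis": set(), "processes": set()})
    hidden = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            entry = hooks[m["dll"].lower()]
            entry["apis"].add(m["func"])
            entry["processes"].add(f'{m["process"]}[{m["pid"]}]')
            continue
        m = HIDDEN_RE.match(line)
        if m:
            hidden[m["dll"].lower()].append((m["process"], int(m["pid"]), m["base"]))
    return hooks, hidden


def triage(text):
    """Per hooking DLL: which APIs it patches, how widely, and whether GMER also reports it hidden."""
    hooks, hidden = parse_gmer(text)
    findings = {}
    for dll, info in hooks.items():
        stealth = sorted(info["apis"] & STEALTH_APIS)
        findings[dll] = {
            "hooked_apis": sorted(info["apis"]),
            "stealth_apis": stealth,
            "hooked_process_count": len(info["processes"]),
            "hidden_in": sorted(proc for proc, _, _ in hidden.get(dll, [])),
            # Hooks enumeration APIs *and* is itself invisible: a self-hiding user-mode rootkit.
            "self_hiding": bool(stealth) and dll in hidden,
        }
    return findings


if __name__ == "__main__":
    for dll, f in triage(SAMPLE_GMER).items():
        print(dll)
        print("  hooked APIs       :", ", ".join(f["hooked_apis"]))
        print("  stealth APIs      :", ", ".join(f["stealth_apis"]) or "none")
        print("  hooked processes  :", f["hooked_process_count"])
        print("  hidden in         :", ", ".join(f["hidden_in"]) or "none")
        print("  self-hiding       :", f["self_hiding"])
```

Run against the full GMER log above, the only DLL this reports is wudadefi.dll, hooked into every listed process and flagged hidden in each of them, which is the practical reason a scan launched from inside that session is not a reliable "all clear": the scanner's own directory and module listings pass through the patched APIs. A scan from Safe Mode or from offline media does not have that problem, which is consistent with the Safe Mode MBAM run in the post finding items that the normal-mode run did not.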
  21. OH $#%^&@#!!!! I did not see page 2 Schrauber. I've been refreshing only page 1. My fault and I'll take all the blame!!! I'm so embarrassed! H
  22. OK, good advice! I do understand. I'll give it another day. Right now, I've got another problem - the last step wound up having the system not being able to boot. Logs in and out when a user name is clicked. Let me ask this if you don't mind: Are WhatTheTech and MalWareBytes forums related to each other? H
  23. I'm working on a Dell with Malware abounding. I've enlisted support from another forum (WhatTheTech). We've been going along for over a week with the normal amount of posting and logs/replies and new scans, new cleaning utilities, etc. I last posted a ComboFix log for the volunteer who is helping me 3 days ago. It seems to take 1-2 days to get a reply. Since I'm on the third day and there's no sign of him returning soon, may I please ask if I can bring the problem here, since I've now used MBAM and it's still not cleaned up. Just want to follow the policy closely. But I also would like to get the PC back to my brother as he is anxious. What's the policy here? And, yes I can probably bow out of the other forum gracefully with a note to the moderator(s). H
  24. OK, here's what worked. I loaded the installer for MBAM on the thumbdrive. But at the same time I also grabbed a copy of MS's Malicious Software Removal Tool (MSRT). My thought was run MSRT first because MS usually puts out its tools to do very basic things and it didn't require any installation. Worth a shot? You bet because it found three trojans and stopped them. After a single reboot, no more explorer cycling. Then I was able to uninstall the corrupted MBAM and load on a fresh newer version install of MBAM, did an update, and scanned and cleaned. I repeated MBAM 3 times until MBAM reported all clear. System runs well now. I've ensured that real-time protection is on which was probably my problem in the first place. At least now I know how to install MBAM to a thumb drive so the experience will help in the future. Thanks to all. H
  25. OK, I'll give this a shot. What a nasty little POS this malware is. Not seen this before - but... I'll try to post back results for the next poor soul who lets his grandkids run amok... H