salp

Hi, got the darn ICE ransom virus/bug somehow on my Dell desktop running Windows XP w/SP3 I can't access the desktop to run Malwarebytes or any other spyware program that I have, I can get to a 'boot device menu' so I could run some type of cleaner off of a flash it seems. thanks

Here is a ESET scan log-- ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=13f2720ce8125541ad365ddd9cfda38d # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2010-01-13 09:50:06 # local_time=2010-01-13 04:50:06 (-0500, Eastern Standard Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 2 # compatibility_mode=512 16777215 100 0 1641563 1641563 0 0 # compatibility_mode=1024 16777175 100 0 2952833 2952833 0 0 # compatibility_mode=5892 16776574 100 100 9934050 103240758 0 0 # compatibility_mode=7937 16777214 0 50 5532614 5533303 0 0 # compatibility_mode=8192 67108863 100 0 15221191 15221191 0 0 # scanned=61220 # found=4 # cleaned=4 # scan_time=2996 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir Win32/TrojanDownloader.FakeAlert.ADG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.ADM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VTR4DODQ\oiCharEl[1].pdf PDF/Exploit.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=13f2720ce8125541ad365ddd9cfda38d # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2010-04-05 09:49:38 # local_time=2010-04-05 05:49:38 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 2 # compatibility_mode=512 16777215 100 0 8723004 8723004 0 0 # compatibility_mode=1024 16777175 100 0 10034274 10034274 0 0 # compatibility_mode=6143 16777215 0 0 0 0 0 0 # compatibility_mode=7937 16777214 0 50 12614055 12614744 0 0 # compatibility_mode=8192 67108863 100 0 22302632 22302632 0 0 # scanned=65703 # found=0 # cleaned=0 # scan_time=6328 # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=13f2720ce8125541ad365ddd9cfda38d # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2010-04-29 12:54:03 # local_time=2010-04-28 08:54:03 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 2 # compatibility_mode=512 16777215 100 0 10721826 10721826 0 0 # compatibility_mode=1024 16777175 100 0 12033096 12033096 0 0 # compatibility_mode=6143 16777215 0 0 0 0 0 0 # compatibility_mode=7937 16777214 0 50 14612877 14613566 0 0 # compatibility_mode=8192 67108863 100 0 24301454 24301454 0 0 # scanned=65578 # found=0 # cleaned=0 # scan_time=5771 ________________________________________________________________________________ ____________________________________ I hope things look good on this machine!

Hi kahdah-- hereis the dds txt on my new used computer DDS (Ver_10-03-17.01) - NTFSx86 Run by JC Surveillance Inc at 23:35:07.53 on Wed 04/28/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1060 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF} FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss c:\Program Files\Microsoft Security Essentials\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\WINDOWS\system32\igfxpers.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft Security Essentials\msseces.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\NETGEAR\WPN111\wpn111.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\JC Surveillance Inc\My Documents\Downloads\dds.com C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe" mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [sigmatelSysTrayApp] stsystra.exe dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe dPolicies-explorer: NoSetActiveDesktop = 1 (0x1) IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxdev.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\jcsurv~1\applic~1\mozilla\firefox\profiles\0evo8ztb.default\ FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: XUL Cache: {3507B79D-BAEB-4E98-B24C-B9BD25991D82} - c:\documents and settings\jc surveillance inc\local settings\application data\{3507B79D-BAEB-4E98-B24C-B9BD25991D82} FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: browser.cache.memory.capacity - 65536 FF - user.js: browser.chrome.favicons - false FF - user.js: browser.display.show_image_placeholders - true FF - user.js: browser.turbo.enabled - true FF - user.js: browser.urlbar.autocomplete.enabled - true FF - user.js: browser.urlbar.autofill - true FF - user.js: content.interrupt.parsing - true FF - user.js: content.max.tokenizing.time - 2250000 FF - user.js: content.notify.backoffcount - 5 FF - user.js: content.notify.interval - 750000 FF - user.js: content.notify.ontimer - true FF - user.js: content.switch.threshold - 750000 FF - user.js: network.http.max-connections - 48 FF - user.js: network.http.max-connections-per-server - 16 FF - user.js: network.http.max-persistent-connections-per-proxy - 16 FF - user.js: network.http.max-persistent-connections-per-server - 8 FF - user.js: network.http.pipelining - true FF - user.js: network.http.pipelining.firstrequest - true FF - user.js: network.http.pipelining.maxrequests - 8 FF - user.js: network.http.proxy.pipelining - true FF - user.js: network.http.request.max-start-delay - 0 FF - user.js: nglayout.initialpaint.delay - 0 FF - user.js: plugin.expose_full_path - true FF - user.js: ui.submenuDelay - 0 c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-2 64288] R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-9-29 51984] R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-9-29 59664] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-29 216200] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-29 29512] R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-29 242896] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040] R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 66632] R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-19 308064] R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-8-14 17149] R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-7-26 362944] S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-2-8 311568] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1284840] S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?] S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872] S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-9-29 33552] S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-4-17 85504] =============== Created Last 30 ================ 2010-04-26 00:02:53 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-04-16 18:42:09 1374 ----a-w- c:\windows\imsins.BAK 2010-04-07 08:16:11 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-04-04 10:06:58 0 d-----w- c:\program files\Roxio ==================== Find3M ==================== 2010-04-21 13:32:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-19 19:03:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2010-03-19 19:02:01 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll 2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll 2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe 2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys 2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2010-02-17 15:57:54 2063744 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe 2010-02-16 17:37:57 2186880 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe 2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe 2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe 2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\dllcache\6to4svc.dll 2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:01:43 226880 ----a-w- c:\windows\system32\dllcache\tcpip6.sys 2009-09-04 12:59:25 19395 ----a-w- c:\program files\common files\inucaf.sys 2009-09-04 12:59:25 17544 ----a-w- c:\program files\common files\hiden.dat 2009-09-04 12:59:25 14896 ----a-w- c:\program files\common files\elexuk.exe 2009-09-04 12:59:25 13452 ----a-w- c:\program files\common files\erug.ban 2009-09-04 12:59:25 12945 ----a-w- c:\program files\common files\cypizamaq._sy 2009-08-14 03:43:54 8 --sha-r- c:\windows\system32\18006624F4.sys 2007-06-09 02:45:58 88 -csha-r- c:\windows\system32\F1D74CB742.sys 2009-07-10 21:27:10 8 --sha-r- c:\windows\system32\FCF4F4C102.sys 2009-10-03 16:37:17 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 23:35:52.50 ===============

Thank you so much Kahdah!! everything seems to be back to normal for now One last question, during this infection process I bought a used desktop, the previous owner said it was once riddled with 'adware' how can I check it if MalwareBytes picks up nothing?

Hi, I ran the Combofix /uninstall -- it seemed to work o/k But your 2nd step of -- Double click on OTL to run it. has me a bit confused, I don't recall this procedure? I then looked at the 3rd step of updating Java -- the link you gave does NOT have the choice mention, but has a choice of JDK 6 Update 19 with JavaFX SDK or JDK 6 Update 19 with NetBeans 6.8 If I change pages, I found a Java SE Runtime Environment 6u20 should I use that one? Thanx, salp

All seems to be running o/k for a couple of days! Is it possible that it's running clean enough to do some online payments? Thank you so much for your help!!

========================================================================= ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=b8bac8f94096234c8dd71244be6210a7 # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2010-04-05 04:13:21 # local_time=2010-04-05 12:13:21 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=1024 16777175 100 0 0 0 0 0 # compatibility_mode=6143 16777215 0 0 0 0 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=55322 # found=1 # cleaned=1 # scan_time=8699 C:\Program Files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe Win32/Adware.HiWire application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C esets_scanner_update returned -1 esets_gle=53251

========================================================================= Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 3930 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/4/2010 6:18:43 PM mbam-log-2010-04-04 (18-18-43).txt Scan type: Full scan (C:\|) Objects scanned: 161448 Time elapsed: 1 hour(s), 9 minute(s), 15 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) I also ran Spybot Search & Destroy -- only picked up a couple of FireFox cookies -- And ran Super AntiSpyware, nothing

Hi kahdah, thank you so much for helping me -- here are the ComboFix & TDSSKiller logs -- ComboFix 10-03-20.06 - pats 03/21/2010 15:29:05.1.1 - x86 Running from: c:\documents and settings\pats\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\recycler\NPROTECT c:\recycler\S-1-5-21-477365121-4083767938-562202453-1007 c:\windows\system32\drivers\tsk5A.tmp . . . is infected!! . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TDSSSERV ((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 ))))))))))))))))))))))))))))))) . 2010-03-21 18:54 . 2010-03-21 18:54 36488 ----a-w- c:\windows\system32\drivers\klmd.sys 2010-03-18 04:07 . 2010-03-02 18:16 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-03-17 18:15 . 2010-03-17 18:15 -------- d-s---w- c:\documents and settings\NetworkService\UserData 2010-03-17 14:08 . 2010-03-17 14:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities 2010-03-10 18:39 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-03-02 18:15 . 2010-03-19 17:17 1597440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2010-03-02 18:15 . 2010-03-19 17:17 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2010-03-02 18:15 . 2010-03-19 17:17 1263728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe 2010-03-02 18:11 . 2010-03-02 18:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} 2010-03-02 18:11 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe 2010-02-28 05:15 . 2010-02-28 05:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-21 19:23 . 2001-08-17 19:51 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-03-21 04:07 . 2009-12-02 17:50 117760 ----a-w- c:\documents and settings\pats\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-03-19 20:28 . 2006-02-06 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-03-19 20:25 . 2005-12-21 19:25 -------- d-----w- c:\program files\CCleaner 2010-03-19 17:18 . 2010-03-02 18:16 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2010-03-19 17:18 . 2010-03-02 18:16 210552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2010-03-19 17:18 . 2010-03-02 18:16 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2010-03-19 17:18 . 2010-03-02 18:16 565392 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll 2010-03-19 17:18 . 2010-03-02 18:16 221920 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll 2010-03-19 17:18 . 2010-03-02 18:16 430496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2010-03-19 17:17 . 2010-03-02 18:16 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2010-03-19 17:17 . 2010-03-02 18:16 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2010-03-19 17:17 . 2010-03-02 18:16 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2010-03-19 17:17 . 2010-03-02 18:16 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2010-03-19 17:17 . 2010-03-02 18:16 848160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2010-03-19 17:17 . 2010-03-02 18:16 855352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2010-03-02 18:16 . 2010-03-02 18:16 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll 2010-03-02 18:16 . 2010-03-02 18:16 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2010-03-02 18:16 . 2010-03-02 18:16 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll 2010-03-02 18:16 . 2010-03-02 18:16 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll 2010-03-02 18:16 . 2010-03-02 18:16 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2010-03-02 18:16 . 2010-03-02 18:16 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll 2010-03-02 18:10 . 2009-07-29 04:48 -------- d-----w- c:\program files\Lavasoft 2010-03-02 18:10 . 2007-12-29 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2010-02-26 19:00 . 2008-09-23 22:19 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-02-24 14:16 . 2009-10-06 23:55 181632 ------w- c:\windows\system32\MpSigStub.exe 2010-02-13 13:46 . 2009-07-28 08:06 -------- d-----w- c:\program files\McAfee 2010-02-04 15:53 . 2010-03-02 18:16 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2010-01-29 01:01 . 2002-02-28 20:51 68416 -c--a-w- c:\documents and settings\pats\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-01-29 00:36 . 2008-04-03 01:28 -------- d-----w- c:\program files\Microsoft Silverlight 2010-01-13 18:45 . 2009-12-20 09:05 52224 ----a-w- c:\documents and settings\pats\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-01-12 20:40 . 2009-12-31 20:05 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-01-07 21:07 . 2009-09-14 03:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-07 21:07 . 2009-09-14 03:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-22 05:21 . 2004-08-24 01:32 667136 ----a-w- c:\windows\system32\wininet.dll 2009-12-22 05:20 . 2004-12-07 23:57 81920 ------w- c:\windows\system32\ieencode.dll 2004-08-04 05:56 . 2006-12-23 07:21 73728 -csha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe 2009-11-10 19:51 . 2009-11-10 19:51 56320 --sha-r- c:\windows\SYSTEM32\QNAD.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816] c:\documents and settings\pats\Start Menu\Programs\Startup\ Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2002-4-17 196608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\WPN111.exe [2008-8-25 884838] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2002-01-09 01:42 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2007-07-15 21:37 77824 ----a-w- c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2009-10-27 12:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ACS"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\SYSTEM32\\USMT\\migwiz.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"= "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"= "c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"= "c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"= "c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"= "c:\\Program Files\\NETGEAR\\WPN111\\WPN111.exe"= "c:\\Program Files\\Microsoft Picture It! 2002\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\America Online 9.0\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1177770550\\ee\\aolsoftware.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/2/2010 2:16 PM 64288] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/26/2008 1:57 PM 335240] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/26/2008 1:57 PM 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 9:43 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 66632] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/7/2001 1:23 AM 908056] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/7/2001 1:23 AM 297752] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1263728] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/28/2009 4:08 AM 93320] R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [8/6/2001 3:41 PM 28672] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/23/2007 11:20 PM 24652] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\DNINDIS5.sys [8/25/2008 9:36 PM 17149] R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [10/3/2000 5:18 PM 6942] R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\SYSTEM32\DRIVERS\WPN111.sys [9/16/2008 2:39 PM 362944] S2 ExtractorServiceNPF04;DeepSight Extractor Service for NPF04;c:\program files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe --> c:\program files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe [?] S3 AR5513;%ATHER.Service.DispName%;c:\windows\system32\DRIVERS\ar5513.sys --> c:\windows\system32\DRIVERS\ar5513.sys [?] S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\SYSTEM32\AWINDIS5.SYS [4/4/2005 5:55 PM 16194] S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg311tn5.sys --> c:\windows\system32\DRIVERS\wg311tn5.sys [?] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 12872] S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?] S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [11/27/2009 2:20 PM 85504] . Contents of the 'Scheduled Tasks' folder 2010-03-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:17] 2010-03-21 c:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2008-04-05 20:55] 2010-03-21 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://connecticut.cox.net/cci/home uInternet Connection Wizard,ShellNext = hxxp://education.dellnet.com/ uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s Trusted Zone: aol.com\www Trusted Zone: bestbuy.com\www Trusted Zone: ebates.com\www Trusted Zone: eprize.net\degree Trusted Zone: monster.com Trusted Zone: nascar.com\poll Trusted Zone: nascar.com\www Trusted Zone: oldnavy.com Trusted Zone: olx.com\www Trusted Zone: paypal.com Trusted Zone: radiomat.com\www Trusted Zone: staples.com\www Trusted Zone: wfsb.com Trusted Zone: www.ebay Trusted Zone: www.shoplocal Trusted Zone: yahoo.com\www DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/multi/patch/prog/UpdateAdvisor.cab DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - hxxp://members.driverguide.com/director/dispatch_getfile.php?mode=toolkit_lite FF - ProfilePath - c:\documents and settings\pats\Application Data\Mozilla\Firefox\Profiles\ez8wrl8h.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . - - - - ORPHANS REMOVED - - - - SafeBoot-klmdb.sys AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-03-21 15:49 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\atapi] "ImagePath"="system32\drivers\tsk5A.tmp" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2225589205-1163395192-3403473811-1006\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] @DACL=(02 0000) "Installed"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] @DACL=(02 0000) "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] @DACL=(02 0000) "Installed"="1" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(648) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\msacm32.drv - - - - - - - > 'explorer.exe'(3756) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\rundll32.exe c:\program files\Common Files\AOL\ACS\AOLacsd.exe c:\windows\System32\locator.exe c:\windows\wanmpsvc.exe c:\windows\System32\wbem\unsecapp.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\Webshots.scr c:\program files\Lavasoft\Ad-Aware\AAWTray.exe . ************************************************************************** . Completion time: 2010-03-21 16:05:00 - machine was rebooted ComboFix-quarantined-files.txt 2010-03-21 20:04 Pre-Run: 27,741,253,632 bytes free Post-Run: 27,958,919,168 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn - - End Of File - - A8819A617532CEE6BB4908EAEAE1ACBF TDSS rootkit removing tool, Kaspersky Lab, 2010 version 2.2.8 Mar 10 2010 155320 Scanning Services ... Scanning Kernel memory ... Driver atapi infected by TDSS rootkit! File CWINDOWSsystem32DRIVERSatapi.sys infected by TDSS rootkit ... will be cured on next reboot Completed Results Memory objects infected cured cured on reboot 1 0 0 Registry objects infected cured cured on reboot 0 0 0 File objects infected cured cured on reboot 1 0 1 To finalize removal of infection and avoid loosing of data program will reboot your PC now. Close all programs and choose Y to restart or N to continue ================================================================= what would be my next step to get rid of the @%(#!/?^ infection? and again thanx!

Hi all! I've been running pretty 'clean' with Mbytes until the other day when I got the XP Smart Security 2010 pop-ups, I immediately disconnected from the net & ran Mbytes - No results - ran Super Anti-Spyware - No results -ran AVG free AntiVirus - No results - ran Spybot Search & Destroy - just some FireFox cookies found - kept getting the pop-ups - in task manager, ave.exe was the process that started each time with the pop-ups - kept ending the process while searching for the file ave,exe & deleted the file, that stopped the XP Smart Security 2010 pop-ups but now when using fireFox I get random spam/phishing site pop-ups & seems like my google search in FireFox is hacked, I also can NOT open Internet Explorer! As requested in-> I'm infected - What do I do now?, Please follow these instructions to clean your system--here are the logs... DDS- UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_10-03-17.01) Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume2 Install Date: 1/26/2002 11:11:46 AM System Uptime: 3/18/2010 2:28:01 PM (24 hours ago) Motherboard: Dell Computer Corporation | | Dimension 4300 Processor: Intel® Pentium® 4 CPU 1.60GHz | Microprocessor | 1595/100mhz ==== Disk Partitions ========================= A: is Removable C: is FIXED (NTFS) - 37 GiB total, 25.397 GiB free. D: is CDROM () ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP66: 1/9/2010 2:02:31 PM - System Checkpoint RP67: 1/12/2010 3:59:05 PM - System Checkpoint RP68: 1/13/2010 12:03:18 PM - Software Distribution Service 3.0 RP69: 1/14/2010 11:34:09 AM - Software Distribution Service 3.0 RP70: 1/15/2010 12:37:46 PM - System Checkpoint RP71: 1/16/2010 3:59:04 PM - System Checkpoint RP72: 1/17/2010 5:31:05 PM - System Checkpoint RP73: 1/18/2010 7:27:34 PM - System Checkpoint RP74: 1/19/2010 2:52:21 AM - Software Distribution Service 3.0 RP75: 1/20/2010 4:16:45 AM - System Checkpoint RP76: 1/21/2010 5:35:39 AM - System Checkpoint RP77: 1/22/2010 7:38:02 AM - System Checkpoint RP78: 1/23/2010 10:06:24 AM - System Checkpoint RP79: 1/23/2010 12:30:26 PM - Software Distribution Service 3.0 RP80: 1/24/2010 6:10:25 PM - System Checkpoint RP81: 1/26/2010 12:08:47 AM - System Checkpoint RP82: 1/26/2010 10:56:29 PM - Software Distribution Service 3.0 RP83: 1/27/2010 9:58:07 AM - Software Distribution Service 3.0 RP84: 1/28/2010 2:35:29 PM - System Checkpoint RP85: 1/28/2010 11:14:53 PM - Software Distribution Service 3.0 RP86: 1/30/2010 6:20:48 AM - System Checkpoint RP87: 1/31/2010 6:46:19 AM - System Checkpoint RP88: 2/1/2010 6:47:35 AM - System Checkpoint RP89: 2/2/2010 12:44:34 PM - System Checkpoint RP90: 2/2/2010 7:53:18 PM - Windows Defender Checkpoint RP91: 2/2/2010 9:15:00 PM - Software Distribution Service 3.0 RP92: 2/4/2010 1:04:40 AM - System Checkpoint RP93: 2/4/2010 11:31:49 AM - Avg8 Update RP94: 2/4/2010 1:18:47 PM - Software Distribution Service 3.0 RP95: 2/5/2010 4:52:48 PM - System Checkpoint RP96: 2/6/2010 8:11:32 PM - System Checkpoint RP97: 2/7/2010 9:56:20 PM - System Checkpoint RP98: 2/8/2010 11:48:08 PM - System Checkpoint RP99: 2/9/2010 2:43:02 AM - Software Distribution Service 3.0 RP100: 2/9/2010 7:51:26 PM - Software Distribution Service 3.0 RP101: 2/10/2010 8:23:45 PM - System Checkpoint RP102: 2/11/2010 10:23:51 PM - System Checkpoint RP103: 2/12/2010 10:31:53 AM - Software Distribution Service 3.0 RP104: 2/13/2010 11:29:15 AM - System Checkpoint RP105: 2/14/2010 12:40:13 PM - System Checkpoint RP106: 2/15/2010 2:23:19 PM - System Checkpoint RP107: 2/15/2010 5:40:47 PM - Software Distribution Service 3.0 RP108: 2/16/2010 7:56:48 PM - System Checkpoint RP109: 2/17/2010 12:53:16 PM - Windows Defender Checkpoint RP110: 2/18/2010 12:54:19 PM - System Checkpoint RP111: 2/19/2010 1:00:55 AM - Software Distribution Service 3.0 RP112: 2/26/2010 1:51:57 PM - Software Distribution Service 3.0 RP113: 2/27/2010 7:50:33 PM - System Checkpoint RP114: 2/28/2010 8:16:49 PM - System Checkpoint RP115: 3/2/2010 12:28:35 PM - Software Distribution Service 3.0 RP116: 3/5/2010 1:38:10 PM - Software Distribution Service 3.0 RP117: 3/6/2010 2:08:40 PM - System Checkpoint RP118: 3/7/2010 4:51:40 PM - System Checkpoint RP119: 3/8/2010 10:27:23 AM - Software Distribution Service 3.0 RP120: 3/9/2010 4:09:47 PM - System Checkpoint RP121: 3/10/2010 8:18:29 AM - Avg8 Update RP122: 3/10/2010 1:40:27 PM - Software Distribution Service 3.0 RP123: 3/11/2010 1:37:03 PM - Software Distribution Service 3.0 RP124: 3/12/2010 3:01:29 PM - System Checkpoint RP125: 3/13/2010 6:10:26 PM - System Checkpoint RP126: 3/14/2010 7:14:47 PM - System Checkpoint RP127: 3/15/2010 2:47:30 PM - Software Distribution Service 3.0 RP128: 3/16/2010 5:04:14 PM - System Checkpoint RP129: 3/17/2010 5:23:07 PM - System Checkpoint RP130: 3/18/2010 6:17:10 PM - System Checkpoint RP131: 3/19/2010 8:50:23 AM - Avg8 Update RP132: 3/19/2010 8:52:09 AM - Avg8 Update ==== Installed Programs ====================== Ad-Aware Ad-Aware Email Scanner for Outlook Adobe Flash Player 10 Plugin Adobe Flash Player ActiveX Adobe Reader 7.0.9 Adobe Shockwave Player Agilysys Web File Viewer AOL Uninstaller (Choose which Products to Remove) ATI Display Driver AusLogics Disk Defrag AutoUpdate AVG Free 8.5 CCleaner Critical Update for Windows Media Player 11 (KB959772) DelFin Media Viewer Dell Driver Reset Tool Dell Solution Center Dell Support 5.0.0 (630) DellTouch DivX Codec DivX Player DivX Web Player Easy CD Creator 5 Basic EPSON Printer Software ESSBrwr ESSCDBK ESScore ESSCT ESSEMAIL ESSgui ESShelp ESSini ESSPCD ESSSONIC ESSTOOLS essvatgt essvcpt ESSvpaht ESSvpot Exterminate3 Generic - HCF PCI Modem Glary Utilities 2.14.0.711 Help and Support Customization HLPIndex HLPSFO Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) Intel® Processor ID Utility J2SE Runtime Environment 5.0 Update 5 J2SE Runtime Environment 5.0 Update 6 Java 2 Runtime Environment, SE v1.4.2_08 Kodak EasyShare software KSU LeadTool Logitech MouseWare 9.79.1 Malwarebytes' Anti-Malware McAfee SiteAdvisor Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Data Access Components KB870669 Microsoft Encarta Encyclopedia Standard 2002 Microsoft Money 2002 Microsoft Money 2002 System Pack Microsoft Picture It! Photo 2002 Microsoft Silverlight Microsoft Streets and Trips 2002 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Word 2002 Microsoft Works 2002 Setup Launcher Microsoft Works 6.0 Microsoft Works Suite Add-in for Microsoft Word Modem Helper Mozilla Firefox (3.0.14) MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MusicMatch Jukebox MyDeluxeInvoices & Estimates NETGEAR RangeMax Wireless USB 2.0 Adapter WPN111 Notifier OfotoXMI OTtBP OTtBPSDK PC Matic 1.0.0.0 PCDADDIN PCDHELP PCDrdsho PhoneTools PowerDVD RealPlayer Security Update for CAPICOM (KB931906) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Media Player 9 (KB911565) Security Update for Windows Media Player 9 (KB917734) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950759) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953838) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969897) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB972260) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974455) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB976325) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978706) SFR SFR2 SHASTA Shockwave Shockwave Player SKIN0001 SKINXSDK SoundMAX Spybot - Search & Destroy SUPERAntiSpyware Free Edition System Requirements Lab TBS WMP Plug-in Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Update for Windows XP (KB976749) Update for Windows XP (KB978207) Viewpoint Manager (Remove Only) Viewpoint Media Player Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 VPRINTOL WebCyberCoach 3.2 Dell WebFldrs XP WebIQ Client Software Webshots! Windows Defender Windows Defender Signatures Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage v1.3.0254.0 Windows Genuine Advantage Validation Tool (KB892130) Windows Media Format 11 runtime Windows Media Player 11 Windows XP Service Pack 3 WIRELESS Works Suite OS Pack Works Synchronization ==== Event Viewer Messages From Past Week ======== 3/19/2010 8:53:23 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service. 3/17/2010 9:51:34 AM, error: System Error [1003] - Error code 100000d1, parameter1 00035de8, parameter2 00000002, parameter3 00000000, parameter4 edcc6d0f. 3/17/2010 9:49:41 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory. 3/17/2010 9:49:41 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver. 3/17/2010 5:07:36 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s). 3/17/2010 2:00:43 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s). 3/17/2010 10:22:34 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.2 with the system having network hardware address 00:24:8D:13:2B:D5. Network operations on this system may be disrupted as a result. 3/15/2010 11:16:21 AM, error: Service Control Manager [7034] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). 3/15/2010 11:16:15 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AOL Connectivity Service service to connect. 3/15/2010 11:16:15 AM, error: Service Control Manager [7000] - The AOL Connectivity Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 3/14/2010 8:31:43 PM, error: WPN111 [43] - 3/14/2010 12:23:18 PM, error: System Error [1003] - Error code 100000d1, parameter1 00035de8, parameter2 00000002, parameter3 00000000, parameter4 edb86d0f. 3/12/2010 9:04:48 PM, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 00184D340B6A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message). ==== End Of File =========================== Attach- DDS (Ver_10-03-17.01) - NTFSx86 Run by pats at 14:10:56.46 on Fri 03/19/2010 Internet Explorer: 6.0.2900.5512 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.71 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\rundll32.exe svchost.exe C:\WINDOWS\Nhksrv.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\NETGEAR\WPN111\WPN111.exe C:\Program Files\Webshots\WebshotsTray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Documents and Settings\pats\Desktop\dds.com ============== Pseudo HJT Report =============== uStart Page = hxxp://connecticut.cox.net/cci/home uDefault_Page_URL = hxxp://education.dellnet.com/ uInternet Connection Wizard,ShellNext = hxxp://education.dellnet.com/ uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll mWinlogon: Userinit=c:\windows\system32\userinit.exe BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRunServices: [AolAcsDaemon1] c:\progra~1\common~1\aol\acs\acsd.exe StartupFolder: c:\docume~1\pats\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\WebshotsTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\WPN111.exe mPolicies-system: EnableLUA = 0 (0x0) IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll Trusted Zone: aol.com\www Trusted Zone: bestbuy.com\www Trusted Zone: ebates.com\www Trusted Zone: eprize.net\degree Trusted Zone: monster.com Trusted Zone: nascar.com\poll Trusted Zone: nascar.com\www Trusted Zone: oldnavy.com Trusted Zone: olx.com\www Trusted Zone: paypal.com Trusted Zone: radiomat.com\www Trusted Zone: staples.com\www Trusted Zone: wfsb.com Trusted Zone: www.ebay Trusted Zone: www.shoplocal Trusted Zone: yahoo.com\www DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/PCPitStop.CAB DPF: {11818680-FCF6-11D0-9808-0800092A4865} - hxxp://www.jud2.state.ct.us/webforms/Codebase/FormCtl.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pctuneup.com/internet/pcpConnCheck.cab DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} - hxxp://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://pictures.aolcdn.com/ap/Resources/1.2.0.38/cab/aolpPlugins.10.1.0.0.cab DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - hxxp://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxps://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - hxxp://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://www.pcpitstop.com/pestscan/pestscan.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166856996890 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/multi/patch/prog/UpdateAdvisor.cab DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxps://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/SymAData.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxp://www.symantec.com/techsupp/activedata/ActiveData.cab DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} - hxxp://www.jud2.state.ct.us/webforms/codebase/fontinstaller.cab DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - hxxp://members.driverguide.com/director/dispatch_getfile.php?mode=toolkit_lite DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstop2.dll TCP: NameServer = 208.67.220.220,208.67.222.222 Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll Notify: avgrsstarter - avgrsstx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\pats\applic~1\mozilla\firefox\profiles\ez8wrl8h.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-2 64288] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-26 335240] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-26 27784] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-26 108552] R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 66632] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2001-12-7 908056] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2001-12-7 297752] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-28 93320] R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-23 24652] R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-8-25 17149] R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942] R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872] R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2008-9-16 362944] S2 ExtractorServiceNPF04;DeepSight Extractor Service for NPF04;c:\program files\symantec\deepsight extractor\extractorservicenpf04.exe --> c:\program files\symantec\deepsight extractor\ExtractorServiceNPF04.exe [?] S3 AR5513;%ATHER.Service.DispName%;c:\windows\system32\drivers\ar5513.sys --> c:\windows\system32\drivers\ar5513.sys [?] S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2005-4-4 16194] S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\drivers\wg311tn5.sys --> c:\windows\system32\drivers\wg311tn5.sys [?] S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys --> c:\windows\system32\drivers\ss.sys [?] S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-11-27 85504] =============== Created Last 30 ================ 2010-03-19 18:06:51 0 ----a-w- c:\documents and settings\pats\defogger_reenable 2010-03-18 04:07:08 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-03-10 18:39:39 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-03-02 18:16:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2010-03-02 18:11:28 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} 2010-02-28 05:15:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys ==================== Find3M ==================== 2010-03-18 16:10:14 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-03-18 16:10:14 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys 2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe 2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys 2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll 2009-12-22 05:21:05 667136 ------w- c:\windows\system32\dllcache\wininet.dll 2009-12-22 05:21:03 627712 ------w- c:\windows\system32\dllcache\urlmon.dll 2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll 2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll 2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll 2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll 2004-08-04 05:56:58 73728 -csha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe 2009-11-10 19:51:36 56320 --sha-r- c:\windows\system32\QNAD.dll ============= FINISH: 14:13:33.01 =============== GMER- GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-03-19 15:42:00 Windows 5.1.2600 Service Pack 3 Running: o4y5xrvy.exe; Driver: C:\DOCUME~1\pats\LOCALS~1\Temp\pxtdapog.sys ---- System - GMER 1.0.15 ---- SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF884687E] SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8846BFE] SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEBC9C320] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device -> \Driver\atapi \Device\Harddisk0\DR0 8371FCA1 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ---- Thank you in advance - this forum is a great help!

---------------------------------------------------------------------------------------------------------------- Hey Screen317 - Thats O/K for the delay I know your probably busy, besides it's kinda like old times on AOHell dial-up with this temporary 1.6 Dell loaner machine I downloaded Opera & it seems to work O/K -- I tried the Inherit.exe & dragged it to FF, got the O/K window, but it did NOT work opening FF -- I tried a gamble & re-downloaded MalwareBytes by re-naming it Mybytes & updated it -- tried to run it & it worked, produced quite a lengthy log of problems! I did the re-boot. Still seems infected -- IE, FF, SuperAntispyware, Spybot S&D all still inoperable! Should I try re-downloading them all thru Opera? Here is the MalwareBytes log -- Malwarebytes' Anti-Malware 1.41 Database version: 3061 Windows 5.1.2600 Service Pack 2 10/30/2009 1:29:17 PM mbam-log-2009-10-30 (13-29-17).txt Scan type: Full Scan (C:\|) Objects scanned: 157147 Time elapsed: 32 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 3 Registry Data Items Infected: 1 Folders Infected: 1 Files Infected: 87 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: C:\Documents and Settings\JC Surveillance Inc\Application Data\1041402358 (Rogue.SecurityTool) -> Quarantined and deleted successfully. Files Infected: C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\07322620\07322620.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\60646527\60646527.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\62188732\62188732.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Documents and Settings\JC Surveillance Inc\Application Data\2241974040\2241974040.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Documents and Settings\JC Surveillance Inc\Application Data\2628233894\2628233894.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Documents and Settings\JC Surveillance Inc\Application Data\6750707535\6750707535.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Documents and Settings\JC Surveillance Inc\Application Data\9045131913\9045131913.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Documents and Settings\JC Surveillance Inc\Application Data\9081900915\9081900915.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\bubopoyu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\dapotado.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruimxbnevpt.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruinpaowfbv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruircmxdvmf.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruissibnmpx.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\Iasv32.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\dirupahu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\dojisino.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\fomegozu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\isasdk.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\laduwowa.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\lohowopo.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\mehoguhi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\pulamiwa.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\tejahazu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\UACosbedicjws.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrnavipbxxn.dll.vir (Rogue.Multiple) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\utdoinfeyp.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\nuvoyijo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChfqxovnras.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\fonemike.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\yobiseha.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACwrumbpfuvk.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\Temp\t4m0_34489622498.bk.old.vir (Trojan.Backdoor) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000079.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000080.old (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000081.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000082.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000083.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000097.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000099.old (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000101.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000105.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0002238.dll (Trojan.Backdoor) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0002239.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0002249.sys (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000382.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000384.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000583.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000584.old (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000588.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000590.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000738.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000762.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000763.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000764.old (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000765.dll (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000766.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000785.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000786.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000787.old (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000788.dll (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000789.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0000808.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0000809.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0000810.old (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0000811.dll (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0000812.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0001880.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0001881.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0001882.old (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0001883.dll (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0001884.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0002062.exe (Trojan.Backdoor) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0002063.old (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0002064.dll (Trojan.Backdoor) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0002066.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0002068.exe (Trojan.Backdoor) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mdtdisk.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\opeia.exe (Trojan.Backdoor) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wmdtc.exe (Trojan.Backdoor) -> Quarantined and deleted successfully. C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HT3L7PQ9\cyijjxb[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NFH6SBO0\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VTR4DODQ\dfghfghgfj[1].dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Hey, deleted the winlogin from the thumbdrive - I try to connect utilizing my 'known' good network wireless adapter on a 'known' good router hooked up to a cable modem (what I'm using now with this old machine) - I try usually to use the FireFox browser - but you asked me to use in internet explorer in one of 'our' steps & both give the same error message of - windows cannot access the specified device, path or file. you maynot have the appropriate permissions to access the item - & when I try to use them as Run As - I get the same message - I tried Safe Mode with networking - still unable to connect!! As a side note, as mentioned before I have Lavasofts Ad-Aware & that has the capability to update itself to current definitions & runs o/k (no it has NOT detected anything!) & also AVG8.5Free Antivirus (lotta good that did me) which has the capability to update itself to current definitions, but does NOT run!

Hi - here is the VirusTotal analysis, I was only able to upload as a zip file from the thumbdrive? -- Srpski | Македонски | العربية | Suomi | ihMdI | | עברית | | Sloven

Hey, hi & thanx for the quick response, I don't know what I'm doing wrong, be aware I'm still doing all this utilizing a USB thumbdrive to do this since the affected @%X!? machine can NOT access the net - I tried it again by putting the CFScript.txt file on my desktop & dragging it to ComboFix which is renamed Pats.exe (the only way I've been able to run CF) & it produced the following CF log -- ComboFix 09-10-25.01 - JC Surveillance Inc 10/25/2009 20:10.4.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.1010 [GMT -4:00] Running from: G:\Pats.exe.exe Command switches used :: c:\documents and settings\JC Surveillance Inc\Desktop\CFScript.txt.txt AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} file zipped: c:\windows\system32\biferopa.dll file zipped: c:\windows\system32\BtwSrv.dll file zipped: c:\windows\system32\FastNetSrv.exe file zipped: c:\windows\system32\fowajitu.dll file zipped: c:\windows\system32\gibegovu.dll file zipped: c:\windows\system32\gipafula.dll file zipped: c:\windows\system32\gowaheke.dll file zipped: c:\windows\system32\hugeloko.dll file zipped: c:\windows\system32\jevetedo.dll file zipped: c:\windows\system32\jivigupi.exe file zipped: c:\windows\system32\kahowuhi.dll file zipped: c:\windows\system32\kowatapi.exe file zipped: c:\windows\system32\lsm32.sys file zipped: c:\windows\system32\nesirona.dll file zipped: c:\windows\system32\nokiyubu.dll file zipped: c:\windows\system32\parewote.dll file zipped: c:\windows\system32\puwudeta.dll file zipped: c:\windows\system32\rahobeto.dll file zipped: c:\windows\system32\rasawofu.dll file zipped: c:\windows\system32\rolivepa.exe file zipped: c:\windows\system32\sohibesi.dll file zipped: c:\windows\system32\vakumene.dll file zipped: c:\windows\system32\viliwesi.dll file zipped: c:\windows\system32\weyalomi.dll file zipped: c:\windows\system32\wufajojo.dll file zipped: c:\windows\system32\yaruvofo.exe file zipped: c:\windows\system32\yiralujo.dll file zipped: c:\windows\system32\zumububo.dll file zipped: c:\windows\system32\F1D74CB742.sys file zipped: c:\windows\system32\FCF4F4C102.sys . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\biferopa.dll c:\windows\system32\BtwSrv.dll c:\windows\system32\FastNetSrv.exe c:\windows\system32\fowajitu.dll c:\windows\system32\gibegovu.dll c:\windows\system32\gipafula.dll c:\windows\system32\gowaheke.dll c:\windows\system32\hugeloko.dll c:\windows\system32\Install.txt c:\windows\system32\jevetedo.dll c:\windows\system32\jivigupi.exe c:\windows\system32\kahowuhi.dll c:\windows\system32\kowatapi.exe c:\windows\system32\lsm32.sys c:\windows\system32\nesirona.dll c:\windows\system32\nokiyubu.dll c:\windows\system32\parewote.dll c:\windows\system32\puwudeta.dll c:\windows\system32\rahobeto.dll c:\windows\system32\rasawofu.dll c:\windows\system32\rolivepa.exe c:\windows\system32\sohibesi.dll c:\windows\system32\vakumene.dll c:\windows\system32\viliwesi.dll c:\windows\system32\weyalomi.dll c:\windows\system32\wufajojo.dll c:\windows\system32\yaruvofo.exe c:\windows\system32\yiralujo.dll c:\windows\system32\zumububo.dll c:\windows\TEMP\mta13187.dll . --------------- FCopy --------------- c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_BTWSRV -------\Legacy_FASTNETSRV -------\Service_BtwSrv -------\Service_fastnetsrv ((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 ))))))))))))))))))))))))))))))) . 2009-10-26 00:04 . 2009-10-26 00:04 -------- d-----w- C:\Pats.exe6863P 2009-10-25 14:48 . 2009-10-25 15:00 -------- d-----w- C:\Pats.exe30505P 2009-10-25 14:46 . 2009-10-25 14:46 -------- d-----w- C:\Pats.exe9727P 2009-10-25 14:40 . 2009-10-25 14:41 -------- d-----w- C:\Pats.exe 2009-10-20 14:53 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe 2009-10-17 20:09 . 2009-10-17 21:04 -------- d-----w- C:\salp.exe 2009-10-04 14:39 . 2009-10-04 15:09 -------- d-----w- c:\documents and settings\JC Surveillance Inc\Application Data\1041402358 2009-09-30 00:23 . 2009-09-30 00:23 65584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-30 00:22 . 2009-09-23 12:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys 2009-09-30 00:22 . 2009-09-23 12:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys 2009-09-30 00:22 . 2009-09-23 12:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys 2009-09-30 00:22 . 2009-09-30 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2009-09-30 00:03 . 2009-09-30 00:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla 2009-09-29 17:37 . 2009-09-29 17:37 -------- d-s---w- c:\documents and settings\LocalService\UserData 2009-09-28 15:45 . 2009-09-28 15:46 -------- d-----w- c:\program files\Windows Live Safety Center 2009-09-27 19:00 . 2009-09-27 19:00 -------- d-----w- c:\program files\winlogin.exe 2009-09-27 18:04 . 2009-10-11 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2 2009-09-27 17:43 . 2009-10-20 16:11 -------- d-----w- c:\documents and settings\JC Surveillance Inc\Local Settings\Application Data\Deployment . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-25 15:07 . 2008-10-19 16:53 -------- d-----w- c:\documents and settings\JC Surveillance Inc\Application Data\U3 2009-10-20 15:03 . 2008-10-20 20:52 -------- d-----w- c:\program files\Mozilla Thunderbird 2009-10-18 19:37 . 2009-04-12 20:57 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-10-11 17:47 . 2009-02-13 15:59 -------- d-----w- c:\program files\bytes 2009-10-05 04:58 . 2007-06-10 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-10-03 20:26 . 2007-10-29 00:06 -------- d-----w- c:\program files\Lavasoft 2009-10-03 16:37 . 2007-06-04 00:13 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys 2009-09-30 00:37 . 2009-01-28 14:37 -------- d-----w- c:\program files\Common Files\Download Manager 2009-09-12 22:33 . 2007-06-04 00:29 65584 -c--a-w- c:\documents and settings\JC Surveillance Inc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-11 14:03 . 2004-08-10 16:51 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-10 18:54 . 2009-02-13 15:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 18:53 . 2009-02-13 15:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-10 16:43 . 2009-09-10 16:43 -------- d-----w- c:\program files\MSBuild 2009-09-10 16:43 . 2009-09-10 16:43 -------- d-----w- c:\program files\Reference Assemblies 2009-09-10 16:40 . 2009-09-10 16:40 -------- d-----w- c:\program files\MSXML 6.0 2009-09-10 15:36 . 2008-09-26 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-09-05 16:57 . 2009-09-05 16:57 -------- d-----w- c:\program files\Coupons 2009-09-04 23:49 . 2006-09-12 17:45 -------- d-----w- c:\program files\Java 2009-09-04 20:45 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-03 18:08 . 2009-07-17 21:48 -------- d-----w- c:\program files\EPSON 2009-08-28 13:50 . 2008-09-26 16:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-08-28 13:50 . 2008-09-26 16:36 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-08-28 13:50 . 2008-09-26 16:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-08-26 08:16 . 2004-08-10 16:51 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-14 03:43 . 2009-08-14 03:43 8 --sh--r- c:\windows\system32\18006624F4.sys 2009-08-05 09:11 . 2004-08-10 16:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-04 12:49 . 2004-08-10 16:51 2142720 ------w- c:\windows\system32\ntoskrnl.exe 2009-08-04 12:02 . 2004-08-04 02:59 2020864 ------w- c:\windows\system32\ntkrnlpa.exe 2007-06-09 02:45 . 2007-06-04 00:13 88 -csh--r- c:\windows\system32\F1D74CB742.sys 2009-07-10 21:27 . 2009-07-10 21:27 8 --sh--r- c:\windows\system32\FCF4F4C102.sys . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\JC Surveillance Inc\Application Data\1041402358 ---- ((((((((((((((((((((((((((((( SnapShot_2009-10-24_18.12.45 ))))))))))))))))))))))))))))))))))))))))) . + 2009-10-26 00:21 . 2009-10-26 00:21 16384 c:\windows\temp\Perflib_Perfdata_7bc.dat + 2009-10-26 00:21 . 2009-10-26 00:21 16384 c:\windows\temp\Perflib_Perfdata_794.dat + 2004-08-04 09:00 . 2004-08-04 09:00 88064 c:\windows\system32\wmdtc.exe + 2004-08-04 09:00 . 2004-08-04 09:00 88064 c:\windows\system32\opeia.exe + 2004-08-10 16:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-18 2025752] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-12 98304] "EPSON Stylus C84 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 99840] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-18 520024] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-19 185896] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-10 282624] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-27 805392] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-28 13:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/12/2009 3:36 PM 64160] R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/29/2009 8:22 PM 51984] R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/29/2009 8:22 PM 59664] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/26/2008 12:36 PM 335240] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/26/2008 12:37 PM 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/26/2008 12:36 PM 297752] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1028432] R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [7/26/2009 6:02 PM 362944] S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/26/2008 12:36 PM 908056] S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?] S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/14/2008 7:59 PM 17149] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 7408] S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/29/2009 8:22 PM 33552] --- Other Services/Drivers In Memory --- *Deregistered* - mbr . Contents of the 'Scheduled Tasks' folder 2009-10-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:37] 2009-10-02 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20] . . ------- Supplementary Scan ------- . mStart Page = hxxp://www.google.com uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\JC Surveillance Inc\Application Data\Mozilla\Firefox\Profiles\0evo8ztb.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: XUL Cache: {3507B79D-BAEB-4E98-B24C-B9BD25991D82} - c:\documents and settings\JC Surveillance Inc\Local Settings\Application Data\{3507B79D-BAEB-4E98-B24C-B9BD25991D82} FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-25 20:21 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ThreatFire] "AlternateImagePath"="" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-477365121-4083767938-562202453-1007\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32] @DACL=(02 0000) @="c:\\DOCUME~1\\JCSURV~1\\LOCALS~1\\Temp\\wndutl32.dll" "ThreadingModel"="Apartment" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(632) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll - - - - - - - > 'explorer.exe'(3632) c:\program files\Logitech\SetPoint\lgscroll.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\pats.exe29600p\CF32492.exe c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE c:\pats.exe29600p\PEV.cfxxe . ************************************************************************** . Completion time: 2009-10-26 20:25 - machine was rebooted ComboFix-quarantined-files.txt 2009-10-26 00:25 ComboFix2.txt 2009-10-25 15:00 ComboFix3.txt 2009-10-24 18:16 Pre-Run: 63,595,044,864 bytes free Post-Run: 63,550,963,712 bytes free Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - 748EE79B2788F14A6D8EC1CA43B0402B Hope we can work from this

Hey Screen317 - here is the latest ComboFix log - ComboFix 09-10-24.03 - JC Surveillance Inc 10/25/2009 10:49.3.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.936 [GMT -4:00] Running from: G:\Pats.exe.exe Command switches used :: c:\documents and settings\JC Surveillance Inc\Desktop\CFScript.lnk AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\Install.txt c:\windows\TEMP\mta13187.dll c:\windows\TEMP\t4m0_34489622498.bk.old c:\windows\TEMP\x1c91492.dll . ((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 ))))))))))))))))))))))))))))))) . 2009-10-25 14:46 . 2009-10-25 14:46 -------- d-----w- C:\Pats.exe9727P 2009-10-25 14:40 . 2009-10-25 14:41 -------- d-----w- C:\Pats.exe 2009-10-20 14:53 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe 2009-10-17 20:09 . 2009-10-17 21:04 -------- d-----w- C:\salp.exe 2009-10-13 15:54 . 2009-10-13 16:38 1011572 ----a-w- c:\windows\system32\rolivepa.exe 2009-10-11 15:54 . 2009-10-11 16:30 1011348 ----a-w- c:\windows\system32\yaruvofo.exe 2009-10-08 14:56 . 2009-10-08 15:41 1011246 ----a-w- c:\windows\system32\jivigupi.exe 2009-10-07 02:28 . 2009-10-07 02:37 39424 ----a-w- c:\windows\system32\hugeloko.dll 2009-10-06 02:28 . 2009-10-06 02:41 39424 ----a-w- c:\windows\system32\gibegovu.dll 2009-10-04 14:39 . 2009-10-04 15:09 -------- d-----w- c:\documents and settings\JC Surveillance Inc\Application Data\1041402358 2009-09-30 00:23 . 2009-09-30 00:23 65584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-30 00:22 . 2009-09-23 12:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys 2009-09-30 00:22 . 2009-09-23 12:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys 2009-09-30 00:22 . 2009-09-23 12:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys 2009-09-30 00:22 . 2009-09-30 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2009-09-30 00:03 . 2009-09-30 00:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla 2009-09-29 17:37 . 2009-09-29 17:37 -------- d-s---w- c:\documents and settings\LocalService\UserData 2009-09-28 15:45 . 2009-09-28 15:46 -------- d-----w- c:\program files\Windows Live Safety Center 2009-09-27 19:00 . 2009-09-27 19:00 -------- d-----w- c:\program files\winlogin.exe 2009-09-27 18:04 . 2009-10-11 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2 2009-09-27 17:43 . 2009-10-20 16:11 -------- d-----w- c:\documents and settings\JC Surveillance Inc\Local Settings\Application Data\Deployment . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-20 15:03 . 2008-10-20 20:52 -------- d-----w- c:\program files\Mozilla Thunderbird 2009-10-18 19:37 . 2009-04-12 20:57 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-10-12 04:25 . 2009-07-12 04:25 39424 --sha-w- c:\windows\system32\zumububo.dll 2009-10-11 17:47 . 2009-02-13 15:59 -------- d-----w- c:\program files\bytes 2009-10-11 16:25 . 2009-07-11 16:25 39424 --sha-w- c:\windows\system32\kahowuhi.dll 2009-10-11 16:25 . 2009-07-11 16:25 28160 --sha-w- c:\windows\system32\vakumene.dll 2009-10-11 15:47 . 2008-10-19 16:53 -------- d-----w- c:\documents and settings\JC Surveillance Inc\Application Data\U3 2009-10-08 15:32 . 2009-07-08 15:32 39424 --sha-w- c:\windows\system32\wufajojo.dll 2009-10-07 14:32 . 2009-07-07 14:32 39424 --sha-w- c:\windows\system32\puwudeta.dll 2009-10-06 14:32 . 2009-07-06 14:32 91136 --sha-w- c:\windows\system32\parewote.dll 2009-10-05 14:31 . 2009-07-05 14:31 90624 --sha-w- c:\windows\system32\gipafula.dll 2009-10-05 14:31 . 2009-07-05 14:31 38912 --sha-w- c:\windows\system32\biferopa.dll 2009-10-05 04:58 . 2007-06-10 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-10-05 02:31 . 2009-07-05 02:31 38912 --sha-w- c:\windows\system32\viliwesi.dll 2009-10-04 14:31 . 2009-07-04 14:31 38912 --sha-w- c:\windows\system32\gowaheke.dll 2009-10-04 02:31 . 2009-07-04 02:31 1048099 --sha-w- c:\windows\system32\kowatapi.exe 2009-10-04 02:31 . 2009-07-04 02:31 38912 --sha-w- c:\windows\system32\nesirona.dll 2009-10-03 20:26 . 2007-10-29 00:06 -------- d-----w- c:\program files\Lavasoft 2009-10-03 16:37 . 2007-06-04 00:13 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys 2009-10-03 14:31 . 2009-07-03 14:30 52224 --sha-w- c:\windows\system32\yiralujo.dll 2009-10-03 14:30 . 2009-07-03 14:30 90112 --sha-w- c:\windows\system32\fowajitu.dll 2009-10-03 14:30 . 2009-07-03 14:30 38912 --sha-w- c:\windows\system32\nokiyubu.dll 2009-10-03 02:30 . 2009-07-03 02:30 90624 --sha-w- c:\windows\system32\rahobeto.dll 2009-10-02 14:30 . 2009-07-02 14:30 91136 --sha-w- c:\windows\system32\rasawofu.dll 2009-10-02 14:30 . 2009-07-02 14:30 39424 --sha-w- c:\windows\system32\sohibesi.dll 2009-10-02 14:30 . 2009-07-02 14:30 28160 --sha-w- c:\windows\system32\jevetedo.dll 2009-09-30 00:37 . 2009-01-28 14:37 -------- d-----w- c:\program files\Common Files\Download Manager 2009-09-12 22:33 . 2007-06-04 00:29 65584 -c--a-w- c:\documents and settings\JC Surveillance Inc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-11 14:03 . 2004-08-10 16:51 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-10 18:54 . 2009-02-13 15:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 18:53 . 2009-02-13 15:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-10 16:43 . 2009-09-10 16:43 -------- d-----w- c:\program files\MSBuild 2009-09-10 16:43 . 2009-09-10 16:43 -------- d-----w- c:\program files\Reference Assemblies 2009-09-10 16:40 . 2009-09-10 16:40 -------- d-----w- c:\program files\MSXML 6.0 2009-09-10 15:36 . 2008-09-26 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-09-05 16:57 . 2009-09-05 16:57 -------- d-----w- c:\program files\Coupons 2009-09-04 23:49 . 2006-09-12 17:45 -------- d-----w- c:\program files\Java 2009-09-04 20:45 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-03 18:08 . 2009-07-17 21:48 -------- d-----w- c:\program files\EPSON 2009-08-28 13:50 . 2008-09-26 16:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-08-28 13:50 . 2008-09-26 16:36 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-08-28 13:50 . 2008-09-26 16:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-08-26 08:16 . 2004-08-10 16:51 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-14 03:43 . 2009-08-14 03:43 8 --sh--r- c:\windows\system32\18006624F4.sys 2009-08-05 09:11 . 2004-08-10 16:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-04 12:49 . 2004-08-10 16:51 2142720 ------w- c:\windows\system32\ntoskrnl.exe 2009-08-04 12:02 . 2004-08-04 02:59 2020864 ------w- c:\windows\system32\ntkrnlpa.exe 2007-06-09 02:45 . 2007-06-04 00:13 88 -csh--r- c:\windows\system32\F1D74CB742.sys 2009-07-10 21:27 . 2009-07-10 21:27 8 --sh--r- c:\windows\system32\FCF4F4C102.sys 2009-07-06 14:32 . 2009-07-06 14:32 3 --sha-w- c:\windows\system32\weyalomi.dll . ------- Sigcheck ------- [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [-] 2008-06-20 . 1CC09561E21A48A7F649A40F18235860 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys [-] 2008-06-20 . 1CC09561E21A48A7F649A40F18235860 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys [7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys [7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys . ((((((((((((((((((((((((((((( SnapShot_2009-10-24_18.12.45 ))))))))))))))))))))))))))))))))))))))))) . + 2009-10-25 14:56 . 2009-10-25 14:56 16384 c:\windows\temp\Perflib_Perfdata_7ec.dat + 2009-10-25 14:56 . 2009-10-25 14:56 16384 c:\windows\temp\Perflib_Perfdata_18c.dat + 2004-08-04 09:00 . 2004-08-04 09:00 88064 c:\windows\system32\wmdtc.exe + 2004-08-04 09:00 . 2004-08-04 09:00 88064 c:\windows\system32\opeia.exe + 2004-08-04 09:00 . 2004-08-04 09:00 47616 c:\windows\system32\FastNetSrv.exe + 2004-08-04 09:00 . 2004-08-04 09:00 46592 c:\windows\system32\BtwSrv.dll + 2009-10-25 14:56 . 2009-06-26 15:59 620032 c:\windows\temp\x1c18044.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-18 2025752] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-12 98304] "EPSON Stylus C84 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" [2003-05-27 99840] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-18 520024] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-19 185896] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-10 282624] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-27 805392] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-28 13:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/12/2009 3:36 PM 64160] R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/29/2009 8:22 PM 51984] R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/29/2009 8:22 PM 59664] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/26/2008 12:36 PM 335240] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/26/2008 12:37 PM 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/26/2008 12:36 PM 297752] R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 12:51 PM 14336] R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 5:00 AM 47616] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1028432] R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [7/26/2009 6:02 PM 362944] S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/26/2008 12:36 PM 908056] S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?] S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/14/2008 7:59 PM 17149] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 7408] S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/29/2009 8:22 PM 33552] --- Other Services/Drivers In Memory --- *NewlyCreated* - BTWSRV HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs BtwSrv . Contents of the 'Scheduled Tasks' folder 2009-10-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:37] 2009-10-02 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20] . . ------- Supplementary Scan ------- . mStart Page = hxxp://www.google.com uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\JC Surveillance Inc\Application Data\Mozilla\Firefox\Profiles\0evo8ztb.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: XUL Cache: {3507B79D-BAEB-4E98-B24C-B9BD25991D82} - c:\documents and settings\JC Surveillance Inc\Local Settings\Application Data\{3507B79D-BAEB-4E98-B24C-B9BD25991D82} FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-25 10:56 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ThreatFire] "AlternateImagePath"="" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-477365121-4083767938-562202453-1007\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32] @DACL=(02 0000) @="c:\\DOCUME~1\\JCSURV~1\\LOCALS~1\\Temp\\wndutl32.dll" "ThreadingModel"="Apartment" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(632) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll - - - - - - - > 'explorer.exe'(216) c:\program files\Logitech\SetPoint\lgscroll.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\windows\system32\wbem\unsecapp.exe c:\pats.exe30505p\CF1191.exe c:\windows\system32\wmdtc.exe c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE c:\windows\system32\lsm32.sys c:\pats.exe30505p\PEV.cfxxe . ************************************************************************** . Completion time: 2009-10-25 11:00 - machine was rebooted ComboFix-quarantined-files.txt 2009-10-25 15:00 ComboFix2.txt 2009-10-24 18:16 Pre-Run: 63,661,957,120 bytes free Post-Run: 63,624,085,504 bytes free Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - A43A3EFD50F9CC35C37FA38440FDC09C