TechMom

  1. MBAM Support - please advise. We are also getting this same alert on all workstations. This alert also appears to have caused all workstations to reboot, which included our 911 dispatch center. A random reboot of computers that critical is extremely bad. Is this a false positive? If so, what is the remediation? Thank you.
  2. We are also seeing this issue from several of our clients, but the Anti-Exploit versions vary from 1.9., 1.12.2.14 and 1.13.2.98. All PCs are running Windows 7 32-bit and are at different patch levels. At this point there seems to be no rhyme or reason to what we are seeing.
  3. Yes, it was an install over the top of a working 1.75 version. OS is Windows 7 x64. Yes, the ID and Key are in the Registry. It did not show any errors with the upgrade. When it didn't show that it was registered, I entered my ID & Key. The fields had the green check mark, but it did not show that it was registered. When it didn't activate, I activated the trial, so I have that reg key also.
  4. Upgraded to 2.01 today but the license / registration didn't get recognized (?). It shows that I am running the trial version. I attempted to activate with the original license key that I have but it won't activate with it.
  5. Disregard the DCOM error. It is referencing the iPod service & I don't really care about that at the moment. After another reboot, I am able to get out!!! Not sure why & I'm still skeptical about this system actually being clean. I still want to get Norton Security Scan removed - can't do it through the Add/Remove applet, and F5. Plus I need to reinstall Java, Adobe Reader and possibly some of the other apps that I removed during this process.
  6. Hope you had a nice enjoyable day! Host file was definitely not the default host file. Only entry was 127.0.0.1 localhost. It didn't have the Microsoft comments or anything. I replaced it with a default host file. This is strange: MSCONFIG - Services tab - all services are selected with their various status, but the Enable All is grayed out. Disabled all, then enabled all. This is a Dell Dimension 4800; NIC is an Intel Pro/100 VE. On reboot - System Event log:
     Event Type: Error
     Source: DCOM
     Event Category: None
     Event ID: 10005
     10/10/2009
     DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices"
     The management console shows DCOM Server Process Launcher - status Started - Startup Type Automatic.
  7. More logs.... everything looks clean but I still don't think it is. When I ran DrWeb, it did not allow me to save the log. Not sure why. Said it saved but it was no where to be found. Services still aren't right. Some are disabled that shouldn't be or they are set to manual. (just not right by sight). I was thinking about running SFC just for grins, what do you think? Avira AntiVir Personal Report file date: Saturday, October 10, 2009 07:46 Scanning for 1787120 virus strains and unwanted programs. Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 3) [5.1.2600] Boot mode : Normally booted Username : SYSTEM Computer name : GBUNTON Version information: BUILD.DAT : 9.0.0.410 18074 Bytes 9/25/2009 11:56:00 AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 21:36:14 AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24 LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49 LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52 ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36 ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 17:21:42 ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 9/29/2009 08:25:05 ANTIVIR3.VDF : 7.1.6.95 404480 Bytes 10/9/2009 08:25:07 Engineversion : 8.2.1.35 AEVDF.DLL : 8.1.1.2 106867 Bytes 10/10/2009 08:25:26 AESCRIPT.DLL : 8.1.2.35 483707 Bytes 10/10/2009 08:25:24 AESCN.DLL : 8.1.2.5 127346 Bytes 10/10/2009 08:25:23 AERDL.DLL : 8.1.3.2 479604 Bytes 10/10/2009 08:25:22 AEPACK.DLL : 8.2.0.0 422261 Bytes 10/10/2009 08:25:20 AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 17:59:39 AEHEUR.DLL : 8.1.0.167 2011511 Bytes 10/10/2009 08:25:19 AEHELP.DLL : 8.1.7.0 237940 Bytes 10/10/2009 08:25:11 AEGEN.DLL : 8.1.1.67 364916 Bytes 10/10/2009 08:25:10 AEEMU.DLL : 8.1.1.0 393587 Bytes 10/10/2009 08:25:09 AECORE.DLL : 8.1.8.1 184693 Bytes 10/10/2009 08:25:08 AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40 AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59 AVPREF.DLL : 9.0.3.0 
44289 Bytes 10/10/2009 08:25:26 AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28 AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09 AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41 AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08 SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49 SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33 NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10 RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58 RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48 Configuration settings for the scan: Jobname.............................: Complete system scan Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp Logging.............................: low Primary action......................: interactive Secondary action....................: ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: C:, Process scan........................: on Scan registry.......................: on Search for rootkits.................: on Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Deviating risk categories...........: +GAME,+JOKE,+SPR, Start of the scan: Saturday, October 10, 2009 07:46 Starting search for hidden objects. '60549' objects were checked, '0' hidden objects were found. 
The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'taskmgr.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'wuauclt.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'wscntfy.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned Scan process 'igfxpers.exe' - '1' Module(s) have been scanned Scan process 'hkcmd.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 28 processes with 28 modules were scanned Starting master boot sector scan: Master boot sector HD0 [iNFO] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [iNFO] No virus was found! 
Starting to scan executable files (registry). The registry was scanned ( '53' files ). Starting the file scan: Begin scan in 'C:\' C:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning. C:\New Folder\HijackThis.exe [WARNING] The file could not be opened! C:\New Folder\HIJACKTHIS\Copy of Copy of HIJACKTHIS.EXE [WARNING] The file could not be opened! End of the scan: Saturday, October 10, 2009 08:38 Used time: 51:37 Minute(s) The scan has been done completely. 8467 Scanned directories 266385 Files were scanned 0 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 0 Files were moved to quarantine 0 Files were renamed 3 Files cannot be scanned 266382 Files not concerned 1338 Archives were scanned 3 Warnings 1 Notes 60549 Objects were scanned with rootkit scan 0 Hidden objects were found ::: HJT ::: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:53:39 AM, on 10/10/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\New Folder\hjt\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet 
Explorer\Main,Start Page = http://comcast.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows 
Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://vpn.wallacegroup.us/vdesk/terminal/...0,2008,904,1947 O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\gjbunton\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212080689437 O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://vpn.wallacegroup.us/vdesk/terminal/...,2007,1001,2136 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212080723437 O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.wallacegroup.us/vdesk/terminal/...0,2008,904,1945 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.wallacegroup.us/vdesk/terminal/...0,2008,904,1940 O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- End of file - 4754 bytes ::: MB Log ::: Malwarebytes' Anti-Malware 1.41 Database version: 2935 Windows 5.1.2600 Service Pack 3 10/10/2009 3:35:00 PM mbam-log-2009-10-10 (15-35-00).txt Scan type: Full Scan (C:\|) Objects scanned: 196947 Time elapsed: 1 hour(s), 46 minute(s), 18 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: 
(No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  8. As I stated in my last post, I reconfigured Avira for the additional categories. I also ran a new HJT and am posting that log too. Next I will run DrWeb & post that log with another HJT. ::Avira full scan log:: Avira AntiVir Personal Report file date: Saturday, October 10, 2009 07:46 Scanning for 1787120 virus strains and unwanted programs. Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 3) [5.1.2600] Boot mode : Normally booted Username : SYSTEM Computer name : GBUNTON Version information: BUILD.DAT : 9.0.0.410 18074 Bytes 9/25/2009 11:56:00 AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 21:36:14 AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24 LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49 LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52 ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36 ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 17:21:42 ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 9/29/2009 08:25:05 ANTIVIR3.VDF : 7.1.6.95 404480 Bytes 10/9/2009 08:25:07 Engineversion : 8.2.1.35 AEVDF.DLL : 8.1.1.2 106867 Bytes 10/10/2009 08:25:26 AESCRIPT.DLL : 8.1.2.35 483707 Bytes 10/10/2009 08:25:24 AESCN.DLL : 8.1.2.5 127346 Bytes 10/10/2009 08:25:23 AERDL.DLL : 8.1.3.2 479604 Bytes 10/10/2009 08:25:22 AEPACK.DLL : 8.2.0.0 422261 Bytes 10/10/2009 08:25:20 AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 17:59:39 AEHEUR.DLL : 8.1.0.167 2011511 Bytes 10/10/2009 08:25:19 AEHELP.DLL : 8.1.7.0 237940 Bytes 10/10/2009 08:25:11 AEGEN.DLL : 8.1.1.67 364916 Bytes 10/10/2009 08:25:10 AEEMU.DLL : 8.1.1.0 393587 Bytes 10/10/2009 08:25:09 AECORE.DLL : 8.1.8.1 184693 Bytes 10/10/2009 08:25:08 AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40 AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59 AVPREF.DLL : 9.0.3.0 44289 Bytes 10/10/2009 08:25:26 AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28 AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09 AVARKT.DLL : 9.0.0.3 
292609 Bytes 3/24/2009 23:05:41 AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08 SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49 SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33 NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10 RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58 RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48 Configuration settings for the scan: Jobname.............................: Complete system scan Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp Logging.............................: low Primary action......................: interactive Secondary action....................: ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: C:, Process scan........................: on Scan registry.......................: on Search for rootkits.................: on Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Deviating risk categories...........: +GAME,+JOKE,+SPR, Start of the scan: Saturday, October 10, 2009 07:46 Starting search for hidden objects. '60549' objects were checked, '0' hidden objects were found. 
The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'taskmgr.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'wuauclt.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'wscntfy.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned Scan process 'igfxpers.exe' - '1' Module(s) have been scanned Scan process 'hkcmd.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 28 processes with 28 modules were scanned Starting master boot sector scan: Master boot sector HD0 [iNFO] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [iNFO] No virus was found! 
Starting to scan executable files (registry). The registry was scanned ( '53' files ). Starting the file scan: Begin scan in 'C:\' C:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning. C:\New Folder\HijackThis.exe [WARNING] The file could not be opened! C:\New Folder\HIJACKTHIS\Copy of Copy of HIJACKTHIS.EXE [WARNING] The file could not be opened! End of the scan: Saturday, October 10, 2009 08:38 Used time: 51:37 Minute(s) The scan has been done completely. 8467 Scanned directories 266385 Files were scanned 0 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 0 Files were moved to quarantine 0 Files were renamed 3 Files cannot be scanned 266382 Files not concerned 1338 Archives were scanned 3 Warnings 1 Notes 60549 Objects were scanned with rootkit scan 0 Hidden objects were found ::: HJT log ::: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:53:39 AM, on 10/10/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\New Folder\hjt\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet 
Explorer\Main,Start Page = http://comcast.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows 
Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://vpn.wallacegroup.us/vdesk/terminal/...0,2008,904,1947 O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\gjbunton\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212080689437 O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://vpn.wallacegroup.us/vdesk/terminal/...,2007,1001,2136 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212080723437 O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn.wallacegroup.us/vdesk/terminal/...0,2008,904,1945 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.wallacegroup.us/vdesk/terminal/...0,2008,904,1940 O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- End of file - 4754 bytes Couple questions - I see that there is now a run once for FlashPlayer update - not sure if it's legit or not but I am leaving it alone. Also, any idea how to uninstall the F5 Networks? I haven't been able to find anything. I would like to get rid of it. I figure that if this guy really needs it we can always reinstall it. More to come...
  9. After I installed Avira & was able to get the defs updated, I ran it but unfortunately I let it run with the defaults so it didn't check for dialers, joke programs (Jokes), games or spyware (SPR) but here's the log anyway. I had it clean what it found. I had to select expert mode to locate the extended threat categories. So I will run it again with the following selected: Adware Adware/spyware Back-door client Dialer Double-extension files Games Jokes Phishing Security privacy risk (SPR) I will post that log shortly. Once I complete this scan I will run Dr.Web CureIt and post that log. ::::: Avira Log ::::: Avira AntiVir Personal Report file date: Saturday, October 10, 2009 01:27 Scanning for 1787120 virus strains and unwanted programs. Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 3) [5.1.2600] Boot mode : Normally booted Username : SYSTEM Computer name : GBUNTON Version information: BUILD.DAT : 9.0.0.410 18074 Bytes 9/25/2009 11:56:00 AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 21:36:14 AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24 LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49 LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52 ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36 ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 17:21:42 ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 9/29/2009 08:25:05 ANTIVIR3.VDF : 7.1.6.95 404480 Bytes 10/9/2009 08:25:07 Engineversion : 8.2.1.35 AEVDF.DLL : 8.1.1.2 106867 Bytes 10/10/2009 08:25:26 AESCRIPT.DLL : 8.1.2.35 483707 Bytes 10/10/2009 08:25:24 AESCN.DLL : 8.1.2.5 127346 Bytes 10/10/2009 08:25:23 AERDL.DLL : 8.1.3.2 479604 Bytes 10/10/2009 08:25:22 AEPACK.DLL : 8.2.0.0 422261 Bytes 10/10/2009 08:25:20 AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 17:59:39 AEHEUR.DLL : 8.1.0.167 2011511 Bytes 10/10/2009 08:25:19 AEHELP.DLL : 8.1.7.0 237940 Bytes 10/10/2009 08:25:11 AEGEN.DLL : 8.1.1.67 364916 Bytes 
10/10/2009 08:25:10 AEEMU.DLL : 8.1.1.0 393587 Bytes 10/10/2009 08:25:09 AECORE.DLL : 8.1.8.1 184693 Bytes 10/10/2009 08:25:08 AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40 AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59 AVPREF.DLL : 9.0.3.0 44289 Bytes 10/10/2009 08:25:26 AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28 AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09 AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41 AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08 SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49 SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33 NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10 RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58 RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48 Configuration settings for the scan: Jobname.............................: Complete system scan Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp Logging.............................: low Primary action......................: interactive Secondary action....................: ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: C:, Process scan........................: on Scan registry.......................: on Search for rootkits.................: on Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Start of the scan: Saturday, October 10, 2009 01:27 Starting search for hidden objects. '60598' objects were checked, '0' hidden objects were found. 
      The scan of running processes will be started
      Scan process 'avscan.exe' - '1' Module(s) have been scanned
      Scan process 'avcenter.exe' - '1' Module(s) have been scanned
      Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
      Scan process 'avguard.exe' - '1' Module(s) have been scanned
      Scan process 'avgnt.exe' - '1' Module(s) have been scanned
      Scan process 'sched.exe' - '1' Module(s) have been scanned
      Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'alg.exe' - '1' Module(s) have been scanned
      Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
      Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
      Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
      Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
      Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
      Scan process 'explorer.exe' - '1' Module(s) have been scanned
      Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'svchost.exe' - '1' Module(s) have been scanned
      Scan process 'lsass.exe' - '1' Module(s) have been scanned
      Scan process 'services.exe' - '1' Module(s) have been scanned
      Scan process 'winlogon.exe' - '1' Module(s) have been scanned
      Scan process 'csrss.exe' - '1' Module(s) have been scanned
      Scan process 'smss.exe' - '1' Module(s) have been scanned
      28 processes with 28 modules were scanned

      Starting master boot sector scan:
      Master boot sector HD0
          [INFO] No virus was found!

      Start scanning boot sectors:
      Boot sector 'C:\'
          [INFO] No virus was found!

      Starting to scan executable files (registry).
      The registry was scanned ( '53' files ).

      Starting the file scan:

      Begin scan in 'C:\'
      C:\pagefile.sys
          [WARNING] The file could not be opened!
          [NOTE] This file is a Windows system file.
          [NOTE] This file cannot be opened for scanning.
      C:\Documents and Settings\Matt\My Documents\LimeWire\Saved\andre nickatina pinapple juice.wma
          [DETECTION] Contains recognition pattern of the EXP/MediaPlaye.3186 exploit
      C:\Documents and Settings\Matt\My Documents\LimeWire\Saved\mac dre feeling myself.wma
          [DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
      C:\Documents and Settings\Sam\My Documents\FrostWire\Incomplete\T-5088466-it aint my life grouch.snd
          [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
      C:\Documents and Settings\Sam\My Documents\FrostWire\Saved\Blink 182 - Another Girl, Another Planet.mp3
          [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
      C:\Documents and Settings\Sam\My Documents\FrostWire\Saved\Staind - Believe(1).mp3
          [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
      C:\New Folder\HijackThis.exe
          [WARNING] The file could not be opened!
      C:\New Folder\HIJACKTHIS\Copy of Copy of HIJACKTHIS.EXE
          [WARNING] The file could not be opened!
      C:\Qoobox\Quarantine\C\WINDOWS\system32\OLDbraviax.exe.vir
          [DETECTION] Is the TR/Vilsel.dfu Trojan

      Beginning disinfection:
      C:\Documents and Settings\Matt\My Documents\LimeWire\Saved\andre nickatina pinapple juice.wma
          [DETECTION] Contains recognition pattern of the EXP/MediaPlaye.3186 exploit
          [NOTE] The file was moved to '4b349835.qua'!
      C:\Documents and Settings\Matt\My Documents\LimeWire\Saved\mac dre feeling myself.wma
          [DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
          [NOTE] The file was moved to '4b339828.qua'!
      C:\Documents and Settings\Sam\My Documents\FrostWire\Incomplete\T-5088466-it aint my life grouch.snd
          [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
          [NOTE] The file was moved to '4b0597f5.qua'!
      C:\Documents and Settings\Sam\My Documents\FrostWire\Saved\Blink 182 - Another Girl, Another Planet.mp3
          [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
          [NOTE] The file was moved to '4b399835.qua'!
      C:\Documents and Settings\Sam\My Documents\FrostWire\Saved\Staind - Believe(1).mp3
          [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
          [NOTE] The file was moved to '4b31983d.qua'!
      C:\Qoobox\Quarantine\C\WINDOWS\system32\OLDbraviax.exe.vir
          [DETECTION] Is the TR/Vilsel.dfu Trojan
          [NOTE] The file was moved to '4b149815.qua'!

      End of the scan: Saturday, October 10, 2009 07:18
      Used time: 50:24 Minute(s)

      The scan has been done completely.

        8453 Scanned directories
      266445 Files were scanned
           6 Viruses and/or unwanted programs were found
           0 Files were classified as suspicious
           0 files were deleted
           0 Viruses and unwanted programs were repaired
           6 Files were moved to quarantine
           0 Files were renamed
           3 Files cannot be scanned
      266436 Files not concerned
        1338 Archives were scanned
           3 Warnings
           7 Notes
       60598 Objects were scanned with rootkit scan
           0 Hidden objects were found
  10. Ping .yahoo.com Request times out
      Ping 4.2.2.2 Request times out
      also did a flushdns
      If I open IE, I still get two instances of iexplore.exe in process manager (this is IE 8 which I haven't played with much yet)

      ROOTREPEAL © AD, 2007-2009
      ==================================================
      Scan Start Time: 2009/10/10 00:32
      Program Version: Version 1.3.5.0
      Windows Version: Windows XP SP3
      ==================================================

      Drivers
      -------------------
      Name: dump_atapi.sys
      Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
      Address: 0xEFA4E000    Size: 98304    File Visible: No    Signed: -
      Status: -

      Name: dump_WMILIB.SYS
      Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
      Address: 0xF8AF6000    Size: 8192    File Visible: No    Signed: -
      Status: -

      Name: rootrepeal.sys
      Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
      Address: 0xEEEFF000    Size: 49152    File Visible: No    Signed: -
      Status: -

      Hidden/Locked Files
      -------------------
      Path: C:\WINDOWS\Config\Config
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\Connection Wizard\Connection Wizard
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\addins\addins
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\PIF\PIF
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\$hf_mig$\KB915865\KB915865
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\1025\1025
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\1028\1028
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\1031\1031
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\1037\1037
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\1041\1041
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\1042\1042
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\1054\1054
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\2052\2052
      Status: Locked to the Windows API!

      Path: C:\WINDOWS\system32\3076\3076
      Status: Locked to the Windows API!
  11. Here's the latest log... Also, I downloaded Avira. Do you think it's ok to install it now? Do you want another HJT log?

      Malwarebytes' Anti-Malware 1.41
      Database version: 2935
      Windows 5.1.2600 Service Pack 3

      10/10/2009 12:13:48 AM
      mbam-log-2009-10-10 (00-13-48).txt

      Scan type: Quick Scan
      Objects scanned: 137222
      Time elapsed: 19 minute(s), 19 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
  12. So, at this point the computer has been rebooted. I created a new restore point & ran cleanmgr. (I considered just turning off system restore completely until this piece is clean, but I didn't.) I copied the updated rules.ref and am running a full scan right now. I'll post the log as soon as it's finished. I'm guessing I should probably wait for it to be done before running inherit. Right? As for how long I am available to work on this... I have all night.
  13. Ran: VArestorepolices.inf
      Ran: FixPolicies
      Ran: IDefault_XP_Tablet_PC_2005_SP3_Start_v300.reg
      Ran: CMD /K DEL C:\WINDOWS\*.TMP
      c:\windows\Set3.tmp
      Access is denied.
      C:\windows\Set7.temp
      Access is denied.
      Attempted to uninstall (through add/remove applet) Adobe Reader 6. Java
  14. Here's the DDS.log

      DDS (Ver_09-09-29.01) - NTFSx86
      Run by gjbunton at 22:27:04.98 on Fri 10/09/2009
      Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_14
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.266 [GMT -7:00]

      AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
      FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

      ============== Running Processes ===============

      C:\WINDOWS\system32\svchost -k DcomLaunch
      svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\svchost.exe -k netsvcs
      C:\Program Files\McAfee\VirusScan\McShield.exe
      C:\WINDOWS\System32\dmadmin.exe
      C:\WINDOWS\system32\igfxpers.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\Program Files\McAfee.com\Agent\mcagent.exe
      C:\Program Files\Java\jre6\bin\jusched.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\taskmgr.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Documents and Settings\gjbunton\Desktop\dds.scr

      ============== Pseudo HJT Report ===============

      uStart Page = hxxp://comcast.net/
      mStart Page = about:blank
      TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
      uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
      uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
      mRun: [igfxtray] c:\windows\system32\igfxtray.exe
      mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
      mRun: [igfxpers] c:\windows\system32\igfxpers.exe
      mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
      mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
      mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
      mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
      mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
      mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
      mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
      IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
      IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
      IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
      DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
      DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vpn.wallacegroup.us/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
      DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\gjbunton\locals~1\temp\ixp000.tmp\InstallerControl.cab
      DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212080689437
      DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://vpn.wallacegroup.us/vdesk/terminal/urTermProxy.cab#version=6020,2007,1001,2136
      DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212080723437
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
      DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://vpn.wallacegroup.us/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
      DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vpn.wallacegroup.us/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
      Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
      Notify: igfxcui - igfxdev.dll
      SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

      ============= SERVICES / DRIVERS ===============

      R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-7 201320]
      R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-7-7 144704]
      R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-3-30 28672]
      R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-7 79304]
      R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-7 35240]
      S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-8-26 36608]
      S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-7 33832]
      S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-7 40488]
      S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-8-26 233472]
      S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-4 210216]
      S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-7 359248]
      S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-7 695624]

      =============== Created Last 30 ================

      2009-10-09 19:37 <DIR> a-dshr-- C:\cmdcons
      2009-10-09 19:36 <DIR> --d----- C:\Combo-Fix
      2009-10-09 18:47 4,224 ac------ c:\windows\system32\dllcache\beep.sys
      2009-10-09 18:47 4,224 -------- c:\windows\system32\drivers\beep.sys
      2009-10-09 18:40 56,320 ac------ c:\windows\system32\dllcache\eventlog.dll
      2009-10-09 18:40 56,320 -------- c:\windows\system32\eventlog.dll
      2009-10-09 12:02 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
      2009-10-09 12:02 50,176 a------- c:\windows\system32\proquota.exe
      2009-10-09 11:43 229,888 a------- c:\windows\PEV.exe
      2009-10-09 11:43 161,792 a------- c:\windows\SWREG.exe
      2009-10-09 11:43 98,816 a------- c:\windows\sed.exe
      2009-10-04 11:07 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
      2009-10-04 11:07 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
      2009-10-04 11:07 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
      2009-10-04 11:07 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
      2009-10-04 11:07 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
      2009-10-04 11:07 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
      2009-10-04 11:05 12,127 ac------ c:\windows\system32\dllcache\wadv02nt.sys
      2009-10-04 11:04 17,152 ac------ c:\windows\system32\dllcache\usbohci.sys
      2009-10-04 11:03 48,736 ac------ c:\windows\system32\dllcache\srwlnd5.sys
      2009-10-04 11:02 11,136 ac------ c:\windows\system32\dllcache\slip.sys
      2009-10-04 11:01 23,936 ac------ c:\windows\system32\dllcache\sccmusbm.sys
      2009-10-04 11:00 899,146 ac------ c:\windows\system32\dllcache\r2mdkxga.sys
      2009-10-04 10:59 121,344 ac------ c:\windows\system32\dllcache\phvfwext.dll
      2009-10-04 10:58 44,544 ac------ c:\windows\system32\dllcache\ovui2.dll
      2009-10-04 10:57 132,695 ac------ c:\windows\system32\dllcache\netwlan5.sys
      2009-10-04 10:56 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
      2009-10-04 10:55 727,786 ac------ c:\windows\system32\dllcache\ltck000c.sys
      2009-10-04 10:54 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
      2009-10-04 10:54 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
      2009-10-04 10:54 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
      2009-10-04 10:54 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
      2009-10-04 10:54 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
      2009-10-04 10:54 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
      2009-10-04 10:52 372,824 ac------ c:\windows\system32\dllcache\iconf32.dll
      2009-10-04 10:51 123,392 ac------ c:\windows\system32\dllcache\hpgt21tk.dll
      2009-10-04 10:50 442,240 ac------ c:\windows\system32\dllcache\fpnpbase.sys
      2009-10-04 10:50 441,728 ac------ c:\windows\system32\dllcache\fpcmbase.sys
      2009-10-04 10:50 444,416 ac------ c:\windows\system32\dllcache\fpcibase.sys
      2009-10-04 10:50 34,173 ac------ c:\windows\system32\dllcache\forehe.sys
      2009-10-04 10:50 71,680 ac------ c:\windows\system32\dllcache\fnfilter.dll
      2009-10-04 10:49 27,165 ac------ c:\windows\system32\dllcache\fetnd5.sys
      2009-10-04 10:49 22,090 ac------ c:\windows\system32\dllcache\fem556n5.sys
      2009-10-04 10:49 24,618 ac------ c:\windows\system32\dllcache\fa410nd5.sys
      2009-10-04 10:49 16,074 ac------ c:\windows\system32\dllcache\fa312nd5.sys
      2009-10-04 10:49 12,362 ac------ c:\windows\system32\dllcache\f3ab18xi.sys
      2009-10-04 10:49 11,850 ac------ c:\windows\system32\dllcache\f3ab18xj.sys
      2009-10-04 10:49 16,998 ac------ c:\windows\system32\dllcache\ex10.sys
      2009-10-04 10:49 7,040 ac------ c:\windows\system32\dllcache\exabyte2.sys
      2009-10-04 10:49 45,568 ac------ c:\windows\system32\dllcache\esunib.dll
      2009-10-04 10:49 45,568 ac------ c:\windows\system32\dllcache\esuni.dll
      2009-10-04 10:47 19,594 ac------ c:\windows\system32\dllcache\e100isa4.sys
      2009-10-04 10:46 10,240 ac------ c:\windows\system32\dllcache\compbatt.sys
      2009-10-04 10:45 121,856 ac------ c:\windows\system32\dllcache\camext30.dll
      2009-10-04 10:45 236,032 ac------ c:\windows\system32\dllcache\camext20.dll
      2009-10-04 10:45 116,736 ac------ c:\windows\system32\dllcache\camext30.ax
      2009-10-04 10:45 244,224 ac------ c:\windows\system32\dllcache\camext20.ax
      2009-10-04 10:45 74,240 ac------ c:\windows\system32\dllcache\camexo20.dll
      2009-10-04 10:45 73,216 ac------ c:\windows\system32\dllcache\camexo20.ax
      2009-10-04 10:45 223,232 ac------ c:\windows\system32\dllcache\camdrv21.sys
      2009-10-04 10:45 171,264 ac------ c:\windows\system32\dllcache\camdrv30.sys
      2009-10-04 10:45 314,752 ac------ c:\windows\system32\dllcache\camdro21.sys
      2009-10-04 10:42 18,432 ac------ c:\windows\system32\dllcache\bdaplgin.ax
      2009-10-04 10:41 6,272 ac------ c:\windows\system32\dllcache\apmbatt.sys
      2009-10-04 10:40 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
      2009-10-04 08:50 <DIR> --d-h--- c:\windows\system32\GroupPolicy
      2009-10-04 08:40 <DIR> --dsh--- c:\documents and settings\gjbunton\PrivacIE
      2009-10-03 17:25 <DIR> --dsh--- c:\documents and settings\gjbunton\IECompatCache
      2009-10-03 17:22 <DIR> --d----- c:\docume~1\gjbunton\applic~1\Malwarebytes
      2009-10-03 14:11 <DIR> --d----- c:\program files\Lavasoft
      2009-10-03 14:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
      2009-10-03 13:08 <DIR> --d----- c:\windows\pss
      2009-10-01 06:41 <DIR> --d-h--- c:\windows\PIF
      2009-10-01 06:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
      2009-10-01 06:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
      2009-10-01 06:32 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
      2009-10-01 06:32 19,160 a------- c:\windows\system32\drivers\mbam.sys
      2009-10-01 06:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
      2009-10-01 06:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
      2009-10-01 06:29 6,144 -------- c:\windows\system32\1A.tmp
      2009-10-01 06:29 6,144 -------- c:\windows\system32\19.tmp
      2009-10-01 06:28 6,144 -------- c:\windows\system32\18.tmp
      2009-10-01 06:28 <DIR> --d----- c:\program files\Sophos
      2009-09-29 19:22 <DIR> --d----- C:\New Folder
      2009-09-29 16:48 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
      2009-09-29 16:48 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
      2009-09-29 10:01 95,744 a------- c:\windows\system32\OLDrnpasswd.exe
      2009-09-13 21:40 43 a------- c:\windows\system32\OLDSKYNETxrdolijp.dat

      ==================== Find3M ====================

      2009-09-13 16:12 90,112 a------- c:\windows\DUMP9172.tmp
      2009-09-13 16:11 90,112 a------- c:\windows\DUMPe2fd.tmp
      2009-09-13 16:10 90,112 a------- c:\windows\DUMP7e48.tmp
      2009-09-13 16:09 90,112 a------- c:\windows\DUMP806b.tmp
      2009-09-13 16:08 90,112 a------- c:\windows\DUMPdbda.tmp
      2009-09-13 16:06 90,112 a------- c:\windows\DUMPc822.tmp
      2009-09-13 16:05 90,112 a------- c:\windows\DUMPd1b7.tmp
      2009-09-13 16:03 90,112 a------- c:\windows\DUMP83a7.tmp
      2009-09-13 16:02 90,112 a------- c:\windows\DUMPe7c0.tmp
      2009-09-13 16:01 90,112 a------- c:\windows\DUMPd522.tmp
      2009-09-13 15:59 90,112 a------- c:\windows\DUMP7ec5.tmp
      2009-09-13 15:58 90,112 a------- c:\windows\DUMP972f.tmp
      2009-09-13 15:57 90,112 a------- c:\windows\DUMPda43.tmp
      2009-09-13 15:55 90,112 a------- c:\windows\DUMPd89d.tmp
      2009-09-13 15:54 90,112 a------- c:\windows\DUMPe3a9.tmp
      2009-09-13 15:53 90,112 a------- c:\windows\DUMPde2b.tmp
      2009-09-13 15:51 90,112 a------- c:\windows\DUMP876f.tmp
      2009-09-13 15:50 90,112 a------- c:\windows\DUMPf433.tmp
      2009-09-13 15:48 90,112 a------- c:\windows\DUMPde0b.tmp
      2009-09-13 15:47 90,112 a-------
c:\windows\DUMP9a5b.tmp 2009-09-13 15:46 90,112 a------- c:\windows\DUMPeb2b.tmp 2009-09-13 15:44 90,112 a------- c:\windows\DUMPd205.tmp 2009-09-13 15:42 90,112 a------- c:\windows\DUMPd968.tmp 2009-09-13 15:41 90,112 a------- c:\windows\DUMPd5fe.tmp 2009-09-13 15:40 90,112 a------- c:\windows\DUMPd7b2.tmp 2009-09-13 15:38 90,112 a------- c:\windows\DUMPd5fd.tmp 2009-09-13 15:37 90,112 a------- c:\windows\DUMP82cd.tmp 2009-09-13 15:36 90,112 a------- c:\windows\DUMP7d8c.tmp 2009-09-13 15:35 90,112 a------- c:\windows\DUMPd5ce.tmp 2009-09-13 15:33 90,112 a------- c:\windows\DUMP81c2.tmp 2009-09-13 15:32 90,112 a------- c:\windows\DUMP8c13.tmp 2009-09-13 15:31 90,112 a------- c:\windows\DUMP83b6.tmp 2009-09-13 15:30 90,112 a------- c:\windows\DUMP8165.tmp 2009-09-13 15:29 90,112 a------- c:\windows\DUMPd457.tmp 2009-09-13 15:27 90,112 a------- c:\windows\DUMP803c.tmp 2009-09-13 15:26 90,112 a------- c:\windows\DUMPe1f3.tmp 2009-09-13 15:25 90,112 a------- c:\windows\DUMPc7c4.tmp 2009-09-13 15:23 90,112 a------- c:\windows\DUMP80c8.tmp 2009-09-13 15:22 90,112 a------- c:\windows\DUMP7f32.tmp 2009-09-13 15:21 90,112 a------- c:\windows\DUMPced9.tmp 2009-09-13 15:20 90,112 a------- c:\windows\DUMP7dbb.tmp 2009-09-13 15:19 90,112 a------- c:\windows\DUMP80f7.tmp 2009-09-13 15:17 90,112 a------- c:\windows\DUMP83d6.tmp 2009-09-13 15:16 90,112 a------- c:\windows\DUMPd0dc.tmp 2009-09-13 15:15 90,112 a------- c:\windows\DUMP82cc.tmp 2009-09-13 15:14 90,112 a------- c:\windows\DUMPa066.tmp 2009-09-13 15:13 90,112 a------- c:\windows\DUMPd551.tmp 2009-09-13 15:12 90,112 a------- c:\windows\DUMP7c92.tmp 2009-09-13 15:10 90,112 a------- c:\windows\DUMPb287.tmp 2009-09-13 15:09 90,112 a------- c:\windows\DUMPe203.tmp 2009-09-13 15:08 90,112 a------- c:\windows\DUMPca45.tmp 2009-09-13 15:06 90,112 a------- c:\windows\DUMPd503.tmp 2009-09-13 15:05 90,112 a------- c:\windows\DUMPd66a.tmp 2009-09-13 15:03 90,112 a------- c:\windows\DUMPcd33.tmp 2009-09-13 15:02 90,112 a------- 
c:\windows\DUMPe2ce.tmp 2009-09-13 15:00 90,112 a------- c:\windows\DUMPdcb4.tmp 2009-09-13 14:59 90,112 a------- c:\windows\DUMPe4c2.tmp 2009-09-13 14:57 90,112 a------- c:\windows\DUMP804b.tmp 2009-09-13 14:56 90,112 a------- c:\windows\DUMPb6fb.tmp 2009-09-13 14:55 90,112 a------- c:\windows\DUMP8240.tmp 2009-09-13 14:54 90,112 a------- c:\windows\DUMPd282.tmp 2009-09-13 14:52 90,112 a------- c:\windows\DUMPdf16.tmp 2009-09-13 14:51 90,112 a------- c:\windows\DUMPe88b.tmp 2009-09-13 14:50 90,112 a------- c:\windows\DUMP8bd4.tmp 2009-09-13 14:49 90,112 a------- c:\windows\DUMPdf34.tmp 2009-09-13 14:47 90,112 a------- c:\windows\DUMPdbd9.tmp 2009-09-13 14:46 90,112 a------- c:\windows\DUMPf01c.tmp 2009-09-13 14:44 90,112 a------- c:\windows\DUMPe5cc.tmp 2009-09-13 14:43 90,112 a------- c:\windows\DUMPe714.tmp 2009-09-13 14:41 90,112 a------- c:\windows\DUMPcdb0.tmp 2009-09-13 14:40 90,112 a------- c:\windows\DUMPc7b5.tmp 2009-09-13 14:38 90,112 a------- c:\windows\DUMPb0c2.tmp 2009-09-13 14:37 90,112 a------- c:\windows\DUMP7e09.tmp 2009-09-13 14:36 90,112 a------- c:\windows\DUMPc709.tmp 2009-09-13 14:34 90,112 a------- c:\windows\DUMPbe2f.tmp 2009-09-13 14:33 90,112 a------- c:\windows\DUMPcc68.tmp 2009-09-13 14:32 90,112 a------- c:\windows\DUMPe03e.tmp 2009-09-13 14:30 90,112 a------- c:\windows\DUMPdf53.tmp 2009-09-13 14:29 90,112 a------- c:\windows\DUMPcaf1.tmp 2009-09-13 14:27 90,112 a------- c:\windows\DUMP8b09.tmp 2009-09-13 14:26 90,112 a------- c:\windows\DUMPdf15.tmp 2009-09-13 14:25 90,112 a------- c:\windows\DUMPd447.tmp 2009-09-13 14:24 90,112 a------- c:\windows\DUMPdafe.tmp 2009-09-13 14:22 90,112 a------- c:\windows\DUMPdc56.tmp 2009-09-13 14:21 90,112 a------- c:\windows\DUMP84df.tmp 2009-09-13 14:20 90,112 a------- c:\windows\DUMPa344.tmp 2009-09-13 14:18 90,112 a------- c:\windows\DUMP8b19.tmp 2009-09-13 14:17 90,112 a------- c:\windows\DUMPb749.tmp 2009-09-13 14:16 90,112 a------- c:\windows\DUMP970f.tmp 2009-09-13 14:15 90,112 a------- 
c:\windows\DUMPdf92.tmp 2009-09-13 14:13 90,112 a------- c:\windows\DUMPd8eb.tmp 2009-09-13 14:12 90,112 a------- c:\windows\DUMP7e19.tmp 2009-09-13 14:11 90,112 a------- c:\windows\DUMP9aa9.tmp 2009-09-13 14:10 90,112 a------- c:\windows\DUMP9db7.tmp 2009-09-13 14:09 90,112 a------- c:\windows\DUMPdb1d.tmp 2009-09-13 14:07 90,112 a------- c:\windows\DUMPddae.tmp 2009-09-13 14:06 90,112 a------- c:\windows\DUMP823f.tmp 2009-09-13 14:05 90,112 a------- c:\windows\DUMPe697.tmp 2009-09-13 14:03 90,112 a------- c:\windows\DUMPc860.tmp 2009-09-13 14:02:04 A------- 90,112 c:\windows\DUMPe06d.tmp ============= FINISH: 22:27:35.84 =============== Here's the attach.txt UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-09-29.01) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 5/29/2008 9:37:24 AM System Uptime: 10/9/2009 7:52:25 PM (3 hours ago) Motherboard: Dell Computer Corp. | | 0F4491 Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 74 GiB total, 50.128 GiB free. 
D: is CDROM () E: is CDROM () F: is Removable ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP1: 10/9/2009 6:36:22 PM - System Checkpoint ==== Installed Programs ====================== Adobe Atmosphere Player for Acrobat and Adobe Reader Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 6.0.1 Adobe Shockwave Player 11.5 Apple Mobile Device Support Apple Software Update Bonjour CDBurnerXP Critical Update for Windows Media Player 11 (KB959772) Dell ResourceCD Digital Locker Assistant Game Maker 6.1 Game Maker 7.0 GIMP 2.6.3 Google Earth Google Toolbar for Internet Explorer HijackThis 1.99.1 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Intel® 537EP V9x DF PCI Modem Intel® Extreme Graphics 2 Driver Intel® PRO Network Connections Drivers iTunes Java 6 Update 14 Java 6 Update 2 Java 6 Update 7 LibUSB-Win32-0.1.12.1 Malwarebytes' Anti-Malware McAfee SecurityCenter Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Professional Edition 2003 Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 MobileMe Control Panel MP3 Player Utilities MP3 Player Utilities 4.00 MP3 Player Utilities 4.05 Norton Security Scan Norton Security Scan 
(Symantec Corporation) OpenOffice.org Installer 1.0 PC Connectivity Solution PowerDVD 5.3 QuickFreedom 1.1.0 QuickTime Safari SAMSUNG Mobile Composite Device Software SAMSUNG Mobile Modem Driver Set Samsung Mobile phone USB driver Software SAMSUNG Mobile USB Modem 1.0 Software SAMSUNG Mobile USB Modem Software Samsung New PC Studio SamsungConnectivityCableDriver Security Update for Windows Internet Explorer 7 (KB938127-v2) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923789) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) 
Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371-v2) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973869) Sophos Anti-Rootkit 1.5.0 SoundMAX Spybot - Search & Destroy Starcraft teenSMART