nagrap2 (Members, 15 posts)

Everything posted by nagrap2

  1. Hi, it doesn't let me load anything up now. Once the laptop starts up, after about 5 secs the System Tool dialogue opens and doesn't then let me open anything, not even My Computer.
  2. Hi, I tried the suggested rkill files; the one that worked was: WiNlOgOn.exe

     Log:

     --------------------------------------------------
     This log file is located at C:\rkill.log.
     Please post this only if requested to by the person helping you.
     Otherwise you can close this log when you wish.

     Rkill was run on 01/02/2011 at 21:27:00.
     Operating System: Microsoft Windows XP

     Processes terminated by Rkill or while it was running:

     C:\Documents and Settings\All Users\Application Data\eAgKhCf15400\eAgKhCf15400.exe

     Rkill completed on 01/02/2011 at 21:27:09.
     ------------------------------------------------------

     I then ran Malwarebytes as instructed and was able to update to the latest version. Then, when the application restarted, I got the following error: "An error has occurred. Please report this error code to our support team. MBAM_ERROR_EXPANDING_VARIABLES(0, 453)" Please suggest next steps.
  3. Hi, I have the System Tool virus. I have followed the instructions and downloaded DeFogger, DDS and GMER, but when I try to run them System Tool prevents them from running. I also cannot run Internet Explorer or Malwarebytes. I have tried renaming the exe files to something else, but they still do not execute. Please advise... Thanks in advance...
  4. Hi, my laptop is infected with the System Tool virus. I have tried to start up in Safe Mode with Networking; I then ran Malwarebytes and it detected approx. 20 infections. I removed those, then when I restarted in normal mode System Tool re-appeared. Now I am unable to run any apps. Please help!! Thanks in advance...
  5. Hi, I have run Combofix and have pasted the log below. The trojan doesn't seem to be popping now, however, are you able to check from the below to see if it is completely removed?
  6. Hi, I ran ATF Cleaner as requested and it cleared approx. 500MB. I ran GooredFix. I ran TDSSKiller and it said no infections found. When I try to click on the Report button to download the log, Security Tool kicks in and prevents Notepad from starting. Basically, whenever I try to run any executable it is prevented by Security Tool. The way I got around running the above was to rename each executable to "iexplore.exe", as explorer seems to start up fine. What can we try next?
  7. Attaching OTListIt.txt, as when I try to paste it, it says it's too long. OTListIt.txt
  8. Hi, I have tried to scan using Malwarebytes in Safe Boot mode and it doesn't detect any trojans. I then start in normal mode and try to scan, and Malwarebytes doesn't complete as I get the blue screen of death. I then tried to follow the guide given here (http://forums.malwarebytes.org/index.php?showtopic=9573) but the Security Tool blocks me from running the DDS.scr file in normal mode, so I restarted in Safe Boot mode. I was unable to run the GMER Rootkit Scanner as I get a Windows error saying the program has encountered a problem and needs to close... I then tried to follow the instructions given at the bottom of this (http://forums.malwarebytes.org/index.php?showtopic=67755&hl=Security+Tool) post to run OTL.exe and RootkitUnhooker. Unfortunately RootkitUnhooker did not run as I got an error saying "Error loading/opening driver". I am running Windows XP. Please let me know if you require me to run any other tools? DDS.txt:
HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified ============= SERVICES / DRIVERS 
=============== S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-1-11 179984] S2 gupdate1cabfbcb3e7fcc4;Google Update Service (gupdate1cabfbcb3e7fcc4);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 133104] S2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-9-22 693512] S2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\virgin broadband\pcguard\safeconnect\bin\SanaAgent.exe [2008-11-14 4937752] S2 ScanDrv;ScanDrv;c:\windows\system32\drivers\scandrv.sys [2004-2-28 195396] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-16 38224] S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-9-22 910600] S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\virgin broadband\pcguard\RpsSecurityAwareR.exe [2009-5-27 170736] S3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectDriver.sys [2008-11-14 161304] S3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectFilter.sys [2008-11-14 29720] S3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectShim.sys [2008-11-14 27376] =============== Created Last 30 ================ 2010-11-16 23:56:58 69120 ----a-w- c:\windows\system32\iexplore.exe 2010-11-16 21:09:09 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE 2010-11-16 21:04:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-16 21:04:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-11-16 21:04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-11-16 20:45:36 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes 2010-11-16 20:45:20 -------- d-----w- 
c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-11-16 20:43:03 -------- d-sh--w- c:\documents and settings\administrator\IETldCache 2010-11-15 17:33:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools 2010-10-31 16:54:59 -------- d-----w- c:\program files\vShare 2010-10-31 16:48:20 -------- d-----w- c:\program files\Veetle ==================== Find3M ==================== 2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys 2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll 2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll 2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll ============= FINISH: 0:20:33.51 =============== Attach.zip
  9. I did some further reading and managed to fix the issue. Under Internet Options --> Connections --> LAN settings, the "use a proxy server for your LAN" option was checked, so I unchecked it and checked "automatically detect settings". All seems to be working fine now!! Thanks for your help, please can you close this topic now.
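An added check for the setting described in the post above (example code written for this page, not from the thread or from Malwarebytes): on Windows it reads the WinINet values behind Internet Options > Connections > LAN settings, elsewhere it runs on a constructed sample, and it reports a proxy that is enabled, sits on loopback, or covers HTTP but not HTTPS (the symptom in post 10). The registry path and the ProxyServer string format are standard WinINet; the sample value is made up.

```python
# Added illustration, not code from the thread; key path and ProxyServer format are WinINet's.
INET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOOPBACK = ("127.0.0.1", "localhost", "::1")
SAMPLE = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:5555"}  # constructed sample

def parse_proxy_server(value):
    """Parse a ProxyServer string into {scheme: 'host:port'}; '*' = all protocols."""
    if not value:
        return {}
    if "=" not in value:                # one proxy for every protocol
        return {"*": value.strip()}
    servers = {}
    for part in value.split(";"):       # per-protocol form: http=h:p;https=h:p
        scheme, sep, target = part.partition("=")
        if sep:
            servers[scheme.strip().lower()] = target.strip()
    return servers

def assess_proxy(values):
    """Return findings (list of str) for a dict of Internet Settings values."""
    findings = []
    if str(values.get("ProxyEnable", 0)) != "1":
        return findings                 # proxy box unchecked: nothing to report
    servers = parse_proxy_server(values.get("ProxyServer", ""))
    for scheme, target in servers.items():
        findings.append(f"proxy enabled for {scheme}: {target}")
        if target.rsplit(":", 1)[0].strip("[]").lower() in LOOPBACK:
            findings.append(f"{scheme} proxy is on loopback; check what listens on {target}")
    if servers and "*" not in servers and "https" not in servers:
        findings.append("only listed protocols proxied: HTTP fails while HTTPS still works")
    return findings

def read_live_values():
    """Current user's values on Windows; None when winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INET_KEY) as key:
        for name in ("ProxyEnable", "ProxyServer"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:             # value not present
                pass
    return values

if __name__ == "__main__":
    live = read_live_values()           # falls back to the constructed sample off Windows
    for line in assess_proxy(SAMPLE if live is None else live) or ["no proxy enabled"]:
        print(line)
```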
  10. Hi, Since I could start up the Firefox web browser, I tried renaming the Malwarebytes exe to firefox.exe and managed to get it to start up. I ran a scan and cleared the 5 items that were flagged as trojans. So now the PC seems to be clean of the trojan; however, I am now facing the following issue: when I open up either Internet Explorer or Firefox I am unable to load any http web pages, yet I am able to view https web pages. This issue seems to have come about after removing the files Malwarebytes flagged as trojan files. Please advise.
  11. Hi, Looks like I have a trojan which is preventing me from starting up Malwarebytes. I get a fake warning popping up saying Threat: Win32/Nuqel.E. I have tried the following so far but no luck: 1) Tried renaming the exe to have an extension of .com but it still didn't start up. 2) Tried running in Safeboot mode; Malwarebytes started and ran a scan, and also removed all infections, but then when running in non-Safeboot mode the infections re-appeared. What should I try next? Thanks in advance, Nagra
  13. Hi, I have completed the above, but when I try removing the infected files I get the "Regedit has been disabled by the Administrator" message. I'm sure others have experienced this issue; is someone able to point me to the relevant post?
  14. Hi, I have a trojan and have run a Malwarebytes quick scan. When I go to remove the infected files I get the following message; please advise on how I re-enable regedit: "Regedit has been disabled by the Administrator" Thanks in advance...
  15. Hi, I have the XP Antispyware 2010 trojan on my other laptop. I have tried to install Anti-Malware but it does not start up when I click the setup file. I have tried following various guides on the web that recommend renaming the exe to something else and then trying to run it, but it does not work. I have tried following the manual removal instructions but find I have different files from what the guides describe. I noticed there is an av.exe running. Please can someone help!!! Much appreciated.