jnhyep57
Everything posted by jnhyep57

  1. Hi Ron,

     Thanks for letting me know. MBAM is doing an excellent job at IP blocking. However, I am somewhat concerned with the sudden onslaught of IP blocks from 221.192.199.48/.46. I had no programs launched from 07:36 to 08:00. These are the same IPs that were frequently noted in my Wireshark live capture. I ran a Wireshark live capture for 30 min. (09:06 to 09:37) and IP 221.192.48/.46 were being blocked by MBAM.

     Protection log 6-11-2010
     06:40:55 (null) MESSAGE Protection started successfully
     06:41:56 Harry MESSAGE IP Protection started successfully
     06:57:08 Harry MESSAGE Scheduled update executed successfully
     06:57:08 Harry MESSAGE IP Protection stopped
     06:57:14 Harry MESSAGE Database updated successfully
     06:57:16 Harry MESSAGE IP Protection started successfully
     06:57:41 Harry IP-BLOCK 221.192.199.48
     07:01:45 Harry IP-BLOCK 221.192.199.48
     07:13:47 Harry IP-BLOCK 221.192.199.48
     07:17:49 Harry IP-BLOCK 221.192.199.48
     07:19:48 Harry IP-BLOCK 221.192.199.48
     07:27:43 Harry IP-BLOCK 221.192.199.48
     07:29:37 Harry IP-BLOCK 221.192.199.46
     07:39:48 Harry IP-BLOCK 221.192.199.48
     07:55:51 Harry IP-BLOCK 221.192.199.48
     08:03:04 Harry IP-BLOCK 221.192.199.46
     08:12:10 Harry IP-BLOCK 221.192.199.46
     08:18:14 Harry IP-BLOCK 218.8.245.123
     08:54:30 Harry IP-BLOCK 221.192.199.46
     08:55:53 Harry IP-BLOCK 221.192.199.48
     08:57:53 Harry IP-BLOCK 221.192.199.48
     09:06:09 Harry IP-BLOCK 221.192.199.48
     09:06:39 Harry IP-BLOCK 221.192.199.46
     09:12:39 Harry IP-BLOCK 221.192.199.46
     09:31:01 Harry IP-BLOCK 221.192.199.46
     09:33:59 Harry IP-BLOCK 221.192.199.46
     09:37:02 Harry IP-BLOCK 221.192.199.46

     Also, I am unable to install a high-priority security update - Microsoft .NET Framework 1.1 for Windows XP (KB979906). I may have to uninstall .NET Framework 1.1 to resolve this issue, either by ADD/REMOVE or by use of a Microsoft Fix-it tool. Please let me know if this is acceptable. Otherwise, is it safe to wait until my computer problem is resolved? Thanks again for all your help!
  2. I downloaded the Wireshark file (42.1 KB) to Rapidshare.com. You should be getting the file through email. Please let me know if you do not receive it or if I need to do another live capture.

     Protection log 6-9-2010
     07:23:53 (null) MESSAGE Protection started successfully
     07:24:43 Harry MESSAGE IP Protection started successfully
     08:41:57 Harry IP-BLOCK 218.8.245.123
     10:08:33 (null) MESSAGE Protection started successfully
     10:09:49 Harry MESSAGE IP Protection started successfully
     10:14:34 (null) MESSAGE Protection started successfully
     10:15:14 Harry MESSAGE IP Protection started successfully
     10:21:17 (null) MESSAGE Protection started successfully
     10:22:11 Harry MESSAGE IP Protection started successfully
     10:59:27 Harry IP-BLOCK 222.68.194.69
     12:32:15 Harry IP-BLOCK 204.188.201.130
     13:52:08 Harry IP-BLOCK 218.8.245.123
     15:49:15 Harry IP-BLOCK 219.153.65.33

     Started Wireshark live capture at 11:58 and ended at 16:17. Can you please explain to me why IPs 221.192.199.46 & 221.192.199.48 are not being blocked?

     Question: I haven't added MBAM as an exception in my Windows Firewall. Should I add it now? Thanks again for all your help and time!
  3. Please see attachments for DDS. Just got a different IP block, 222.68.194.69 (China) while replying to this post. Thanks again for all your help! DDS.txt Attach.zip
  4. I didn't get a block any time I opened the browser. It occurred sometimes not always. I'm using Firefox.
  5. I hope I caught it in time. The IP block flashed very briefly before I could do the above. My email was not launched and I was on the Malwarebytes forum. The second IP block of 218.8.245.123 was on start-up, with the SAS update window appearing on the screen. It again flashed very briefly. Usually the IP block bubble stays on the screen longer.

     Protection log for 6/8/10
     07:20:20 (null) MESSAGE Protection started successfully
     07:21:15 Harry MESSAGE IP Protection started successfully
     08:06:30 (null) MESSAGE Protection started successfully
     08:07:25 Harry MESSAGE IP Protection started successfully
     08:29:50 Harry IP-BLOCK 218.8.245.123
     09:50:09 (null) MESSAGE Protection started successfully
     09:50:51 Harry MESSAGE IP Protection started successfully
     10:24:38 Harry MESSAGE IP Protection stopped
     10:24:49 Harry MESSAGE Database updated successfully
     10:24:51 Harry MESSAGE IP Protection started successfully
     13:06:33 Harry IP-BLOCK 218.8.245.123 (on Malwarebytes forum)
     20:03:54 (null) MESSAGE Protection started successfully
     20:04:35 Harry MESSAGE IP Protection started successfully
     20:04:42 Harry IP-BLOCK 218.8.245.123 (on start-up with SAS update pop-up window appearing on screen)

     Thank you again for all your help and time!
  6. Hello,

     MBAM full scan on 6/8/14 with 3rd flash drive:

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4181
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     6/8/2010 11:10:27 AM
     mbam-log-2010-06-08 (11-10-27).txt

     Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|)
     Objects scanned: 167577
     Time elapsed: 45 minute(s), 13 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)

     Please see attached file for Combofix with 3rd flash drive. I'll attempt to do this as soon as I get another block. Thanks again for all your help!

     log3rdflashdrive.txt
  7. Hello,

     I don't have a router. My internet service is provided by Time Warner Road Runner and I have a Toshiba modem connected to my computer. I am still getting an IP block on 218.8.245.123 when I launch my email and when I'm web browsing. What else can I do to resolve this problem?

     Protection log for 6-7-10
     07:38:19 (null) MESSAGE Protection started successfully
     07:39:38 Harry MESSAGE IP Protection started successfully
     09:55:45 Harry IP-BLOCK 218.8.245.123 (when I launched my email)
     14:43:23 Harry IP-BLOCK 218.8.245.123 (when web browsing, please note email not launched)
     19:06:01 (null) MESSAGE Protection started successfully
     19:06:59 Harry MESSAGE IP Protection started successfully
     20:46:52 Harry MESSAGE IP Protection stopped
     20:47:02 Harry MESSAGE Database updated successfully
     20:47:06 Harry MESSAGE IP Protection started successfully

     My Search Assistant

     Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\MyWaySA
     Class Name: <NO CLASS>
     Last Write Time: 6/2/2010 - 8:37 PM

     Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\MyWaySA\SearchAssistantDE
     Class Name: <NO CLASS>
     Last Write Time: 6/2/2010 - 8:37 PM
     Value 0
     Name: CurInstall
     Type: REG_SZ
     Data: 1
     Value 1
     Name: sr
     Type: REG_SZ
     Data: 0
     Value 2
     Name: pl
     Type: REG_SZ
     Data: 9

     Ran McAfee AV, nothing found with 2 flash drives. See attached file for Combofix.

     MBAM full scan:

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4177
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     6/7/2010 9:29:24 PM
     mbam-log-2010-06-07 (21-29-24).txt

     Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|)
     Objects scanned: 167288
     Time elapsed: 41 minute(s), 45 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)

     I could only run 2 flash drives since I only have 2 ports. I'll post the 3rd flash drive results later. I did run Combofix with the flash drives on 5/14 (please refer to posts #8 & #11 for Combofix results) when I asked screen if the flash drives could be infected. McAfee AV was scanning my 3rd flash drive today, 6/8, and IP 218.8.245.123 was blocked. McAfee scan for 3rd flash drive - nothing found. I'll run Combofix next and post it later. Thanks again for all your help!

     log.txt
  8. Hello Ron,

     I've deleted all my email messages, hoping it will resolve the IP blocks that I've been getting when I launch my email. However, if the IP blocks continue when I open my email, is this okay? Also, can you please elaborate on how some type of ad may have a link to that particular site?

     Completed

     Unfortunately I use my computer for work-related things, so I can't use any other AV except for McAfee VirusScan 8.7. Can you please direct me to the download site? However, I don't even know if I need it. I'll have to check what programs require it to be installed.

     Questions:

     1. I can't remove My Way Search Assistant with ADD/REMOVE. This is the error message received when trying to remove it:
        RUNDLL
        Error loading C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll
        The specified module could not be found.
     2. I am still getting IP blocks from 218.8.245.123 while web browsing and my email was not launched. Is this okay?
     3. I found this folder in the Windows folder called PeerNet that contains sqldb20.dll, sqlse20.dll & sqlqp20.dll. Can I delete the folder?
     4. I have 3 flash drives. Is it safe to say they are not infected?

     Finally, I can't thank you enough for helping me to clean up my computer! If it wasn't for MBAM Pro (IP blocking), I wouldn't have known my computer was infected! MBAM Pro is an excellent program and this forum is so supportive and wonderful. I will definitely recommend MBAM Pro and this forum to my friends and family. Thanks again for all the excellent help and support! :)
  9. Hello,

     protection-log-2010-06-05
     06:18:24 Harry MESSAGE Protection started successfully
     06:18:28 Harry MESSAGE IP Protection started successfully
     09:00:29 Harry IP-BLOCK 218.8.245.123 (opened email)
     13:55:56 Harry IP-BLOCK 218.8.245.123 (launched Malwarebytes to open protection log)
     14:44:02 Harry MESSAGE Protection started successfully
     14:44:08 Harry MESSAGE IP Protection started successfully

     I am only opening my email to check for messages from you. Otherwise, I don't launch it at all. I had the computer running without launching anything from 14:44 to 17:45 and had no IP blocks. Thanks again for all your help and time!
  10. Hello, I deleted the stupid question since I knew what the answer would be. I'll be waiting patiently for your next reply. Thanks again for all your help!
  11. protection-log-2010-06-04
      05:36:22 Harry MESSAGE Protection started successfully
      05:36:26 Harry MESSAGE IP Protection started successfully
      06:20:50 Harry IP-BLOCK 218.8.245.123
      07:36:19 Harry MESSAGE Protection started successfully
      07:36:23 Harry MESSAGE IP Protection started successfully
      07:51:52 Harry MESSAGE Protection started successfully
      07:51:56 Harry MESSAGE IP Protection started successfully
      08:01:48 Harry MESSAGE Protection started successfully
      08:01:52 Harry MESSAGE IP Protection started successfully
      08:39:50 Harry MESSAGE Protection started successfully
      08:39:54 Harry MESSAGE IP Protection started successfully
      08:48:11 Harry MESSAGE Protection started successfully
      08:48:15 Harry MESSAGE IP Protection started successfully
      09:04:47 Harry MESSAGE Protection started successfully
      09:04:50 Harry MESSAGE IP Protection started successfully
      09:04:52 Harry MESSAGE IP Protection stopped
      09:05:02 Harry MESSAGE Database updated successfully
      09:05:03 Harry MESSAGE IP Protection started successfully
      10:46:35 Harry MESSAGE Protection started successfully
      10:46:39 Harry MESSAGE IP Protection started successfully
      13:17:11 Harry MESSAGE Protection started successfully
      13:17:15 Harry MESSAGE IP Protection started successfully
      13:58:00 Harry MESSAGE Protection started successfully
      13:58:09 Harry MESSAGE IP Protection started successfully
      17:05:44 Harry IP-BLOCK 218.8.245.123
      17:16:36 Harry IP-BLOCK 60.173.10.155

      I was having problems with receiving my email, then IP 218.8.245.123 was blocked. Then another IP block occurred soon after. I'll be waiting for your next set of instructions. Thanks again for all your time and help!!
  12. Hello, Here's the logs and attachments: JavaRa 1.15 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Fri Jun 04 06:05:20 2010 Found and removed: SOFTWARE\Classes\JavaPlugin.142_03 ------------------------------------ Finished reporting. ComboFix 10-06-03.01 - Harry 06/04/2010 8:26.6.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2294.1894 [GMT -10:00] Running from: c:\documents and settings\Harry\My Documents\Downloads\ComboFix.exe Command switches used :: c:\documents and settings\Harry\Desktop\CFscript.txt FILE :: "c:\windows\system32\drivers\awrtpd.sys" "c:\windows\system32\drivers\awrtrd.sys" "c:\windows\system32\drivers\Lbd.sys" "c:\windows\system32\drivers\npf.sys" "c:\windows\system32\drivers\nsdriver.sys" "c:\windows\system32\drivers\SBREDrv.sys" "c:\windows\system32\drivers\wanatw4.sys" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\drivers\SBREDrv.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_AD-WATCH_CONNECT_FILTER -------\Legacy_AD-WATCH_REAL-TIME_SCANNER -------\Legacy_AD-WATCH_REGISTRY_FILTER -------\Legacy_LBD -------\Legacy_MRTRATE -------\Legacy_NPF -------\Legacy_SBRE -------\Legacy_SPRTSVC_MEDICSP2 -------\Service_Ad-Watch Connect Filter -------\Service_Ad-Watch Real-Time Scanner -------\Service_Ad-Watch Registry Filter -------\Service_Lbd -------\Service_mrtRate -------\Service_SBRE -------\Service_sprtsvc_medicsp2 -------\Service_wanatw ((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 ))))))))))))))))))))))))))))))) . 2010-06-02 07:36 . 2010-06-02 07:40 -------- d-----w- c:\program files\ERUNT 2010-06-01 23:00 . 2010-04-30 01:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-06-01 23:00 . 
2010-04-30 01:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-06-01 23:00 . 2010-06-01 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-29 17:42 . 2010-06-02 05:13 -------- d-----w- c:\documents and settings\Harry\Application Data\Wireshark 2010-05-23 18:20 . 2010-05-23 18:20 61440 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7e4622b2-n\decora-sse.dll 2010-05-23 18:20 . 2010-05-23 18:20 503808 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1084c7d2-n\msvcp71.dll 2010-05-23 18:20 . 2010-05-23 18:20 499712 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1084c7d2-n\jmc.dll 2010-05-23 18:20 . 2010-05-23 18:20 348160 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1084c7d2-n\msvcr71.dll 2010-05-23 18:20 . 2010-05-23 18:20 12800 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7e4622b2-n\decora-d3d.dll 2010-05-15 21:10 . 2010-05-15 21:10 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe 2010-05-15 07:41 . 2010-05-15 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure 2010-05-15 07:30 . 2010-05-15 07:30 12800 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72c50c91-n\decora-d3d.dll 2010-05-15 07:30 . 2010-05-15 07:30 61440 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72c50c91-n\decora-sse.dll 2010-05-15 07:30 . 2010-05-15 07:30 503808 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72326f82-n\msvcp71.dll 2010-05-15 07:30 . 
2010-05-15 07:30 499712 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72326f82-n\jmc.dll 2010-05-15 07:30 . 2010-05-15 07:30 348160 ----a-w- c:\documents and settings\Harry\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72326f82-n\msvcr71.dll 2010-05-15 07:30 . 2010-05-15 21:31 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-08 22:43 . 2010-05-08 22:43 -------- d-----w- c:\windows\Performance 2010-05-08 22:42 . 2010-05-08 22:42 -------- d-----w- c:\documents and settings\Harry\Local Settings\Application Data\Microsoft Corporation . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-04 17:35 . 2009-11-07 23:08 -------- d-----w- c:\program files\Microsoft Silverlight 2010-06-03 02:19 . 2005-10-13 05:04 45936 ----a-w- c:\documents and settings\Harry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-06-02 07:48 . 2010-05-03 05:58 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-06-01 23:00 . 2010-04-18 05:36 -------- d-----w- c:\documents and settings\Harry\Application Data\Malwarebytes 2010-06-01 23:00 . 2010-04-24 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-05-26 18:50 . 2010-05-01 01:24 -------- d-----w- c:\program files\CCleaner 2010-05-21 17:12 . 2010-05-04 02:34 63488 ----a-w- c:\documents and settings\Harry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-05-21 17:12 . 2010-05-03 05:59 117760 ----a-w- c:\documents and settings\Harry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-05-16 04:50 . 2009-12-17 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2010-05-15 21:15 . 2005-05-24 08:19 -------- d-----w- c:\program files\Common Files\Adobe 2010-05-12 06:53 . 
2009-11-26 23:05 -------- d-----w- c:\documents and settings\Harry\Application Data\WhiteSmoke 2010-05-12 03:18 . 2009-05-28 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell 2010-05-12 03:18 . 2008-12-15 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft 2010-05-07 02:41 . 2010-04-16 19:02 858000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2010-05-06 21:34 . 2005-03-31 13:27 -------- d-----w- c:\program files\WordPerfect Office 12 2010-05-04 18:00 . 2010-05-04 18:00 -------- d-----w- c:\documents and settings\Harry\Application Data\WinPatrol 2010-05-04 18:00 . 2010-05-04 18:00 -------- d-----w- c:\program files\BillP Studios 2010-05-04 07:58 . 2005-04-06 08:48 -------- d--h--w- c:\documents and settings\Harry\Application Data\Gtek 2010-05-04 07:58 . 2005-03-31 13:31 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek 2010-05-03 05:59 . 2010-05-03 05:59 52224 ----a-w- c:\documents and settings\Harry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-05-03 05:58 . 2010-05-03 05:58 -------- d-----w- c:\documents and settings\Harry\Application Data\SUPERAntiSpyware.com 2010-05-01 01:11 . 2005-03-31 13:26 -------- d-----w- c:\program files\Dell 2010-04-29 17:24 . 2010-02-22 20:39 518 ----a-w- c:\documents and settings\Harry\Application Data\iolo\Registry\Last\restore.bat 2010-04-27 05:16 . 2008-04-25 21:24 -------- d-----w- c:\documents and settings\Harry\Application Data\Intuit 2010-04-23 20:00 . 2010-04-23 20:00 -------- d-----w- c:\program files\VS Revo Group 2010-04-23 04:40 . 2010-04-23 04:34 -------- d-----w- c:\program files\Unlocker 2010-04-22 22:15 . 2008-05-23 02:38 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-04-22 00:11 . 2010-04-12 05:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0 2010-04-21 02:34 . 
2009-05-29 07:06 1483 ----a-w- c:\documents and settings\Harry\Application Data\iolo\restore.bat 2010-03-10 06:15 . 2004-08-04 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll . ((((((((((((((((((((((((((((( SnapShot@2010-06-01_22.05.29 ))))))))))))))))))))))))))))))))))))))))) . + 2010-06-04 16:17 . 2010-06-04 16:17 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll + 2004-08-10 19:08 . 2010-06-03 06:40 201736 c:\windows\SYSTEM32\FNTCACHE.DAT - 2004-08-10 19:08 . 2010-05-07 02:42 201736 c:\windows\SYSTEM32\FNTCACHE.DAT + 2010-06-04 17:48 . 2010-06-04 17:48 262144 c:\windows\SYSTEM32\CONFIG\SM Registry Backup\NTUSER.DAT + 2010-06-04 17:48 . 2010-06-04 17:48 262144 c:\windows\SYSTEM32\CONFIG\Original\NTUSER.DAT + 2010-06-04 17:48 . 2010-06-04 17:48 262144 c:\windows\SYSTEM32\CONFIG\Before Compact\NTUSER.DAT + 2010-06-02 07:38 . 2010-06-02 07:38 208896 c:\windows\ERDNT\6-1-2010\Users\00000002\UsrClass.dat + 2010-06-02 07:38 . 2005-10-20 22:02 163328 c:\windows\ERDNT\6-1-2010\ERDNT.EXE + 2010-06-02 07:38 . 2010-06-02 07:38 4124672 c:\windows\ERDNT\6-1-2010\Users\00000001\NTUSER.DAT + 2010-06-04 16:16 . 2010-06-04 16:16 20242432 c:\windows\Installer\2567f3.msp . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-31 24576] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/1/2010 1:00 PM 304464] R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [6/1/2010 1:00 PM 20952] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 Trusted Zone: internet Trusted Zone: intuit.com\ttlc Trusted Zone: mcafee.com Trusted Zone: turbotax.com FF - ProfilePath - c:\documents and settings\Harry\Application Data\Mozilla\Firefox\Profiles\5q0h3cqf.default\ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla 
Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-06-04 08:33 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,df,6e,5a,2e,65,a5,4b,81,60,61,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,df,6e,5a,2e,65,a5,4b,81,60,61,\ . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3384) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Intel\PROSetWired\NCS\Sync\NetSvc.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2010-06-04 08:36:51 - machine was rebooted ComboFix-quarantined-files.txt 2010-06-04 18:36 ComboFix2.txt 2010-06-01 22:07 ComboFix3.txt 2010-05-22 18:18 Pre-Run: 16,811,622,400 bytes free Post-Run: 16,705,368,064 bytes free - - End Of File - - 70394F316B48AF4E6C15B297ACC3DA1E ntbtlog.txt Service Pack 3 6 4 2010 08:47:16.375 Loaded driver \WINDOWS\system32\ntkrnlpa.exe Loaded driver \WINDOWS\system32\hal.dll Loaded driver \WINDOWS\system32\KDCOM.DLL Loaded driver \WINDOWS\system32\BOOTVID.dll Loaded driver ACPI.sys Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS Loaded driver pci.sys Loaded driver isapnp.sys Loaded driver pciide.sys Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Loaded driver aliide.sys Loaded driver cmdide.sys Loaded driver toside.sys Loaded driver viaide.sys Loaded driver intelide.sys Loaded driver MountMgr.sys Loaded driver ftdisk.sys Loaded driver PartMgr.sys Loaded driver VolSnap.sys Loaded driver cpqarray.sys Loaded driver \WINDOWS\system32\DRIVERS\SCSIPORT.SYS Loaded driver atapi.sys Loaded driver aha154x.sys Loaded driver sparrow.sys Loaded driver symc810.sys Loaded driver aic78xx.sys Loaded driver dac960nt.sys Loaded driver ql10wnt.sys Loaded 
driver amsint.sys Loaded driver asc.sys Loaded driver asc3550.sys Loaded driver mraid35x.sys Loaded driver i2omp.sys Loaded driver ini910u.sys Loaded driver ql1240.sys Loaded driver aic78u2.sys Loaded driver symc8xx.sys Loaded driver sym_hi.sys Loaded driver sym_u3.sys Loaded driver ABP480N5.SYS Loaded driver asc3350p.sys Loaded driver cd20xrnt.sys Loaded driver ultra.sys Loaded driver adpu160m.sys Loaded driver dpti2o.sys Loaded driver ql1080.sys Loaded driver ql1280.sys Loaded driver ql12160.sys Loaded driver perc2.sys Loaded driver perc2hib.sys Loaded driver hpn.sys Loaded driver cbidf2k.sys Loaded driver dac2w2k.sys Loaded driver disk.sys Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS Loaded driver fltmgr.sys Loaded driver sr.sys Loaded driver drvmcdb.sys Loaded driver PxHelp20.sys Loaded driver KSecDD.sys Loaded driver Ntfs.sys Loaded driver NDIS.sys Loaded driver sisagp.sys Loaded driver viaagp.sys Loaded driver Mup.sys Loaded driver agp440.sys Loaded driver alim1541.sys Loaded driver amdagp.sys Loaded driver agpCPQ.sys Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys Loaded driver \SystemRoot\system32\DRIVERS\ialmnt5.sys Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys Loaded driver \SystemRoot\system32\DRIVERS\HSFHWBS2.sys Loaded driver \SystemRoot\system32\DRIVERS\HSF_DP.sys Loaded driver \SystemRoot\system32\DRIVERS\HSF_CNXT.sys Loaded driver \SystemRoot\System32\Drivers\Modem.SYS Loaded driver \SystemRoot\system32\DRIVERS\e100b325.sys Loaded driver \SystemRoot\system32\drivers\smwdm.sys Loaded driver \SystemRoot\system32\drivers\aeaudio.sys Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys Loaded driver \SystemRoot\system32\DRIVERS\parport.sys Loaded driver \SystemRoot\system32\DRIVERS\serial.sys Loaded driver 
\SystemRoot\system32\DRIVERS\serenum.sys Loaded driver \SystemRoot\system32\drivers\sscdbhk5.sys Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys Loaded driver \SystemRoot\system32\DRIVERS\psched.sys Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys Loaded driver \SystemRoot\system32\DRIVERS\update.sys Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys Loaded driver \SystemRoot\system32\DRIVERS\omci.sys Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys Loaded driver \SystemRoot\system32\DRIVERS\Dot4.sys Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys Loaded driver \SystemRoot\system32\DRIVERS\Dot4Prt.sys Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS Did not load driver \SystemRoot\System32\Drivers\Changer.SYS Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS Loaded driver \SystemRoot\System32\Drivers\Null.SYS Loaded driver \SystemRoot\System32\Drivers\Beep.SYS Loaded driver \SystemRoot\system32\drivers\ssrtln.sys Loaded driver 
\SystemRoot\System32\drivers\vga.sys Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys Loaded driver \SystemRoot\System32\drivers\afd.sys Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys Loaded driver \SystemRoot\System32\Drivers\Fips.SYS Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS Loaded driver \??\C:\WINDOWS\system32\drivers\mbam.sys Loaded driver \SystemRoot\system32\drivers\drvnddm.sys Loaded driver \SystemRoot\system32\dla\tfsndres.sys Loaded driver \SystemRoot\system32\dla\tfsnifs.sys Loaded driver \SystemRoot\system32\dla\tfsnopio.sys Loaded driver \SystemRoot\system32\dla\tfsnpool.sys Loaded driver \SystemRoot\system32\dla\tfsnboio.sys Loaded driver \SystemRoot\system32\dla\tfsncofs.sys Loaded driver \SystemRoot\system32\dla\tfsndrct.sys Loaded driver \SystemRoot\system32\dla\tfsnudf.sys Loaded driver \SystemRoot\system32\dla\tfsnudfa.sys Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys Loaded driver \SystemRoot\system32\drivers\wdmaud.sys Loaded driver \SystemRoot\system32\drivers\sysaudio.sys Loaded driver \SystemRoot\system32\drivers\splitter.sys Loaded driver \SystemRoot\system32\drivers\aec.sys Loaded driver 
mbam-log-2010-06-04 (09-32-02).txt

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4169

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/4/2010 9:33:02 AM
mbam-log-2010-06-04 (09-33-02).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 168125
Time elapsed: 27 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again for all your help and time!

SIGVERIF.TXT
  13. I did run TURNOFF.BAT the first time; however, it ran for a few seconds but did not restart the computer. It said to restart your computer to complete the procedure, which I did. I ran TURNOFF.BAT again; although it still said that there were some errors, it said it was successful and to restart the computer. This is what appeared after clicking twice on TURNOFF.BAT:

[SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
[SC] OpenService FAILED 1060: The specified service does not exist as an installed service.
[SC] ChangeService Configuration SUCCESS
[SC] OpenService Failed 1060: The specified service does not exist as an installed service.
[SC] ChangeService Configuration SUCCESS
[SC] ChangeService Configuration SUCCESS
[SC] ChangeService Configuration SUCCESS
[SC] OpenService Failed 1060: The specified service does not exist as an installed service.
[SC] ChangeService Configuration SUCCESS
Error: The system was unable to find the specified registry key or value
Error: The system was unable to find the specified registry key or value
Error: The system was unable to find the specified registry key or value
Error: The system was unable to find the specified registry key or value
Error: The system was unable to find the specified registry key or value
Error: The system was unable to find the specified registry key or value
The operation completed successfully
The operation completed successfully
Ok
Successfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.

I then rebooted the computer and ran DDS. I hope I did it correctly this time. Thanks again for all your time in helping me!

DDS.txt Attach.zip
  14. Hello, Completed steps 1-11 excluding step 6, since the GMER scan froze and I was unable to save the log. Copy of the most recent MBAM protection log after running the computer for 3 hrs (without accessing the internet) is below. Please see the requested attached folders and logs. Also, I'm concerned that my 3 flash drives may be infected. The flash drives were included in earlier scans (Combofix, DDS) but I'm not sure if they were infected or not. I'll be waiting patiently for your next instructions. Thank you so much for all your time and help!

04:45:56 Harry MESSAGE Protection started successfully
04:46:00 Harry MESSAGE IP Protection started successfully
04:58:14 Harry MESSAGE IP Protection stopped
08:08:34 Harry MESSAGE Protection started successfully
08:08:42 Harry MESSAGE IP Protection started successfully
08:09:00 Harry MESSAGE IP Protection stopped
08:09:10 Harry MESSAGE Database updated successfully
08:09:11 Harry MESSAGE IP Protection started successfully
08:30:36 Harry IP-BLOCK 218.10.181.151
08:30:38 Harry IP-BLOCK 218.10.181.151
09:10:03 Harry IP-BLOCK 218.8.245.123

Kasperskyonlinescanner.txt AutoRuns.zip NETINFO.TXT restore.txt DDS.txt Attach.txt
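Added example, not part of this thread and not Malwarebytes' own code: a small Python parser for protection-log lines in the format posted above. It tallies IP-BLOCK events per remote address and finds the windows during which IP Protection was stopped (times when blocks could not have been logged). The line layout ("HH:MM:SS user KIND detail", all from one day) is an assumption inferred from the posted lines; the sample log is the one from this post.

```python
"""Summarize a Malwarebytes' Anti-Malware 1.46 protection log.

Assumed line format (inferred from the posted log, not documented by Malwarebytes):
    HH:MM:SS <user> <MESSAGE|IP-BLOCK> <detail>
All lines are assumed to come from the same day.
"""
import re
from collections import Counter
from datetime import datetime

# Sample input: the protection-log lines from the post above, embedded so this runs offline.
SAMPLE_LOG = """\
04:45:56 Harry MESSAGE Protection started successfully
04:46:00 Harry MESSAGE IP Protection started successfully
04:58:14 Harry MESSAGE IP Protection stopped
08:08:34 Harry MESSAGE Protection started successfully
08:08:42 Harry MESSAGE IP Protection started successfully
08:09:00 Harry MESSAGE IP Protection stopped
08:09:10 Harry MESSAGE Database updated successfully
08:09:11 Harry MESSAGE IP Protection started successfully
08:30:36 Harry IP-BLOCK 218.10.181.151
08:30:38 Harry IP-BLOCK 218.10.181.151
09:10:03 Harry IP-BLOCK 218.8.245.123
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(MESSAGE|IP-BLOCK)\s+(.+?)\s*$")


def parse(text):
    """Return a list of (time, user, kind, detail) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, user, kind, detail = m.groups()
        events.append((datetime.strptime(stamp, "%H:%M:%S"), user, kind, detail))
    return events


def count_blocks(events):
    """Count IP-BLOCK events per remote address."""
    return Counter(detail for _, _, kind, detail in events if kind == "IP-BLOCK")


def unprotected_windows(events):
    """Return (stop, start, seconds) for each period in which IP Protection was stopped.

    A trailing 'stopped' with no later 'started' is reported as (stop, None, None).
    """
    windows = []
    pending = None
    for stamp, _, kind, detail in events:
        if kind != "MESSAGE":
            continue
        if detail == "IP Protection stopped":
            pending = stamp
        elif detail == "IP Protection started successfully" and pending is not None:
            windows.append((pending.strftime("%H:%M:%S"), stamp.strftime("%H:%M:%S"),
                            int((stamp - pending).total_seconds())))
            pending = None
    if pending is not None:
        windows.append((pending.strftime("%H:%M:%S"), None, None))
    return windows


def repeat_offenders(counts, threshold=2):
    """Addresses blocked at least `threshold` times, most frequent first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, n in count_blocks(evs).most_common():
        print(f"{ip:<16} blocked {n}x")
    for stop, start, secs in unprotected_windows(evs):
        print(f"IP Protection off {stop} -> {start} ({secs} s)")
```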
  15. Hello, I got to Step 06, running GMER. It scanned for 4.5 hours. However, when the scan was finished I tried to save and the program froze. I couldn't end the program or shut down the appropriate way. I had to press the computer button to shut it down. What should I do next? Run GMER again? Should I continue on with Step 07? Thanks for all your time and help!
  16. Hello again, Here's the Combofix log. However, I wasn't able to overwrite the current one on my desktop since the file is read-only. I had to rename it to Combofix1. Also, I had to uninstall MBAM in order to reinstall McAfee VirusScan 8.7. Then I reinstalled MBAM again. I just completed a quick scan with MBAM and nothing was found. I am now running a scan with McAfee.

ComboFix 10-06-01.01 - Harry 06/01/2010 12:00:09.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2294.1872 [GMT -10:00]
Running from: c:\documents and settings\Harry\Desktop\ComboFix1.exe

Completion time: 2010-06-01 12:07:40

Thanks again for helping me!
  17. Hello AdvancedSetup, Sorry to hear about screen317's computer problems and thank you very much for taking over for him. I'm attaching two zip files. I wasn't sure how to run Wireshark since I need instructions for dummies. I'll uninstall my av and run Combofix. Will get back to you later with my scan results. Thanks again for helping me! wireshark_myIP1hr.zip wireshark_myIP2hrs.zip
  18. Hi screen317, I'm attaching a second wireshark log. Thanks again for all your help.
  19. Hi screen317, I saved it in notepad and I'm attaching it. I hope this is ok. Thanks for all your help! wireshark_myIP1.5hrs.txt
  20. Hi screen317, I did the following to tell Wireshark what to capture (I hope this is correct):
Clicked on the Capture Filter button of Capture Options.
In the Filter Name box I typed First Capture Filter.
In the Filter String box I typed host followed by my IP address.
Clicked OK and now I'm back to the Capture Options window.
Clicked the Start button.
Frame 1 has 46 bytes on wire, 46 bytes captured. It will take several more hours to complete. How do I save the log to my desktop so that I can upload it here? I apologize if I've done it incorrectly again. I'll wait for further instructions from you. Thanks again for all your time and help!
  21. Hi screen317, I decided to stop the live capture to post a message to you since it was running over 5.5 hrs. However, when I clicked on restart nothing happened. I saved the live capture to my desktop but couldn't upload it. This is the screenshot of Wireshark. I clicked on Intel
  22. Hi screen317, It's been running over 5 hrs. Is it supposed to generate a log after running the live capture? Thanks again for all your help!
  23. Hi screen317, Thank you so much for letting me know. I really appreciate all the help I've been given and I will wait patiently for your next reply.
  24. Hi screen, Here's the RootRepeal log. However, it doesn't appear to have run correctly although I proceeded as instructed. It was done in about 30 min. Also, I ran GMER in Safe Mode (log posted below RootRepeal).

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/24 10:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA92B3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA65E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA5D8000 Size: 7936 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA8A29000 Size: 180608 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA936B000 Size: 455680 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9DE8000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8233000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa9410950

==EOF==

GMER ran in Safe Mode

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-24 10:27:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Harry\LOCALS~1\Temp\pxtdypog.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\Control@
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\WINDOWS\system32\THREED32.OCX
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@InprocServer32 9~EowM9KA?EODmlI}'28Components_WINSYSDIR>`}1*n6d]T9]Ts8?N7]I`?
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\MiscStatus\1@ 205201
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ Threed.SSFrame
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ToolboxBitmap32@ D:\qb336\SRC11~1.MSI\CD\CORECO~2\THREED32.OCX, 2
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\TypeLib@ {0BA686C6-F7D3-101A-993E-0000C0EF6F5E}
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\Version@ 1.0

---- EOF - GMER 1.0.15 ----

Thanks again for all your help!
  25. Hi screen317, GMER scan failed. It was terminated and a blue screen appeared with the following message: Stop: 0000021a {Fatal System Error} The Windows Subsystem system process terminated unexpectedly with a status of 0xc0000005 (0x00260fd4 0x0053e064). The system has been shut down. Attempted a 2nd time: It ran well over 7 hrs and when I came back to check, the computer had shut down. Thanks again for all your help!