CaseyJ000
Honorary Members - 91 posts
Everything posted by CaseyJ000
-
RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Frances [Admin rights]
Mode : Scan -- Date : 01/01/2014 16:49:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] RTFTrack.exe -- C:\Windows\RTFTrack.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG MZMPA016HMCD-000L1 +++++
--- User ---
[MBR] d87fea20a968db50a215ff8fa61332b3
[BSP] 6ccf4a75b377dfedf0e8b0e84af7c270 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 7e3d9d0ce68fd34adc74f87936c67a8a
[BSP] 7be713f242635d8751abd75dba143061 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_01012014_164953.txt >>
-
(Sorry, I forgot the logs in previous post.) My wife hit a website with the NKW trojan, also called JS/Agent. I saw on her ESET log: JS/Agent.NKW trojan, Unable to clean, in C:\Users\USERNAME\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PEZI44NV\cityloftsquare_com{1}.htm. I ran ESET and Malwarebytes and they didn't detect anything now. I opened in Safe Mode and made all files and folders visible in Control Panel. Everything has become a lot more difficult and unfamiliar because this is on Windows 8. After several attempts to get to this file I finally copied the whole address in the address bar and was able to see the content; the file did not seem to be there, but I deleted everything anyway. Any suggestions of what to do next? I see on the web there is a lot of info about this virus getting into the registry. Thanks in advance.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537
Run by Frances at 15:32:27 on 2013-12-29
Microsoft Windows 8 6.2.9200.0.1252.1.1033.18.8139.5293 [GMT -8:00]
.
AV: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\dwm.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\windows\system32\dashost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\WUDFHost.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\taskhostex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\Explorer.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Windows\RTFTrack.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe
C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Sandboxie\SandboxieCrypto.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wbem\WmiApSrv.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
uRun: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [YouCam Mirage] "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe"
mRun: [YouCam Tray] "C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe" /s
mRun: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun: [RemoteControl10] "C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Frances\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send to Bluetooth - C:\Program Files (x86)\Intel\Bluetooth\btSendToObject.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {4FF78044-96B4-4312-A5B7-FDA3CB328095} -
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{5477CD7A-2F0B-48B1-94EF-8AEFD4D4981B} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{787D7AFD-9AB8-4A66-BFC3-7E02F80AAFC3} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs= C:\PROGRA~2\NVIDIA~1\3DVISI~1\nvStInit.dll
SSODL: WebCheck - <orphaned>
mASetup: {A6EADE66-0000-0000-484E-7E8A45000000} - "C:\windows\SysWOW64\Rundll32.exe" "C:\Program Files (x86)\Adobe\Reader 11.0\Esl\AiodLite.dll",CreateReaderUserSettings
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4
x64-Run: [SynLenovoGestureMgr] "C:\Program Files (x86)\Synaptics\SynTP\SynLenovoGestureMgr.exe" /m
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
x64-Run: [OnekeyStudio] C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe
x64-Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
x64-Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe
x64-Run: [RtsFT] RTFTrack.exe
x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 excsd;ExpressCache Storage Filter Driver;C:\windows\System32\Drivers\excsd.sys [2013-2-19 95024]
R0 iaStorA;iaStorA;C:\windows\System32\Drivers\iaStorA.sys [2013-2-19 647736]
R0 LHDmgr;LHDmgr;C:\windows\System32\Drivers\LhdX64.sys [2013-2-19 39008]
R1 eamonm;eamonm;C:\windows\System32\Drivers\eamonm.sys [2013-2-20 213416]
R1 excfs;ExpressCache File System Filter Driver;C:\windows\System32\Drivers\excfs.sys [2013-2-19 23344]
R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-9-13 731688]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-9-30 1112000]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2012-9-30 1132480]
R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-8-15 135984]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2013-3-4 1341664]
R2 epfwwfpr;epfwwfpr;C:\windows\System32\Drivers\epfwwfpr.sys [2013-1-10 139768]
R2 ExpressCache;ExpressCache;C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [2012-3-30 79664]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-2-19 14904]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-2-19 166720]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-3-20 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-3-20 701512]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-4 382824]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-2-19 365376]
R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2013-8-28 3378416]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\System32\Drivers\AcpiVpc.sys [2012-5-15 33560]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;C:\windows\System32\Drivers\AmpPal.sys [2012-9-13 162344]
R3 BthLEEnum;Bluetooth Low Energy Driver;C:\windows\System32\Drivers\BthLEEnum.sys [2012-7-25 202752]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\windows\System32\Drivers\btmaux.sys [2012-10-1 132480]
R3 btmhsf;btmhsf;C:\windows\System32\Drivers\btmhsf.sys [2013-10-15 1390904]
R3 ibtfltcoex;ibtfltcoex;C:\windows\System32\Drivers\iBtFltCoex.sys [2013-10-15 69088]
R3 JMCR;JMCR;C:\windows\System32\Drivers\jmcr.sys [2012-7-22 174176]
R3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;C:\windows\System32\Drivers\L1C63x64.sys [2012-11-8 118936]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\Drivers\mbam.sys [2013-3-20 25928]
R3 NETwNe64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 8 - 64 Bit;C:\windows\System32\Drivers\NETwew00.sys [2013-10-8 3345376]
R3 rtsuvc;Lenovo EasyCamera;C:\windows\System32\Drivers\rtsuvc.sys [2013-2-19 8230160]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2013-10-16 200552]
R3 SmbDrvI;SmbDrvI;C:\windows\System32\Drivers\Smb_driver_Intel.sys [2013-1-21 31032]
R3 WUDFWpdMtp;WUDFWpdMtp;C:\windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
S2 0243831364389521mcinstcleanup;McAfee Application Installer Cleanup (0243831364389521);C:\windows\TEMP\024383~1.EXE -cleanup -nolog --> C:\windows\TEMP\024383~1.EXE -cleanup -nolog [?]
S2 CLKMSVC10_3A60B698;CyberLink Product - 2013/02/19 13:09:14;C:\Program Files (x86)\Lenovo\PowerDVD10\NavFilter\kmsvc.exe [2012-5-23 243728]
S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;C:\windows\System32\Drivers\AmpPal.sys [2012-9-13 162344]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2013-8-28 273136]
S3 wsvd;wsvd;C:\windows\System32\Drivers\wsvd.sys [2013-2-19 102376]
.
=============== Created Last 30 ================
.
2013-12-09 14:51:01 -------- d-----w- C:\Program Files\Common Files\Intel
2013-12-09 14:51:01 -------- d-----w- C:\Program Files (x86)\Cisco
2013-12-09 14:51:00 -------- d-----w- C:\ProgramData\Intel.sav
2013-12-09 14:49:52 -------- d-----w- C:\ProgramData\Package Cache
2013-12-09 14:49:42 -------- d-----w- C:\Intel
.
==================== Find3M ====================
.
2013-11-05 22:58:57 78296 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-05 22:58:57 694232 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-10-15 19:42:24 1390904 ----a-w- C:\windows\System32\drivers\btmhsf.sys
2013-10-15 19:42:10 80184 ----a-w- C:\windows\System32\btmwu.dll
2013-10-15 19:42:10 69088 ----a-w- C:\windows\System32\drivers\iBtFltCoex.sys
2013-10-12 08:45:20 2241536 ----a-w- C:\windows\System32\wininet.dll
2013-10-12 08:43:37 3959808 ----a-w- C:\windows\System32\jscript9.dll
2013-10-12 07:03:50 1767936 ----a-w- C:\windows\SysWow64\wininet.dll
2013-10-12 07:02:33 2877952 ----a-w- C:\windows\SysWow64\jscript9.dll
2013-10-10 11:53:35 96600 ----a-w- C:\windows\System32\drivers\wfplwfs.sys
2013-10-10 09:21:20 1160192 ----a-w- C:\windows\System32\IKEEXT.DLL
2013-10-10 09:20:43 723968 ----a-w- C:\windows\System32\BFE.DLL
2013-10-09 06:12:50 2193136 ----a-w- C:\windows\System32\Netwuw01.dll
2013-10-09 06:12:46 3345376 ----a-w- C:\windows\System32\drivers\NETwew00.sys
2013-10-08 22:30:32 35328 ----a-w- C:\windows\SysWow64\wuapp.exe
2013-10-08 22:30:17 84992 ----a-w- C:\windows\SysWow64\wudriver.dll
2013-10-08 22:30:17 126976 ----a-w- C:\windows\SysWow64\wuwebv.dll
2013-10-08 22:28:11 40448 ----a-w- C:\windows\System32\wuapp.exe
2013-10-08 22:27:56 99328 ----a-w- C:\windows\System32\wudriver.dll
2013-10-08 22:27:56 252928 ----a-w- C:\windows\System32\WUSettingsProvider.dll
2013-10-08 22:27:56 1622016 ----a-w- C:\windows\System32\wucltux.dll
2013-10-08 22:27:56 142848 ----a-w- C:\windows\System32\wuwebv.dll
2013-10-08 22:27:45 175104 ----a-w- C:\windows\System32\storewuauth.dll
2013-10-05 06:10:20 285016 ----a-w- C:\windows\System32\drivers\spaceport.sys
2013-10-02 23:25:41 1300992 ----a-w- C:\windows\System32\gdi32.dll
2013-10-02 02:50:07 447320 ----a-w- C:\windows\System32\drivers\USBHUB3.SYS
2013-10-01 23:37:57 1569280 ----a-w- C:\windows\SysWow64\crypt32.dll
2013-10-01 23:37:53 2035712 ----a-w- C:\windows\SysWow64\authui.dll
2013-10-01 23:26:49 1890816 ----a-w- C:\windows\System32\crypt32.dll
2013-10-01 23:26:45 2304512 ----a-w- C:\windows\System32\authui.dll
2013-10-01 22:22:19 1022976 ----a-w- C:\windows\SysWow64\gdi32.dll
.
============= FINISH: 15:32:50.32 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8
Boot Device: \Device\HarddiskVolume3
Install Date: 3/4/2013 2:48:14 AM
System Uptime: 12/29/2013 11:28:52 AM (4 hours ago)
.
Motherboard: LENOVO | | INVALID
Processor: Intel® Core i7-3630QM CPU @ 2.40GHz | U3E1 | 2401/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 884 GiB total, 816.294 GiB free.
D: is FIXED (NTFS) - 25 GiB total, 22.299 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 2795 GiB total, 2652.858 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP46: 12/18/2013 6:14:34 AM - Scheduled Checkpoint
RP47: 12/25/2013 7:48:14 AM - Scheduled Checkpoint
RP48: 12/29/2013 10:54:26 AM - Restore Operation
.
==== Installed Programs ======================
.
Adobe Reader XI (11.0.05)
Canon iP2600 series
Citrix Online Launcher
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Energy Management
ESET NOD32 Antivirus
ExpressCache
GoToMeeting 5.4.0.1082
Intel® Control Center
Intel® Management Engine Components
Intel® PRO/Wireless Driver
Intel® PROSet/Wireless for Bluetooth® + High Speed
Intel® PROSet/Wireless Software for Bluetooth® Technology
Intel® Rapid Storage Technology
Intel® PROSet/Wireless Software
Intel® PROSet/Wireless WiFi Software
Intel® Trusted Connect Service Client
JMicron Flash Media Controller Driver
Junk Mail filter update
Lenovo EasyCamera
Lenovo OneKey Recovery
Lenovo PowerDVD10
Lenovo YouCam
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
MSVCRT
MSVCRT_amd64
MSVCRT110
MSVCRT110_amd64
NVIDIA 3D Vision Driver 307.64
NVIDIA Control Panel 307.64
NVIDIA Graphics Driver 307.64
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.1031
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.10.8
NVIDIA Update Components
Onekey Theater
Photo Common
Picture Package Music Transfer
Power2Go
Qualcomm Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Realtek High Definition Audio Driver
Sandboxie 4.06 (64-bit)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2760781) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2837597) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Shared C Run-time for x64
Sony Picture Utility
SugarSync Manager
Synaptics Pointing Device Driver
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2827323) 32-Bit Edition
UserGuide
Windows Driver Package - Lenovo (ACPIVPC) System (06/15/2012 8.1.0.1)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid (06/19/2012 10.13.29.733)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
12/29/2013 11:29:50 AM, Error: Service Control Manager [7034] - The McAfee Application Installer Cleanup (0243831364389521) service terminated unexpectedly. It has done this 1 time(s).
12/29/2013 11:25:58 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
12/29/2013 11:25:28 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
12/29/2013 11:25:18 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service NVSvc with arguments "Unavailable" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}
12/29/2013 11:25:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service Bluetooth Device Monitor with arguments "Unavailable" in order to run the server: {DABF28BE-F6B4-4E40-8F40-C4FB26F3116C}
12/29/2013 11:22:44 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
12/29/2013 11:21:40 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
12/29/2013 11:21:39 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/29/2013 11:21:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/29/2013 11:20:37 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\windows\System32\IWMSSvc.dll Error Code: 21
12/29/2013 10:55:42 AM, Error: Ntfs [55] - A corruption was discovered in the file system structure on volume Windows8_OS. The Master File Table (MFT) contains a corrupted file record. The file reference number is 0x100000000001f. The name of the file is "\$Extend\$RmMetadata\$TxfLog\$Tops".
12/29/2013 10:55:41 AM, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): '\??\Volume{4e093e31-c266-41c5-ab7a-9f39a6070c64}\System Volume Information\SystemRestore\New-software' was corrupted and it has been recovered. Some data might have been lost.
12/24/2013 12:29:40 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer JIM-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{787D7AFD-9AB8-4A66-BFC3-7E02F80AAFC3}. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================
-
My wife hit a website with the NKW trojan, also called JS/Agent. I saw on her ESET log: JS/Agent.NKW trojan, Unable to clean, in C:\Users\USERNAME\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PEZI44NV\cityloftsquare_com{1}.htm. I ran ESET and Malwarebytes and they didn't detect anything now. I opened in Safe Mode and made all files and folders visible in Control Panel. Everything has become a lot more difficult and unfamiliar because this is on Windows 8. After several attempts to get to this file I finally copied the whole address in the address bar and was able to see the content; the file did not seem to be there, but I deleted everything anyway. Any suggestions of what to do next? I see on the web there is a lot of info about this virus getting into the registry. Thanks in advance.
-
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Here it is... esetLog6_26_12.rtf -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Hi Maniac, this is an ESET scan of our backup drive; it didn't detect anything. What do you think? I think some old adware scanners got backed up, plus at least one antivirus we were working with. This computer is on Windows 7 now. -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Ok, later today I will put Windows 7 on. I assume I would disconnect drive E, the suspicious backup drive, prior to doing that? After putting Windows 7 on and reinstalling ESET and Malwarebytes, would you suggest adding anything else? And if so, is there something powerful enough to kill leftover infections in drive E other than Virustotal.com? Does Windows 7 have better prevention of backdoor trojans or rootkit corruptions? -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
I was thinking I might. I guess you're saying proceed with info on the "What to do when you've been hacked" webpages. What's the first step to wipe out Drive C? Or does installing Windows 7 over Windows XP do that anyway? -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Ok, Let's do it. -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Well, my wife and I have been talking about the email here, and the file sizes are bigger than what virustotal.com will take. We were talking about whether we should make separate folders with the most important emails and scan those. I was reading the virustotal.com site and it seems like you might be able to buy it and scan bigger files, but I don't see how to do that on the site. It seems like you have to contact them and get a price. The problem is, based on what you had me read about being hacked, I'm concerned about every email and every file, but I can't submit them all. Are there particular areas that look suspicious to you? Or places that backdoor trojans usually hide where I could upload whole folders? I've seen that it keeps regenerating into the temp file but some other location is causing that. Anyway, I can reorganize some email folders and scan them at virustotal.com, or we can proceed with the reformat. Let me know what you think is best? -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Well, there are no obvious problems again. I read your links about being hacked and, as I said, I backed up drive C as much as I could. Every time I've run a Kaspersky scan some files are ignored as password protected, and that could be real, or a hidden trojan, I guess. Plus anything that was there is also in external backup drive E now. My wife has been changing passwords on another computer, including email. -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
I realized that there was a ComboFix still installed in a different place, after I sent you the last CF log. If you want me to delete both and rerun it, let me know. Here's the new Avast log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-24 08:53:30
-----------------------------
08:53:30.219 OS Version: Windows 5.1.2600 Service Pack 3
08:53:30.219 Number of processors: 1 586 0x207
08:53:30.219 ComputerName: JIM2-88XVZV9YF UserName: Frances
08:53:31.360 Initialize success
08:58:26.141 AVAST engine defs: 12062400
09:00:13.876 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:00:13.876 Disk 0 Vendor: ST380021A 3.75 Size: 76319MB BusType: 3
09:00:13.891 Disk 0 MBR read successfully
09:00:13.891 Disk 0 MBR scan
09:00:13.954 Disk 0 Windows XP default MBR code
09:00:13.969 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
09:00:13.985 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76277 MB offset 64260
09:00:13.985 Disk 0 scanning sectors +156280320
09:00:14.063 Disk 0 scanning C:\WINDOWS\system32\drivers
09:00:40.048 Service scanning
09:01:03.235 Modules scanning
09:01:12.094 Disk 0 trace - called modules:
09:01:12.126 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
09:01:12.641 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87390ab8]
09:01:12.641 3 CLASSPNP.SYS[f7821fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x873a8d98]
09:01:13.704 AVAST engine scan C:\WINDOWS
09:01:52.673 AVAST engine scan C:\WINDOWS\system32
09:05:21.907 AVAST engine scan C:\WINDOWS\system32\drivers
09:05:44.438 AVAST engine scan C:\Documents and Settings\Frances
09:47:15.126 AVAST engine scan C:\Documents and Settings\All Users
09:48:26.813 Scan finished successfully
09:50:30.126 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Frances\Desktop\MBR.dat"
09:50:30.126 The log file has been saved successfully to "C:\Documents and Settings\Frances\Desktop\aswMBR.txt"
-
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Maniac, I backed up all the data on the infected computer yesterday to an external drive. I'm still running in Safe Mode with Networking in order to use these tools. I had some trouble disabling the ESET, as the icon is gone. I launched the scanner from the program file and ended it in the Task Manager. If it spoiled the ComboFix log, let me know what to do and I'll do it again.

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.24.02

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: JIM2-88XVZV9YF [administrator]

Protection: Disabled

6/24/2012 7:06:36 AM
mbam-log-2012-06-24 (07-06-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213958
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ComboFix 12-06-23.06 - Administrator 06/24/2012 7:30.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.591 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\dllcache\wmpvis.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 ))))))))))))))))))))))))))))))) . . 2012-06-22 15:01 . 2012-06-22 15:01 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll 2012-06-22 15:01 . 2012-06-22 15:01 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll 2012-06-22 14:54 . 2012-06-22 15:00 -------- d-----w- c:\windows\LastGood 2012-06-20 05:15 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll 2012-06-20 04:52 . 2012-06-20 05:11 -------- d-----w- C:\TDSSKiller_Quarantine 2012-06-16 14:29 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll 2012-06-16 14:29 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys 2012-06-16 14:29 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys 2012-06-16 14:29 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll 2012-06-13 02:25 . 2012-06-13 02:25 -------- d-----w- c:\program files\Common Files\Java 2012-06-13 02:25 . 2012-06-13 02:25 73728 ----a-w- c:\windows\system32\javacpl.cpl 2012-06-13 02:25 . 2012-06-13 02:25 476936 ----a-w- c:\windows\system32\npdeployJava1.dll 2012-05-30 01:58 . 2012-05-30 02:01 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-05-29 14:49 . 2012-05-29 14:49 -------- d-----w- c:\program files\Mozilla Maintenance Service . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-13 02:25 . 2011-01-16 17:12 472840 ----a-w- c:\windows\system32\deployJava1.dll 2012-06-02 22:19 . 2007-06-07 22:42 22040 ----a-w- c:\windows\system32\wucltui.dll.mui 2012-06-02 22:19 . 2007-06-07 22:42 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui 2012-06-02 22:19 . 2005-01-17 22:26 329240 ----a-w- c:\windows\system32\wucltui.dll 2012-06-02 22:19 . 2005-01-17 22:26 219160 ----a-w- c:\windows\system32\wuaucpl.cpl 2012-06-02 22:19 . 2005-01-17 22:26 210968 ----a-w- c:\windows\system32\wuweb.dll 2012-06-02 22:19 . 
2007-06-07 22:42 15384 ----a-w- c:\windows\system32\wuapi.dll.mui 2012-06-02 22:19 . 2005-05-26 11:16 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2005-01-17 22:26 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2005-01-16 20:38 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2002-09-03 19:34 97304 ----a-w- c:\windows\system32\cdm.dll 2012-06-02 22:19 . 2007-06-07 22:42 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui 2012-06-02 22:19 . 2005-01-17 22:26 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:19 . 2005-01-16 20:38 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 22:18 . 2010-02-27 15:47 275696 ----a-w- c:\windows\system32\mucltui.dll 2012-06-02 22:18 . 2010-02-27 15:47 214256 ----a-w- c:\windows\system32\muweb.dll 2012-06-02 22:18 . 2010-02-27 15:47 17136 ----a-w- c:\windows\system32\mucltui.dll.mui 2012-05-31 13:22 . 2008-09-13 14:58 599040 ----a-w- c:\windows\system32\crypt32.dll 2012-05-30 02:01 . 2011-07-16 17:21 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-05-16 15:08 . 2004-08-24 03:32 916992 ----a-w- c:\windows\system32\wininet.dll 2012-05-15 13:20 . 2008-09-13 14:57 1863168 ----a-w- c:\windows\system32\win32k.sys 2012-05-11 14:42 . 2002-09-03 19:42 43520 ------w- c:\windows\system32\licmgr10.dll 2012-05-11 14:42 . 2002-09-03 19:40 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-05-11 11:38 . 2008-09-13 15:00 385024 ------w- c:\windows\system32\html.iec 2012-05-04 13:12 . 2008-09-13 14:57 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-05-04 12:32 . 2008-09-13 14:57 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-05-02 13:46 . 2008-09-13 14:57 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-04 22:56 . 2011-05-15 00:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-22 15:01 . 2012-05-29 14:48 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . 
((((((((((((((((((((((((((((( SnapShot@2012-06-20_14.04.30 ))))))))))))))))))))))))))))))))))))))))) . + 2012-06-22 07:44 . 2012-06-02 22:19 45080 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.6.7600.256\wups2.dll + 2012-06-22 07:44 . 2012-06-02 22:19 35864 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.6.7600.256\wups.dll + 2005-01-17 22:26 . 2012-06-02 22:19 35864 c:\windows\system32\dllcache\wups.dll + 2005-01-16 20:38 . 2012-06-02 22:19 53784 c:\windows\system32\dllcache\wuauclt.exe + 2002-09-03 19:34 . 2012-06-02 22:19 97304 c:\windows\system32\dllcache\cdm.dll + 2005-01-17 22:26 . 2012-06-02 22:19 210968 c:\windows\system32\dllcache\wuweb.dll + 2005-01-17 22:26 . 2012-06-02 22:19 329240 c:\windows\system32\dllcache\wucltui.dll + 2005-01-17 22:26 . 2012-06-02 22:19 577048 c:\windows\system32\dllcache\wuapi.dll + 2012-06-22 15:00 . 2012-06-20 04:12 133208 c:\windows\LastGood\system32\DRIVERS\86109906.sys + 2012-06-22 14:54 . 2012-06-20 04:12 475736 c:\windows\LastGood\system32\DRIVERS\6801776drv.sys + 2012-06-22 14:56 . 2012-06-20 04:12 133208 c:\windows\LastGood\system32\DRIVERS\33722614.sys + 2005-01-16 20:38 . 2012-06-02 22:19 1933848 c:\windows\system32\dllcache\wuaueng.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frxmxins"="frxmxins" [X]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-12 1468256]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
_uninst_.lnk - c:\documents and settings\Administrator\Local Settings\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-05-17 02:24 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]
S2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [1/16/2005 1:59 PM 53248]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/14/2011 5:50 PM 654408]
S2 PPPoEService;PPPoE Service;c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe --> c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/29/2012 6:58 PM 257696]
S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [1/16/2005 1:59 PM 417061]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/14/2011 5:50 PM 22344]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/29/2012 7:49 AM 129976]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-30 02:01]
.
2012-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = "c:\docume~1\Frances\Desktop\OUTLOO~1\msimn.exe"
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ucmmjbyv.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-24 07:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-1078081533-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,7d,06,fc,07,f2,c7,43,b4,cd,9f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,7d,06,fc,07,f2,c7,43,b4,cd,9f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2012-06-24 07:37:36
ComboFix-quarantined-files.txt 2012-06-24 14:37
ComboFix2.txt 2012-06-20 14:07
.
Pre-Run: 33,666,752,512 bytes free
Post-Run: 33,780,744,192 bytes free
.
- - End Of File - - D48CBCFC5150DE7ADEAB7EA5014C543C
-
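Added example, not part of the post above and not code from ComboFix or Malwarebytes: a Python triage pass over lines in the shape of the ComboFix "Reg Loading Points" and service sections, which is the quick read a helper does before asking for more logs. It flags the patterns worth a second look in the log above: a Run value whose target ComboFix marked `[X]` (file not found), a Startup-folder shortcut pointing into a temp directory, Security Center monitoring switched off, the Windows Firewall profile disabled, and boot/system-start drivers (`S0`/`S1`) whose file ComboFix could not verify (`[?]`) or that load from a temp path. The sample log embedded in the block is a constructed subset of those lines, the rule names and severities are my own, and my reading of the `[X]` and `[?]` markers is the conventional one for ComboFix output rather than something the post states.

```python
import re

# Constructed sample: a subset of the ComboFix loading-points and service lines
# posted above, in the same layout, used here as offline test input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frxmxins"="frxmxins" [X]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ _uninst_.lnk - c:\documents and settings\Administrator\Local Settings\temp\_uninst_.bat [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]
"""

# Nothing that autostarts or loads as a driver belongs under a temp directory.
TEMP_DIR = re.compile(r"\\temp\\", re.I)
# "name"="target" [tag]   -- tag is a date+size for a file ComboFix found, or X if it did not
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<tag>[^\]]*)\]')
# <shortcut>.lnk - <target> [tag]
STARTUP_LNK = re.compile(r"^(?P<lnk>.+\.lnk)\s+-\s+(?P<target>.+?)\s*\[(?P<tag>[^\]]*)\]$", re.I)
# S<start> name;display;path [tag]   -- tag ? means the file could not be found/verified
SERVICE = re.compile(r"^(?P<start>S[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<tag>[^\]]*)\]$")


def triage(text):
    """Return (rule, severity, detail) tuples for the suspicious lines in a
    ComboFix-style loading-points/services dump."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()      # registry key header for the values that follow
            continue
        low = line.lower()
        if "security center" in key and low.startswith('"disablemonitoring"=dword:00000001'):
            findings.append(("security-center-monitoring-disabled", "medium", key))
            continue
        if "firewallpolicy" in key and re.match(r'^"enablefirewall"\s*=\s*0\b', low):
            findings.append(("windows-firewall-disabled", "medium", key))
            continue
        m = RUN_VALUE.match(line)
        if m:
            if m["tag"] == "X":                         # autorun entry whose file is gone
                findings.append(("orphan-run-value", "low", m["name"]))
            elif TEMP_DIR.search(m["target"]):
                findings.append(("run-value-in-temp", "high", m["target"]))
            continue
        m = STARTUP_LNK.match(line)
        if m:
            if TEMP_DIR.search(m["target"]) or m["tag"] == "N/A":
                findings.append(("startup-item-in-temp-or-missing", "high", m["target"]))
            continue
        m = SERVICE.match(line)
        if m:
            boot_time = m["start"] in ("S0", "S1")     # loads before most defences do
            if m["tag"] == "?":
                findings.append(("service-file-unverified", "high" if boot_time else "medium", m["name"]))
            if TEMP_DIR.search(m["path"]):
                findings.append(("driver-loaded-from-temp", "high", m["name"]))
    return findings


def summarize(findings):
    """Per-rule counts: the one-glance view before reading the whole log."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, severity, detail in triage(SAMPLE_LOG):
        print("%-6s %-38s %s" % (severity, rule, detail))
    print(summarize(triage(SAMPLE_LOG)))
```

The rules only point at lines that need a human decision; a `[?]` driver can be a leftover from an uninstalled tool as easily as a rootkit, which is why the output carries the service name rather than a verdict.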
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
I'm not sure what was happening this morning, but my wife was trying to print an email, and she said something was wrong. There was a light blue screen I've never seen before with her email windows on top. It had words on it. It looked like some sort of "HA HA We've taken over" screen. I pushed the button to turn the computer off. I tried to reboot and couldn't install AVG. The location for the download was blocked. I tried to make the download locations not be "read only", but nothing worked, and I couldn't even change the location; it was greyed out. I started to get requests for Administrator passwords when I tried to change the location. I rebooted in Safe Mode and started AVG, downloaded from my other computer. It picked up no threats. Malwarebytes, however, had now quarantined 2 files I had not seen before. One is a passwords generator. I wrote down what they were before deleting. I did the DDS in Safe Mode. It's included below. I'm now in Safe Mode with Networking. I'm nervous about transferring anything to my other computer with my USB stick.

Spyware.Passwords.Xgen c:\documents and settings\Frances\local settings\Temp494A.tmp
Trojan agent.Gen c:\documents and settings\allusers\application Data\Defender1.exe.exe
.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by Administrator at 19:22:29 on 2012-06-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.661 [GMT -7:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\setup_11.0.0.1245.x01_2012_06_22_16_41.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7586332.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3454357\7586332.exe
.
============== Pseudo HJT Report =============== . uInternet Connection Wizard,ShellNext = "c:\docume~1\frances\desktop\outloo~1\msimn.exe" BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [frxmxins] frxmxins mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe" mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe" mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" StartupFolder: 
c:\docume~1\admini~1\startm~1\programs\startup\_uninst_.lnk - c:\documents and settings\administrator\local settings\temp\_uninst_.bat IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.clarkcolor.com/ClarkActivia.cab DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - 
hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://aon.webex.com/client/T25L10NSP41EP7/webex/ieatgpc.cab Notify: AtiExtEvent - Ati2evxx.dll Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ucmmjbyv.default\ FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff . ============= SERVICES / DRIVERS =============== . S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?] S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008] S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\frances\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\frances\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?] S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\frances\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\frances\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?] S2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-8-12 810144] S2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [2005-1-16 53248] S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-14 654408] S2 PPPoEService;PPPoE Service;c:\progra~1\nts\entern~1\app\pppoeservice.exe --> c:\progra~1\nts\entern~1\app\pppoeservice.exe [?] 
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-29 257696] S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [2005-1-16 417061] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-14 22344] S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-29 129976] . =============== Created Last 30 ================ . 2012-06-22 15:01:03 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll 2012-06-22 15:01:03 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll 2012-06-20 13:51:06 518144 ----a-w- c:\windows\SWREG.exe 2012-06-20 13:51:06 256000 ----a-w- c:\windows\PEV.exe 2012-06-20 13:51:06 208896 ----a-w- c:\windows\MBR.exe 2012-06-20 13:51:05 98816 ----a-w- c:\windows\sed.exe 2012-06-20 05:15:19 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll 2012-06-20 04:52:34 -------- d-----w- C:\TDSSKiller_Quarantine 2012-06-16 14:29:31 5632 ----a-w- c:\windows\system32\ptpusb.dll 2012-06-16 14:29:30 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys 2012-06-16 14:29:30 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys 2012-06-16 14:29:29 159232 ----a-w- c:\windows\system32\ptpusd.dll 2012-06-13 02:25:34 73728 ----a-w- c:\windows\system32\javacpl.cpl 2012-06-13 02:25:34 476936 ----a-w- c:\windows\system32\npdeployJava1.dll 2012-05-30 01:58:31 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-05-29 14:49:32 -------- d-----w- c:\program files\Mozilla Maintenance Service . ==================== Find3M ==================== . 
2012-06-13 02:25:02 472840 ----a-w- c:\windows\system32\deployJava1.dll 2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui 2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl 2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui 2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui 2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui 2012-06-02 22:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll 2012-06-02 22:18:58 214256 ----a-w- c:\windows\system32\muweb.dll 2012-06-02 22:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui 2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll 2012-05-30 02:01:24 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll 2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys 2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll 2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec 2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys . ============= FINISH: 19:24:04.90 =============== . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume2 Install Date: 1/16/2005 12:43:54 PM System Uptime: 6/22/2012 8:24:00 AM (11 hours ago) . Motherboard: Dell Computer Corp. | | Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2784/533mhz . ==== Disk Partitions ========================= . A: is Removable C: is FIXED (NTFS) - 74 GiB total, 31.033 GiB free. 
D: is CDROM () E: is FIXED (NTFS) - 699 GiB total, 637.908 GiB free. . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP289: 3/25/2012 5:25:38 AM - System Checkpoint RP290: 3/26/2012 8:12:52 AM - System Checkpoint RP291: 3/27/2012 1:22:24 PM - System Checkpoint RP292: 3/28/2012 1:50:02 PM - System Checkpoint RP293: 3/29/2012 2:26:38 PM - System Checkpoint RP294: 3/30/2012 2:42:12 PM - System Checkpoint RP295: 3/31/2012 3:26:35 PM - System Checkpoint RP296: 4/1/2012 3:27:39 PM - System Checkpoint RP297: 4/2/2012 3:53:59 PM - System Checkpoint RP298: 4/3/2012 3:56:22 PM - System Checkpoint RP299: 4/4/2012 4:16:52 PM - System Checkpoint RP300: 4/5/2012 4:22:39 PM - System Checkpoint RP301: 4/6/2012 5:20:29 PM - System Checkpoint RP302: 4/7/2012 5:41:34 PM - System Checkpoint RP303: 4/8/2012 5:56:07 PM - System Checkpoint RP304: 4/9/2012 6:08:07 PM - System Checkpoint RP305: 4/10/2012 6:42:55 PM - System Checkpoint RP306: 4/11/2012 8:50:12 AM - Software Distribution Service 3.0 RP307: 4/12/2012 10:01:33 AM - System Checkpoint RP308: 4/13/2012 10:48:15 AM - System Checkpoint RP309: 4/14/2012 8:25:44 PM - System Checkpoint RP310: 4/15/2012 9:42:50 PM - System Checkpoint RP311: 4/16/2012 9:47:08 PM - System Checkpoint RP312: 4/17/2012 10:47:09 PM - System Checkpoint RP313: 4/18/2012 11:11:20 PM - System Checkpoint RP314: 4/19/2012 1:15:01 PM - Installed QuickTime RP315: 4/20/2012 1:24:07 PM - System Checkpoint RP316: 4/21/2012 2:23:56 PM - System Checkpoint RP317: 4/22/2012 3:25:00 PM - System Checkpoint RP318: 4/23/2012 4:23:55 PM - System Checkpoint RP319: 4/24/2012 5:20:14 PM - System Checkpoint RP320: 4/25/2012 6:30:50 PM - System Checkpoint RP321: 4/26/2012 7:21:19 PM - System Checkpoint RP322: 4/27/2012 7:43:38 PM - System Checkpoint RP323: 4/28/2012 8:37:59 PM - System Checkpoint RP324: 4/29/2012 9:37:58 PM - System Checkpoint RP325: 4/30/2012 10:07:20 PM - System Checkpoint RP326: 5/1/2012 10:36:38 PM - System 
Checkpoint RP327: 5/2/2012 10:59:15 PM - System Checkpoint RP328: 5/3/2012 11:59:14 PM - System Checkpoint RP329: 5/5/2012 12:59:19 AM - System Checkpoint RP330: 5/6/2012 1:59:15 AM - System Checkpoint RP331: 5/7/2012 2:50:19 AM - System Checkpoint RP332: 5/8/2012 3:50:18 AM - System Checkpoint RP333: 5/9/2012 4:50:20 AM - System Checkpoint RP334: 5/10/2012 8:57:12 AM - System Checkpoint RP335: 5/10/2012 1:13:35 PM - Software Distribution Service 3.0 RP336: 5/11/2012 1:30:29 PM - System Checkpoint RP337: 5/12/2012 1:52:39 PM - System Checkpoint RP338: 5/13/2012 2:40:36 PM - System Checkpoint RP339: 5/14/2012 3:15:29 PM - System Checkpoint RP340: 5/15/2012 3:43:46 PM - System Checkpoint RP341: 5/16/2012 4:42:09 PM - System Checkpoint RP342: 5/17/2012 5:30:11 PM - System Checkpoint RP343: 5/18/2012 5:43:41 PM - System Checkpoint RP344: 5/19/2012 6:30:10 PM - System Checkpoint RP345: 5/20/2012 7:30:08 PM - System Checkpoint RP346: 5/21/2012 8:07:08 PM - System Checkpoint RP347: 5/22/2012 8:42:21 PM - System Checkpoint RP348: 5/23/2012 8:42:41 PM - System Checkpoint RP349: 5/24/2012 8:43:48 PM - System Checkpoint RP350: 5/25/2012 9:20:43 PM - System Checkpoint RP351: 5/26/2012 10:20:45 PM - System Checkpoint RP352: 5/27/2012 11:20:44 PM - System Checkpoint RP353: 5/28/2012 11:27:32 PM - System Checkpoint RP354: 5/29/2012 11:40:20 PM - System Checkpoint RP355: 5/30/2012 11:58:35 PM - System Checkpoint RP356: 6/1/2012 12:58:36 AM - System Checkpoint RP357: 6/2/2012 6:56:36 AM - System Checkpoint RP358: 6/3/2012 7:54:39 AM - System Checkpoint RP359: 6/4/2012 7:50:42 PM - System Checkpoint RP360: 6/5/2012 8:50:30 PM - System Checkpoint RP361: 6/6/2012 9:38:21 PM - System Checkpoint RP362: 6/7/2012 10:38:20 PM - System Checkpoint RP363: 6/8/2012 10:59:34 PM - System Checkpoint RP364: 6/9/2012 11:57:51 PM - System Checkpoint RP365: 6/11/2012 12:05:40 AM - System Checkpoint RP366: 6/12/2012 12:12:42 AM - System Checkpoint RP367: 6/12/2012 7:24:08 PM - Removed Java 6 Update 26 
RP368: 6/12/2012 7:24:49 PM - Installed Java 6 Update 33 RP369: 6/13/2012 8:11:58 PM - Software Distribution Service 3.0 RP370: 6/14/2012 8:23:23 PM - System Checkpoint RP371: 6/15/2012 9:07:50 PM - System Checkpoint RP372: 6/16/2012 9:37:07 PM - System Checkpoint RP373: 6/17/2012 10:21:14 PM - System Checkpoint RP374: 6/18/2012 10:35:53 PM - System Checkpoint RP375: 6/19/2012 10:15:38 PM - Software Distribution Service 3.0 RP376: 6/20/2012 7:26:11 AM - Removed Skype™ 5.8 RP377: 6/21/2012 10:07:24 AM - System Checkpoint . ==== Installed Programs ====================== . 2Wire Wireless Client Adobe Flash Player 11 ActiveX Adobe Flash Player 11 Plugin Adobe Photoshop Album 2.0 Starter Edition Adobe Reader X (10.1.3) Apple Application Support Apple Software Update AT&T Yahoo! High Speed Internet Home Networking Installer ATI - Software Uninstall Utility ATI Display Driver Canon iP2600 series Canon iP2600 series User Registration Canon My Printer Canon Utilities Easy-PhotoPrint EX Canon Utilities Solution Menu Critical Update for Windows Media Player 11 (KB959772) Dell ResourceCD Drive Manager ESET Online Scanner v3 ESET Smart Security GoToAssist Corporate HighMAT Extension to Microsoft Windows XP CD Writing Wizard Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB2158563) Hotfix for Windows XP (KB2443685) Hotfix for Windows XP (KB2570791) Hotfix for Windows XP (KB2633952) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) Hotfix for Windows XP (KB981793) Intel® PRO Ethernet Adapter and Software iTunes Java Auto Updater Java 6 Update 33 Junk Mail filter update Malwarebytes Anti-Malware 
version 1.61.0.1400 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB2656353) Microsoft .NET Framework 1.1 Security Update (KB2656370) Microsoft .NET Framework 1.1 Security Update (KB979906) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Application Error Reporting Microsoft Choice Guard Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Excel 97 Microsoft IntelliPoint 7.1 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Word 97 Mozilla Firefox 12.0 (x86 en-US) Mozilla Maintenance Service MSVCRT MSXML 6 Service Pack 2 (KB954459) Norton SystemWorks Picture Package Music Transfer QuickTime Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424) Security Update for Microsoft Windows (KB2564958) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for 
Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB2497640) Security Update for Windows Internet Explorer 8 (KB2510531) Security Update for Windows Internet Explorer 8 (KB2530548) Security Update for Windows Internet Explorer 8 (KB2544521) Security Update for Windows Internet Explorer 8 (KB2559049) Security Update for Windows Internet Explorer 8 (KB2586448) Security Update for Windows Internet Explorer 8 (KB2618444) Security Update for Windows Internet Explorer 8 (KB2647516) Security Update for Windows Internet Explorer 8 (KB2675157) Security Update for Windows Internet Explorer 8 (KB2699988) Security Update for Windows Internet Explorer 8 (KB982381) Security Update for Windows Media Player (KB2378111) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player (KB975558) Security Update for Windows Media Player (KB978695) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB2079403) Security Update for Windows XP (KB2115168) Security Update for Windows XP (KB2121546) Security Update for Windows XP (KB2160329) Security Update for Windows XP (KB2229593) Security Update for Windows XP (KB2259922) Security Update for Windows XP (KB2279986) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB2296011) Security Update for Windows XP (KB2296199) Security Update for Windows XP (KB2347290) Security Update 
for Windows XP (KB2360937) Security Update for Windows XP (KB2387149) Security Update for Windows XP (KB2393802) Security Update for Windows XP (KB2412687) Security Update for Windows XP (KB2419632) Security Update for Windows XP (KB2423089) Security Update for Windows XP (KB2436673) Security Update for Windows XP (KB2440591) Security Update for Windows XP (KB2443105) Security Update for Windows XP (KB2476490) Security Update for Windows XP (KB2476687) Security Update for Windows XP (KB2478960) Security Update for Windows XP (KB2478971) Security Update for Windows XP (KB2479628) Security Update for Windows XP (KB2479943) Security Update for Windows XP (KB2481109) Security Update for Windows XP (KB2483185) Security Update for Windows XP (KB2485376) Security Update for Windows XP (KB2485663) Security Update for Windows XP (KB2503658) Security Update for Windows XP (KB2503665) Security Update for Windows XP (KB2506212) Security Update for Windows XP (KB2506223) Security Update for Windows XP (KB2507618) Security Update for Windows XP (KB2507938) Security Update for Windows XP (KB2508272) Security Update for Windows XP (KB2508429) Security Update for Windows XP (KB2509553) Security Update for Windows XP (KB2511455) Security Update for Windows XP (KB2524375) Security Update for Windows XP (KB2535512) Security Update for Windows XP (KB2536276-v2) Security Update for Windows XP (KB2536276) Security Update for Windows XP (KB2544893-v2) Security Update for Windows XP (KB2544893) Security Update for Windows XP (KB2555917) Security Update for Windows XP (KB2562937) Security Update for Windows XP (KB2566454) Security Update for Windows XP (KB2567053) Security Update for Windows XP (KB2567680) Security Update for Windows XP (KB2570222) Security Update for Windows XP (KB2570947) Security Update for Windows XP (KB2584146) Security Update for Windows XP (KB2585542) Security Update for Windows XP (KB2592799) Security Update for Windows XP (KB2598479) Security Update for Windows XP 
(KB2603381) Security Update for Windows XP (KB2618451) Security Update for Windows XP (KB2619339) Security Update for Windows XP (KB2620712) Security Update for Windows XP (KB2621440) Security Update for Windows XP (KB2624667) Security Update for Windows XP (KB2631813) Security Update for Windows XP (KB2633171) Security Update for Windows XP (KB2639417) Security Update for Windows XP (KB2641653) Security Update for Windows XP (KB2646524) Security Update for Windows XP (KB2647518) Security Update for Windows XP (KB2653956) Security Update for Windows XP (KB2659262) Security Update for Windows XP (KB2660465) Security Update for Windows XP (KB2661637) Security Update for Windows XP (KB2676562) Security Update for Windows XP (KB2685939) Security Update for Windows XP (KB2686509) Security Update for Windows XP (KB2695962) Security Update for Windows XP (KB2707511) Security Update for Windows XP (KB2709162) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows 
XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security 
Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB979687) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981322) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981957) Security Update for Windows XP (KB981997) Security Update for Windows XP (KB982132) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982665) Security Update for Windows XP (KB982802) Segoe UI Sony Picture Utility SpywareBlaster 4.6 Symantec Technical Support Web Controls Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB2447568) Update for Windows XP (KB2141007) Update for Windows XP (KB2345886) Update for Windows XP (KB2467659) Update for Windows XP (KB2541763) Update for Windows XP (KB2607712) Update for Windows XP (KB2616676) Update for Windows XP (KB2641690) Update for Windows XP (KB2718704) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971029) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 WebEx WebFldrs XP Windows 7 Upgrade Advisor Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage v1.3.0254.0 Windows Genuine 
Advantage Validation Tool (KB892130) Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Live Communications Platform Windows Live Essentials Windows Live Mail Windows Live Sign-in Assistant Windows Live Upload Tool Windows Media Format 11 runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 11 Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
6/22/2012 8:26:27 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/22/2012 8:26:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ehdrv epfwtdi Fips intelppm IPSec Lbd MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
6/22/2012 8:26:01 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
6/22/2012 8:26:01 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/22/2012 8:26:01 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/22/2012 8:26:01 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
6/22/2012 8:25:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/22/2012 8:25:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/22/2012 7:53:52 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
6/22/2012 11:59:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
6/20/2012 8:06:48 AM, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: Access is denied. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
6/20/2012 8:06:48 AM, error: Service Control Manager [7000] - The SSDP Discovery Service service failed to start due to the following error: The service did not start due to a logon failure.
6/19/2012 9:46:16 AM, error: Print [6161] - The document http://msn.careerbuilder.com/Article/MSN-2870-Interviewing-The- owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 115608. Number of bytes printed: 115440. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 9:44:44 AM, error: Print [6161] - The document http://msn.careerbuilder.com/Article/MSN-2870-Interviewing-The- owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 115440. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 9:00:46 PM, error: Print [6161] - The document https://hrjobs.travelers.com/psc/PSHR110/EMPLOYEE/HRMS/c/HRS_HR owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 39100. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 11:41:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd SASDIFSV SASKUTIL
6/19/2012 11:41:15 AM, error: Service Control Manager [7000] - The iPodService service failed to start due to the following error: %1 is not a valid Win32 application.
6/19/2012 11:41:14 AM, error: DCOM [10005] - DCOM got error "%193" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
6/19/2012 11:41:07 AM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
6/19/2012 11:41:07 AM, error: Service Control Manager [7000] - The PPPoE Service service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File =========================== -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Immediately reinstall what? The OS? I think we might be having a bit of trouble understanding each other. We've been running ESET and Malwarebytes for a long time. As I said, ESET and Malwarebytes were active just a few seconds ago when the trojan took control of the computer. I'll be in touch, I have to go and I'll have to work on this when I get home. I'll check into the forum to see what you say. Sorry, I was afraid all the data would be lost if I didn't run AVG again. ESET and Malwarebytes are getting tricked by this. We had the 2011 AntiVirus malware on this computer last year and it was a major problem to save my wife's emails because the virus changed almost everything to "read only". Thanks for the help, I'll take care of you. Best Wishes. -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
I didn't uninstall ESET by the way, and I looked at it right before my wife opened the email and it said everything was fine. The AVG scan notes a lot of files as password protected now, and when I did it before. I don't know where that log is but I imagine the trojan is in those too. -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
I just wanted to stabilize it because it changed everything to "read only." It'll take 3 hours to rescan, but I assume the trojan will still be in email. Computer is unplugged from internet. I guess I'll have to start reformatting when I get home. Some passwords may be in emails. Probably not, probably on my machine. -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Installing AVG in Safe Mode. Wife opened email. Computer went crazy. Have to leave for work. Running Kaspersky in Safe Mode now. -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Giant problems now. Computer is not allowing AVG scan to be downloaded but I'm going to try to put it on from a USB. It keeps changing all the folders, even desktop, to read only. -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
I'm going to have to assemble the passwords and things for the software and buy the OS. It may take me a while to get everything together. One of the articles you recommended says these rootkit backdoor trojans could be hidden in stored emails and pictures. I guess anything is possible at this point. I'm a bit worried about that. What do you think? -
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Hi Maniac, I did this scan with the internet connected. I don't know if that was okay. Let me know if you need me to do it again. I was wondering how to ensure the data was clean when we put the new operating system in. At some point the other day we got some sort of Java update box and I guess it was probably fake based on this report. I'd been doing a lot of Java updates since I was advised to do it in another thread here. I didn't realize the trojan was active.

Status: Deleted (events: 6)
6/21/2012 7:30:17 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0000.dta High
6/21/2012 7:30:17 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0000.dta//HDDImage High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta//mbr//HDDImage High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta//vbr0 High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta//mbr High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta High
Status: Disinfected (events: 10)
6/21/2012 8:53:38 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\5b0c2160-2e1bee54/durdom/huiak.class High
6/21/2012 8:53:38 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\36\205b5264-63832b5f/durdom/huiak.class High
6/21/2012 8:53:39 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\38\1d3809e6-5c7776ca/durdom/huiak.class High
6/21/2012 8:53:38 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\5b0c2160-2e1bee54 High
6/21/2012 8:53:39 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\36\205b5264-63832b5f High
6/21/2012 8:53:39 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\38\1d3809e6-5c7776ca High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\39\45ba72e7-1e7fb920/durdom/huiak.class High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\50\4e6a9e72-3047fa74/durdom/huiak.class High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\39\45ba72e7-1e7fb920 High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\50\4e6a9e72-3047fa74 High -
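The Kaspersky report in the post above groups hits by what was done to them (Deleted, Disinfected) but not by where they live, and the location is what decides the next step: everything under C:\TDSSKiller_Quarantine is a copy of the Pihar bootkit image (with its //mbr, //vbr0 and //HDDImage members) that TDSSKiller had already pulled off the disk, and every Java hit sits in the deployment cache of the May 2011 backup on E:, not on the running system. The Python below is an added example, not Kaspersky's code and not anything posted in this thread: it parses lines in that report format and sorts each hit by location. The sample lines are constructed from the report above, and the status and object-type vocabularies in the regex are assumptions that cover only the values seen here.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: four records copied from the Kaspersky report in the post above
# plus one non-record line, so the parser's rejection path is exercised as well.
SAMPLE_REPORT = r"""
6/21/2012 7:30:17 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0000.dta High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta//mbr High
6/21/2012 8:53:38 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\5b0c2160-2e1bee54/durdom/huiak.class High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\39\45ba72e7-1e7fb920 High
Status: Disinfected (events: 10)
"""

# One report line: <date> <time> <AM|PM> <status> <object type> <detection name> <path> <severity>.
# The status and object-type alternatives are an assumption covering the values seen in this thread.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<status>Deleted|Disinfected|Detected|Quarantined|Not processed) "
    r"(?P<kind>Trojan program|Virus|Riskware|Adware) "
    r"(?P<name>\S+) "
    r"(?P<path>.+?) "
    r"(?P<severity>High|Medium|Low)$"
)


@dataclass
class Detection:
    ts: str
    status: str
    name: str
    path: str
    severity: str


def parse_record(line):
    """Return a Detection for one report line, or None for headers and other noise."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    return Detection(m["ts"], m["status"], m["name"], m["path"], m["severity"])


def parse_report(text):
    return [d for d in map(parse_record, text.splitlines()) if d is not None]


def triage(det):
    """Classify where a hit lives; the location, not the name, decides what to do next."""
    p = det.path.lower()
    drive = p[:2] if len(p) > 1 and p[1] == ":" else "??"
    # Objects under TDSSKiller's quarantine folder (including the //mbr, //vbr0 and
    # //HDDImage members of its .dta images) were already removed from the live disk.
    if "\\tdsskiller_quarantine\\" in p:
        return "already-quarantined"
    # Java deployment-cache hits are droppers the browser plugin cached; on a
    # non-system volume they are a stale copy inside a backup, not a running infection.
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache-on-" + drive
    return "other-on-" + drive


def summarize(text):
    """Count (status, location) pairs: the view a helper wants before deciding on a rebuild."""
    return Counter((d.status, triage(d)) for d in parse_report(text))


if __name__ == "__main__":
    for (status, where), n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{n:3d}  {status:<12} {where}")
```

Run against the full report, the summary shows every hit as either already-quarantined or java-cache-on-e:, with nothing in the "other-on-c:" bucket; the scan therefore confirms the earlier TDSSKiller cleanup rather than reporting a second live infection, which is the point worth making before wiping the machine. A record that lands in "other-on-c:" is the one to investigate first.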
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Here's the ComboFix log. I guess we will install Windows 7. (Temporarily, can I use something like Sandboxie until we get the OS? I'll probably have my wife on Sandboxie after we install the OS. If it's the dumbest thing you've ever heard let me know.) We won't do any banking or credit card use on this computer until this is changed. Is there a possibility the backdoor trojan can get into other computers on a hardwire router? If so I can't have her change passwords on my computer. Is her iPhone somewhat safe because it is a Mac? Thanks! ESET first detected bad websites at 5/8/12. I imagine System Restore is fully infected

ComboFix 12-06-20.01 - Frances 06/20/2012 6:53.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.534 [GMT -7:00]
Running from: c:\documents and settings\Frances\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\windows\_detmp.2
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 05:15 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-20 04:52 . 2012-06-20 05:11 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-16 14:32 . 2012-06-16 14:32 -------- d-----w- c:\documents and settings\Frances\Application Data\AdobeAUM
2012-06-16 14:29 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-06-16 14:29 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-06-16 14:29 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-06-16 14:29 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-06-13 02:25 . 2012-06-13 02:25 -------- d-----w- c:\program files\Common Files\Java
2012-06-13 02:25 . 2012-06-13 02:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 02:25 . 2012-06-13 02:25 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-30 01:58 . 2012-05-30 02:01 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-29 14:49 . 2012-05-29 14:49 -------- d-----w- c:\program files\Mozilla Maintenance Service
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 02:25 . 2011-01-16 17:12 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-31 13:22 . 2008-09-13 14:58 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-30 02:01 . 2011-07-16 17:21 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 15:08 . 2004-08-24 03:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-09-13 14:57 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-09-03 19:42 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-09-03 19:40 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2008-09-13 15:00 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2008-09-13 14:57 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-09-13 14:57 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-09-13 14:57 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-04 22:56 . 2011-05-15 00:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 01:19 . 2012-05-29 14:48 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frxmxins"="frxmxins" [X]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-12 1468256]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FGLRXDetectPnPMonitor"="fglrxmon.dll" [2003-09-17 307200]
.
c:\documents and settings\Frances\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-9-26 385024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-05-17 02:24 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]
R2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [1/16/2005 1:59 PM 53248]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/14/2011 5:50 PM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/14/2011 5:50 PM 22344]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 PPPoEService;PPPoE Service;c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe --> c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/29/2012 8:50 AM 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/29/2012 6:58 PM 257696]
S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [1/16/2005 1:59 PM 417061]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/29/2012 7:49 AM 129976]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-30 02:01]
.
2012-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Frances\Application Data\Mozilla\Firefox\Profiles\pi4kvmcf.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-20 07:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\windows\system32\FRXHDLL.DLL
.
Completion time: 2012-06-20 07:07:10
ComboFix-quarantined-files.txt 2012-06-20 14:07
.
Pre-Run: 33,240,498,176 bytes free
Post-Run: 34,392,760,320 bytes free
.
- - End Of File - - 0879C58C21D3CA7FB475844B8DF69923 -
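Beyond the rootkit finding, three things in the ComboFix log above deserve a second look: the Run value "frxmxins" marked [X] (ComboFix could not find the file it points to), the services marked [?] whose binaries are missing from disk, two of which (SASDIFSV and SASKUTIL) are registered out of the user's Temp directory, and the Windows Firewall standard profile showing EnableFirewall = 0 while Security Center has DisableMonitoring = 1 set. The script below is an added example, not ComboFix's own code and not the helper's advice: it pulls those indicators out of a ComboFix report so they can be reviewed as a list instead of hunted for by eye. The excerpt it runs on is copied from the log above, and the regexes assume the line layouts seen there. A Temp-path driver is a lead rather than a verdict: SAS_SelfExtract is the folder SUPERAntiSpyware's portable scanner unpacks into, so that pair is most likely a leftover from an earlier cleanup run, which is exactly the kind of thing a flat list makes quick to confirm.

```python
import re

# Constructed sample: a handful of lines copied from the ComboFix log above, covering the
# line shapes the script understands (registry key header, Run value, firewall and
# Security Center values, and R/S service lines). It is not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frxmxins"="frxmxins" [X]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="target" [YYYY-MM-DD size], or "name"="target" [X] when ComboFix could not find the file
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<meta>[^\]]*)\]$')
# R<n>/S<n> name;display;path [date size], or ... path --> path [?] when the binary is missing
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$"
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"= (?P<value>\d+)')
MONITORING_RE = re.compile(r'^"DisableMonitoring"=dword:(?P<value>[0-9A-Fa-f]{8})$')


def analyze(log_text):
    """Walk a ComboFix report and return (finding, subject, detail) tuples worth a look."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]      # the values that follow belong to this key
            continue
        m = RUN_RE.match(line)
        if m:
            if m["meta"] == "X":        # autorun value whose executable no longer exists
                findings.append(("autorun-target-missing", m["name"], m["target"]))
            continue
        m = SVC_RE.match(line)
        if m:
            if m["meta"] == "?":        # service or driver registered, binary not on disk
                findings.append(("service-binary-missing", m["name"], m["path"]))
            if "\\temp\\" in (m["resolved"] or m["path"]).lower():
                findings.append(("service-loaded-from-temp", m["name"], m["path"]))
            continue
        m = FIREWALL_RE.match(line)
        if m and int(m["value"]) == 0:  # host firewall off for the profile named by current_key
            findings.append(("windows-firewall-disabled", current_key, m["value"]))
            continue
        m = MONITORING_RE.match(line)
        if m and int(m["value"], 16) == 1:  # Security Center told to stop watching a product
            findings.append(("security-center-monitoring-disabled", current_key, m["value"]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze(SAMPLE_LOG):
        print(f"{kind:<36} {subject}  ({detail})")
```

Each finding still needs a human decision. An orphaned Run value such as "frxmxins" is often the trace of a component a scanner already removed, and the firewall entry here may simply reflect that ESET's own firewall replaced the Windows one; the script's job is to make sure none of these is overlooked, not to pronounce on them.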
"newgenerationp.com/x" and "oldschoolzzz.com.x"
CaseyJ000 replied to CaseyJ000's topic in Resolved Malware Removal Logs
Hi Maniac, I saw your posts on Techmonkey.com related to this trojan. I've already run TDSSKiller because I saw the info about blue screens probably coming soon, and hadn't heard back from anyone. My apologies. So I have those logs too.

MBAM
Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.19.07
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Frances :: JIM2-88XVZV9YF [administrator]
Protection: Disabled
6/19/2012 10:26:25 PM
mbam-log-2012-06-19 (22-26-25).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 417013
Time elapsed: 2 hour(s), 28 minute(s), 16 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

dds.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by Frances at 6:00:33 on 2012-06-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.278 [GMT -7:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\Ati2evxx.exe svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe C:\Program Files\Canon\MyPrinter\BJMyPrt.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\ESET\ESET Smart Security\egui.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe svchost.exe C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe C:\Program Files\ESET\ESET Smart Security\ekrn.exe C:\WINDOWS\system32\frxhser.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\frxhapp.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\WINDOWS\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\Microsoft Office\Office\Winword.exe C:\Program Files\Mozilla Firefox\firefox.exe . ============== Pseudo HJT Report =============== . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchURL,(Default) = hxxp://www.google.com/keyword/%s uURLSearchHooks: &Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [frxmxins] frxmxins mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe" mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe" mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [Adobe ARM] "c:\program files\common 
files\adobe\arm\1.0\AdobeARM.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRunOnce: [FGLRXDetectPnPMonitor] rundll32 fglrxmon.dll,MonitorDetect StartupFolder: c:\docume~1\frances\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.clarkcolor.com/ClarkActivia.cab DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab DPF: 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://aon.webex.com/client/T25L10NSP41EP7/webex/ieatgpc.cab TCP: DhcpNameServer = 192.168.1.254 TCP: Interfaces\{7A7E11BE-51A3-42F3-8CDD-67FC3AD14385} : DhcpNameServer = 192.168.1.254 Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: AtiExtEvent - Ati2evxx.dll Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\frances\application data\mozilla\firefox\profiles\pi4kvmcf.default\ FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll FF - plugin: c:\windows\system32\npdeployJava1.dll FF - plugin: c:\windows\system32\npptools.dll . ============= SERVICES / DRIVERS =============== . 
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008] R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-8-12 810144] R2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [2005-1-16 53248] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-14 654408] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-14 22344] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-6-19 40776] S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?] S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\frances\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\frances\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?] S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\frances\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\frances\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?] S2 PPPoEService;PPPoE Service;c:\progra~1\nts\entern~1\app\pppoeservice.exe --> c:\progra~1\nts\entern~1\app\pppoeservice.exe [?] S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-29 257696] S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [2005-1-16 417061] S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-29 129976] . =============== Created Last 30 ================ . 
2012-06-20 05:26:06 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-06-20 05:15:19 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll 2012-06-20 04:52:34 -------- d-----w- C:\TDSSKiller_Quarantine 2012-06-16 14:32:56 -------- d-----w- c:\documents and settings\frances\application data\AdobeAUM 2012-06-16 14:29:31 5632 ----a-w- c:\windows\system32\ptpusb.dll 2012-06-16 14:29:30 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys 2012-06-16 14:29:30 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys 2012-06-16 14:29:29 159232 ----a-w- c:\windows\system32\ptpusd.dll 2012-06-13 02:25:34 73728 ----a-w- c:\windows\system32\javacpl.cpl 2012-06-13 02:25:34 476936 ----a-w- c:\windows\system32\npdeployJava1.dll 2012-05-30 01:58:31 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-05-29 14:49:32 -------- d-----w- c:\program files\Mozilla Maintenance Service . ==================== Find3M ==================== . 2012-06-13 02:25:02 472840 ----a-w- c:\windows\system32\deployJava1.dll 2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll 2012-05-30 02:01:24 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll 2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys 2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll 2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec 2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys . ============= FINISH: 6:01:40.56 =============== .Extras.txt UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . 
Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume2 Install Date: 1/16/2005 12:43:54 PM System Uptime: 6/19/2012 10:20:10 PM (8 hours ago) . Motherboard: Dell Computer Corp. | | Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2784/533mhz . ==== Disk Partitions ========================= . A: is Removable C: is FIXED (NTFS) - 74 GiB total, 31.087 GiB free. D: is CDROM () E: is FIXED (NTFS) - 699 GiB total, 637.908 GiB free. G: is Removable . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP287: 3/23/2012 3:25:35 AM - System Checkpoint RP288: 3/24/2012 4:25:35 AM - System Checkpoint RP289: 3/25/2012 5:25:38 AM - System Checkpoint RP290: 3/26/2012 8:12:52 AM - System Checkpoint RP291: 3/27/2012 1:22:24 PM - System Checkpoint RP292: 3/28/2012 1:50:02 PM - System Checkpoint RP293: 3/29/2012 2:26:38 PM - System Checkpoint RP294: 3/30/2012 2:42:12 PM - System Checkpoint RP295: 3/31/2012 3:26:35 PM - System Checkpoint RP296: 4/1/2012 3:27:39 PM - System Checkpoint RP297: 4/2/2012 3:53:59 PM - System Checkpoint RP298: 4/3/2012 3:56:22 PM - System Checkpoint RP299: 4/4/2012 4:16:52 PM - System Checkpoint RP300: 4/5/2012 4:22:39 PM - System Checkpoint RP301: 4/6/2012 5:20:29 PM - System Checkpoint RP302: 4/7/2012 5:41:34 PM - System Checkpoint RP303: 4/8/2012 5:56:07 PM - System Checkpoint RP304: 4/9/2012 6:08:07 PM - System Checkpoint RP305: 4/10/2012 6:42:55 PM - System Checkpoint RP306: 4/11/2012 8:50:12 AM - Software Distribution Service 3.0 RP307: 4/12/2012 10:01:33 AM - System Checkpoint RP308: 4/13/2012 10:48:15 AM - System Checkpoint RP309: 4/14/2012 8:25:44 PM - System Checkpoint RP310: 4/15/2012 9:42:50 PM - System Checkpoint RP311: 4/16/2012 9:47:08 PM - System Checkpoint RP312: 4/17/2012 10:47:09 PM - System Checkpoint RP313: 4/18/2012 11:11:20 PM - System Checkpoint RP314: 4/19/2012 1:15:01 PM - Installed QuickTime RP315: 4/20/2012 1:24:07 PM - System Checkpoint RP316: 4/21/2012 
2:23:56 PM - System Checkpoint RP317: 4/22/2012 3:25:00 PM - System Checkpoint RP318: 4/23/2012 4:23:55 PM - System Checkpoint RP319: 4/24/2012 5:20:14 PM - System Checkpoint RP320: 4/25/2012 6:30:50 PM - System Checkpoint RP321: 4/26/2012 7:21:19 PM - System Checkpoint RP322: 4/27/2012 7:43:38 PM - System Checkpoint RP323: 4/28/2012 8:37:59 PM - System Checkpoint RP324: 4/29/2012 9:37:58 PM - System Checkpoint RP325: 4/30/2012 10:07:20 PM - System Checkpoint RP326: 5/1/2012 10:36:38 PM - System Checkpoint RP327: 5/2/2012 10:59:15 PM - System Checkpoint RP328: 5/3/2012 11:59:14 PM - System Checkpoint RP329: 5/5/2012 12:59:19 AM - System Checkpoint RP330: 5/6/2012 1:59:15 AM - System Checkpoint RP331: 5/7/2012 2:50:19 AM - System Checkpoint RP332: 5/8/2012 3:50:18 AM - System Checkpoint RP333: 5/9/2012 4:50:20 AM - System Checkpoint RP334: 5/10/2012 8:57:12 AM - System Checkpoint RP335: 5/10/2012 1:13:35 PM - Software Distribution Service 3.0 RP336: 5/11/2012 1:30:29 PM - System Checkpoint RP337: 5/12/2012 1:52:39 PM - System Checkpoint RP338: 5/13/2012 2:40:36 PM - System Checkpoint RP339: 5/14/2012 3:15:29 PM - System Checkpoint RP340: 5/15/2012 3:43:46 PM - System Checkpoint RP341: 5/16/2012 4:42:09 PM - System Checkpoint RP342: 5/17/2012 5:30:11 PM - System Checkpoint RP343: 5/18/2012 5:43:41 PM - System Checkpoint RP344: 5/19/2012 6:30:10 PM - System Checkpoint RP345: 5/20/2012 7:30:08 PM - System Checkpoint RP346: 5/21/2012 8:07:08 PM - System Checkpoint RP347: 5/22/2012 8:42:21 PM - System Checkpoint RP348: 5/23/2012 8:42:41 PM - System Checkpoint RP349: 5/24/2012 8:43:48 PM - System Checkpoint RP350: 5/25/2012 9:20:43 PM - System Checkpoint RP351: 5/26/2012 10:20:45 PM - System Checkpoint RP352: 5/27/2012 11:20:44 PM - System Checkpoint RP353: 5/28/2012 11:27:32 PM - System Checkpoint RP354: 5/29/2012 11:40:20 PM - System Checkpoint RP355: 5/30/2012 11:58:35 PM - System Checkpoint RP356: 6/1/2012 12:58:36 AM - System Checkpoint RP357: 6/2/2012 6:56:36 AM - 
System Checkpoint RP358: 6/3/2012 7:54:39 AM - System Checkpoint RP359: 6/4/2012 7:50:42 PM - System Checkpoint RP360: 6/5/2012 8:50:30 PM - System Checkpoint RP361: 6/6/2012 9:38:21 PM - System Checkpoint RP362: 6/7/2012 10:38:20 PM - System Checkpoint RP363: 6/8/2012 10:59:34 PM - System Checkpoint RP364: 6/9/2012 11:57:51 PM - System Checkpoint RP365: 6/11/2012 12:05:40 AM - System Checkpoint RP366: 6/12/2012 12:12:42 AM - System Checkpoint RP367: 6/12/2012 7:24:08 PM - Removed Java™ 6 Update 26 RP368: 6/12/2012 7:24:49 PM - Installed Java™ 6 Update 33 RP369: 6/13/2012 8:11:58 PM - Software Distribution Service 3.0 RP370: 6/14/2012 8:23:23 PM - System Checkpoint RP371: 6/15/2012 9:07:50 PM - System Checkpoint RP372: 6/16/2012 9:37:07 PM - System Checkpoint RP373: 6/17/2012 10:21:14 PM - System Checkpoint RP374: 6/18/2012 10:35:53 PM - System Checkpoint RP375: 6/19/2012 10:15:38 PM - Software Distribution Service 3.0 . ==== Installed Programs ====================== . 2Wire Wireless Client Adobe Flash Player 11 ActiveX Adobe Flash Player 11 Plugin Adobe Photoshop Album 2.0 Starter Edition Adobe Reader X (10.1.3) Apple Application Support Apple Software Update AT&T Yahoo! 
High Speed Internet Home Networking Installer ATI - Software Uninstall Utility ATI Display Driver Canon iP2600 series Canon iP2600 series User Registration Canon My Printer Canon Utilities Easy-PhotoPrint EX Canon Utilities Solution Menu Critical Update for Windows Media Player 11 (KB959772) Dell Driver Download Manager Dell ResourceCD Drive Manager ESET Online Scanner v3 ESET Smart Security GoToAssist Corporate HighMAT Extension to Microsoft Windows XP CD Writing Wizard Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB2158563) Hotfix for Windows XP (KB2443685) Hotfix for Windows XP (KB2570791) Hotfix for Windows XP (KB2633952) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) Hotfix for Windows XP (KB981793) Intel® PRO Ethernet Adapter and Software iTunes Java Auto Updater Java™ 6 Update 33 Junk Mail filter update Malwarebytes Anti-Malware version 1.61.0.1400 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB2656353) Microsoft .NET Framework 1.1 Security Update (KB2656370) Microsoft .NET Framework 1.1 Security Update (KB979906) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Application Error Reporting Microsoft Choice Guard Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Excel 97 Microsoft IntelliPoint 7.1 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 
Microsoft Visual C++ 2005 Redistributable Microsoft Word 97 Mozilla Firefox 12.0 (x86 en-US) Mozilla Maintenance Service MSVCRT MSXML 6 Service Pack 2 (KB954459) Norton SystemWorks Picture Package Music Transfer QuickTime Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424) Security Update for Microsoft Windows (KB2564958) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB2497640) Security Update for Windows Internet Explorer 8 (KB2510531) Security Update for Windows Internet Explorer 8 (KB2530548) Security Update for Windows Internet Explorer 8 (KB2544521) Security Update for Windows Internet Explorer 8 (KB2559049) Security Update for Windows Internet Explorer 8 (KB2586448) Security Update for Windows Internet Explorer 8 (KB2618444) Security Update for Windows Internet Explorer 8 (KB2647516) Security Update for Windows Internet Explorer 8 (KB2675157) Security Update for Windows Internet Explorer 8 
(KB2699988) Security Update for Windows Internet Explorer 8 (KB982381) Security Update for Windows Media Player (KB2378111) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player (KB975558) Security Update for Windows Media Player (KB978695) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB2079403) Security Update for Windows XP (KB2115168) Security Update for Windows XP (KB2121546) Security Update for Windows XP (KB2160329) Security Update for Windows XP (KB2229593) Security Update for Windows XP (KB2259922) Security Update for Windows XP (KB2279986) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB2296011) Security Update for Windows XP (KB2296199) Security Update for Windows XP (KB2347290) Security Update for Windows XP (KB2360937) Security Update for Windows XP (KB2387149) Security Update for Windows XP (KB2393802) Security Update for Windows XP (KB2412687) Security Update for Windows XP (KB2419632) Security Update for Windows XP (KB2423089) Security Update for Windows XP (KB2436673) Security Update for Windows XP (KB2440591) Security Update for Windows XP (KB2443105) Security Update for Windows XP (KB2476490) Security Update for Windows XP (KB2476687) Security Update for Windows XP (KB2478960) Security Update for Windows XP (KB2478971) Security Update for Windows XP (KB2479628) Security Update for Windows XP (KB2479943) Security Update for Windows XP (KB2481109) Security Update for Windows XP (KB2483185) Security Update for Windows XP 
(KB2485376) Security Update for Windows XP (KB2485663) Security Update for Windows XP (KB2503658) Security Update for Windows XP (KB2503665) Security Update for Windows XP (KB2506212) Security Update for Windows XP (KB2506223) Security Update for Windows XP (KB2507618) Security Update for Windows XP (KB2507938) Security Update for Windows XP (KB2508272) Security Update for Windows XP (KB2508429) Security Update for Windows XP (KB2509553) Security Update for Windows XP (KB2511455) Security Update for Windows XP (KB2524375) Security Update for Windows XP (KB2535512) Security Update for Windows XP (KB2536276-v2) Security Update for Windows XP (KB2536276) Security Update for Windows XP (KB2544893-v2) Security Update for Windows XP (KB2544893) Security Update for Windows XP (KB2555917) Security Update for Windows XP (KB2562937) Security Update for Windows XP (KB2566454) Security Update for Windows XP (KB2567053) Security Update for Windows XP (KB2567680) Security Update for Windows XP (KB2570222) Security Update for Windows XP (KB2570947) Security Update for Windows XP (KB2584146) Security Update for Windows XP (KB2585542) Security Update for Windows XP (KB2592799) Security Update for Windows XP (KB2598479) Security Update for Windows XP (KB2603381) Security Update for Windows XP (KB2618451) Security Update for Windows XP (KB2619339) Security Update for Windows XP (KB2620712) Security Update for Windows XP (KB2621440) Security Update for Windows XP (KB2624667) Security Update for Windows XP (KB2631813) Security Update for Windows XP (KB2633171) Security Update for Windows XP (KB2639417) Security Update for Windows XP (KB2641653) Security Update for Windows XP (KB2646524) Security Update for Windows XP (KB2647518) Security Update for Windows XP (KB2653956) Security Update for Windows XP (KB2659262) Security Update for Windows XP (KB2660465) Security Update for Windows XP (KB2661637) Security Update for Windows XP (KB2676562) Security Update for Windows XP (KB2685939) 
Security Update for Windows XP (KB2686509) Security Update for Windows XP (KB2695962) Security Update for Windows XP (KB2707511) Security Update for Windows XP (KB2709162) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update 
for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB979687) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981322) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981957) 
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype™ 5.8
Sony Picture Utility
SpywareBlaster 4.6
Symantec Technical Support Web Controls
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WebFldrs XP
Windows 7 Upgrade Advisor
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
6/19/2012 9:46:16 AM, error: Print [6161] - The document http://msn.careerbui...terviewing-The- owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 115608. Number of bytes printed: 115440. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 9:44:44 AM, error: Print [6161] - The document http://msn.careerbui...terviewing-The- owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 115440. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 9:00:46 PM, error: Print [6161] - The document https://hrjobs.trave...E/HRMS/c/HRS_HR owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 39100. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/15/2012 10:33:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd SASDIFSV SASKUTIL
6/15/2012 10:33:32 PM, error: Service Control Manager [7000] - The iPodService service failed to start due to the following error: %1 is not a valid Win32 application.
6/15/2012 10:33:32 PM, error: DCOM [10005] - DCOM got error "%193" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
6/15/2012 10:33:31 PM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
6/15/2012 10:33:31 PM, error: Service Control Manager [7000] - The PPPoE Service service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================
TDSSKiller.2.7.40.0_19.06.2012_21.49.43_log.zip
TDSSKiller.2.7.40.0_19.06.2012_22.04.46_log.zip
-
I'm getting ESET alerts on my wife's computer running Windows XP blocking "newgenerationp.com/x" and "oldschoolzzz.com.x". ESET keeps giving alerts that the computer needs to be updated, but I see the updates have been failing for several days, and they failed when I tried. Malwarebytes is showing nothing now. I deleted a trojan earlier today. I know I should post some logs first, but if anyone has any suggestions of what to start with, let me know.
-
I was on the Malwarebytes Forum and got some great help from Kasdah in June. My battery surge protector started to fail and I bought a new one. Around the same time I started to get "Windows Delayed File Write" errors. I bought a new battery backup and unfortunately I installed the new software disk. The next time I tried to restart, my Administrator Password window wouldn't come up. I restarted in Safe Mode and did 2 system restores back to before the day I got the Delayed Write errors. I got these logs from OTL; as you can see it's still looking for the "APC PowerChute Personal Edition 3.0" even though I removed the program and disconnected the wire. I wasn't sure the "Delayed File Write" wasn't some sort of virus, but I changed all the check boxes that 'Enable Write Caching'. My computer keeps freezing up at this point and I have to keep restarting it. I know I need to upgrade the operating system, but I'm also not sure if the hard disk has to be replaced as well. I'm getting a lot of these since the Delayed Write File errors started happening:
2012/03/12 19:38:39 -0700 DJ7G3BC1 Administrator MESSAGE Starting IP protection
2012/03/12 19:38:41 -0700 DJ7G3BC1 Administrator ERROR IP protection failed: PfMakeLog failed with error code 122
Thanks in advance for any help.
System specs: Dell Precision, Windows XP Professional x64 Edition Version 2003 Service Pack 2, 5110@160GHz, 8 GB of RAM
OTL.zip
mbam-log-2012-03-12 (08-20-49).txt
-
Great, thank you so much!!! I was reading some of the included webpages and I noticed on the one about what can slow your computer: "Don't install more than one Antivirus and Firewall with Realtime Protection enabled." I have ESET, and then I bought Malwarebytes. They're both running, I guess. I haven't seen any mention of that as a problem until now. Should I turn off part of ESET?