XP Internet Security already BACK after 4 days!

[pinkshoegirl]

I was able to run DDS - files follow. However, I've tried the rootkit scan twice and both times my computer goes to the blue screen - physical memory dump partway during the scan. Figures I was waiting for tomorrow's paycheck to order my anti-malware! I can't believe it's back so fast as I am hardly online!

DDS (Ver_09-12-01.01) - NTFSx86

Run by Owner at 20:23:25.85 on Thu 03/04/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.504 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

I:\WINDOWS\system32\Ati2evxx.exe

I:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

I:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

I:\WINDOWS\system32\spoolsv.exe

I:\WINDOWS\system32\Ati2evxx.exe

I:\WINDOWS\Explorer.EXE

I:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

I:\Program Files\Bonjour\mDNSResponder.exe

I:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

I:\WINDOWS\eHome\ehRecvr.exe

I:\WINDOWS\eHome\ehSched.exe

I:\Program Files\Java\jre6\bin\jqs.exe

I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

i:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

I:\Program Files\McAfee\MPF\MPFSrv.exe

I:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe

I:\WINDOWS\system32\svchost.exe -k imgsvc

I:\WINDOWS\wanmpsvc.exe

i:\PROGRA~1\mcafee.com\agent\mcagent.exe

I:\WINDOWS\system32\dllhost.exe

I:\Program Files\Common Files\AOL\1149769522\ee\AOLSoftware.exe

I:\Program Files\Winamp\winampa.exe

I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE

I:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

I:\WINDOWS\ehome\ehtray.exe

I:\Program Files\Common Files\AOL\ACS\AOLDial.exe

I:\Program Files\ATI Technologies\ATI.ACE\cli.exe

I:\Program Files\Napster\napster.exe

I:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

I:\Program Files\QuickTime\QTTask.exe

I:\WINDOWS\SM1BG.EXE

I:\Program Files\iTunes\iTunesHelper.exe

I:\Program Files\Common Files\Java\Java Update\jusched.exe

I:\WINDOWS\system32\ctfmon.exe

I:\WINDOWS\eHome\ehmsas.exe

I:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

I:\Program Files\internet explorer\iexplore.exe

I:\Program Files\iPod\bin\iPodService.exe

I:\WINDOWS\system32\taskmgr.exe

I:\Program Files\ATI Technologies\ATI.ACE\cli.exe

I:\Program Files\ATI Technologies\ATI.ACE\cli.exe

I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

i:\PROGRA~1\mcafee\msc\mcuimgr.exe

I:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/

uSearchMigratedDefaultURL = hxxp://search.aol.com/aolcom/search?query={searchTerms}&invocationType=msie70a

mStart Page = hxxp://www.google.com

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - i:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe

mRun: [EPSON Stylus Photo RX620 Series] i:\windows\system32\spool\drivers\w32x86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"

mRun: [WinampAgent] i:\program files\winamp\winampa.exe

mRun: [sM1BG] i:\windows\SM1BG.EXE

mRun: [Pure Networks Port Magic] "i:\progra~1\purene~1\portma~1\PortAOL.exe" -Run

mRun: [HostManager] i:\program files\common files\aol\1149769522\ee\AOLSoftware.exe

mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

mRun: [ehTray] i:\windows\ehome\ehtray.exe

mRun: [ATICCC] "i:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [AOLDialer] i:\program files\common files\aol\acs\AOLDial.exe

mRun: [Adobe Photo Downloader] "i:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [NapsterShell] i:\program files\napster\napster.exe /systray

mRun: [mcagent_exe] i:\program files\mcafee.com\agent\mcagent.exe /runkey

mRun: [Carbonite Backup] i:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [QuickTime Task] "i:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "i:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "i:\program files\common files\java\java update\jusched.exe"

StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - i:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - i:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - i:\windows\system32\Shdocvw.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 sonypvl2;sonypvl2;i:\windows\system32\drivers\sonypvl2.sys [2006-6-11 19478]

R1 mfehidk;McAfee Inc. mfehidk;i:\windows\system32\drivers\mfehidk.sys [2007-12-17 201320]

R1 sonypvf2;sonypvf2;i:\windows\system32\drivers\sonypvf2.sys [2006-6-11 635017]

R1 sonypvt2;sonypvt2;i:\windows\system32\drivers\sonypvt2.sys [2006-6-11 431236]

R2 McProxy;McAfee Proxy Service;i:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-4 359248]

R2 McShield;McAfee Real-time Scanner;i:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-17 144704]

R3 McSysmon;McAfee SystemGuards;i:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-17 695624]

R3 mfeavfk;McAfee Inc. mfeavfk;i:\windows\system32\drivers\mfeavfk.sys [2007-12-17 79304]

R3 mfebopk;McAfee Inc. mfebopk;i:\windows\system32\drivers\mfebopk.sys [2007-12-17 35240]

R3 mfesmfk;McAfee Inc. mfesmfk;i:\windows\system32\drivers\mfesmfk.sys [2007-12-17 40488]

S1 sonypvd2;sonypvd2;i:\windows\system32\drivers\sonypvd2.sys [2006-6-11 64093]

S3 mferkdk;McAfee Inc. mferkdk;i:\windows\system32\drivers\mferkdk.sys [2007-12-17 33832]

S3 MSSQL$NR2005;MSSQL$NR2005;i:\program files\microsoft sql server\mssql$nr2005\binn\sqlservr.exe -snr2005 --> i:\program files\microsoft sql server\mssql$nr2005\binn\sqlservr.exe -sNR2005 [?]

S3 SQLAgent$NR2005;SQLAgent$NR2005;i:\program files\microsoft sql server\mssql$nr2005\binn\sqlagent.exe -i nr2005 --> i:\program files\microsoft sql server\mssql$nr2005\binn\sqlagent.EXE -i NR2005 [?]

=============== Created Last 30 ================

2010-02-28 15:14:16 73728 ----a-w- i:\windows\system32\javacpl.cpl

2010-02-27 16:40:47 0 d-----w- I:\Combo-Fix

2010-02-27 16:35:34 50176 ----a-w- i:\windows\system32\proquota.exe

2010-02-27 15:58:24 10240 --sha-w- i:\documents and settings\owner\Thumbs.db

2010-02-26 22:43:42 0 d-sha-r- I:\cmdcons

2010-02-26 01:20:41 0 ----a-w- i:\documents and settings\owner\defogger_reenable

==================== Find3M ====================

2010-02-28 15:13:51 411368 ----a-w- i:\windows\system32\deploytk.dll

2010-01-07 21:07:14 38224 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- i:\windows\system32\drivers\mbam.sys

2003-08-27 18:19:18 36963 ------r- i:\program files\common files\SM1updtr.dll

============= FINISH: 20:24:01.48 ===============

Attach.zip

[Maniac]

Hello pinkshoegirl! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

• The process of cleaning your system may take some time, so please be patient.
  
• Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  
• Instructions that I give are for your system only!
  
• If you don't know or can't understand something please ask.
  
• Do not install any software or hardware, while work on.
  

Step 1:

Please uninstall the following applications:

Adobe Reader 7.1.0

McAfee SecurityCenter

After finish our work, please download and install the latest version of Adobe Reader from:

http://www.adobe.com

Step 2:

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

• Double-click on JavaRa.exe to start the program.
  
• From the drop-down menu, choose English and click on Select.
  
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  
• A logfile will pop up. Please save it to a convenient location and post it back when you reply
  Then look for the following Java folders and if found delete them.
  C:\Program Files\Java
  C:\Program Files\Common Files\Java
  C:\Windows\Sun
  C:\Documents and Settings\All Users\Application Data\Java
  C:\Documents and Settings\All Users\Application Data\Sun\Java
  C:\Documents and Settings\username\Application Data\Java
  C:\Documents and Settings\username\Application Data\Sun\Java
  

Step 3:

Download RootRepeal.zip and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
  
• Click on the Report tab at the bottom of the program window
  
• Click the Scan button
  
• In the Select Scan dialog, check:
  • 
    
  • Drivers
    
  • Files
    
  • Processes
    
  • SSDT
    
  • Stealth Objects
    
  • Hidden Services
    

  [*]Click the OK button

  [*]In the next dialog, select all drives showing

  [*]Click OK to start the scan

  Note: The scan can take some time.
  DO NOT
  run any other programs while the scan is running

  [*]When the scan is complete, the Save Report button will become available

  [*]Click this and save the report to your Desktop as RootRepeal.txt

  [*]Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

Step 4:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

In your next reply, please include these log(s):

* HijackThis Uninstall List

* HijackThis log (new)

* JavaRa log

* RootRepeal log

* ComboFix log

[pinkshoegirl]

I think this is everything, I'm not sure what you meant by new HiJack this log and uninstall list? So I reran DDS, I hope that is correct!

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Feb 27 10:06:54 2010

Found and removed: I:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_12

Found and removed: I:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_14

Found and removed: I:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_15

Found and removed: I:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_16

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Feb 27 10:08:21 2010

------------------------------------

Finished reporting.

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Mar 05 17:16:55 2010

------------------------------------

Finished reporting.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/03/05 17:20

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP2

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: I:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB6C09000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: I:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7DD7000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: I:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB36AA000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: i:\windows\temp\perflib_perfdata_110.dat

Status: Allocation size mismatch (API: 16384, Raw: 0)

==EOF==

Attach.zip

Combofix_log.txt

DDS.txt

[Maniac]

• Launch Malwarebytes' Anti-Malware
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[pinkshoegirl]

Malwarebytes' Anti-Malware 1.44

Database version: 3828

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

3/6/2010 10:05:24 AM

mbam-log-2010-03-06 (10-05-24).txt

Scan type: Quick Scan

Objects scanned: 116016

Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Maniac]

Very good!

Let's install some antivirus program.

It is extremely important that you have an antivirus program installed and running on your computer to prevent possible infections. I would like you to download and install a free antivirus program.

• Avira AntiVir Personal
  

Next,

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.

[pinkshoegirl]

Avira AntiVir Personal

Report file date: Saturday, March 06, 2010 15:30

Scanning for 1820270 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : KENNY-577585BD9

Version information:

BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00

AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 16:26:33

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 12:35:52

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 20:28:31

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 20:28:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 20:28:46

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 20:28:52

VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 20:28:52

VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 20:28:52

VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 20:28:52

VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 20:28:52

VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 20:28:52

VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 20:28:52

VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 20:28:53

VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 20:28:53

VBASE013.VDF : 7.10.4.212 2048 Bytes 3/5/2010 20:28:53

VBASE014.VDF : 7.10.4.213 2048 Bytes 3/5/2010 20:28:53

VBASE015.VDF : 7.10.4.214 2048 Bytes 3/5/2010 20:28:53

VBASE016.VDF : 7.10.4.215 2048 Bytes 3/5/2010 20:28:53

VBASE017.VDF : 7.10.4.216 2048 Bytes 3/5/2010 20:28:53

VBASE018.VDF : 7.10.4.217 2048 Bytes 3/5/2010 20:28:53

VBASE019.VDF : 7.10.4.218 2048 Bytes 3/5/2010 20:28:53

VBASE020.VDF : 7.10.4.219 2048 Bytes 3/5/2010 20:28:54

VBASE021.VDF : 7.10.4.220 2048 Bytes 3/5/2010 20:28:54

VBASE022.VDF : 7.10.4.221 2048 Bytes 3/5/2010 20:28:54

VBASE023.VDF : 7.10.4.222 2048 Bytes 3/5/2010 20:28:54

VBASE024.VDF : 7.10.4.223 2048 Bytes 3/5/2010 20:28:54

VBASE025.VDF : 7.10.4.224 2048 Bytes 3/5/2010 20:28:54

VBASE026.VDF : 7.10.4.225 2048 Bytes 3/5/2010 20:28:54

VBASE027.VDF : 7.10.4.226 2048 Bytes 3/5/2010 20:28:54

VBASE028.VDF : 7.10.4.227 2048 Bytes 3/5/2010 20:28:54

VBASE029.VDF : 7.10.4.228 2048 Bytes 3/5/2010 20:28:55

VBASE030.VDF : 7.10.4.229 2048 Bytes 3/5/2010 20:28:55

VBASE031.VDF : 7.10.4.233 25088 Bytes 3/5/2010 20:28:55

Engineversion : 8.2.1.180

AEVDF.DLL : 8.1.1.3 106868 Bytes 3/6/2010 20:29:08

AESCRIPT.DLL : 8.1.3.17 1032570 Bytes 3/6/2010 20:29:08

AESCN.DLL : 8.1.5.0 127347 Bytes 3/6/2010 20:29:06

AESBX.DLL : 8.1.2.0 254323 Bytes 3/6/2010 20:29:09

AERDL.DLL : 8.1.4.2 479602 Bytes 3/6/2010 20:29:05

AEPACK.DLL : 8.2.1.0 426356 Bytes 3/6/2010 20:29:04

AEOFFICE.DLL : 8.1.0.39 196987 Bytes 3/6/2010 20:29:03

AEHEUR.DLL : 8.1.1.7 2326902 Bytes 3/6/2010 20:29:02

AEHELP.DLL : 8.1.10.1 237942 Bytes 3/6/2010 20:28:58

AEGEN.DLL : 8.1.2.0 373107 Bytes 3/6/2010 20:28:57

AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 12:38:26

AECORE.DLL : 8.1.12.2 188790 Bytes 3/6/2010 20:28:56

AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 12:38:20

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 20:14:02

AVREP.DLL : 8.0.0.7 159784 Bytes 3/6/2010 20:29:10

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58

RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 17:25:47

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: i:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: I:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Saturday, March 06, 2010 15:30

Starting search for hidden objects.

'107452' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msiexec.exe' - '1' Module(s) have been scanned

Scan process 'aoltpsd3.exe' - '1' Module(s) have been scanned

Scan process 'shellmon.exe' - '1' Module(s) have been scanned

Scan process 'waol.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'msdtc.exe' - '1' Module(s) have been scanned

Scan process 'CLI.exe' - '1' Module(s) have been scanned

Scan process 'CLI.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'qbupdate.exe' - '1' Module(s) have been scanned

Scan process 'ehmsas.exe' - '1' Module(s) have been scanned

Scan process 'E_FATI9HA.EXE' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'QTTask.exe' - '1' Module(s) have been scanned

Scan process 'napster.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'CarboniteUI.exe' - '1' Module(s) have been scanned

Scan process 'ehtray.exe' - '1' Module(s) have been scanned

Scan process 'CLI.exe' - '1' Module(s) have been scanned

Scan process 'SM1bg.exe' - '1' Module(s) have been scanned

Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned

Scan process 'dllhost.exe' - '1' Module(s) have been scanned

Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sqlservr.exe' - '1' Module(s) have been scanned

Scan process 'ehSched.exe' - '1' Module(s) have been scanned

Scan process 'ehRecvr.exe' - '1' Module(s) have been scanned

Scan process 'CarboniteService.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

50 processes with 50 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Master boot sector HD2

[iNFO] No virus was found!

Master boot sector HD3

[iNFO] No virus was found!

Master boot sector HD4

[iNFO] No virus was found!

Master boot sector HD5

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'I:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'I:\'

I:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

I:\Program Files\Common Files\AOL\1149769522\ee\services\imApp\ver1_2_80\uninst.exe

[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware

I:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acsrollb.exe

[0] Archive type: NSIS

--> [PluginsDir]/utility.dll

[DETECTION] Is the TR/StartPage.HMI Trojan

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1065\A0105118.dll

[DETECTION] Is the TR/Trash.Gen Trojan

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1067\A0105217.exe

[DETECTION] Is the TR/Dldr.FraudLo.sxm Trojan

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1067\A0105218.exe

[DETECTION] Is the TR/Drop.Agent.wzh Trojan

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1075\A0105572.dll

[DETECTION] Is the TR/Agent.35328 Trojan

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1075\A0105712.exe

[DETECTION] Is the TR/FakeRean.A.134 Trojan

Beginning disinfection:

I:\Program Files\Common Files\AOL\1149769522\ee\services\imApp\ver1_2_80\uninst.exe

[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware

[NOTE] The file was moved to '4bfbd1fb.qua'!

I:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acsrollb.exe

[NOTE] The file was moved to '4c05d1f0.qua'!

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1065\A0105118.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4bc3d1bd.qua'!

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1067\A0105217.exe

[DETECTION] Is the TR/Dldr.FraudLo.sxm Trojan

[NOTE] The file was moved to '4aa66cfe.qua'!

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1067\A0105218.exe

[DETECTION] Is the TR/Drop.Agent.wzh Trojan

[NOTE] The file was moved to '4aa17456.qua'!

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1075\A0105572.dll

[DETECTION] Is the TR/Agent.35328 Trojan

[NOTE] The file was moved to '4aa514b6.qua'!

I:\System Volume Information\_restore{492C6F41-ED66-4374-AF45-B68863E1AECF}\RP1075\A0105712.exe

[DETECTION] Is the TR/FakeRean.A.134 Trojan

[NOTE] The file was moved to '4ff8c676.qua'!

End of the scan: Saturday, March 06, 2010 17:05

Used time: 1:06:01 Hour(s)

The scan has been done completely.

9936 Scanned directories

478410 Files were scanned

7 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

7 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

478402 Files not concerned

2395 Archives were scanned

1 Warnings

8 Notes

107452 Objects were scanned with rootkit scan

0 Hidden objects were found

Attach.zip

DDS.txt

[Maniac]

Please clear system restore points only:

http://www.microsoft.com/windowsxp/using/h...ps/mcgill1.mspx

Finally, tell me how are things now.

[pinkshoegirl]

I don't have this option:

2.

Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.

[Maniac]

See this:

http://www.solidblogger.com/wp-content/upl...tem-restore.png

[pinkshoegirl]

okay i had to turn system restore back on though in order to create a new restore point after deleting the old ones. now i leave it on correct?

[Maniac]

No, don't create a new one.

How are things running now?

[pinkshoegirl]

I already created a new one because the link you posted said I should:

All system restore points are deleted. Now you should manually create a restore point.

1.

Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.

2.

Click Create a Restore Point, and then click Next.

3.

Name your restore point. (I use the date as well as a descriptive term such as "After Restore Point Deletion.")

[pinkshoegirl]

I'm sorry I just realized I was suppose to clear them only... But I turn it back on correct?

[Maniac]

Yes, no problem.

What about the situation now?

[pinkshoegirl]

It's been fine since I ran the combo fix. Just a few questions:

You had be delete my McAfee antivirus and install Avira. Is this better than McAfee and does it have a firewall as that was deleted with McAfee also? Or do I need to unistall it and reinstall McAfee?

Last week when you were working with me I did something with a Defogger that said I may need to re-enable after we were done?

And lastly, I deleted Java, is this safe to reinstall?

Thanks as always for your help

[Maniac]

You had be delete my McAfee antivirus and install Avira. Is this better than McAfee and does it have a firewall as that was deleted with McAfee also? Or do I need to unistall it and reinstall McAfee?

Yes, I think Avira is better than McAfee. Also, it's free. Avira is antivirus program. If you want firewall you can choose some free of them:

• Comodo Firewall
  
• Online Armor
  
• PC Tools Firewall Plus
  

Last week when you were working with me I did something with a Defogger that said I may need to re-enable after we were done?

I suggest that you not do this.

And lastly, I deleted Java, is this safe to reinstall?

Bad idea! Just download and install the latest version from here:

http://www.java.com/en/download/index.jsp

[pinkshoegirl]

great! thanks again everything is up and seems to be running fine except when i run new programs that is taking longer than usual - thanks so much for the links.

[Maniac]

Step 1:

Please manually delete: JavaRa ; RootRepeal ; DDS ;

Step 2:

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Safe surfing!

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.