
Rogue.AVSecuritySuite - Does MBAM Kill It All ?



I am running XP/Pro SP-3 and Firefox 3.6.3.

Yesterday I clicked on a reference in a forum on Video Cards and got malware. I finally got MBAM to run after killing bad entries in the Logon and Scheduled tasks. I was able to run an old version of MBAM v4052 which killed entries in

(1) HKEY_LOCAL_MACHINE\SOFTWARE\avsuite and

(2) HKEY_CURRENT_USER\Software\avsoft

in both for (Rogue.AntivirusSuite) and (Trojan.Fraudpack)

I then updated MBAM to v4177 which found (Trojan.Gentee) in an old unused file.

After removing the Trojan I reran the full scan and it was clean.

This morning I downloaded v4178 and ran a full scan, which came up with several (Rogue.AVSecuritySuite) files in

C:\Documents and Settings\(userid)\Local Settings\Temp

C:\Documents and Settings\(userid)\Local Settings\Temp

C:\Documents and Settings\(userid)\Local Settings\Temporary Internet

I could not access the internet:

(1) from Firefox until I changed: tools/advanced/network/connections/settings to NO Proxy

(2) from IE8 until I ran: tools/internet options/advanced/restore Internet settings

MBAM v 4179 is now running.

So, do I need to do anything more to get rid of this plague?

Thanks --Roy--


Hello Roy! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we are working on this.

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=9573

Post all logs if you can.


Here are the 3 mbam logs:

(1) run with def-4052 which found rogue in registry

(2) run with def-4178 which found rogue in files

(3) latest run def-4180 no malicious items detected.

=================================

(1) run with def-4052 which found rogue in registry

=================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/7/2010 3:22:32 PM

mbam-log-2010-06-07 (15-22-32).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 305621

Time elapsed: 1 hour(s), 56 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==============================

(2) run with def-4178 which found rogue in files

==============================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4178

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/8/2010 7:01:08 AM

mbam-log-2010-06-08 (07-01-08).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 316468

Time elapsed: 1 hour(s), 38 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\lazeller\Local Settings\Application Data\orwefgsfy\qgkixr.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.

C:\Documents and Settings\lazeller\Local Settings\Temp\DBqF.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.

C:\Documents and Settings\lazeller\Local Settings\Temp\xDgX.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.

C:\Documents and Settings\lazeller\Local Settings\Temporary Internet Files\Content.IE5\T88EY4TK\n002102304801r0409J11000601Rc15a2320Wbc5f6f06X20fab0f2Y6cf6720bZ03003f360[1] (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.

=================================

(3) latest run def-4180 no malicious items detected.

=================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4182

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/8/2010 8:25:45 PM

mbam-log-2010-06-08 (20-25-45).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 316329

Time elapsed: 1 hour(s), 56 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==============

end of logs

================


OK here are the logs requested.

(1) mbam - already posted

(2) DDS.txt - pasted

(3) Attach.txt - pasted

(3) ark.txt - attached

=====================

(2) DDS.txt

=================

DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 10:53:58.55 on Wed 06/09/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.530 [GMT -7:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FW: McAfee Host Intrusion Prevention Firewall *disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\LANDesk\Shared Files\residentagent.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\WINDOWS\system32\CBA\pds.exe

C:\Program Files\LANDesk\LDCLient\tmcsvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\LANDesk\LDClient\collector.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe

C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe

C:\Program Files\LANDesk\LDCLient\softmon.exe

C:\Program Files\Verdiem\SurveyorSD\Bin\SurveyorSD.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Verdiem\SurveyorSD\bin\SurveyorSession.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Documents and Settings\lazeller\Desktop\Malware Kill Folder\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [surveyorSession] c:\program files\verdiem\surveyorsd\bin\SurveyorSession.exe

mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vpn1key.metrokc.gov/vdesk/terminal/f5tunsrv.cab#version=6030,2009,327,1558

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://vpn1key.metrokc.gov/vdesk/terminal/InstallerControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156192863764

DPF: {76850F2A-FCAA-454F-82D3-BD46CB186EF5} - hxxp://escwebheat/iheat/iHEAT-activex.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38016.5939351852

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vpn1key.metrokc.gov/vdesk/terminal/urxhost.cab#version=6030,2009,327,1548

TCP: {0912E915-D402-4307-95AE-40CCC72CD935} = 146.129.189.4,146.129.56.4

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 146.129.189.194 ITSMVSRV

Hosts: 146.129.189.195 ITSMVSXA

Hosts: 146.120.177.130

Hosts: 146.129.56.6

Hosts: 146.129.67.137 kcsorpis

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-22 343760]

R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [2004-6-14 35270]

R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2009-11-4 147456]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2009-10-20 1489984]

R2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-12-17 35696]

R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\landesk\ldclient\tmcsvc.exe [2010-3-11 182272]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-8-31 21256]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-8-31 146448]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-8-31 66896]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-4-28 70728]

R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\propatches\scheduler\stSchedEx.exe [2006-2-14 181872]

R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2010-3-11 263680]

R2 SurveyorSD;Verdiem Surveyor Client;c:\program files\verdiem\surveyorsd\bin\SurveyorSD.exe [2009-3-20 2217216]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2007-9-20 44680]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2008-2-1 107960]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2008-2-1 38680]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2008-2-1 35584]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-22 91672]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-22 43288]

S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2009-3-20 45696]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2007-9-20 44680]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-6 65448]

S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2009-3-20 56960]

S4 gupdate;Google Update Service (gupdate); [x]

=============== Created Last 30 ================

2010-06-09 17:52:02 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-06-09 17:46:39 0 d-sh--w- c:\documents and settings\administrator\IETldCache

2010-06-09 14:36:04 3254 ----a-w- c:\windows\system32\wbem\Outlook_01cb07e116fab8dc.mof

2010-06-09 01:22:34 39816 ----a-w- c:\windows\system32\HIPIS0e011af.dll

2010-06-09 01:22:34 113 ----a-w- c:\windows\system32\api_hook_list.dat

2010-06-08 23:23:24 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-08 17:31:39 0 d-----w- C:\un-categorized

2010-06-08 15:52:00 77312 ----a-w- c:\windows\MBR.exe

2010-06-08 15:51:57 256512 ----a-w- c:\windows\PEV.exe

2010-06-08 15:51:57 161792 ----a-w- c:\windows\SWREG.exe

2010-06-08 15:51:56 98816 ----a-w- c:\windows\sed.exe

2010-06-08 15:51:41 0 d-s---w- C:\Combo-Fix

2010-06-07 17:11:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 17:11:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-07 17:11:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-13 23:28:53 0 d-----w- C:\Inetpub

2010-05-13 22:20:29 0 d-----w- c:\program files\Eusing Free Registry Cleaner

2010-05-13 21:33:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Attachmate

2010-05-13 21:33:24 0 d-----w- c:\program files\Attachmate

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2008-08-18 22:58:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 10:55:27.29 ===============

end dds

========================================================================

==========

(3) Attach.txt

==========

=========================================================================

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 1/30/2004 1:12:17 PM

System Uptime: 6/9/2010 7:04:54 AM (3 hours ago)

Motherboard: Dell Computer Corp. | | 0U1325

Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 20 GiB total, 3.401 GiB free.

D: is FIXED (NTFS) - 54 GiB total, 34.138 GiB free.

E: is CDROM ()

F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 6/8/2010 1:51:57 PM - System Checkpoint

RP2: 6/8/2010 1:54:10 PM - malwarebytes clean run

RP3: 6/8/2010 5:55:28 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Add-ons

Adobe Flash Player 10 Plugin

Adobe Reader 9.3.2

Advanced Network Diagramming

Advanced Network Diagramming Help

Advanced Network Diagramming Samples

Attachmate EXTRA! X-treme 8

Block Diagrams

Block Diagrams Help

Block Diagrams Samples

Borders and Backgrounds

Borders and Backgrounds Help

CAD Drawing Display

CAD Drawing Display Samples

Callouts and Connectors

Callouts and Connectors Help

Canon MF4320-4350

ClearType Tuning Control Panel Applet

Clip Art and Symbols

Clip Art and Symbols Help

CmdHere Powertoy For Windows XP

Compatibility Pack for the 2007 Office system

Crystal Reports Basic Runtime for Visual Studio 2008

Cumulative Update for Microsoft Visual Basic 6.0 SP6 (KB957924-v2)

Custom Properties Editor

Database Design

Database Design Help

Database Design Samples

Database Wizard

Database Wizard Samples

Dell ResourceCD

Developing Visio Solutions

Developing Visio Solutions Help

Directory Services

Directory Services Help

Directory Services Samples

Easy CD Creator 5 Basic

Flowcharts

Flowcharts Help

Flowcharts Samples

Forms and Charts

Forms and Charts Help

Forms and Charts Samples

Google Update Helper

Graphics Filters

Help for Visio 2000 (HTML Help)

Hex Workshop v3.1

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

IBM WebSphere MQ

Image Resizer Powertoy for Windows XP

Intel® Extreme Graphics 2 Driver

Intel® PRO Network Connections Drivers

Internet Diagrams

Internet Diagrams Help

Internet Diagrams Samples

Java 6 Update 17

LANDesk Advance Agent

LANDesk® Common Base Agent 8

Malwarebytes' Anti-Malware

Maps

Maps Help

Maps Samples

McAfee Agent

McAfee AntiSpyware Enterprise Module

McAfee Host Intrusion Prevention

McAfee VirusScan Enterprise

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft IntelliPoint 6.2

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access 2003 Inside Out

Microsoft Office Access 2007

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Integration

Microsoft Office Live Meeting 2005

Microsoft Office Professional Edition 2003

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft SQL Server 2000

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual J# 2.0 Redistributable Package

Microsoft Visual SourceSafe 6.0

Microsoft Visual Studio 6.0 Enterprise Edition

Microsoft Visual Studio Service Pack 3

Microsoft Web Publishing Wizard 1.53

Microsoft WSE 2.0 SP3 Runtime

Mozilla Firefox (3.6)

MQ Triggers

MQClientGetPutSetup

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

MyDefrag v4.2.9

Network Diagrams

Network Diagrams Help

Network Diagrams Samples

Office Layout

Office Layout Help

Office Layout Samples

OGA Notifier 2.0.0048.0

Online Documentation

Organization Charts

Organization Charts Help

Organization Charts Samples

Page Layout Wizard

PowerDVD

Print ShapeSheet

Program Files

Program Files Help

Program Files Professional

Program Files Professional Help

Project Schedules

Project Schedules Help

Project Schedules Samples

Property Reporting Wizard

QuickTime

RealPlayer

Release Notes

Release Notes Professional

Sample Drawings

SAS OnlineDoc 9.1 for Windows

Save as HTML

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for 2007 Microsoft Office System (KB982312)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953155)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB970483)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976323)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Shape Explorer

Shape Explorer Help

Sheridan ActiveThreed Plus

SmartShape Wizard

Software Design

Software Design Help

Software Design Samples

Solutions

SoundMAX

Spelling

Stencil Report Wizard

TClockEx

TempLocation

TextPad 5

Time Zone Data Update Tool for Microsoft Office Outlook

Tweak UI

UML Specification

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB971180)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VBA

Verdiem Surveyor Client

VineMQGet

VineMQGet53

Visio

Visio 2000

Visio Core Files

WebFldrs XP

Win IP Config 2.7

Windows 7 Upgrade Advisor

Windows Defender Signatures

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Connect

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 11

Windows XP Service Pack 3

WinZip

XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

6/7/2010 9:04:31 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

6/7/2010 9:00:50 PM, error: TermServDevices [1111] - Driver Amyuni Document Converter 400 required for printer Quicken PDF Printer is unknown. Contact the administrator to install the driver before you log in again.

6/7/2010 12:47:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMDLC Fips FireTDI intelppm IPSec mfehidk mfetdik MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

6/7/2010 12:47:45 PM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.

6/7/2010 12:47:45 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.

6/7/2010 12:47:45 PM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.

6/7/2010 12:47:45 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.

6/7/2010 12:47:45 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

6/7/2010 12:47:45 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/7/2010 12:47:45 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/7/2010 12:47:45 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

6/7/2010 12:43:28 PM, error: NETLOGON [5719] - No Domain Controller is available for domain KC due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

6/7/2010 11:00:46 AM, error: Service Control Manager [7000] - The OrangeWare USB Enhanced Host Controller Service service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

6/7/2010 10:55:02 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

6/7/2010 10:55:02 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

6/4/2010 12:10:01 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).

6/3/2010 8:52:18 PM, error: TermServDevices [1111] - Driver Microsoft Shared Fax Driver required for printer Fax is unknown. Contact the administrator to install the driver before you log in again.

6/3/2010 8:52:18 PM, error: TermServDevices [1111] - Driver Canon MF4320-4350 (FAX) required for printer Canon MF4320-4350 (FAX) is unknown. Contact the administrator to install the driver before you log in again.

==== End Of File ===========================

ark.txt


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
