Jump to content

Can't get rid of it!


twilson
 Share

Recommended Posts

I've run it all. Have not re-enabled CD emulation drivers. McAfee a/v run and cleaned system - but the stuff keeps coming back (winhost, artemis!(extension varies), generic.dx!uhf)

Still have browser hijack as well.

Hope you can help! The thought of completely wiping clean is an option, but preferably a last resort.

Thanks

MWB log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/15/2010 11:05:38 AM

mbam-log-2010-10-15 (11-05-38).txt

Scan type: Quick scan

Objects scanned: 120340

Time elapsed: 14 minute(s), 52 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

C:\Documents and Settings\Tina & Steve\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Tina & Steve\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> No action taken.

DDS log file:

DDS (Ver_10-10-10.03) - NTFSx86

Run by Tina & Steve at 11:46:36.74 on Fri 10/15/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.95 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Tina & Steve\Application Data\Microsoft\Windows\shell.exe

svchost.exe

C:\DOCUME~1\TINA&S~1\LOCALS~1\Temp\dwm.exe

E:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

E:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

"C:\Documents and Settings\Tina & Steve\Application Data\Microsoft\svchost.exe"

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

E:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

E:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Documents and Settings\Tina & Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://msn.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyServer = http=127.0.0.1:50370

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uWinlogon: Shell=explorer.exe,c:\documents and settings\tina & steve\application data\microsoft\windows\shell.exe

uWindows: Load=c:\docume~1\tina&s~1\locals~1\temp\dwm.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\tina & steve\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

mRun: [Logitech Utility] Logi_MwX.Exe

mRun: [HP Software Update] e:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - e:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: E&xport to Microsoft Excel - e:\progra~1\micros~1\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass

IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - e:\progra~1\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office11\REFIEBAR.DLL

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://albertsons.coupons.smartsource.com/download/cscmv5X.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/1444/ftp.coupons.com/v3123/cpbrkpie.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: {B79B2236-97B3-4B10-B5B0-AA18634776BC} = 208.67.222.222,208.67.222.220

TCP: {DCDE6DC7-C71A-49D4-93CA-A89A9933C4C0} = 208.67.222.222,208.67.220.220

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - e:\program files\superantispyware\SASWINLO.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - e:\program files\qualcomm\eudora\EuShlExt.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 HWFProt;Hywave File Protector HWFProt;c:\windows\system32\drivers\HWFProt.sys [2007-12-2 43936]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]

R1 SASDIFSV;SASDIFSV;e:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;e:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]

R2 aawservice;Ad-Aware 2007 Service;e:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]

R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-6-8 3744]

R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-6-8 3904]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-20 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-20 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-20 144704]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-11-16 50704]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-28 1251720]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-20 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-20 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-20 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-20 40552]

S2 gupdate1c985a636d80fa0;Google Update Service (gupdate1c985a636d80fa0);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]

S2 ME102RB;NETGEAR ME102 Access Point;c:\windows\system32\drivers\Me102rb.sys [2005-11-7 15360]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-20 34248]

S3 SASENUM;SASENUM;e:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-10-15 18:08:42 120320 ------w- c:\docume~1\tina&s~1\applic~1\microsoft\svchost.exe

2010-10-15 07:10:11 139776 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\windows\shell.exe

2010-10-13 18:02:27 207 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_27332161.bat

2010-10-13 18:02:16 205 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_27321115.bat

2010-10-13 18:02:01 135 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_27305673.bat

2010-10-13 18:01:47 217 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_27292354.bat

2010-10-12 20:07:04 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-12 20:07:03 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-12 20:06:44 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-10-12 14:31:59 137 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_343341959.bat

2010-10-12 14:31:47 135 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_343329691.bat

2010-10-12 14:31:31 217 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_343313488.bat

2010-10-12 14:31:16 205 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_343298096.bat

2010-10-12 07:23:03 -------- d-----w- c:\program files\iPod

2010-10-12 07:16:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2010-10-12 07:16:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2010-10-12 07:16:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2010-10-12 07:16:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2010-10-12 07:16:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2010-10-12 07:16:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2010-10-12 07:16:57 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2010-10-12 07:09:52 -------- d-----w- c:\program files\Bonjour

2010-10-08 15:58:44 207 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_2966575.bat

2010-10-08 15:58:32 205 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_2954438.bat

2010-10-08 15:58:15 96768 ------w- c:\docume~1\tina&s~1\applic~1\microsoft\svchostu.exe

2010-10-08 15:58:03 135 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_2925015.bat

2010-10-08 15:57:32 217 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_2893841.bat

2010-10-08 15:45:40 137 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_2182067.bat

2010-10-08 15:45:29 135 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_2170841.bat

2010-10-08 15:45:06 217 ----a-w- c:\docume~1\tina&s~1\applic~1\microsoft\gb_2148118.bat

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-28 01:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-07-28 01:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 11:48:48.46 ===============

attach.zip

Link to post
Share on other sites

Hi twilson and Welcome to Malwarebytes Forum!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

Link to post
Share on other sites

Hi Kenny,

Thanks for your help.

I ran TDSS Killer and here's the log. If it helps to note, my computer has been off all weekend, the only things that have been run on my computer since boot is opening Eudora and Chrome - then running TDSS. McAfee is still running in the background (with Script blocking enabled). Here's the log from TDSS Killer:

2010/10/17 16:35:00.0147 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59

2010/10/17 16:35:00.0147 ================================================================================

2010/10/17 16:35:00.0147 SystemInfo:

2010/10/17 16:35:00.0147

2010/10/17 16:35:00.0147 OS Version: 5.1.2600 ServicePack: 3.0

2010/10/17 16:35:00.0147 Product type: Workstation

2010/10/17 16:35:00.0157 ComputerName: OFFICE

2010/10/17 16:35:00.0157 UserName: Tina & Steve

2010/10/17 16:35:00.0157 Windows directory: C:\WINDOWS

2010/10/17 16:35:00.0157 System windows directory: C:\WINDOWS

2010/10/17 16:35:00.0157 Processor architecture: Intel x86

2010/10/17 16:35:00.0157 Number of processors: 1

2010/10/17 16:35:00.0157 Page size: 0x1000

2010/10/17 16:35:00.0157 Boot type: Normal boot

2010/10/17 16:35:00.0157 ================================================================================

2010/10/17 16:35:01.0289 Initialize success

2010/10/17 16:35:12.0615 ================================================================================

2010/10/17 16:35:12.0615 Scan started

2010/10/17 16:35:12.0615 Mode: Manual;

2010/10/17 16:35:12.0615 ================================================================================

2010/10/17 16:35:15.0019 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/10/17 16:35:15.0129 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/10/17 16:35:15.0289 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/10/17 16:35:15.0419 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/10/17 16:35:15.0860 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys

2010/10/17 16:35:16.0020 AN983 (116bff96077a4a724e0aab800525ceb5) C:\WINDOWS\system32\DRIVERS\AN983.sys

2010/10/17 16:35:16.0160 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/10/17 16:35:16.0441 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/10/17 16:35:16.0531 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/10/17 16:35:16.0831 ati2mtag (7790f8d1000fce5cfd33ccf4f861928f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/10/17 16:35:17.0182 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/10/17 16:35:17.0292 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/10/17 16:35:17.0442 BCMNTIO (90a87d49205b3893281203a477f66fe5) C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys

2010/10/17 16:35:17.0663 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/10/17 16:35:17.0833 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/10/17 16:35:17.0983 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/10/17 16:35:18.0093 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/10/17 16:35:18.0193 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/10/17 16:35:18.0534 cmuda (53f4cc55f3c255439c5973e31f0adce7) C:\WINDOWS\system32\drivers\cmuda.sys

2010/10/17 16:35:19.0195 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/10/17 16:35:19.0325 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/10/17 16:35:19.0475 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/10/17 16:35:19.0595 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/10/17 16:35:19.0715 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/10/17 16:35:19.0906 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/10/17 16:35:20.0056 EUSBMSD (d3745f5d78d59670cf36a8d59e2921d0) C:\WINDOWS\system32\DRIVERS\EUSBMSD.SYS

2010/10/17 16:35:20.0306 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/10/17 16:35:20.0396 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/10/17 16:35:20.0497 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/10/17 16:35:20.0607 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/10/17 16:35:20.0697 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/10/17 16:35:20.0807 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/10/17 16:35:20.0877 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/10/17 16:35:20.0967 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2010/10/17 16:35:21.0148 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/10/17 16:35:21.0328 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/10/17 16:35:21.0528 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/10/17 16:35:21.0738 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/10/17 16:35:21.0949 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/10/17 16:35:22.0159 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/10/17 16:35:22.0279 HWFProt (a2336de59459040e7eda7a10277a4929) C:\WINDOWS\system32\Drivers\HWFProt.sys

2010/10/17 16:35:22.0750 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/10/17 16:35:22.0890 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/10/17 16:35:23.0190 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/10/17 16:35:23.0291 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/10/17 16:35:23.0401 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/10/17 16:35:23.0501 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/10/17 16:35:23.0581 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/10/17 16:35:23.0681 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/10/17 16:35:23.0771 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/10/17 16:35:23.0861 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/10/17 16:35:23.0942 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/10/17 16:35:24.0052 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/10/17 16:35:24.0152 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/10/17 16:35:24.0252 L8042PR2 (0f8b7bf7097d1e8d78f2f52a2bea03cd) C:\WINDOWS\system32\Drivers\l8042pr2.sys

2010/10/17 16:35:24.0542 LHidFlt2 (3c357dfdbbf2b4b01aa4b9c8a26e4416) C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys

2010/10/17 16:35:24.0783 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\WINDOWS\system32\Drivers\LMouFlt2.sys

2010/10/17 16:35:25.0093 MAPMEM (61330a29bd4230505a7618bc41693cbb) C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys

2010/10/17 16:35:25.0454 ME102RB (a411e6f4b185ffb2a4d3fbd4cf0bfe11) C:\WINDOWS\system32\Drivers\ME102RB.sys

2010/10/17 16:35:25.0674 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys

2010/10/17 16:35:25.0944 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys

2010/10/17 16:35:26.0165 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys

2010/10/17 16:35:26.0405 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys

2010/10/17 16:35:26.0716 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys

2010/10/17 16:35:26.0956 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/10/17 16:35:27.0086 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/10/17 16:35:27.0156 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/10/17 16:35:27.0276 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/10/17 16:35:27.0366 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/10/17 16:35:27.0497 MPFP (bc2a92cff784555ed622f861cb34f2e6) C:\WINDOWS\system32\Drivers\Mpfp.sys

2010/10/17 16:35:27.0927 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/10/17 16:35:28.0087 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/10/17 16:35:28.0258 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/10/17 16:35:28.0378 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/10/17 16:35:28.0458 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/10/17 16:35:28.0538 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/10/17 16:35:28.0648 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/10/17 16:35:28.0748 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/10/17 16:35:28.0879 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/10/17 16:35:28.0979 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/10/17 16:35:29.0069 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/10/17 16:35:29.0169 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/10/17 16:35:29.0249 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/10/17 16:35:29.0349 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/10/17 16:35:29.0429 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/10/17 16:35:29.0670 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2010/10/17 16:35:30.0010 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/10/17 16:35:30.0130 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/10/17 16:35:30.0491 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/10/17 16:35:30.0651 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/10/17 16:35:30.0761 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/17 16:35:30.0912 PalmUSBD (803cf09c795290825607505d37819135) C:\WINDOWS\system32\drivers\PalmUSBD.sys

2010/10/17 16:35:31.0112 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/10/17 16:35:31.0222 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/17 16:35:31.0332 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/17 16:35:31.0422 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/17 16:35:31.0603 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/10/17 16:35:31.0713 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/10/17 16:35:32.0324 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/17 16:35:32.0434 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/17 16:35:32.0534 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/17 16:35:32.0644 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/10/17 16:35:33.0125 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/17 16:35:33.0205 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/17 16:35:33.0335 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/17 16:35:33.0405 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/17 16:35:33.0505 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/17 16:35:33.0575 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/17 16:35:33.0726 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/17 16:35:33.0836 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/17 16:35:34.0076 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) E:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2010/10/17 16:35:34.0256 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) E:\Program Files\SUPERAntiSpyware\SASENUM.SYS

2010/10/17 16:35:34.0477 SASKUTIL (67d2688756dd304af655349baad82bff) E:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

2010/10/17 16:35:34.0777 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/17 16:35:34.0897 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/10/17 16:35:34.0967 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/10/17 16:35:35.0158 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/10/17 16:35:35.0348 sisagp (1630fbdbcb0cf3a60c02b6f140bab98b) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

2010/10/17 16:35:35.0538 SISNIC (8204c49cde112f7b9c2f15707fe2cc5a) C:\WINDOWS\system32\DRIVERS\sisnic.sys

2010/10/17 16:35:35.0839 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/10/17 16:35:35.0969 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/10/17 16:35:36.0119 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/17 16:35:36.0409 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/17 16:35:36.0520 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/17 16:35:36.0930 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys

2010/10/17 16:35:37.0291 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/17 16:35:37.0431 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/17 16:35:37.0531 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/17 16:35:37.0651 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/17 16:35:37.0771 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/17 16:35:38.0032 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/17 16:35:38.0222 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/17 16:35:38.0402 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/10/17 16:35:38.0713 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/10/17 16:35:38.0803 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/17 16:35:38.0903 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/17 16:35:38.0993 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/10/17 16:35:39.0093 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/10/17 16:35:39.0213 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/10/17 16:35:39.0324 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/17 16:35:39.0414 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/10/17 16:35:39.0514 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/10/17 16:35:39.0684 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/17 16:35:39.0844 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/17 16:35:40.0005 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/17 16:35:40.0205 WmBEnum (1abfd1399436e81c9d857f5fc76eaf98) C:\WINDOWS\system32\drivers\WmBEnum.sys

2010/10/17 16:35:40.0415 WmFilter (b3cfcbcc91ff61ef82fc693b8b57e7f0) C:\WINDOWS\system32\drivers\WmFilter.sys

2010/10/17 16:35:40.0696 WmVirHid (a40d2dd0f019423ef6c363f1295eb38d) C:\WINDOWS\system32\drivers\WmVirHid.sys

2010/10/17 16:35:40.0886 WmXlCore (2bf505424f469155cd90d7b3301d7adc) C:\WINDOWS\system32\drivers\WmXlCore.sys

2010/10/17 16:35:41.0206 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/10/17 16:35:41.0307 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/10/17 16:35:41.0797 ================================================================================

2010/10/17 16:35:41.0797 Scan finished

2010/10/17 16:35:41.0797 ================================================================================

Again, thanks for your help!

Tina

Link to post
Share on other sites

No problem Tina.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

I realized while Combofix was running that my System Restore has been off. Should I leave it off, or turn it back on?

Here's the log from Combofix:

ComboFix 10-10-17.01 - Tina & Steve 10/17/2010 17:26:09.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.141 [GMT -7:00]

Running from: c:\documents and settings\Tina & Steve\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\TINA&S~1\LOCALS~1\Temp\dwm.exe

c:\documents and settings\Tina & Steve\Application Data\Microsoft\svchost.exe

c:\documents and settings\Tina & Steve\Local Settings\Temp\dwm.exe

c:\windows\system32\BSTIEPrintCtl1.dll

c:\windows\system32\spool\prtprocs\w32x86\CNMPP21.DLL

c:\windows\system32\vbzlib1.dll

.

((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))

.

2010-10-15 07:10 . 2010-10-15 07:10 139776 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\Windows\shell.exe

2010-10-13 18:02 . 2010-10-13 18:02 207 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_27332161.bat

2010-10-13 18:02 . 2010-10-13 18:02 205 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_27321115.bat

2010-10-13 18:02 . 2010-10-13 18:02 135 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_27305673.bat

2010-10-13 18:01 . 2010-10-13 18:01 217 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_27292354.bat

2010-10-12 20:07 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-12 20:07 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-12 20:06 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-10-12 14:31 . 2010-10-12 14:31 137 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_343341959.bat

2010-10-12 14:31 . 2010-10-12 14:31 135 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_343329691.bat

2010-10-12 14:31 . 2010-10-12 14:31 217 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_343313488.bat

2010-10-12 14:31 . 2010-10-12 14:31 205 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_343298096.bat

2010-10-12 07:23 . 2010-10-12 07:23 -------- d-----w- c:\program files\iPod

2010-10-12 07:16 . 2010-10-12 07:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

2010-10-12 07:16 . 2010-10-12 07:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

2010-10-12 07:16 . 2010-10-12 07:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

2010-10-12 07:16 . 2010-10-12 07:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

2010-10-12 07:16 . 2010-10-12 07:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-10-12 07:16 . 2010-10-12 07:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-10-12 07:16 . 2010-10-12 07:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-10-12 07:09 . 2010-10-12 07:09 -------- d-----w- c:\program files\Bonjour

2010-10-08 15:58 . 2010-10-08 15:58 207 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_2966575.bat

2010-10-08 15:58 . 2010-10-08 15:58 205 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_2954438.bat

2010-10-08 15:58 . 2010-10-08 15:58 135 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_2925015.bat

2010-10-08 15:57 . 2010-10-08 15:57 217 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_2893841.bat

2010-10-08 15:45 . 2010-10-08 15:45 137 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_2182067.bat

2010-10-08 15:45 . 2010-10-08 15:45 135 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_2170841.bat

2010-10-08 15:45 . 2010-10-08 15:45 217 ----a-w- c:\documents and settings\Tina & Steve\Application Data\Microsoft\gb_2148118.bat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 68856]

"Google Update"="c:\documents and settings\Tina & Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-09 133104]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - e:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2003-03-31 86016]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"e:\\Program Files\\Palm\\HOTSYNC.EXE"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1142830760\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1142830760\\ee\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Program Files\\iTunes\\iTunes.exe"=

R0 HWFProt;Hywave File Protector HWFProt;c:\windows\system32\drivers\HWFProt.sys [12/2/2007 8:33 PM 43936]

R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]

R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/8/2006 1:17 PM 3744]

R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/8/2006 1:17 PM 3904]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/20/2009 7:54 AM 93320]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/16/2009 9:33 AM 50704]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 4:46 PM 24652]

S2 gupdate1c985a636d80fa0;Google Update Service (gupdate1c985a636d80fa0);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 7:22 PM 133104]

S2 ME102RB;NETGEAR ME102 Access Point;c:\windows\system32\drivers\Me102rb.sys [11/7/2005 7:50 PM 15360]

S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]

2010-10-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 03:09]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 02:21]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 02:21]

2010-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1202660629-1957994488-1004Core.job

- c:\documents and settings\Tina & Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 14:40]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1202660629-1957994488-1004UA.job

- c:\documents and settings\Tina & Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 14:40]

2010-10-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-20 19:22]

2010-10-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-20 19:22]

2010-10-17 c:\windows\Tasks\User_Feed_Synchronization-{D7DC8026-9BE9-4680-AF15-ACC23FDAC7AC}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://msn.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyServer = http=127.0.0.1:50370

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass

IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms

TCP: {B79B2236-97B3-4B10-B5B0-AA18634776BC} = 208.67.222.222,208.67.222.220

TCP: {DCDE6DC7-C71A-49D4-93CA-A89A9933C4C0} = 208.67.222.222,208.67.220.220

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1202660629-1957994488-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)

e:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3212)

c:\windows\system32\WININET.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

e:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\program files\Logitech\MouseWare\system\em_exec.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\program files\iPod\bin\iPodService.exe

e:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

e:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

.

**************************************************************************

.

Completion time: 2010-10-17 17:59:17 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-18 00:59

Pre-Run: 1,519,132,672 bytes free

Post-Run: 1,646,186,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6B8126076986C0FD6AAB6B6B8B423866

Link to post
Share on other sites

Yes turn System Restore back on please.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Next

Update Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

System Restore was on after all. -

Since we've been doing all of this today, my default browser is no longer Chrome, and an icon for IE has shown up on my desktop. - Let me know when it's ok to reset my browser. :)

Here's the latest MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4865

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/17/2010 7:42:40 PM

mbam-log-2010-10-17 (19-42-40).txt

Scan type: Quick scan

Objects scanned: 139257

Time elapsed: 15 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Tina & Steve\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

I really do appreciate all of your help!

Link to post
Share on other sites

Smile we are getting closer. Good job you done there. Please run this online scan to help look for remnants.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Link to post
Share on other sites

Wow - that one was a deep scan.....More stuff - in some really old files. Yikes!

Eset log file:

C:\Documents and Settings\Tina & Steve\Application Data\Sun\Java\Deployment\cache\6.0\8\2e524588-7bfa65aa multiple threats

C:\Program Files\RegistryFix\RegistryFix.exe a variant of Win32/Adware.ErrorClean application

C:\Program Files\RegistryFix\RegistryFix.v6.0.WinALL.CRACKED-iNDUCT\crack.rar a variant of Win32/Adware.ErrorClean application

C:\Qoobox\Quarantine\C\Documents and Settings\Tina & Steve\Application Data\Microsoft\svchost.exe.vir a variant of Win32/Kryptik.HKQ trojan

C:\Qoobox\Quarantine\C\DOCUME~1\TINA&S~1\LOCALS~1\Temp\dwm.exe.vir Win32/Agent.RQD trojan

C:\System Volume Information\_restore{82F150A1-2CF5-44C8-902C-D7EA861902C1}\RP1\A0000027.exe a variant of Win32/Kryptik.HKQ trojan

D:\WINDOWS\SYSTEM32\brix6ie.ocx Win32/Adware.Coupons application

E:\Filetopia Downloads\RegistryFix.v6.0.WinALL.CRACKED-iNDUCT.zip a variant of Win32/Adware.ErrorClean application

E:\My Documents\Downloads\SmitfraudFix (2).exe multiple threats

F:\Tina's Updates\DVD Rip\TMPGEnc-0.11.27.111.zip probably a variant of Win32/TrojanDownloader.Agent.JDZVDPS trojan

F:\Tina's Updates\DVD Rip\TMPGEnc.exe probably a variant of Win32/TrojanDownloader.Agent.JDZVDPS trojan

F:\Tina's Updates\halloween screen savers\ghouls.exe multiple threats

Link to post
Share on other sites

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes

    :Services

    :Reg

    :Files
    C:\Documents and Settings\Tina & Steve\Application Data\Sun\Java\Deployment\cache\6.0\8\2e524588-7bfa65aa
    C:\Program Files\RegistryFix\RegistryFix.exe
    D:\WINDOWS\SYSTEM32\brix6ie.ocx
    E:\Filetopia Downloads\RegistryFix.v6.0.WinALL
    E:\My Documents\Downloads\SmitfraudFix
    F:\Tina's Updates\DVD Rip\TMPGEnc-0.11.27.111.zip
    F:\Tina's Updates\DVD Rip\TMPGEnc.exe
    F:\Tina's Updates\halloween screen savers\ghouls.exe

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]


  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Link to post
Share on other sites

Kenny - Thank you for your time and patience!

OTL log:

All processes killed

========== PROCESSES ==========

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\Documents and Settings\Tina & Steve\Application Data\Sun\Java\Deployment\cache\6.0\8\2e524588-7bfa65aa moved successfully.

C:\Program Files\RegistryFix\RegistryFix.exe moved successfully.

D:\WINDOWS\SYSTEM32\brix6ie.ocx moved successfully.

File/Folder E:\Filetopia Downloads\RegistryFix.v6.0.WinALL not found.

File/Folder E:\My Documents\Downloads\SmitfraudFix not found.

F:\Tina's Updates\DVD Rip\TMPGEnc-0.11.27.111.zip moved successfully.

F:\Tina's Updates\DVD Rip\TMPGEnc.exe moved successfully.

F:\Tina's Updates\halloween screen savers\ghouls.exe moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 41 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32835 bytes

User: Tina & Steve

->Temp folder emptied: 6258763 bytes

->Temporary Internet Files folder emptied: 1238542 bytes

->Java cache emptied: 93682996 bytes

->Google Chrome cache emptied: 66706838 bytes

->Apple Safari cache emptied: 78878720 bytes

->Flash cache emptied: 404709 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2142714 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 19777 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 238.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.16.1 log created on 10182010_114609

Files moved on Reboot...

File C:\WINDOWS\temp\mcmsc_0xabSG3hIQoOiMN not found!

File C:\WINDOWS\temp\mcmsc_IoinRhwesBd5yK4 not found!

Registry entries deleted on Reboot...

Link to post
Share on other sites

Nice Job Tina!!!!

There are some older versions of Java on your computer. These can be a source of infection.

[javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 21 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u121 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_21 from Sun Microsystems Inc.

-------------------------------------------------------------------

Your Computer is Clean

CLEAN-1.jpg

Some final items:

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

6567E80CC55576485246E130E48A9FA8.png

Link to post
Share on other sites

Kenny,

You have been absolutely awesome! I really appreciate all the time and effort you put into helping me. Jedi indeed!

I assume it's ok to reset Chrome as my default browser? Also, should I run defogger again to turn back on the cd-rom emulation drivers?

Just a humble padawan~

Tina

Link to post
Share on other sites

I assume it's ok to reset Chrome as my default browser? Also, should I run defogger again to turn back on the cd-rom emulation drivers?

Yes you can have Chrome your default browser..... :)

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

Your Emulation drivers are now re-enabled.

I never seen FanBoys, but will check it out. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.