
Am I infected?


sunnie


I. Got another registry value showing up: "hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced|start_showmydocs". The result first appeared Jan 28. I was told in a previous discussion in the general forums that MBAM has been finding this for a long time, so it may be a malware change. http://forums.malwarebytes.org/index.php?showtopic=73724. A full scan by MSE found nothing before I posted to MBAM (both issues).

While waiting for a response on the message board (73724) for this item, in safe mode I ran TDSS and allowed it to quarantine what the notes tell me is probably a false positive, though I'm not aware which of my software installed/uses it:

Alert Type: No Access
Object Type: File
Original Name: C:\WINDOWS\system32\drivers\sptd.sys.

AND also in safe mode, ran Superantispyware with the latest definitions; found nothing.

II. Per instructions on the MBAM main board, I removed the registry item using MBAM (in safe mode), then re-ran MBAM in safe mode and it shows clean.

III. Couldn't get Avira to complete downloading, so instead ran the latest Dr.Web scanner in full (admin; OA program guard & firewall disabled; WinPatrol off; MSE real-time protection off & service disabled).

Dr.Web "found & quarantined" something mid-scan and seemed to be continuing the scan, but less than a minute later a Windows stop error message appeared on screen:

"A problem has been detected and Windows has shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, start your computer again...

Technical information:

Stop: 0x0000007F (0x0000000D 0x00000000 0x00000000 0x00000000)"

IV. Rebooted & seemed OK, so continued (same items disabled). The Dr.Web scan in full began again from the beginning. Upon completion the only log it shows is clean; no earlier log. ("Quarantine" is empty.) No idea whether it found a false positive or real malware, nor whether it really quarantined what it found or not. The full second Dr.Web scan took over 30 hours to complete. (Haven't extensively used the computer to find out whether anything has been crippled or removed yet, just scanned & posted.) Seemed wise to complete the other scans suggested to find out whether any reason for concern exists.

V. DDS appears to have run & completed. Only after saving attach.txt and dds.txt did I notice a popup stating Windows scripting is disabled. (I disabled Windows scripting myself & use Script Sentry as backup, though I disabled Script Sentry before running this.) Does Windows scripting need to be enabled to complete the DDS scan? If so, what should I do: disable Script Sentry again, and also enable Windows scripting (also reboot?), then re-run the DDS scan? Or is the popup just to advise in case I don't know it's disabled?

Thank you for your help.

VI. DDS.txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 15:41:36.39 on Fri 02/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

============== Running Processes ===============

C:\Program Files\USB Safely Remove\USBSRService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FileBX\FileBX.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Documents and Settings\User Account Name\Desktop\tdss_remover_latest\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://start.earthlink.net/AL/Search
uDefault_Page_URL = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title =
mSearch Bar = hxxp://www.google.com/
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
mCustomizeSearch = hxxp://www.google.com/
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\roboform\ai roboform\roboform.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\roboform\ai roboform\roboform.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File
TB: {4E7BD74F-2B8D-469E-88A9-EB6DA381A928} - No File
TB: {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - No File
TB: {7792546F-70AE-4ABC-B2B6-BE68E9410002} - No File
EB: Copernic Desktop Search 2: {968631b6-4729-440d-9bf4-251f5593ec9a} - c:\program files\copernic desktop search 2\DesktopSearchBand202000032.dll
EB: Copernic Desktop Search 2: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search 2\DesktopSearchBand202000032.dll
uRun: [HostsMan] "c:\program files\hostsman\hm.exe" -s
uRun: [HostsServer] "c:\program files\hostsman\hostssrv.exe" --start
uRun: [KeePass Password Safe] "c:\program files\keepass password safe\KeePass.exe"
uRun: [uSB Safely Remove] c:\program files\usb safely remove\USBSafelyRemove.exe /startup
uRun: [sandboxieControl] c:\program files\sandboxie\SbieCtrl.exe
uRun: [RoboForm] "c:\program files\roboform\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [synTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to EverNote - c:\program files\evernote\evernote\enbar.dll/2000
IE: Clear Fields - file://c:\program files\roboform\ai roboform\RoboFormComClearFields.html
IE: Customize Menu - file://c:\program files\roboform\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\roboform\ai roboform\RoboFormComFillForms.html
IE: Identities Editor - file://c:\program files\roboform\ai roboform\RoboFormComEditIdent.html
IE: Logoff - file://c:\program files\roboform\ai roboform\RoboFormComLogoff.html
IE: Passcards Editor - file://c:\program files\roboform\ai roboform\RoboFormComEditPass.html
IE: Password Generator - file://c:\program files\roboform\ai roboform\RoboFormComPasswordGenerator.html
IE: Reset Fields - file://c:\program files\roboform\ai roboform\RoboFormComResetFields.html
IE: RoboForm Options - file://c:\program files\roboform\ai roboform\RoboFormComOptions.html
IE: RoboForm TaskBar Icon - file://c:\program files\roboform\ai roboform\RoboFormComTaskBarIcon.html
IE: RoboForm Toolbar - file://c:\program files\roboform\ai roboform\RoboFormComShowToolbar.html
IE: Safenotes Editor - file://c:\program files\roboform\ai roboform\RoboFormComEditNote.html
IE: Save Forms - file://c:\program files\roboform\ai roboform\RoboFormComSavePass.html
IE: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
IE: Set Fields - file://c:\program files\roboform\ai roboform\RoboFormComSetFields.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\roboform\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\roboform\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - c:\program files\roboform\ai roboform\RoboFormComOptions.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\roboform\ai roboform\RoboFormComCustomizeIEMenu.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F50} - c:\program files\roboform\ai roboform\RoboFormComPasswordGenerator.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F51} - c:\program files\roboform\ai roboform\RoboFormComTaskBarIcon.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F52} - c:\program files\roboform\ai roboform\RoboFormComSetFields.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F53} - c:\program files\roboform\ai roboform\RoboFormComResetFields.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F54} - c:\program files\roboform\ai roboform\RoboFormComClearFields.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F55} - c:\program files\roboform\ai roboform\RoboFormComLogoff.html
IE: {45DB34C3-955C-11D3-ABEF-444553540000} - c:\program files\roboform\ai roboform\RoboFormComEditIdent.html
IE: {45DB34C3-955C-11D3-ABEF-444553540001} - c:\program files\roboform\ai roboform\RoboFormComEditPass.html
IE: {45DB34C3-955C-11D3-ABEF-444553540002} - c:\program files\roboform\ai roboform\RoboFormComEditNote.html
IE: {4C730913-3961-439b-83D5-F4E445520422} - c:\program files\citi virtual account numbers\CitiVAN.exe
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\roboform\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - {2151DA8C-C5B6-4B4F-86AB-BDA449BF8747} - c:\program files\evernote\evernote\enbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: live.com\safety
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\go
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\technet
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www
Trusted Zone: microsoft.com\www.update
Trusted Zone: microsoft.com \*.windowsupdate
Trusted Zone: microsoft.net\*.update
Trusted Zone: secunia.com\psi
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\au.download
Trusted Zone: windowsupdate.com\download
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB
DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} - hxxp://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94}
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {56393399-041A-4650-94C7-13DFCB1F4665}
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1188991895871
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255721425250
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125}
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - hxxp://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39295.4206481481
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - Eudora's Shell Extension
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R? BW2NDIS5;BW2NDIS5
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? fsbl-standalone;F-Secure BlackLight Beta Engine Driver
R? IKFileFlt;File Filter Driver
R? IKFileSec;File Security Driver
R? IkSysFlt;System Filter Driver
R? IKSysSec;System Security Driver
R? McrdSvc;Media Center Extender Service
R? NetBurnerService;Net Burner iSCSI Service
R? NPF;NetGroup Packet Filter Driver
R? PC FineTune Task Manager;PC FineTune Task Manager
R? PermissionTVDownloadManager;PermissionTV Download Manager Service
R? PSI;PSI
R? SASDIFSV;SASDIFSV
R? SASKUTIL;SASKUTIL
R? Snaptune Recording Service;Snaptune Recording Service
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
R? WsAudioDevice_383;WsAudioDevice_383
S? hotcore3;Hotcore helper
S? MpFilter;Microsoft Malware Protection Driver
S? NetBurn;Paragon NetBurning Driver
S? OAcat;Online Armor Helper Service
S? OADevice;OADriver
S? OAmon;OAmon
S? OAnet;OAnet
S? pctfw1;pctfw1
S? SbieDrv;SbieDrv
S? StarPortLite;StarPort Storage Controller (Lite)
S? SvcOnlineArmor;Online Armor
S? USBSafelyRemoveService;USB Safely Remove Assistant

=============== File Associations ===============

JSEFile=c:\program files\script sentry\ScriptSentry.exe "%1" %*
regfile=c:\program files\script sentry\ScriptSentry.exe "%1" %*
scrfile="%1" %*
VBEFile=c:\program files\script sentry\ScriptSentry.exe "%1" %*
VBSFile=c:\program files\script sentry\ScriptSentry.exe "%1" %*

=============== Created Last 30 ================

2011-02-03 13:42:23 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{ff6156c4-3e24-475d-a1d2-572041a8c1a4}\mpengine.dll
2011-02-03 03:22:44 14143488 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2011-02-02 18:18:31 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-02 03:03:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-02-02 03:02:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-01-26 16:16:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-26 16:16:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-25 21:38:12 -------- d-----w- c:\windows\Temp46C98DD5-5E16-94ED-8BB5-6DC527781562-Signatures
2011-01-25 21:38:06 -------- d-----w- c:\program files\Microsoft Security Client

==================== Find3M ====================

2010-12-13 15:13:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-13 15:13:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-13 15:12:28 0 ----a-w- c:\windows\system32\REN21.tmp
2010-12-13 15:12:28 0 ----a-w- c:\windows\system32\REN20.tmp
2010-12-13 15:12:28 0 ----a-w- c:\windows\system32\REN1F.tmp
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 15:46:07.00 ===============

Attach.zip


Hi,

Turn Word Wrap off in Notepad when composing your replies.

Seems like the only issue is that Dr. Web quarantined something it shouldn't have.

I would report it to them and see what they have to say.

No, I do not believe you're actually infected.

Thank you very much for your reply. Please clarify whether these new symptoms are of concern. If not, should I remove sptd from quarantine in TDSS and re-enable the emulation drivers? (Sorry for the Notepad.)

Yesterday in the AM, in the user account, the PUP hijack registry entry (which was cleaned via MBAM) reappeared: no My Documents in Start. Ran MBAM, found the hijack again. Chose to clean it & rebooted. Docs appear (for now?) on the Start button. Re-ran MBAM, clean (for now?). My Docs appears today as well.

Also, WinPatrol Plus alerted me to several new hidden files, which I allowed, & which seem to be tmp/log files operating from sys32. A quick look at the WinPatrol online listing indicates they may be reghive related and need to run, but the names and suffixes aren't identical to WinPatrol's listing, & if they need to run, where have they been all the years I've had my computer till today? On the other hand, I left the disabled items disabled till told to re-enable & that may play a part in this, so will wait for advice.

Periodically, the keypad is resistant to my typing on certain keys while the hard drive is noisy. This has been happening over several weeks.


  • Staff

Hi,

If not, should I remove sptd from quarantine in TDSS and re-enable the emulation drivers? (Sorry for the Notepad.)
Yes, remove sptd from quarantine and re-enable the emulation drivers.

If you were really infected, you would see symptoms of infection. You would be getting popups or your bank would have told you that your accounts have already been compromised.

The problem with borderline paranoid programs such as WinPatrol is that in the hands of inexperienced users, it makes people, well, paranoid at every new item that appears.

Add the PUP to MBAM's Ignore List. It's not an infection and it's just causing you stress.

Periodically, the keypad is resistant to my typing on certain keys while the hard drive is noisy. This has been happening over several weeks.
Likely just a standard performance issue.

Next, please run the PCPitstop Full Tests here. When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

Are there any additional questions I can answer for you?


The problem with borderline paranoid programs such as WinPatrol is that in the hands of inexperienced users, it makes people, well, paranoid at every new item that appears.

From the PCPitstop site:

"To get control over your running programs we suggest WinPatrol Plus"

Likely just a standard performance issue.

Next, please run the PCPitstop Full Tests here. When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

Are there any additional questions I can answer for you?

FYI: PC Pitstop is switching from the older scan you recommended (Full) to a new scan, PC Matic. When I got to the site, no matter where I went, every "scan now" linked to the PC Matic download. I clicked, expecting ActiveX; instead this downloaded. After a while, I decided to run it -- big mistake. & I want to share my experience with you so you are aware as you advise others; this is new software for them.

1. One button cleans all its findings. No choices. Closing it without clicking on the "clean all" button resulted in it cleaning all anyway. Unfortunately, it chose to clean a Win32 trojan and delete a scareware program. It didn't identify either of them by name, but when I realized that it was executing without allowing me any control, I went hunting for info on what it had done. You just told me my GMER etc. logs are clean!! Re-ran MBAM, clean. So went hunting.

Found the scan XML file in C:\Documents and Settings\All Users\Application Data\PCPitstop and figured out from there what it had done. Had to fully delete Sandboxie and reinstall (the "scareware"). TDSS remover by Kaspersky was the alleged Win32 trojan, and I'll wait to see if I need it again before reinstalling. (Still think I'm an "inexperienced user"? A real inexperienced user would have needed a ton of hand-holding, & wouldn't have a running system right now.)

2. After uninstalling PC Pitstop's PC Matic crapware, I went back to the PCPitstop site and didn't allow another download. Eventually found the way in to the online scan; it took me over 10 minutes of refusing to download till I found the ActiveX scanner tucked away in a corner. Got the newer scan, not the old Full one. No reason to send you over there to interpret it for me: no malware found. Highlights: it lists as "unknown software" Microsoft-signed components of MSE (I googled msseces.exe; it's the alert notification. Turn it off & you won't know what MSE finds) as well as Online Armor, Sandboxie, and KeePass. (It does recognize, & list as "must run" rather than "optional", WinPatrol Plus.) Not impressive.

The fixes suggested are:

free up space on my hard drive,

update a display adapter,

& delete 2 "craplets".

I used WinPatrol to research the so-called craplets. (One was truly optional, but I find it convenient to use, so won't be disabling it. The other is my integrated graphics controller, & I don't have a discrete graphics card. According to Bill P., it runs as a Winlogon Notify service when the computer starts & should be left in place.)

Thank you for letting me know that the scan logs are clean. I hope freeing up space on the hard drive is enough to get rid of the remaining sluggish symptoms.


  • Staff

Hi,

The problem with borderline paranoid programs such as WinPatrol is that in the hands of inexperienced users, it makes people, well, paranoid at every new item that appears.

From the PCPitstop site:

"To get control over your running programs we suggest WinPatrol Plus"

Just because they recommend it doesn't mean I do.

Clicking the link I gave shows a log-in menu on the left. Upon registering and logging in, you are presented with the Full Scan...

Either way, looks like you sorted it out; it's unfortunate that you ended up downloading their scanner and that it presented issues for you.

Anything else I can help with?


The ActiveX full scan made suggestions which weren't the best, in my opinion, but since you offered to walk me through them, this seems like a non-issue as long as the people you send to use the scan don't act on the results, but rather allow you to walk them through it.

The reasons I posted about the download are:

1. If the current site setup confused me, it will confuse others you counsel. So the new download should be avoided / suggested with care, & when you send people to the website, warn them not to allow the download.

2. The download auto-removes or disables (by partly removing, as the case may be) legit software (Sandboxie, Kaspersky TDSS remover) without stating specifically what it's doing. Even backing out once the scan completes, without choosing to let it execute the "system clean", doesn't stop it doing what it does. At minimum, you owe it to your paying customers to communicate with PCPitstop & verify that the download won't disable MBAM's real-time protection. Besides that, I thought it reasonable to let you know that it will compound the problems of others who can't figure out why their "fixed" computer isn't working any more, & it doesn't seem to offer (on the free download, anyhow) any means of undoing. I thought it would be courteous to give you a heads-up about my experience. Now you know, and it's up to you whether to warn people to stick with ActiveX / do not download, OR send people elsewhere, OR walk people through further chaos it will create on their systems.

Thank you again for your help.
