MalwareRemoval.com

HiJackThis Log - Malware Defense – Virus Attacked pls help

Post by tcwc » January 4th, 2010, 3:28 am

I was surfing the net when a Malware Defense software pop-up appeared. I tried to close it and cancel it, but the Malware Defense software auto-installed anyway.

I was able to uninstall it, but within minutes it REINSTALLED itself again. So I uninstalled it again.

The computer started locking up. I was unable to run Malwarebytes' Anti-Malware or McAfee, which were already installed on the computer. It seems Malwarebytes and McAfee have disappeared from the computer.

Please kindly help; below is my HijackThis log. Many thanks:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:38 AM, on 1/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\Terry.MASTER\Desktop\mbam-setup.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [settdebugx.exe] C:\DOCUME~1\TERRY~1.MAS\LOCALS~1\Temp\settdebugx.exe
O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Add to Favorites - {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - C:\PROGRA~1\COMMON~1\TIDYFA~1\AddToFav.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Open Tidy Favorites - {E3CB497B-E230-4445-8B34-13476822F867} - C:\PROGRA~1\COMMON~1\TIDYFA~1\OpenFav.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.game ... _0_0_1.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe

--
End of file - 10034 bytes

******************************************************
Below is the Uninstall List, Thanks

财付通安全控件 (Tenpay Security Control) 1.1.0.7
Ad-Aware
Ad-Aware
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 2.0
Adobe Reader 8.1.6
Adobe Reader Chinese Simplified Fonts
Adobe Shockwave Player 11
Alcohol 120%
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Software Update
BCM V.92 56K Modem
BitComet 0.91
Broadcom Management Programs
Brother MFL-Pro Suite
CCleaner (remove only)
Chinese Traditional Fonts Support For Adobe Reader 8
Critical Update for Windows Media Player 11 (KB959772)
DeductionPro 2006
Dell Digital Jukebox Driver
Dell Media Experience
Dell Solution Center
DellSupport
DS21Patch
EasyRecovery Professional
Google Earth
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
hp deskjet 825c series (Remove only)
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
ItsDeductible Express
Java(TM) 6 Update 17
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Project 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
Mozilla Firefox (3.0.3)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch® Jukebox
Nero 6 Ultra Edition
On2 VP7 Personal Edition
PaperPort 8.0 SE
Pdf995
PdfEdit995
PowerDVD
QuickTime
RealPlayer
Roxio MyDVD
Roxio UDF Reader
Roxio Update Manager
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Shockwave
Sonic MyDVD
Sonic RecordNow!
SUPERAntiSpyware Free Edition
Synacast Plug-in 1.0.9.7
TaxCut Premium 2006
Tidy Favorites 4.09
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Basic 2007
TurboTax ItsDeductible 2005
TurboTax Premier 2005
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Diagnostics
WebCyberCoach 3.2 Dell
WildTangent Web Driver
WinAVIVideoConverter
Windows Defender Signatures
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 11
Yahoo! Anti-Spy
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool
Yahoo! Toolbar
tcwc
Regular Member
 
Posts: 22
Joined: June 22nd, 2007, 10:43 pm
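A way to mechanize the first pass a helper makes over a log like the one above, added here as an example and not a tool from MalwareRemoval.com or the HijackThis project: it parses the O4 autorun lines and flags programs launched from a Temp folder or carrying the rogue product name reported in the post, and lists the O2/O3/O9 entries whose backing file is gone. The sample lines are copied from the posted log; the ROGUE_NAMES watch list, the Temp-path heuristic and the Finding layout are assumptions made for illustration.

```python
"""First-pass triage of a HijackThis 2.0.2 log.

Added example for this thread; not a MalwareRemoval.com or HijackThis tool.
It flags the two patterns a helper would look at first in the log above:
O4 autoruns launched from a Temp folder or named after the reported rogue
product, and O2/O3/O9 entries whose backing file is gone ("(no file)").
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the watch list holds only the rogue product named in this thread.
ROGUE_NAMES = {"malware defense"}

# O4 - HKCU\..\Run: [name] command   (also matches RunOnce / RunServices keys)
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# O2 - BHO: desc - {CLSID} - (no file)   (same shape for O3 toolbars and O9 buttons)
ORPHAN_RE = re.compile(
    r'^(?P<kind>O[239]) - (?P<what>[^:]+): (?P<desc>.*) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - \(no file\)$'
)
# A "\Temp\" or "\Tmp\" component anywhere in the path (8.3 names like LOCALS~1 are fine).
TEMP_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)

# Lines copied from the HijackThis log posted in the thread; nothing invented.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [settdebugx.exe] C:\DOCUME~1\TERRY~1.MAS\LOCALS~1\Temp\settdebugx.exe
O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section: O2, O3, O4 or O9
    name: str    # Run value name, or the BHO/toolbar/button description
    path: str    # executable path for O4 findings, empty for orphans
    reason: str  # temp_autorun | rogue_name | orphan


def exe_path(cmd: str) -> str:
    """Return the program path from an O4 command line, dropping arguments.

    Quoted commands end at the closing quote; unquoted ones end at the first
    '.exe', which also copes with unquoted paths that contain spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the entries worth a closer look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            name, path = m["name"], exe_path(m["cmd"])
            if TEMP_RE.search(path):
                findings.append(Finding("O4", name, path, "temp_autorun"))
            if name.strip().lower() in ROGUE_NAMES:
                findings.append(Finding("O4", name, path, "rogue_name"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(Finding(m["kind"], m["desc"], "", "orphan"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:3} {f.reason:13} {f.name!r:22} {f.path}")
```

The flagged lines are leads for the helper, not an action list: having HijackThis fix an O4 line removes the registry value but leaves the file on disk, and the orphan O2/O3/O9 entries are leftovers whose file is already gone.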

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Post by Vino Rosso » January 7th, 2010, 5:00 pm

Hi

Please run the following two scans:

DDS
Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1
Link 2
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear: DDS.txt and Attach.txt
  • A window will open instructing you to save and post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs and post them, not attach them, in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double-click the .exe file. If asked to allow the gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO << Important!

  • In the right panel, you will see several boxes that have been checked. UNcheck the following ...
    • UNcheck Sections
    • UNcheck IAT/EAT
    • UNcheck Drives/Partition other than Systemdrive (typically C:\)
    • UNcheck Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Post by tcwc » January 8th, 2010, 1:24 am

Vino,
Thanks for your reply :P . You are like the light at the end of the tunnel.

I was also able to install GMER and tried to run the scan 3 times, and all 3 times the computer got completely LOCKED up at the end (I had to restart the computer) and I was unable to save a log.
What should I do?
Thanks for the help.

Below are the DDS & Attach logs:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/10/2004 5:30:18 PM
System Uptime: 1/7/2010 3:42:42 PM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | Microprocessor | 2392/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 14.157 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP260: 10/18/2009 8:27:39 PM - Installed EasyRecovery Professional
RP261: 10/18/2009 8:38:32 PM - Removed PC Inspector File Recovery
RP262: 10/20/2009 2:26:53 PM - System Checkpoint
RP263: 10/22/2009 1:17:09 PM - System Checkpoint
RP264: 10/23/2009 10:12:27 PM - System Checkpoint
RP265: 10/25/2009 3:49:30 PM - System Checkpoint
RP266: 10/26/2009 7:02:46 PM - System Checkpoint
RP267: 10/28/2009 2:51:23 PM - System Checkpoint
RP268: 10/29/2009 2:56:20 PM - System Checkpoint
RP269: 10/30/2009 3:24:17 PM - System Checkpoint
RP270: 10/31/2009 3:43:35 PM - System Checkpoint
RP271: 11/2/2009 4:44:49 PM - System Checkpoint
RP272: 11/4/2009 12:16:34 AM - Installed Java(TM) 6 Update 17
RP273: 11/4/2009 3:40:44 PM - Software Distribution Service 3.0
RP274: 11/6/2009 4:36:42 PM - System Checkpoint
RP275: 11/7/2009 9:37:47 PM - System Checkpoint
RP276: 11/9/2009 4:53:32 PM - System Checkpoint
RP277: 11/12/2009 5:31:53 AM - Software Distribution Service 3.0
RP278: 11/13/2009 10:49:53 PM - System Checkpoint
RP279: 11/16/2009 3:51:14 PM - System Checkpoint
RP280: 11/17/2009 6:09:44 PM - System Checkpoint
RP281: 11/19/2009 3:25:06 PM - System Checkpoint
RP282: 11/21/2009 12:26:57 AM - System Checkpoint
RP283: 11/22/2009 4:39:26 PM - System Checkpoint
RP284: 11/24/2009 7:15:26 PM - System Checkpoint
RP285: 11/25/2009 10:53:34 AM - Software Distribution Service 3.0
RP286: 11/26/2009 12:09:16 PM - System Checkpoint
RP287: 11/29/2009 4:27:15 PM - System Checkpoint
RP288: 12/1/2009 9:06:10 PM - System Checkpoint
RP289: 12/3/2009 9:47:50 AM - System Checkpoint
RP290: 12/4/2009 7:33:11 PM - System Checkpoint
RP291: 12/6/2009 8:08:08 PM - System Checkpoint
RP292: 12/7/2009 10:51:07 PM - System Checkpoint
RP293: 12/8/2009 11:20:32 PM - System Checkpoint
RP294: 12/9/2009 6:02:13 PM - Software Distribution Service 3.0
RP295: 12/10/2009 11:18:42 PM - System Checkpoint
RP296: 12/12/2009 12:38:03 AM - System Checkpoint
RP297: 12/13/2009 8:57:48 PM - System Checkpoint
RP298: 12/15/2009 2:35:59 PM - System Checkpoint
RP299: 12/17/2009 6:40:20 PM - System Checkpoint
RP300: 12/18/2009 7:15:44 PM - System Checkpoint
RP301: 12/21/2009 11:37:58 PM - System Checkpoint
RP302: 12/23/2009 6:29:55 AM - System Checkpoint
RP303: 12/24/2009 11:21:13 AM - System Checkpoint
RP304: 12/26/2009 1:35:38 AM - System Checkpoint
RP305: 12/27/2009 11:08:50 AM - System Checkpoint
RP306: 12/28/2009 2:22:36 PM - System Checkpoint
RP307: 12/29/2009 5:43:16 PM - System Checkpoint
RP308: 12/30/2009 9:45:35 PM - System Checkpoint
RP309: 12/31/2009 9:59:02 PM - System Checkpoint
RP310: 1/2/2010 4:12:35 PM - System Checkpoint
RP311: 1/3/2010 4:49:02 PM - System Checkpoint
RP312: 1/4/2010 5:21:56 PM - System Checkpoint
RP313: 1/4/2010 8:34:07 PM - Restore Operation

==== Installed Programs ======================


Ad-Aware
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 2.0
Adobe Reader 8.1.6
Adobe Reader Chinese Simplified Fonts
Adobe Shockwave Player 11
Alcohol 120%
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Software Update
Banctec Service Agreement
BCM V.92 56K Modem
BitComet 0.91
Broadcom Management Programs
Brother MFL-Pro Suite
CCleaner (remove only)
Chinese Traditional Fonts Support For Adobe Reader 8
Critical Update for Windows Media Player 11 (KB959772)
DeductionPro 2006
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Solution Center
DellSupport
DS21Patch
EasyRecovery Professional
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Help and Support Customization
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
hp deskjet 825c series (Remove only)
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
ItsDeductible Express
Java(TM) 6 Update 17
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Learn2 Player (Uninstall Only)
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Project 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
Mozilla Firefox (3.0.3)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch® Jukebox
Nero 6 Ultra Edition
On2 VP7 Personal Edition
PaperPort 8.0 SE
Pdf995
PdfEdit995
PowerDVD
QuickTime
RealPlayer
Roxio MyDVD
Roxio UDF Reader
Roxio Update Manager
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Shockwave
Sonic MyDVD
Sonic RecordNow!
SUPERAntiSpyware Free Edition
Synacast Plug-in 1.0.9.7
TaxCut Premium 2006
Tidy Favorites 4.09
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Basic 2007
TurboTax ItsDeductible 2005
TurboTax Premier 2005
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Diagnostics
WebCyberCoach 3.2 Dell
WebFldrs XP
WinAVIVideoConverter
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 11
Yahoo! Anti-Spy
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

1/7/2010 4:30:42 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
1/5/2010 2:08:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
1/4/2010 8:21:32 PM, error: Service Control Manager [7034] - The USBDeviceService service terminated unexpectedly. It has done this 1 time(s).
1/4/2010 8:21:32 PM, error: Service Control Manager [7034] - The StarWind iSCSI Service service terminated unexpectedly. It has done this 1 time(s).
1/4/2010 8:21:30 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/4/2010 8:21:30 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
1/4/2010 8:21:29 PM, error: Service Control Manager [7034] - The Brother Popup Suspend service for Resource manager service terminated unexpectedly. It has done this 1 time(s).
1/4/2010 4:36:52 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The system cannot find the file specified.
1/4/2010 4:36:52 PM, error: Service Control Manager [7000] - The McAfee Personal Firewall Service service failed to start due to the following error: The system cannot find the file specified.
1/4/2010 4:36:52 PM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The system cannot find the file specified.
1/3/2010 9:45:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/3/2010 9:44:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
1/3/2010 9:44:51 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
1/3/2010 9:44:51 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/3/2010 9:44:51 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/3/2010 9:44:51 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/3/2010 9:43:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/3/2010 9:17:58 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {B299BB78-EBBE-48F9-8725-E6A84C4E7C1D}
1/3/2010 9:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Services service to connect.
1/3/2010 9:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Real-time Scanner service to connect.
1/3/2010 9:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Proxy Service service to connect.
1/3/2010 9:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Personal Firewall Service service to connect.
1/3/2010 9:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Network Agent service to connect.
1/3/2010 9:14:33 PM, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/3/2010 9:14:33 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/3/2010 9:14:33 PM, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/3/2010 9:14:33 PM, error: Service Control Manager [7000] - The McAfee Personal Firewall Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/3/2010 9:14:33 PM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/3/2010 8:39:51 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
1/2/2010 3:05:22 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/2/2010 1:19:55 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
1/1/2010 11:06:03 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.

==== End Of File ===========================



DDS (Ver_09-12-01.01) - NTFSx86
Run by Terry at 16:52:05.84 on Thu 01/07/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.404 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Terry.MASTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.7.4.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [settdebugx.exe] c:\docume~1\terry~1.mas\locals~1\temp\settdebugx.exe
uRun: [Malware Defense] "c:\program files\malware defense\mdefense.exe" -noscan
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [adobesecupdate] c:\docume~1\terry~1.mas\locals~1\temp\rea4D.tmp.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0401
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0402
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0404
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0405
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0406
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0407
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040B
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040C
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040D
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0410
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0413
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0415
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0416
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0418
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0419
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang041D
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0421
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0422
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0429
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0C1A
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0401
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0402
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0404
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0405
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0406
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0407
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang040B
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang040C
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang040D
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0410
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0413
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0415
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0416
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0418
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0419
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang041D
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0421
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0422
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0429
IE: {E3CB497B-E230-4445-8B34-13476822F867}\lang0C1A
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - {E7A829CC-671F-4C3D-B590-8C0AEA72E6B2} - c:\program files\bitcomet\tools\BitCometBHO_1.1.7.4.dll
IE: {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {70BEC6D2-977B-43CB-9A50-424099BA3897} - c:\progra~1\common~1\tidyfa~1\AddToFav.dll
IE: {E3CB497B-E230-4445-8B34-13476822F867} - {9B0CFC24-6650-4BEE-8030-6FCAE4672685} - c:\progra~1\common~1\tidyfa~1\OpenFav.dll
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/200 ... oader5.cab
DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://www2.snapfish.com/SnapfishOutlookImport.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/Fac ... oader3.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://us.games2.yimg.com/download.game ... _0_0_1.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v ... b56649.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://photo.walmart.com/photo/upload/XUpload.ocx
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\terry~1.mas\applic~1\mozilla\firefox\profiles\3k4bgw6q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {7A15B911-7DEE-403B-B668-65B370A148A5} - c:\documents and settings\terry.master\local settings\application data\{7A15B911-7DEE-403B-B668-65B370A148A5}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2007-9-1 15172]
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2005-8-21 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2005-8-21 5248]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-2 217600]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2008-7-14 6656]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2004-6-19 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2004-6-19 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2004-6-19 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2004-6-19 60416]
S2 0299281262642801mcinstcleanup;McAfee Application Installer Cleanup (0299281262642801);c:\docume~1\terry~1.mas\locals~1\temp\029928~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\terry~1.mas\locals~1\temp\029928~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\McProxy.exe [2010-1-4 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-4 144704]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [2004-2-4 16971]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-4 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-19 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-19 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-19 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-19 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2010-01-04 22:59:47 4899 ----a-w- c:\windows\system32\Config.MPF
2010-01-04 22:06:55 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-04 21:45:26 0 d-----w- c:\program files\common files\McAfee
2010-01-04 21:44:40 0 d-----w- c:\program files\McAfee
2010-01-04 02:10:00 8212 ----a-w- c:\windows\mfebcdata
2010-01-04 01:07:49 878 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-04 01:06:37 131 ----a-w- c:\windows\system32\srcr.dat
2009-12-30 05:20:30 54156 ---ha-w- c:\windows\QTFont.qfn
2009-12-30 05:20:30 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2010-01-04 02:24:15 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-06-23 10:57:07 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2005-06-17 01:15:16 56 --sh--r- c:\windows\system32\57940AE56E.sys
2005-06-17 01:15:16 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-04 04:49:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080420080805\index.dat

============= FINISH: 16:53:57.70 ===============
tcwc
Regular Member
 
Posts: 22
Joined: June 22nd, 2007, 10:43 pm
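As an added triage example (not part of this thread, and not code from DDS, HijackThis or MalwareRemoval.com), the script below shows how a helper can pre-screen a DDS "Pseudo HJT Report" the way the experts here read it by eye: autostart (uRun/mRun) and service entries whose image lives in a temp directory, browser add-ons that point at "No File", and Security Center (WSC) entries that are marked Outdated or that show more than one AV product registered, a pattern rogue security products produce when they register beside the real antivirus. The heuristics, the function names and the severity labels are my own; the sample log is constructed from lines in the post above and trimmed to the ones of interest.

```python
import re

# Constructed sample: a trimmed copy of the AV/BHO/Run/service lines from the DDS
# log above, in DDS's own line format. Raw string, so the Windows backslashes stay.
SAMPLE_LOG = r"""
AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [settdebugx.exe] c:\docume~1\terry~1.mas\locals~1\temp\settdebugx.exe
uRun: [Malware Defense] "c:\program files\malware defense\mdefense.exe" -noscan
mRun: [adobesecupdate] c:\docume~1\terry~1.mas\locals~1\temp\rea4D.tmp.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
S2 0299281262642801mcinstcleanup;McAfee Application Installer Cleanup;c:\docume~1\terry~1.mas\locals~1\temp\029928~1.exe -cleanup -nolog -service [?]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-4 144704]
"""

# Line shapes used by DDS: "uRun: [name] cmd", "S2 svc;display;path [date size]",
# "AV: product *status* (Updated|Outdated) {guid}", "BHO: {guid} - No File".
RUN_RE = re.compile(r'^(?P<hive>[a-z]?Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
SVC_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
WSC_RE = re.compile(r'^(?P<kind>AV|FW|AS):\s*(?P<product>.+?)\s+\*(?P<status>[^*]+)\*'
                    r'(?:\s*\((?P<updated>[^)]+)\))?')
ORPHAN_RE = re.compile(r'^(?:BHO|TB|EB):.*-\s*No File\s*$')
# Any path component named "temp" (covers locals~1\temp and local settings\temp).
TEMP_RE = re.compile(r'\\temp\\', re.I)


def executable_of(cmd):
    """Return the program path from a Run or service command line.

    Quoted paths are taken up to the closing quote; otherwise the first
    whitespace-delimited token is used (DDS prints services in 8.3 form, so
    unquoted paths with spaces are rare but would be truncated here).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def triage(log_text):
    """Return a list of (severity, line, reason) tuples for suspicious entries."""
    findings = []
    av_products = []  # AV products registered with Security Center
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WSC_RE.match(line)
        if m:
            if m.group('kind') == 'AV':
                av_products.append(m.group('product'))
            if (m.group('updated') or '').lower() == 'outdated':
                findings.append(('review', line,
                                 'Security Center product reports itself outdated'))
            continue
        m = RUN_RE.match(line)
        if m:
            if TEMP_RE.search(executable_of(m.group('cmd'))):
                findings.append(('high', line,
                                 'autostart launches an executable from a temp directory'))
            continue
        m = SVC_RE.match(line)
        if m:
            if TEMP_RE.search(executable_of(m.group('rest'))):
                findings.append(('high', line, 'service image lives in a temp directory'))
            continue
        if ORPHAN_RE.match(line):
            findings.append(('low', line, 'browser add-on registered but its file is missing'))
    if len(av_products) > 1:
        # Two on-access scanners at once is unusual for a home machine and is how a
        # rogue "antivirus" typically shows up next to the real one.
        findings.append(('review', 'AV: ' + ', '.join(av_products),
                         'more than one AV product registered with Security Center'))
    return findings


if __name__ == '__main__':
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f'[{severity:6}] {reason}\n         {line}')
```

On the sample this reports three high-severity entries (two Run keys and one service, all pointing into the user's temp directory), one missing-file BHO, and two review items for the Security Center entries. The script only prioritises what a human then reads in full; it does not remove anything, and an entry running from temp is a lead, not a verdict.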

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby Vino Rosso » January 8th, 2010, 5:18 am

OK, let's start to tackle things...

1 - Scan With ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools and may lead to unpredictable results or possible machine damage.
    A guide to do this can be found here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


Please post in your next reply:
ComboFix log

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby tcwc » January 8th, 2010, 3:41 pm

OK. Finally able to run & finish GMER. Here is the log.
Will scan with ComboFix later today & post log.
Thanking you in advance.




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-08 14:35:42
Windows 5.1.2600 Service Pack 3
Running: e5ctdxy8.exe; Driver: C:\DOCUME~1\TERRY~1.MAS\LOCALS~1\Temp\uftdypow.sys


---- System - GMER 1.0.15 ----

Code 83901200 ZwEnumerateKey
Code 8394B208 ZwFlushInstructionCache
Code 8394C35E IofCallDriver
Code 83A71566 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 83B7F960

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Alidevice.SYS (Windows NT alipay kernel module/alipay.com)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Alidevice.SYS (Windows NT alipay kernel module/alipay.com)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Rdbss \Device\FsWrap 837DE158
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 839FF8A0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 839FF8A0
Device \Driver\atapi \Device\Ide\IdePort0 839FF8A0
Device \Driver\atapi \Device\Ide\IdePort1 839FF8A0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 839FF8A0
Device \FileSystem\Srv \Device\LanmanServer 8361BD70

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 837FF828
Device \FileSystem\MRxSmb \Device\LanmanRedirector 837FF828
Device \FileSystem\Npfs \Device\NamedPipe 839F0248
Device \FileSystem\Msfs \Device\Mailslot 838443C8
Device \Driver\Vax347s \Device\Scsi\Vax347s1 83B5FCF8
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port2Path0Target0Lun0 83B5FCF8
Device \FileSystem\Fastfat \Fat EDA92D20
Device \FileSystem\Fastfat \Fat 83429DA0

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 839F9188
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 839F9188
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 839F9188
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 839F9188
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 839F9188
Device \FileSystem\Cdfs \Cdfs 8380B2D8
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module _________ F7467000-F747F000 (98304 bytes)
Module \systemroot\system32\drivers\H8SRTxtlworswuh.sys (*** hidden *** ) EEDA5000-EEDC2000 (118784 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [548] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [928] 0x00C20000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1056] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1112] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1168] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1264] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1408] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1496] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1996] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [3700] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [3844] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTxtlworswuh.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxq.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxtlworswuh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxtlworswuh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTylqpqjnbaw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTvuirtblkhd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTmexrqjkomw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxtlworswuh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxtlworswuh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTylqpqjnbaw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTvuirtblkhd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTmexrqjkomw.dll
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\iexplore@Count 33976
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore@Count 48066
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\iexplore@Count 21031
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\iexplore@Count 31508
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\iexplore@Blocked 3908
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\iexplore@Count 27083
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\iexplore@Blocked 3293
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5C255C8A-E604-49B4-9D64-90988571CECB}\iexplore@Count 1871
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\iexplore@Count 36974
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore@Count 12730
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\iexplore@Count 3288
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\iexplore@Count 8062
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Count 1981
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore@Count 37078
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E3CB497B-E230-4445-8B34-13476822F867}\iexplore@Count 3288
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore@Count 1981
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore@Count 37082
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore@Blocked 3293

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Terry.MASTER\Local Settings\temp\h8srtmainqt.dll 16451 bytes
File C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTxtlworswuh.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\SYSTEM32\H8SRTmexrqjkomw.dll 40960 bytes executable
File C:\WINDOWS\SYSTEM32\H8SRTqajroqmvny.dll 36864 bytes executable
File C:\WINDOWS\SYSTEM32\H8SRTvuirtblkhd.dat 173 bytes
File C:\WINDOWS\SYSTEM32\H8SRTylqpqjnbaw.dll 23040 bytes executable
File C:\WINDOWS\Temp\H8SRT828f.tmp 244 bytes

---- EOF - GMER 1.0.15 ----
tcwc
Regular Member
 
Posts: 22
Joined: June 22nd, 2007, 10:43 pm

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby Vino Rosso » January 8th, 2010, 4:20 pm

tcwc wrote:OK. Finally able to run & finish GMER. Here is the log.

Thanks for posting the GMER log. It confirms my suspicions.

Please post the ComboFix log when you can.
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby tcwc » January 9th, 2010, 4:46 am

Vino, let me thank you for all your help first. :bounce: So far I can feel the computer is getting better.

I did the ComboFix scan, but I was UNABLE to turn off McAfee because the McAfee System Tray icon was gone & I could NOT even run it via the c:\Program Folder or Start Menu. Would that have affected the scan?

However, after ComboFix completed, the McAfee System Tray icon reappeared & I was able to activate it.

Lastly, the Malwarebytes' Anti-Malware that was previously installed on the computer is still UNABLE to run.

Please see log below:

ComboFix 10-01-04.01 - Terry 01/08/2010 18:10:18.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.479 [GMT -5:00]
Running from: c:\documents and settings\Terry.MASTER\Desktop\Combo--Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\H8SRTxtlworswuh.sys
c:\windows\system32\H8SRTmexrqjkomw.dll
c:\windows\system32\H8SRTqajroqmvny.dll
c:\windows\system32\H8SRTvuirtblkhd.dat
c:\windows\system32\H8SRTylqpqjnbaw.dll
c:\windows\system32\srcr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-04 22:06 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-04 21:45 . 2010-01-04 22:07 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-04 21:44 . 2010-01-04 22:41 -------- d-----w- c:\program files\McAfee
2010-01-04 01:07 . 2010-01-08 05:07 857 ----a-w- c:\windows\system32\krl32mainweq.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 22:51 . 2008-09-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-08 22:50 . 2007-03-08 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-08 05:56 . 2008-08-04 01:39 -------- d-----w- c:\program files\Trend Micro
2010-01-07 07:28 . 2008-12-02 06:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 21:55 . 2004-01-05 15:41 -------- d-----w- c:\program files\McAfee.com
2010-01-04 02:24 . 2009-03-09 14:36 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-13 09:53 . 2005-09-26 05:49 -------- d-----w- c:\program files\MSN Games
2009-11-04 21:54 . 2009-08-19 05:41 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 21:54 . 2009-08-19 05:41 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 21:54 . 2009-08-19 05:41 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 21:54 . 2009-07-08 17:44 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-31 16:44 . 2009-10-31 16:44 128 ----a-w- c:\documents and settings\ETHAN\Local Settings\Application Data\fusioncache.dat
2009-10-31 16:43 . 2005-10-10 02:04 63296 ----a-w- c:\documents and settings\ETHAN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:46 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-09-09 15:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-06-23 10:57 . 2007-06-23 10:57 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-12-18 21:43 . 2008-12-23 01:46 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll
2008-12-18 21:43 . 2008-12-23 01:46 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
2005-06-17 01:15 . 2005-06-09 05:13 56 --sh--r- c:\windows\SYSTEM32\57940AE56E.sys
2005-06-17 01:15 . 2005-06-09 05:13 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-17 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-4-18 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-20 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-01-04 02:21 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DetectorApp]
2005-08-31 10:15 102400 ----a-w- c:\program files\Roxio\MyDVD\MyDVD\DetectorApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 14:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-07-15 01:35 1961984 ------w- c:\progra~1\Ahead\NEROBA~1\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2003-07-10 17:56 45056 ------w- c:\program files\Brother\Brmfl03a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-12-17 03:33 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Tidy Favorites\\TidyFavorites.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2625:UDP"= 2625:UDP:ppLive
"14015:TCP"= 14015:TCP:BitComet 14015 TCP
"14015:UDP"= 14015:UDP:BitComet 14015 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/9/2009 6:26 AM 64160]
R0 PzWDM;PzWDM;c:\windows\SYSTEM32\DRIVERS\PzWDM.sys [9/1/2007 10:08 AM 15172]
R0 Vax347s;Vax347s;c:\windows\SYSTEM32\DRIVERS\Vax347s.sys [8/21/2005 1:29 PM 5248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 55024]
R3 Alidevice;Alidevice;c:\windows\SYSTEM32\DRIVERS\alidevice.sys [7/14/2008 9:42 AM 6656]
R3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [6/19/2004 11:56 PM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [6/19/2004 11:57 PM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [6/19/2004 11:56 PM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [6/19/2004 11:52 PM 60416]
S2 0299281262642801mcinstcleanup;McAfee Application Installer Cleanup (0299281262642801);c:\docume~1\TERRY~1.MAS\LOCALS~1\Temp\029928~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\TERRY~1.MAS\LOCALS~1\Temp\029928~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\SYSTEM32\DRIVERS\LEXAR2K.SYS [2/4/2004 12:36 AM 16971]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S4 Vax347b;Vax347b;c:\windows\SYSTEM32\DRIVERS\Vax347b.sys [8/21/2005 1:29 PM 159616]
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 02:22]

2010-01-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-14 06:00]

2010-01-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-04 17:22]

2010-01-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-04 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0401
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0402
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0404
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0405
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0406
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0407
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040B
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040C
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040D
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0410
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0413
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0415
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0416
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0418
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0419
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang041D
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0421
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0422
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0429
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0C1A
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0401
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0402
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0404
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0405
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0406
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0407
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang040B
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang040C
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang040D
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0410
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0413
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0415
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0416
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0418
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0419
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang041D
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0421
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0422
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0429
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0C1A
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {70BEC6D2-977B-43CB-9A50-424099BA3897} - c:\progra~1\COMMON~1\TIDYFA~1\AddToFav.dll
IE: {{E3CB497B-E230-4445-8B34-13476822F867} - {9B0CFC24-6650-4BEE-8030-6FCAE4672685} - c:\progra~1\COMMON~1\TIDYFA~1\OpenFav.dll
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
FF - ProfilePath - c:\documents and settings\Terry.MASTER\Application Data\Mozilla\Firefox\Profiles\3k4bgw6q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {7A15B911-7DEE-403B-B668-65B370A148A5} - c:\documents and settings\Terry.MASTER\Local Settings\Application Data\{7A15B911-7DEE-403B-B668-65B370A148A5}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Malware Defense - c:\program files\Malware Defense\mdefense.exe
MSConfigStartUp-CTFMON - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 18:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\Brmfrmps.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
c:\windows\system32\BRMFRSMG.EXE
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\BCMSMMSG.exe
.
**************************************************************************
.
Completion time: 2010-01-08 18:48:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-08 23:48

Pre-Run: 14,964,924,416 bytes free
Post-Run: 15,181,570,048 bytes free

- - End Of File - - C9DC5D6CF7D496C5531BE277384F9395
tcwc
Regular Member
 
Posts: 22
Joined: June 22nd, 2007, 10:43 pm

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby Vino Rosso » January 9th, 2010, 8:23 am

Hi
tcwc wrote:Vino, let me thank you for all your help first. :bounce: So far I can feel the computer is getting better.

Good!

tcwc wrote:I did the ComboFix scan, but I was UNABLE to turn off McAfee because the McAfee System Tray icon was gone & I could NOT even run it via the c:\Program Folder or Start Menu. Would that have affected the scan?

Possibly, but ComboFix was able to run so we're probably OK.

tcwc wrote:Lastly, the Malwarebytes' Anti-Malware that was previously installed on the computer is still UNABLE to run.

Patience please. Don't try to run anything until I ask. Something may get removed that would help me understand what's causing the problems.

1 - ComboFix Script Fixes
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

Code:
File::
c:\windows\system32\krl32mainweq.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created, CFScript.txt, and drop it on the main ComboFix.exe icon.
Please wait for ComboFix to finish running

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.

Please post the ComboFix log.


2 - Temporary File Cleaner
This program clears out files from the computer's temporary folders and empties the Recycle Bin
Check your computer's Recycle Bin and restore any files you wish to keep before running this tool

Please download TFC by Old Timer from here: http://oldtimer.geekstogo.com/TFC.exe
Save TFC.exe to your Desktop

** Save any documents, etc. and close all programs **

Double-click TFC.exe
Click the Start button and, if prompted, click Yes to re-boot.


3 - Online Kaspersky Scan
Notes
Do NOT run this scan if you are on dial-up.
Java must be installed and enabled for the scan to work.
Disable your computer's antivirus program, as leaving it active will cause conflicts.
On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version.
  • Close ALL programs and windows except for your browser
    Please go to >Online Kaspersky Scan< and perform an online antivirus scan.
  • Read through the Requirements and limitations statement and click on the Accept button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, the scrolling window will show 'Database is updated. Ready to scan'. Click on the Settings button at the bottom left.
  • Make sure these boxes are checked/ticked. If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan on the left. OK any warnings from your protection programs.
  • Go for a long walk. Please be patient and let the scanner finish. It is better that you do NOT use the computer while the scan is running. Keep all other programs/windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan-ddmmyy before clicking on the Save button. Save the report to a convenient place - for example the Desktop.
  • Please post this log in your next reply.
Note - enable your antivirus program before browsing away from the Kaspersky site.

Go to the Desktop and double-click on the Kaspersky report KAVScan-ddmmyy.txt; it will open in Notepad.
Click Edit > Select all then Edit > Copy
Reply to this thread and paste (Ctrl+V) the report.

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
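The GMER and ComboFix excerpts above are what the helper read to spot the hidden H8SRT/TDSS driver, its injected DLL, and the switched-off Security Center monitoring that the CFScript then deletes. As an added example (not a MalwareRemoval.com tool and not anything Vino posted), the Python script below runs that same triage over a constructed sample of lines copied from the logs above and emits the Registry:: stanza of a CFScript; the regex set, severity labels and the TDSS/H8SRT prefix list are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# GMER "Library" line: a DLL GMER sees mapped in a process but the file system hides.
HIDDEN_LIB = re.compile(r"^Library\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+@\s+(.+?)\s+\[(\d+)\]")
# GMER "Service" line: a driver service hidden from the normal API (GMER marks it ROOTKIT).
HIDDEN_SVC = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[(\w+)\]\s+(\S+)")
# GMER "Reg" line giving a service's image path in any control set.
SVC_REG = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(\w+)\\Services\\([^\\@\s]+)@imagepath\s+(\S+)", re.I)
# ComboFix REGEDIT4 dump: Security Center monitoring keys and the values under them.
SC_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\[^\]]+)\]$", re.I)
ANY_KEY = re.compile(r"^\[.*\]$")
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
# File-name prefixes this thread's rootkit used (TDL3/TDSS family); the list is an assumption.
ROOTKIT_PREFIXES = ("TDSS", "H8SRT")


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" | "high" | "medium"
    category: str
    detail: str


def _basename(path):
    return path.split("\\")[-1]


def triage(lines):
    """Single pass over GMER/ComboFix log lines; returns the findings that need a removal step."""
    findings = []
    current_key = None  # REGEDIT4 key we are inside, but only when it is a Security Center one
    for raw in lines:
        line = raw.strip()
        if m := HIDDEN_LIB.match(line):
            path, proc, pid = m.groups()
            findings.append(Finding("critical", "hidden-dll",
                                    f"{_basename(path)} injected into {proc} (pid {pid})"))
        elif m := HIDDEN_SVC.match(line):
            path, start, name = m.groups()
            findings.append(Finding("critical", "hidden-service", f"{name} -> {path} [{start}]"))
        elif m := SVC_REG.match(line):
            hive, name, image = m.groups()
            if name.upper().startswith(ROOTKIT_PREFIXES) or _basename(image).upper().startswith(ROOTKIT_PREFIXES):
                findings.append(Finding("high", "rootkit-service-key", f"{hive}\\Services\\{name} -> {image}"))
        elif m := SC_KEY.match(line):
            current_key = m.group(1)
        elif ANY_KEY.match(line):
            current_key = None  # left the Security Center subtree
        elif current_key and DISABLE_MON.match(line):
            findings.append(Finding("medium", "security-center-monitoring-off", current_key))
        elif FW_OFF.match(line):
            findings.append(Finding("medium", "windows-firewall-off", line))
    return findings


def summarize(findings):
    """Counts per category, e.g. {'hidden-dll': 2, 'hidden-service': 1, ...}."""
    return dict(Counter(f.category for f in findings))


def cfscript_registry(findings):
    """Registry:: stanza of a ComboFix CFScript deleting each DisableMonitoring value found.
    "Name"=- is the regedit-style 'delete this value' syntax used in the fix above."""
    keys = [f.detail for f in findings if f.category == "security-center-monitoring-off"]
    if not keys:
        return ""
    stanzas = [f'[{k}]\n"DisableMonitoring"=-' for k in keys]
    return "Registry::\n" + "\n\n".join(stanzas) + "\n"


# Constructed sample: a handful of lines taken from the GMER and ComboFix logs in this thread.
SAMPLE_LOG = r"""
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1264] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTqajroqmvny.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [3844] 0x10000000
Service C:\WINDOWS\system32\drivers\H8SRTxtlworswuh.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxtlworswuh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
""".strip().splitlines()


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda x: (x.severity, x.category)):
        print(f"[{f.severity:8}] {f.category}: {f.detail}")
    print(cfscript_registry(results), end="")
```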

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby tcwc » January 10th, 2010, 8:23 pm

Thanks Vino,

ComboFix 10-01-04.01 - Terry 01/09/2010 22:56:07.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.483 [GMT -5:00]
Running from: c:\documents and settings\Terry.MASTER\Desktop\Combo--Fix.exe
Command switches used :: c:\documents and settings\Terry.MASTER\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\krl32mainweq.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\krl32mainweq.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2010-01-07 21:47 . 2010-01-07 21:47 12840432 ----a-w- c:\documents and settings\All Users\Application Data\Google Updater\cache\packdata_ci_earth_5.1.3533.1731_en_setup.exe
2010-01-04 22:06 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-04 21:45 . 2010-01-04 22:07 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-04 21:44 . 2010-01-04 22:41 -------- d-----w- c:\program files\McAfee
2010-01-04 02:24 . 2010-01-04 02:24 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-01-04 02:23 . 2010-01-04 02:23 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2010-01-04 02:23 . 2010-01-04 02:23 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2010-01-04 02:22 . 2010-01-04 02:22 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 23:53 . 2008-09-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-09 08:17 . 2008-08-04 01:39 -------- d-----w- c:\program files\Trend Micro
2010-01-08 22:50 . 2007-03-08 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-07 07:28 . 2008-12-02 06:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 21:55 . 2004-01-05 15:41 -------- d-----w- c:\program files\McAfee.com
2010-01-04 02:24 . 2009-07-11 00:58 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-04 02:24 . 2009-07-11 00:58 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-01-04 02:24 . 2009-06-13 06:42 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-04 02:24 . 2009-03-09 14:36 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-04 02:24 . 2009-07-11 00:58 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-04 02:24 . 2009-07-11 00:58 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-04 02:23 . 2009-07-11 00:58 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-04 02:23 . 2009-07-11 00:58 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-04 02:23 . 2009-07-11 00:58 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-04 02:23 . 2009-07-11 00:58 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-04 02:23 . 2009-07-11 00:58 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-04 02:23 . 2009-07-11 00:58 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-04 02:22 . 2009-07-11 00:58 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-04 02:22 . 2009-07-11 00:58 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-04 02:22 . 2009-07-11 00:58 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-04 02:21 . 2009-07-11 00:58 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-01-04 02:21 . 2009-07-11 00:58 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-04 02:20 . 2009-07-11 00:58 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-13 09:53 . 2005-09-26 05:49 -------- d-----w- c:\program files\MSN Games
2009-11-04 21:54 . 2009-08-19 05:41 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 21:54 . 2009-08-19 05:41 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 21:54 . 2009-08-19 05:41 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 21:54 . 2009-07-08 17:44 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-04 04:15 . 2009-11-04 04:15 152576 ----a-w- c:\documents and settings\Terry.MASTER\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-31 16:44 . 2009-10-31 16:44 128 ----a-w- c:\documents and settings\ETHAN\Local Settings\Application Data\fusioncache.dat
2009-10-31 16:43 . 2005-10-10 02:04 63296 ----a-w- c:\documents and settings\ETHAN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:46 . 2004-02-06 22:05 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2007-06-23 10:57 . 2007-06-23 10:57 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-12-18 21:43 . 2008-12-23 01:46 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll
2008-12-18 21:43 . 2008-12-23 01:46 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
2005-06-17 01:15 . 2005-06-09 05:13 56 --sh--r- c:\windows\SYSTEM32\57940AE56E.sys
2005-06-17 01:15 . 2005-06-09 05:13 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-17 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-4-18 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-20 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-01-04 02:21 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DetectorApp]
2005-08-31 10:15 102400 ----a-w- c:\program files\Roxio\MyDVD\MyDVD\DetectorApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 14:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-07-15 01:35 1961984 ------w- c:\progra~1\Ahead\NEROBA~1\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2003-07-10 17:56 45056 ------w- c:\program files\Brother\Brmfl03a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-12-17 03:33 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Tidy Favorites\\TidyFavorites.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2625:UDP"= 2625:UDP:ppLive
"14015:TCP"= 14015:TCP:BitComet 14015 TCP
"14015:UDP"= 14015:UDP:BitComet 14015 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/9/2009 6:26 AM 64160]
R0 PzWDM;PzWDM;c:\windows\SYSTEM32\DRIVERS\PzWDM.sys [9/1/2007 10:08 AM 15172]
R0 Vax347s;Vax347s;c:\windows\SYSTEM32\DRIVERS\Vax347s.sys [8/21/2005 1:29 PM 5248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 55024]
R3 Alidevice;Alidevice;c:\windows\SYSTEM32\DRIVERS\alidevice.sys [7/14/2008 9:42 AM 6656]
R3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [6/19/2004 11:56 PM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [6/19/2004 11:57 PM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [6/19/2004 11:56 PM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [6/19/2004 11:52 PM 60416]
S2 0299281262642801mcinstcleanup;McAfee Application Installer Cleanup (0299281262642801);c:\docume~1\TERRY~1.MAS\LOCALS~1\Temp\029928~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\TERRY~1.MAS\LOCALS~1\Temp\029928~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\SYSTEM32\DRIVERS\LEXAR2K.SYS [2/4/2004 12:36 AM 16971]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S4 Vax347b;Vax347b;c:\windows\SYSTEM32\DRIVERS\Vax347b.sys [8/21/2005 1:29 PM 159616]
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 02:22]

2010-01-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-14 06:00]

2010-01-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-04 17:22]

2010-01-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-04 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0401
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0402
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0404
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0405
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0406
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0407
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040B
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040C
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang040D
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0410
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0413
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0415
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0416
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0418
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0419
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang041D
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0421
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0422
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0429
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0C1A
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0401
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0402
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0404
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0405
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0406
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0407
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang040B
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang040C
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang040D
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0410
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0413
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0415
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0416
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0418
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0419
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang041D
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0421
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0422
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0429
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0C1A
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {70BEC6D2-977B-43CB-9A50-424099BA3897} - c:\progra~1\COMMON~1\TIDYFA~1\AddToFav.dll
IE: {{E3CB497B-E230-4445-8B34-13476822F867} - {9B0CFC24-6650-4BEE-8030-6FCAE4672685} - c:\progra~1\COMMON~1\TIDYFA~1\OpenFav.dll
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
FF - ProfilePath - c:\documents and settings\Terry.MASTER\Application Data\Mozilla\Firefox\Profiles\3k4bgw6q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {7A15B911-7DEE-403B-B668-65B370A148A5} - c:\documents and settings\Terry.MASTER\Local Settings\Application Data\{7A15B911-7DEE-403B-B668-65B370A148A5}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-09 23:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\COMRes.dll
.
Completion time: 2010-01-09 23:10:53
ComboFix-quarantined-files.txt 2010-01-10 04:10

Pre-Run: 15,055,212,544 bytes free
Post-Run: 15,111,573,504 bytes free

- - End Of File - - 76407578DBF714964539B83CBDB74E33

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, January 10, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, January 10, 2010 06:35:05
Records in database: 3296091
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 95228
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:41:43


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\H8SRTxtlworswuh.sys.vir Infected: Trojan.Win32.Tdss.avei 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0041899.sys Infected: Trojan.Win32.Tdss.avei 1

Selected area has been scanned.
tcwc
Regular Member
 
Posts: 22
Joined: June 22nd, 2007, 10:43 pm

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby Vino Rosso » January 11th, 2010, 4:55 am

Hi

How is the computer now? Any problems?
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby tcwc » January 11th, 2010, 5:13 pm

The computer is running pretty good.

The McAfee is back up & running as usual.

The only thing is that Malwarebytes' Anti-Malware, which was originally installed, still CANNOT be run.
It shows the following error messages when I double-click to start it:
Run-time error "0"
Run-time error "44"

Thanking you in advance.
tcwc
Regular Member
 
Posts: 22
Joined: June 22nd, 2007, 10:43 pm

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby Vino Rosso » January 11th, 2010, 5:27 pm

Hi

Please try downloading and installing a fresh copy of Malwarebytes' Anti-Malware... allow the program to install over itself. (The program has recently been updated anyway.)

1 - Malwarebytes' Anti-Malware
Please go here: http://www.malwarebytes.org/mbam-download.php and download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from >here< and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Select "Perform Full Scan" then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that all items are ticked/checked except items in the C:\System Volume Information folder and click on Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby tcwc » January 12th, 2010, 2:11 am

The Scan went fine. Thanks.

However, there is a new DAT file named "Settings" on my Desktop. It was created on 01/08/2010, which is during the period we were cleaning up the computer. Can you tell what it is and where it came from? May I attach it for you to look at?

Anyway, here is the Log:

Malwarebytes' Anti-Malware 1.44
Database version: 3544
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/11/2010 11:06:57 PM
mbam-log-2010-01-11 (23-06-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 255075
Time elapsed: 2 hour(s), 48 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\H8SRTmexrqjkomw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\H8SRTqajroqmvny.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\H8SRTylqpqjnbaw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\H8SRTxtlworswuh.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0041986.sys (Malware.Trace) -> Not selected for removal.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0043192.sys (Malware.Trace) -> Not selected for removal.
tcwc
Regular Member
 
Posts: 22
Joined: June 22nd, 2007, 10:43 pm

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby Vino Rosso » January 12th, 2010, 3:30 am

Hi
tcwc wrote: The Scan went fine. Thanks.

However, there is a new DAT file named "Settings" on my Desktop. It was created on 01/08/2010, which is during the period we were cleaning up the computer. Can you tell what it is and where it came from? May I attach it for you to look at?

Let's see what information is available...

1 - File Analyser
Please download filealyz.exe by clicking >here<
Save the file to your Desktop
Double-click filealyz.exe and follow the prompts to install the program.

Once installed, right-click on the file in question... settings.dat and select Analyze file with FileAlyzer
FileAlyzer will take a few moments to collect the data. Please be patient.

When the report window appears, click Report > Save report to file...
Name the report "filerep.txt" (including the quotes) and save it to your Desktop

Then go to your Desktop and double-click on filerep.txt - the file will open in Notepad
In Notepad, click Edit > Select all then Edit > Copy
Reply to this post, click in the reply window and press Ctrl+V to paste the report.

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: HiJackThis Log - Malware Defense – Virus Attacked pls help

Unread postby tcwc » January 12th, 2010, 10:12 pm

********************************************************************
FileAlyzer © 2003-2006 Safer Networking Ltd. All Rights Reserved.
********************************************************************


File: C:\Documents and Settings\Terry.MASTER\Desktop\settings.dat
Date: 1/12/2010 9:10:44 PM


***** General ******************************************************
Location: C:\Documents and Settings\Terry.MASTER\Desktop\
Size: 15
Version:
CRC-32: ADD4567A
MD5: 3AB20AF273ABC5B26C631214F4821335
SHA1: 33BB791BB8A3B10F7140305AC1DFF084C7747A6E
Read only: No
Hidden: No
System file: No
Directory: No
Archive: Yes
Symbolic link: No
Time stamp: Friday, January 08, 2010 12:51:41 AM
Creation: Friday, January 08, 2010 12:46:54 AM
Last access: Tuesday, January 12, 2010 9:05:38 PM
Last write: Friday, January 08, 2010 12:51:42 AM
tcwc
Regular Member
 
Posts: 22
Joined: June 22nd, 2007, 10:43 pm