# Slow Computer, Redirecting on all browsers, Just In Time Debugging svchost.exe memory



## Skaione (Feb 12, 2009)

I recently got a virus which was giving me a circle with a white "X" in it, sending a message about how my computer has been infected. I don't remember what it said because I deleted it. But prior to this I get a Just-In-Time Debugging menu which pops up, which then says, "Please select a debugger."

Also I get redirected a lot from google to legit websites, such as monster market place among other things.

I ran a Malwarebytes scan and a Spybot S&D scan and they both found things, but now when I scan it shows up clean.


Also, when I had the virus it was telling me to uninstall Malwarebytes.

Thanks for any help


----------



## Skaione (Feb 12, 2009)

Bump


----------



## Skaione (Feb 12, 2009)

Also, after a while my sound gets turned off and I have to restart; the computer tells me that I need to install, but when I restart it works again.


----------



## Skaione (Feb 12, 2009)

Qvomya.exe is an unknown process that was terminated, and I have a "FakeAlert-FakeSpy!env.a" picked up by McAfee.


----------



## Skaione (Feb 12, 2009)

I got a new infection called Security Master AV, and McAfee doesn't turn on anymore.
I get this pop-up and it's like screaming at me like an animal, like a screeching noise.
Also there were pop-ups saying my identity may be stolen, but since I got the infection I haven't accessed the bank websites and I don't save my passwords.

Can someone please help me soon?


----------



## Skaione (Feb 12, 2009)

And then "Imagine" by John Lennon started playing, but in a cheap cellphone ringtone kind of way.


----------



## CatByte (Feb 24, 2009)

Hi and Welcome,

Please do the following:

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.scr

Note:

You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

At this point, you should now be able to run analysis tools.

Once the tool has run, do NOT reboot the machine, and then try to run DDS and GMER.

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

Please download *DDS* from either of these links

*LINK 1* 
*LINK 2*

and save it to your *desktop.*

Disable any script blocking protection
 Double click *dds.pif* to run the tool. 
When done, two *DDS.txt's* will open. 
Save both reports to your *desktop.*
---------------------------------------------------
*Please include the contents of the following in your next reply:*

*DDS.txt*
*Attach.txt*.

*NEXT*

Download *GMER Rootkit Scanner* from *here*: http://www.gmer.net/download.php to your desktop. It will be a randomly named executable.

 Double click the exe file.
 If it gives you a warning about rootkit activity and asks if you want to run scan...click on *NO*, then use the following settings for a more complete scan.


 In the right panel, you will see several boxes that have been checked. Ensure the following are *unchecked*
 IAT/EAT
 Drives/Partition other than Systemdrive (typically C:\) 
 Show All (don't miss this one)

 Then click the Scan button & wait for it to finish. 
 Once done click on the *[Save..]* button, and in the File name area, type in *"Gmer.txt"* or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in reply.

_**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries._


----------



## Skaione (Feb 12, 2009)

Sorry for the long delay; GMER had trouble running.

Also I have trouble connecting to the internet, and when I sign on the computer the taskbar switches from a 95 theme (grey and edgy) to the XP theme (blue-green and curved).

I couldn't add the documents individually so I zipped them up, I hope that's okay.
Thanks.


----------



## CatByte (Feb 24, 2009)

Hi,
Please do the following:

Download *Combofix* from either of the links below but *rename it to combo.com before* saving it to your desktop.

 *Link 1*
 *Link 2*

--------------------------------------------------------------------

Double click on the *renamed* ComboFix.exe & follow the prompts. 
When finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* so we can continue cleaning the system.
NOTE: Very Important! - Please disable all your security programs before running ComboFix as they will interfere


----------



## Skaione (Feb 12, 2009)

So it should run as combofix.com.exe?

also should I install ms windows recovery console?


----------



## Skaione (Feb 12, 2009)

Here is the log


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click* Start > Run* type *Notepad* click *OK.*
This will open an empty notepad file:

*Copy* all the text *inside of the code box* - *Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
http://forums.techguy.org/virus-other-malware-removal/930696-slow-computer-redirecting-all-browsers.html

File::
c:\windows\Wfepodivodu.bin

Folder::
c:\documents and settings\Darian\Application Data\Security Master AV
c:\documents and settings\All Users\Application Data\SMBFVHLVAV
c:\documents and settings\Darian\Local Settings\Application Data\dhjglvkir
c:\documents and settings\Darian\Local Settings\Application Data\htdryreyd

Collect::
c:\windows\Urasofikahasa.dat
c:\windows\Qvomya.exe
c:\windows\system32\igfxrchtr.dll

DirLook::
c:\documents and settings\Darian\WINDOWS
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')
*Save this file to your desktop. Save this as "CFScript".*

Here's how to do that:

1.Click *File*;
2.Click *Save As*... Change the directory to your *desktop*;
3.Change the* Save as type* to *"All Files";*
4.Type in the file name: *CFScript*
5.Click *Save ...*

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*

CAUTION: *Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.

*NEXT*


Please go to  VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*c:\windows\system32\mipsinf.sys*
Click on the *Upload* button
If a pop-up appears saying the file has been scanned already, please select the *ReScan* button.
Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.
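The CFScript above hands ComboFix a list of paths under four directives (File::, Folder::, Collect::, DirLook::), and the ComboFix log Skaione posts later in the thread reports what was deleted, zipped, disinfected and restored. The following is an added example, not part of CatByte's post and not ComboFix's own code, showing how a helper reading that thread would reconcile the two mechanically: it parses the CFScript sections, checks that every Collect:: path shows up as a "file zipped:" line, and scans the Reg Loading Points entries for the trick visible in the log, where a legitimate autostart program was renamed with a space before its extension (`qttask .exe`) so the Run value no longer points at a real file. The script and log excerpts embedded below are copied from this thread; the assumption that a `[YYYY-MM-DD size]` tag means "ComboFix found the file" (versus `[X]` or `[N/A]`) is inferred from the log's own formatting, not from ComboFix documentation.

```python
"""Triage a ComboFix log against the CFScript that drove it (added example)."""
import re
from collections import defaultdict

# CFScript text as posted in the thread (directive names are ComboFix's).
CFSCRIPT = r"""
File::
c:\windows\Wfepodivodu.bin

Folder::
c:\documents and settings\Darian\Application Data\Security Master AV

Collect::
c:\windows\Urasofikahasa.dat
c:\windows\Qvomya.exe
c:\windows\system32\igfxrchtr.dll

DirLook::
c:\documents and settings\Darian\WINDOWS
"""

# Constructed excerpt: lines copied from the ComboFix log posted later.
LOG = r"""
file zipped: c:\windows\Qvomya.exe
file zipped: c:\windows\system32\igfxrchtr.dll
file zipped: c:\windows\Urasofikahasa.dat
c:\program files\QuickTime\qttask .exe ---^> c:\program files\QuickTime\qttask.exe
c:\program files\Java\jre6\bin\jusched .exe ---^> c:\program files\Java\jre6\bin\jusched.exe
Infected copy of c:\windows\system32\DRIVERS\compbatt.sys was found and disinfected
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [N/A]
"iTunesHelper"="d:\hard drive info\Itunes\iTunesHelper.exe" [N/A]
"""

RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<tag>[^\]]*)\]')
# Whitespace immediately before the extension: "qttask .exe" instead of "qttask.exe".
SPACED_EXT = re.compile(r"\s+\.(exe|com|dll|sys|scr)\b", re.IGNORECASE)
# Assumption: ComboFix prints [date size] only for files it actually located.
FOUND_TAG = re.compile(r"^\d{4}-\d\d-\d\d \d+$")


def parse_cfscript(text):
    """Return {directive: [lowercased paths]} for each 'Name::' section."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
        elif current:
            sections[current].append(line.lower())
    return dict(sections)


def triage_log(text):
    """Pull the security-relevant facts out of a ComboFix log excerpt."""
    f = {"spaced_ext": [], "unverified": [], "restored": [],
         "zipped": [], "disinfected": []}
    for line in text.splitlines():
        m = RUN_ENTRY.match(line)
        if m:  # a Run-key value: name, command line, and ComboFix's file tag
            name, cmd, tag = m.group("name", "cmd", "tag")
            if SPACED_EXT.search(cmd):
                f["spaced_ext"].append(name)
            if not FOUND_TAG.match(tag):
                f["unverified"].append((name, tag))
        elif " ---^> " in line:  # renamed original restored over the hijacked name
            bad, good = line.split(" ---^> ")
            f["restored"].append((bad.strip(), good.strip()))
        elif line.startswith("file zipped: "):
            f["zipped"].append(line[len("file zipped: "):].strip().lower())
        elif line.startswith("Infected copy of "):
            f["disinfected"].append(line.split()[3])
    return f


def unconfirmed_collects(script, findings):
    """Collect:: paths the log never reports as zipped (nothing to submit)."""
    return [p for p in script.get("Collect", []) if p not in findings["zipped"]]


if __name__ == "__main__":
    script = parse_cfscript(CFSCRIPT)
    found = triage_log(LOG)
    print("Run values with a space before the extension:", found["spaced_ext"])
    print("Run values ComboFix could not verify:", found["unverified"])
    print("Restored originals:", [g for _, g in found["restored"]])
    print("Disinfected drivers:", found["disinfected"])
    print("Collect:: paths not zipped:", unconfirmed_collects(script, found))
```

Run against the excerpt, it reports ISUSPM and QuickTime Task as Run values whose command line contains `name .exe`, flags those two plus ShStatEXE and iTunesHelper as targets ComboFix did not locate, lists the two restored originals and the disinfected compbatt.sys, and confirms all three Collect:: files were zipped. The point for a practitioner reading such a log is the `---^>` section: each of those lines is a legitimate program that the rogue pushed aside by renaming, so the Run key launched whatever had taken its filename.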


----------



## Skaione (Feb 12, 2009)

I can't do this as I get the BSOD with BAD_POOL_CALLER.


----------



## CatByte (Feb 24, 2009)

Try booting into safe mode and running it from safe mode.


Reboot your machine and start tapping F8 on reboot till an advanced menu appears > arrow up to Safe Mode > Enter.


----------



## Skaione (Feb 12, 2009)

This is the ComboFix log file:

ComboFix 10-06-28.01 - Darian 06/30/2010 13:14:49.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1776 [GMT -4:00]
Running from: c:\documents and settings\Darian\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Darian\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Doctor Web Firewall *enabled* {3454C8F1-ECBC-4181-A7F4-04632FBA762B}

FILE ::
"c:\windows\Wfepodivodu.bin"

file zipped: c:\windows\Qvomya.exe
file zipped: c:\windows\system32\igfxrchtr.dll
file zipped: c:\windows\Urasofikahasa.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\nEhA132T.exe
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Application Data\SMBFVHLVAV
c:\documents and settings\All Users\Application Data\SMBFVHLVAV\SMHUXAV.cfg
c:\documents and settings\Darian\Application Data\Security Master AV
c:\documents and settings\Darian\Application Data\Security Master AV\cookies.sqlite
c:\documents and settings\Darian\Application Data\Security Master AV\Instructions.ini
c:\documents and settings\Darian\Local Settings\Application Data\dhjglvkir
c:\documents and settings\Darian\Local Settings\Application Data\htdryreyd
c:\documents and settings\jai\Desktop\Defense Center Support.lnk
c:\documents and settings\jai\Desktop\Defense Center.lnk
c:\documents and settings\jai\Start Menu\Programs\Defense Center
c:\documents and settings\jai\Start Menu\Programs\Defense Center\About.lnk
c:\documents and settings\jai\Start Menu\Programs\Defense Center\Activate.lnk
c:\documents and settings\jai\Start Menu\Programs\Defense Center\Buy.lnk
c:\documents and settings\jai\Start Menu\Programs\Defense Center\Defense Center Support.lnk
c:\documents and settings\jai\Start Menu\Programs\Defense Center\Defense Center.lnk
c:\documents and settings\jai\Start Menu\Programs\Defense Center\Scan.lnk
c:\documents and settings\jai\Start Menu\Programs\Defense Center\Settings.lnk
c:\documents and settings\jai\Start Menu\Programs\Defense Center\Update.lnk
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
c:\program files\Defense Center
c:\program files\Defense Center\about.ico
c:\program files\Defense Center\activate.ico
c:\program files\Defense Center\buy.ico
c:\program files\Defense Center\def.db
c:\program files\Defense Center\defcnt .exe
c:\program files\Defense Center\defcnt.exe
c:\program files\Defense Center\defext.dll
c:\program files\Defense Center\defhook.dll
c:\program files\Defense Center\help.ico
c:\program files\Defense Center\scan.ico
c:\program files\Defense Center\settings.ico
c:\program files\Defense Center\splash.mp3
c:\program files\Defense Center\Uninstall.exe
c:\program files\Defense Center\update.ico
c:\program files\Defense Center\virus.mp3
c:\program files\DivX\DivX Update\DivXUpdate.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Network Associates\Common Framework\udaterui.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\Verizon\McciTrayApp.exe
c:\program files\Verizon\VSP\VerizonServicepoint.exe
c:\windows\PRAGMAcxbeqwhoix
c:\windows\PRAGMAcxbeqwhoix\pragmabbr.dll
c:\windows\PRAGMAcxbeqwhoix\PRAGMAc.dll
c:\windows\PRAGMAcxbeqwhoix\PRAGMAcfg.ini
c:\windows\PRAGMAcxbeqwhoix\PRAGMAd.sys
c:\windows\PRAGMAcxbeqwhoix\pragmaserf.dll
c:\windows\PRAGMAcxbeqwhoix\PRAGMAsrcr.dat
c:\windows\Qvomya.exe
c:\windows\system32\igfxrchtr.dll
c:\windows\Urasofikahasa.dat
c:\windows\Wfepodivodu.bin
d:\hard drive info\Itunes\iTunesHelper.exe


```
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe ---^> c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager .exe ---^> c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility .exe ---^> c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe ---^> c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv .exe ---^> c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
c:\program files\DivX\DivX Update\DivXUpdate .exe ---^> c:\program files\DivX\DivX Update\DivXUpdate.exe
c:\program files\Java\jre6\bin\jusched .exe ---^> c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Network Associates\Common Framework\udaterui .exe ---^> c:\program files\Network Associates\Common Framework\udaterui.exe
c:\program files\QuickTime\qttask   .exe ---^> c:\program files\QuickTime\qttask.exe
c:\program files\Verizon\McciTrayApp .exe ---^> c:\program files\Verizon\McciTrayApp.exe
c:\program files\Verizon\VSP\VerizonServicepoint .exe ---^> c:\program files\Verizon\VSP\VerizonServicepoint.exe
```
.
Infected copy of c:\windows\system32\DRIVERS\compbatt.sys was found and disinfected 
Restored copy from - Kitty ate it  
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMACXBEQWHOIX
-------\Service_PRAGMAcxbeqwhoix

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-27 03:09 . 2010-06-27 03:09 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Identities
2010-06-27 03:08 . 2010-06-27 03:08 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2010-06-27 03:08 . 2010-06-27 03:08 -------- d-----w- c:\documents and settings\Guest\Application Data\Windows Desktop Search
2010-06-27 03:08 . 2010-06-27 03:08 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
2010-06-27 03:08 . 2010-06-27 03:08 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple Computer
2010-06-27 03:08 . 2010-06-27 03:08 -------- d-----w- c:\documents and settings\Guest\Application Data\Verizon
2010-06-27 03:08 . 2010-06-27 03:08 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2010-06-27 03:08 . 2010-06-27 03:08 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\PowerDVD DX
2010-06-26 01:16 . 2010-06-26 01:16 -------- d-s---w- c:\documents and settings\Darian\UserData
2010-06-23 13:00 . 2010-06-23 13:00 388096 ----a-r- c:\documents and settings\Darian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-23 13:00 . 2010-06-23 13:00 -------- d-----w- c:\program files\Trend Micro
2010-06-22 11:17 . 2010-06-22 11:17 348160 ----a-w- c:\documents and settings\jai\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2b7ba3b7-n\msvcr71.dll
2010-06-22 11:17 . 2010-06-22 11:17 503808 ----a-w- c:\documents and settings\jai\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2b7ba3b7-n\msvcp71.dll
2010-06-22 11:17 . 2010-06-22 11:17 499712 ----a-w- c:\documents and settings\jai\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2b7ba3b7-n\jmc.dll
2010-06-22 00:32 . 1997-04-09 00:08 299520 ----a-w- c:\windows\uninst.exe
2010-06-22 00:32 . 2010-06-22 00:32 -------- d-----w- c:\documents and settings\Darian\WINDOWS
2010-06-21 22:24 . 2010-06-21 22:24 -------- d-----w- c:\documents and settings\Darian\Application Data\Uniblue
2010-06-21 22:09 . 2010-06-21 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2010-06-21 22:09 . 2010-06-21 22:09 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-21 22:09 . 2010-06-21 22:09 22328 ----a-w- c:\documents and settings\Darian\Application Data\PnkBstrK.sys
2010-06-21 01:36 . 2010-06-21 01:36 -------- d-----w- c:\program files\BitTorrent
2010-06-21 00:47 . 2010-06-24 23:57 -------- d-----w- c:\program files\Panda Security
2010-06-17 03:35 . 2010-06-21 00:41 -------- d-----w- c:\documents and settings\jai\Local Settings\Application Data\AskToolbar
2010-06-16 23:01 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-06-16 22:58 . 2010-06-16 22:58 -------- d-----w- c:\documents and settings\Darian\Application Data\SEGA
2010-06-16 22:53 . 2010-06-16 22:53 -------- d-----w- c:\documents and settings\Darian\Application Data\Roxio
2010-06-16 22:35 . 2010-06-16 22:35 -------- d-----w- c:\documents and settings\Darian\Application Data\CyberLink
2010-06-16 17:50 . 2010-06-16 17:50 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-16 17:50 . 2010-06-16 17:50 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-15 03:06 . 2010-06-15 03:07 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\Temp
2010-06-14 23:34 . 2010-06-14 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-06-14 23:32 . 2010-06-14 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-06-14 23:29 . 2010-06-14 23:29 -------- d-----w- c:\program files\Adobe Media Player
2010-06-14 23:09 . 2010-06-14 23:30 -------- d-----w- c:\documents and settings\Darian\.gimp-2.6
2010-06-14 22:09 . 2010-06-15 01:18 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\Adobe
2010-06-14 21:57 . 2010-06-21 00:43 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-14 03:27 . 2010-06-14 03:27 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-06-14 02:55 . 2010-06-14 02:55 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-13 22:35 . 2010-06-13 22:35 -------- d-----w- c:\documents and settings\Darian\Application Data\Malwarebytes
2010-06-13 19:40 . 2010-06-13 19:40 -------- d-----w- c:\documents and settings\Darian\Application Data\Windows Search
2010-06-13 19:37 . 2010-06-29 21:38 -------- d-----w- c:\documents and settings\Darian\Application Data\BitTorrent
2010-06-13 18:43 . 2010-06-13 18:43 -------- d-----w- c:\documents and settings\Darian\Application Data\acccore
2010-06-13 18:43 . 2010-06-14 23:04 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\AIM
2010-06-13 18:43 . 2010-06-13 18:43 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\AOL
2010-06-13 18:42 . 2010-06-13 18:42 503808 ----a-w- c:\documents and settings\Darian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-48658e97-n\msvcp71.dll
2010-06-13 18:42 . 2010-06-13 18:42 499712 ----a-w- c:\documents and settings\Darian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-48658e97-n\jmc.dll
2010-06-13 18:42 . 2010-06-13 18:42 348160 ----a-w- c:\documents and settings\Darian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-48658e97-n\msvcr71.dll
2010-06-13 18:20 . 2010-06-13 18:20 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\Identities
2010-06-13 18:20 . 2010-06-13 18:20 -------- d-----w- c:\documents and settings\Darian\Application Data\Windows Desktop Search
2010-06-13 18:20 . 2010-06-13 20:42 -------- d-----w- c:\documents and settings\Darian\Application Data\Apple Computer
2010-06-13 18:20 . 2010-06-13 18:20 -------- d-----w- c:\documents and settings\Darian\DoctorWeb
2010-06-13 18:20 . 2010-06-13 18:20 -------- d-----w- c:\documents and settings\Darian\Application Data\Verizon
2010-06-13 18:20 . 2010-06-13 18:20 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\FLVService
2010-06-13 18:20 . 2010-06-13 18:20 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\PowerDVD DX
2010-06-13 17:44 . 2010-06-13 19:22 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\Apple Computer
2010-06-13 17:42 . 2010-06-13 17:42 -------- d-sh--w- C:\DrWeb Quarantine
2010-06-13 17:25 . 2010-06-13 17:25 -------- d-----w- c:\documents and settings\Darian\Application Data\InstallShield
2010-06-12 14:28 . 2010-06-12 14:28 -------- d-----w- c:\documents and settings\Darian\Application Data\DivX
2010-06-12 14:24 . 2010-06-12 14:24 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\Opera
2010-06-12 14:21 . 2010-06-14 23:41 68064 ----a-w- c:\documents and settings\Darian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-12 14:21 . 2010-06-12 14:21 -------- d-----w- c:\documents and settings\Darian\Local Settings\Application Data\Mozilla
2010-06-11 02:52 . 2010-06-11 02:52 -------- d-----w- c:\documents and settings\jai\DoctorWeb
2010-06-11 02:15 . 2010-06-13 19:05 -------- d-----w- c:\program files\DrWeb
2010-06-11 02:14 . 2010-06-11 02:20 -------- d-----w- c:\windows\SxsCaPendDel
2010-06-10 15:57 . 2010-06-10 15:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-06-09 19:16 . 2010-06-09 19:16 2304 ----a-w- c:\windows\system32\mipsinf.sys
2010-06-09 00:58 . 2010-06-09 00:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-09 00:54 . 2010-06-13 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-08 22:29 . 2010-06-08 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\BSD
2010-06-08 22:28 . 2010-06-08 22:53 -------- d-----w- c:\program files\Common Files\BSD
2010-06-08 22:28 . 2010-05-10 01:17 1571840 ----a-w- c:\windows\bsdsetup.dll
2010-06-08 11:09 . 2010-06-08 11:09 -------- d-----w- c:\documents and settings\jai\Local Settings\Application Data\Opera
2010-06-08 00:22 . 2010-06-08 00:22 -------- d-----w- c:\documents and settings\jai\Local Settings\Application Data\AOL
2010-06-08 00:21 . 2010-06-08 00:21 -------- d-----w- c:\program files\iPod
2010-06-08 00:19 . 2010-06-08 00:19 -------- d-----w- c:\program files\Apple Software Update
2010-06-08 00:19 . 2010-06-08 00:19 -------- d-----w- c:\documents and settings\jai\Local Settings\Application Data\Apple
2010-06-07 00:27 . 2010-06-29 15:37 -------- d-----w- C:\QUARANTINE
2010-06-06 16:54 . 2010-06-08 22:48 -------- d-----w- c:\program files\TrojanHunter 5.3
2010-06-05 19:05 . 2010-06-05 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-05 18:58 . 2010-06-30 17:27 -------- d-----w- c:\program files\QuickTime
2010-06-05 18:54 . 2010-04-16 12:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-06-05 18:54 . 2010-04-16 12:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-06-03 21:38 . 2010-06-03 21:38 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-03 21:38 . 2010-06-03 21:38 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-03 21:37 . 2010-06-03 21:37 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-03 21:37 . 2010-06-03 21:37 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-03 21:37 . 2010-06-03 21:37 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-03 21:37 . 2010-06-03 21:37 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-30 17:27 . 2010-01-31 18:37 -------- d-----w- c:\program files\Verizon
2010-06-30 16:04 . 2010-06-30 14:01 112 ----a-w- c:\documents and settings\All Users\Application Data\Nf83Ph2k.dat
2010-06-29 15:37 . 2009-05-17 13:48 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-06-22 02:12 . 2009-05-24 14:17 -------- d-----w- c:\program files\Opera
2010-06-21 22:08 . 2010-06-21 22:08 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-21 22:08 . 2010-06-21 22:08 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-21 22:08 . 2010-06-21 22:08 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2010-06-21 21:35 . 2009-05-17 18:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-21 04:01 . 2009-10-24 04:30 -------- d-----w- c:\documents and settings\jai\Application Data\BitTorrent
2010-06-21 00:40 . 2009-10-04 01:41 -------- d-----w- c:\program files\AIM Toolbar
2010-06-21 00:37 . 2009-09-12 22:04 -------- d-----w- c:\program files\CCleaner
2010-06-18 02:26 . 2009-06-13 01:02 442 ----a-w- c:\windows\PowerReg.dat
2010-06-18 01:34 . 2009-06-14 21:20 -------- d-----w- c:\program files\Common Files\AOL
2010-06-17 04:06 . 2009-05-17 18:04 68064 ----a-w- c:\documents and settings\jai\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-16 18:49 . 2010-04-19 22:05 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-16 18:49 . 2010-04-03 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-16 17:50 . 2009-06-06 16:25 -------- d-----w- c:\program files\DivX
2010-06-16 17:24 . 2010-04-04 01:32 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-14 23:31 . 2009-06-17 13:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 23:26 . 2009-06-17 13:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-14 02:54 . 2009-10-10 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-13 17:41 . 2010-01-31 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2010-06-12 14:59 . 2009-08-18 20:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-11 02:01 . 2009-06-20 03:23 -------- d-----w- c:\program files\DNA
2010-06-08 00:24 . 2009-10-12 14:54 -------- d-----w- c:\documents and settings\jai\Application Data\Apple Computer
2010-06-08 00:21 . 2009-08-05 00:42 -------- d-----w- c:\program files\Common Files\Apple
2010-06-08 00:19 . 2009-08-05 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-06 23:49 . 2010-01-31 18:47 -------- d-----w- c:\program files\Common Files\Motive
2010-06-05 18:56 . 2009-08-05 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-04 02:43 . 2009-06-03 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 21:38 . 2009-06-06 16:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-03 21:36 . 2010-04-04 01:32 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-19 22:25 . 2010-05-19 22:25 -------- d-----w- c:\program files\Mobipocket.com
2010-05-19 22:23 . 2010-05-19 22:23 -------- d-----w- c:\program files\Abdio
2010-05-17 21:34 . 2010-05-17 21:34 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-14 23:54 . 2010-04-09 03:36 -------- d-----w- c:\program files\IDoser v4
2010-05-13 21:04 . 2010-05-13 00:51 -------- d-----w- c:\program files\Steam
2010-05-08 23:16 . 2009-08-19 16:32 -------- d-----w- c:\program files\Google
2010-04-29 19:39 . 2009-06-03 23:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-06-03 23:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 19:45 . 2010-04-28 19:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-19 22:04 . 2010-04-19 22:04 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-04-19 22:04 . 2010-04-19 22:04 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-04-19 22:04 . 2010-04-19 22:03 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-04-13 23:08 . 2010-04-12 00:02 17480 ----a-w- c:\windows\system32\drivers\hamachi.sys
2010-04-12 21:27 . 2010-04-11 02:36 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-12 21:27 . 2010-04-11 02:36 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-12 21:27 . 2010-04-11 02:36 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-04-06 22:55 . 2010-04-06 22:55 55304 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-04 01:30 . 2010-04-04 01:30 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-04-04 01:30 . 2010-04-04 01:30 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-04-04 01:30 . 2010-04-04 01:30 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-04-04 01:30 . 2010-04-04 01:30 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-04 01:29 . 2010-04-04 01:29 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-04 01:29 . 2010-04-04 01:29 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
.

```
c:\program files\McAfee\VirusScan Enterprise\SHSTAT .exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe
```
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Darian\WINDOWS ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2010-06-29 36356]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"iTunesHelper"="d:\hard drive info\Itunes\iTunesHelper.exe" [N/A]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ijjiOptimizer.exe"=
"d:\\Hard Drive Info\\Itunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
S0 cerc6;cerc6; [x]
S2 gupdate1ca20eac4a94386;Google Update Service (gupdate1ca20eac4a94386);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2009 12:33 PM 133104]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [5/19/2009 9:15 PM 67904]
S2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [1/31/2010 2:51 PM 668912]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/19/2009 9:15 PM 64432]
S3 mipsinf;mipsinf;c:\windows\system32\mipsinf.sys [6/9/2010 3:16 PM 2304]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\AdobeAAMUpdater-1.0-6400SOOKHAI-Darian.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-14 07:44]

2010-06-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-06-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-19 16:32]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-19 16:33]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-19 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=10148&l=dis
uInternet Connection Wizard,ShellNext = hxxp://www.acidbig.com/ac.php?aid=391&sid=direct
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Darian\Application Data\Mozilla\Firefox\Profiles\la5sqfqe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: d:\hard drive info\Itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\fuegofox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\fuegofox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\fuegofox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\fuegofox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\fuegofox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
d:\fuegofox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\fuegofox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\fuegofox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\fuegofox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\fuegofox\greprefs\all.js - pref("network.proxy.type", 5);
d:\fuegofox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\fuegofox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\fuegofox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\fuegofox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\fuegofox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\fuegofox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\fuegofox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\fuegofox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\fuegofox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\fuegofox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\fuegofox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\fuegofox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\fuegofox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\fuegofox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\fuegofox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Defense Center - c:\program files\Defense Center\Pklkvqdii+`}`

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-30 13:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(276)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-06-30 13:33:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-30 17:33
ComboFix2.txt 2010-06-28 23:32

Pre-Run: 12,408,860,672 bytes free
Post-Run: 12,602,298,368 bytes free

- - End Of File - - 34B9CFC2615720ED0EAD502905850865

Here is the VirScan

VirSCAN.org Scanned Report :
Scanned time : 2010/06/30 13:44:43 (EDT)
Scanner results: 50% Scanner(s) (18/36) found malware!
File Name : mipsinf.sys
File Size : 2304 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 6a94289ca78bcc44e8170b80cec9ab16
SHA1 : 7d9f0367c13aeed4246e7afd1d8cfaa5b8c9d15d
Online report : http://virscan.org/report/0aa23141ca80a46632e13210a2c5bb44.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100701013121 2010-07-01 5.02 Trojan.Agent_r!IK
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 1.47 -
AntiVir 8.2.4.2 7.10.8.235 2010-06-30 0.27 TR/Dldr.Geral.twj
Antiy 2.0.18 20100630.4810408 2010-06-30 0.12 -
Arcavir 2009 201006281601 2010-06-28 0.00 -
Authentium 5.1.1 201006292201 2010-06-29 1.27 -
AVAST! 4.7.4 100630-1 2010-06-30 0.00 -
AVG 8.5.793 271.1.1/2973 2010-06-30 0.22 Agent_r.GW
BitDefender 7.90123.6351685 7.32507 2010-06-30 3.79 Trojan.Generic.4196792
ClamAV 0.96.1 11293 2010-06-30 0.01 -
Comodo 3.13.579 5263 2010-06-30 0.85 -
CP Secure 1.3.0.5 2010.06.30 2010-06-30 0.03 -
Dr.Web 5.0.2.3300 2010.06.30 2010-06-30 8.41 Trojan.Sixtofour.1
F-Prot 4.4.4.56 20100629 2010-06-29 1.29 -
F-Secure 7.02.73807 2010.06.30.03 2010-06-30 0.11 Trojan-Downloader.Win32.Geral.twj [AVP]
Fortinet 4.1.133 12.98 2010-06-29 0.14 W32/Rootkit.Q!tr.dldr
GData 21.435/21.159 20100630 2010-06-30 7.04 Trojan-Downloader.Win32.Geral.twj [Engine:A]
ViRobot 20100629 2010.06.29 2010-06-29 0.38 -
Ikarus T3.1.01.84 2010.06.30.76169 2010-06-30 6.97 Trojan.Agent_r
JiangMin 13.0.900 2010.06.30 2010-06-30 1.22 TrojanDownloader.Geral.bvf
Kaspersky 5.5.10 2010.06.30 2010-06-30 0.08 Trojan-Downloader.Win32.Geral.twj
KingSoft 2009.2.5.15 2010.6.30.18 2010-06-30 0.61 -
McAfee 5400.1158 6029 2010-06-30 16.70 Generic.dx!tbz
Microsoft 1.5902 2010.06.30 2010-06-30 6.75 -
Norman 6.05.10 6.05.00 2010-06-29 6.01 -
Panda 9.05.01 2010.06.27 2010-06-27 1.83 W32/Spamta.QO.worm 
Trend Micro 9.120-1004 7.276.11 2010-06-30 0.02 TROJ_GERAL.AX
Quick Heal 10.00 2010.06.30 2010-06-30 1.51 -
Rising 20.0 22.54.02.04 2010-06-30 0.73 Trojan.Win32.Generic.520929C0
Sophos 3.07.1 4.54 2010-06-30 3.65 Mal/Rootkit-Q
Sunbelt 3.9.2426.2 6524 2010-06-29 7.70 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20100629.002 2010-06-29 0.23 -
nProtect 20100629.01 8851204 2010-06-29 7.68 Trojan-Downloader/W32.Geral.2304.M
The Hacker 6.5.2.0 v00306 2010-06-29 0.31 -
VBA32 3.12.12.5 20100630.0947 2010-06-30 2.75 -
VirusBuster 4.5.11.10 10.126.110/2042334 2010-06-30 2.34 -


----------



## Skaione (Feb 12, 2009)

I don't know if this is relevant, but the other account on the computer couldn't handle .exe files. I fixed it; I just thought I should let you know.


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click* Start > Run* type *Notepad* click *OK.*
This will open an empty notepad file:

*Copy* all the text *inside of the code box* - *Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
http://forums.techguy.org/7469107-post15.html

Collect::
c:\documents and settings\All Users\Application Data\Nf83Ph2k.dat
c:\windows\system32\mipsinf.sys

RenV::
c:\program files\McAfee\VirusScan Enterprise\SHSTAT .exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe

Folder::
c:\documents and settings\Darian\WINDOWS

Driver::
mipsinf
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')
*Save this file to your desktop, Save this as "CFScript"*

Here's how to do that:

1.Click *File*;
2.Click *Save As*... Change the directory to your *desktop*;
3.Change the* Save as type* to *"All Files";*
4.Type in the file name: *CFScript*
5.Click *Save ...*

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*

CAUTION: *Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.

*NEXT*


Please open your *MalwareBytes AntiMalware* Program
Click the *Update Tab* and *search for updates*
If an update is found, it will download and install the latest version.
Once the program has loaded, select* "Perform Quick Scan"*, then click* Scan.*
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that everything is checked, and click *Remove Selected*. <-- very important
When disinfection is completed, a *log* will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
*Copy&Paste the entire report in your next reply.*

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. 


*NEXT*

*Vista users - right click on the IE icon and run as administrator*

*Run an on-line scan with Kaspersky*

Using Internet Explorer or Firefox, visit *Kaspersky On-line Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions. 
*2.* To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan
*3.* Click *Run* at the Security prompt. 
The program will then begin downloading and installing and will also update the database. 
Please be patient as this can take several minutes. 

Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan. 
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. 
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined. 
Click *View scan report* at the bottom.

Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply
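The two marks the script above acts on can be checked mechanically rather than by eye. The Python below is an added example, not code from this thread or from ComboFix: it reads a ComboFix-style log (the excerpt is constructed from lines quoted earlier in the thread) and reports autostart entries whose target has a space before its extension, whose target is gone (`[X]`), or whose target has a same-named sibling carrying the space (`SHSTAT.EXE` beside `SHSTAT .exe`), the pair that the `RenV::` directive renames back. The `Finding` type and the reason codes are my own.

```python
"""Triage a ComboFix-style log for the renamed-executable pattern.

Added example for this thread; not part of ComboFix and not code posted
by either participant. The log excerpt is constructed from lines quoted
earlier in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\McAfee\VirusScan Enterprise\SHSTAT .exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2010-06-29 36356]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [N/A]
"iTunesHelper"="d:\hard drive info\Itunes\iTunesHelper.exe" [N/A]
"""

EXT = r"(?:exe|dll|sys|scr|com)"
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
IMAGE_RE = re.compile(r"^(?P<path>.*?\." + EXT + r")(?=\s|$)", re.IGNORECASE)
SPACED_RE = re.compile(r"\s\." + EXT + r"$", re.IGNORECASE)
BARE_PATH_RE = re.compile(r"^[a-z]:\\.*\s\." + EXT + r"$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    path: str
    reason: str  # "spaced-ext", "missing" or "renamed-sibling"


def canonical(path):
    """Lower-case and drop the space before the extension, so 'X .exe' == 'x.exe'."""
    return re.sub(r"\s+(\.\w+)$", r"\1", path.strip().lower())


def spaced_files(log):
    """Bare paths in the log with a space before the extension (the 'Look' list)."""
    return {canonical(line) for line in log.splitlines()
            if BARE_PATH_RE.match(line.strip())}


def autostarts(log):
    """Yield (registry key, value name, image path, stamp) for each quoted Run entry."""
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            cmd = m.group("cmd")
            img = IMAGE_RE.match(cmd)  # strip arguments such as '-scheduler'
            yield key, m.group("name"), (img.group("path") if img else cmd), m.group("stamp")


def triage(log):
    """Return one Finding per (autostart, reason) that deserves a second look."""
    renamed = spaced_files(log)
    findings = []
    for key, name, path, stamp in autostarts(log):
        spaced = bool(SPACED_RE.search(path))
        if spaced:
            findings.append(Finding(key, name, path, "spaced-ext"))
        if stamp == "X":  # ComboFix marks a target it could not find with [X]
            findings.append(Finding(key, name, path, "missing"))
        if not spaced and canonical(path) in renamed:
            findings.append(Finding(key, name, path, "renamed-sibling"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:15} {f.name:30} {f.path}")
```

Run it against a full ComboFix log and the `renamed-sibling` hits are the ones to confirm on disk before writing a `RenV::` block: the unspaced file at that path is the suspect, the spaced one is the original that the autostart used to launch.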


----------



## Skaione (Feb 12, 2009)

Hey Catbyte,
I wanted to say thanks for all your help as you really did make an impact on my computer, but the effort is no longer needed as my dad just reinstalled the operating system.

I was wondering if there are any programs you recommend?


----------



## CatByte (Feb 24, 2009)

I always recommend Malwarebytes Antimalware

Microsoft Security Essentials

and the Web of Trust


thanks for letting me know

stay safe

~CB


----------



## Skaione (Feb 12, 2009)

I am on a new computer, and I googled Web of Trust, and I got redirected.
The only thing I downloaded was SpywareGuard CCleaner and Divx Web Player.
I saw spyware guard on this site, CCleaner I use on my desktop (which has no problems) and Divx I am quite sure is clean. Could it be my provider?


----------



## Skaione (Feb 12, 2009)

Should I keep posting here or make a new thread?


----------



## CatByte (Feb 24, 2009)

Hi

Please post a DDS log, Attach.txt and GMER scan

for the new computer.

Are you using the same router as the other computer?

If so reset the router:


This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. 
Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). 
If you don't know the router's default password, you can look it up. HERE
You also need to reconfigure any security settings you had in place prior to the reset. 
You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

then flush the DNS


Go to *Start > Run* > type: *cmd*
Press *OK *or Hit Enter.
At the command prompt, type or copy/paste: *ipconfig /flushdns* (note the space in "...g /f..."; it needs to be there)
Hit *Enter.*
You will get a confirmation that the flush was successful.
Close the command box.
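A way to see, after the reset, which DNS servers the machine was actually handed. This is an added example, not code from the thread; the ISP resolver addresses in it are placeholders, and the `ipconfig /all` text is a constructed sample with one deliberately unexpected server.

```python
"""Audit the DNS servers a Windows host got from its router.

Added example for this thread, not code posted in it. It parses `ipconfig /all`
output (the sample below is constructed) and reports any DNS server that is
neither the default gateway (the router answering for the LAN) nor one of the
resolvers the ISP is known to hand out. The ISP addresses and the rogue
203.0.113.7 entry are placeholders from the RFC 5737 documentation ranges.
"""
import ipaddress
import re

# Placeholder for the resolvers your ISP says your network should use.
ISP_RESOLVERS = ["198.51.100.10", "198.51.100.11"]

# Constructed sample in the layout `ipconfig /all` prints on Windows XP.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            192.168.1.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
GATEWAY_RE = re.compile(r"^\s*Default Gateway[ .]*:\s*(" + IPV4 + r")")
DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(" + IPV4 + r")")
CONT_RE = re.compile(r"^\s+(" + IPV4 + r")\s*$")  # continuation line under "DNS Servers"


def parse_ipconfig(text):
    """Return (default gateway, [dns servers in order]) from `ipconfig /all` output."""
    gateway, servers, in_dns = None, [], False
    for line in text.splitlines():
        m = GATEWAY_RE.match(line)
        if m:
            gateway, in_dns = m.group(1), False
            continue
        m = DNS_RE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line)
        if in_dns and m:
            servers.append(m.group(1))
            continue
        in_dns = False
    return gateway, servers


def audit_dns(text, expected_resolvers):
    """DNS servers that are neither the gateway nor an expected ISP resolver."""
    gateway, servers = parse_ipconfig(text)
    allowed = {ipaddress.ip_address(a) for a in expected_resolvers}
    if gateway:
        allowed.add(ipaddress.ip_address(gateway))
    return [s for s in servers if ipaddress.ip_address(s) not in allowed]


if __name__ == "__main__":
    rogue = audit_dns(SAMPLE_IPCONFIG, ISP_RESOLVERS)
    print("unexpected DNS servers:", rogue or "none")
```

On the affected machine, run `ipconfig /all > ipconfig.txt` and feed the file to `audit_dns`. A clean result is not conclusive on its own: when the only server listed is the router itself, the host forwards to whatever the router's own WAN DNS setting says, so after the reset compare that setting in the router's admin page with the ISP's addresses as well.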


----------



## Skaione (Feb 12, 2009)

Here is the DDS

DDS (Ver_10-03-17.01) - NTFSx86 
Run by king at 21:06:51.93 on Fri 07/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1260 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
svchost.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\king\Desktop\Malware\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277495900906
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\king\applic~1\mozilla\firefox\profiles\5822chp1.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-7-6 93320]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-6-28 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-6-25 88192]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-6-28 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-6-28 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-6-28 170408]
S0 cerc6;cerc6; [x]

=============== Created Last 30 ================

2010-07-09 16:18:02 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-09 16:18:00 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-09 16:17:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-09 16:17:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-07 20:36:49 0 d-----w- c:\windows\system32\XPSViewer
2010-07-07 20:35:49 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-07 20:35:49 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-07 20:35:49 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-07 20:35:49 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-07 20:35:49 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-07 20:35:49 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-07 20:35:49 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-07 20:35:47 0 d-----w- C:\48519f810407baa651
2010-07-07 17:02:30 0 d-----w- c:\program files\common files\DivX Shared
2010-07-07 17:00:54 0 d-----w- c:\program files\DivX
2010-07-07 17:00:32 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-07-07 01:06:56 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-07-07 01:06:56 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-07-07 01:06:51 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-07-07 01:06:51 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-07-07 00:57:04 0 d-----w- c:\program files\CCleaner
2010-07-07 00:36:17 0 d-----w- c:\program files\SpywareGuard
2010-07-06 13:01:02 0 d-----w- c:\windows\pss
2010-06-28 16:45:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Uninstall
2010-06-28 16:45:35 0 d-----w- c:\program files\common files\SureThing Shared
2010-06-28 16:44:16 0 d-----w- c:\program files\common files\Sonic Shared
2010-06-28 16:43:23 0 d-----w- c:\program files\Roxio
2010-06-28 16:42:48 0 d-----w- c:\docume~1\king\applic~1\Roxio Log Files
2010-06-28 16:39:48 280 ----a-w- c:\windows\system32\epoPGPsdk.dll.sig
2010-06-28 16:39:48 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll
2010-06-28 16:39:48 0 d-----w- c:\program files\common files\Cisco Systems
============= FINISH: 21:07:38.29 ===============


----------



## CatByte (Feb 24, 2009)

Please do the following:

Download Bootkit Remover to your desktop.
This is a rar file; if you do not have a program to open it, then download and install PeaZip.

Extract *Remover.exe* to your desktop
Double click *Remover.exe* to run it
It will show a black screen with some data on it
*Right click* on the screen and select > *Select All*
Press *Control+C*
Now open a *notepad* and press *Control+V*
Post the resultant log here please

*NEXT*

Download *ComboFix* from one of the following locations:
*Link 1*
*Link 2*

VERY IMPORTANT !!! Save ComboFix.exe to your *Desktop*

* IMPORTANT - *Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on *ComboFix.exe* & follow the prompts.
As part of its process, *ComboFix will check to see if the Microsoft Windows Recovery Console* is installed. With malware infections being as they are today, it's *strongly recommended* to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
*Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.*

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

*Click on Yes*, to continue scanning for malware.
When finished, it shall produce a log for you. *Please include the C:\ComboFix.txt in your next reply.*
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.


----------



## Skaione (Feb 12, 2009)

Bootkit logs, the ComboFix is attached

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Press any key to quit...

thanks


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Please open your *MalwareBytes AntiMalware* program
Click the *Update Tab* and *search for updates*
If an update is found, it will download and install the latest version.
Once the program has loaded, select *"Perform Quick Scan"*, then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that everything is checked, and click *Remove Selected*. <-- very important
When disinfection is completed, a *log* will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
*Copy&Paste the entire report in your next reply.*

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


*NEXT*

*Run an on-line scan with Kaspersky*

Using Internet Explorer or Firefox, visit *Kaspersky On-line Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions. 
*2.* To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan
*3.* Click *Run* at the Security prompt. 
The program will then begin downloading and installing and will also update the database. 
Please be patient as this can take several minutes. 

Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan. 
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. 
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined. 
Click *View scan report* at the bottom.

Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply.


----------



## Skaione (Feb 12, 2009)

I'm going to do the Kaspersky right now

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4300

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2010 8:11:40 PM
mbam-log-2010-07-10 (20-11-40).txt

Scan type: Quick scan
Objects scanned: 130000
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## Skaione (Feb 12, 2009)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, July 10, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, July 10, 2010 20:43:12
Records in database: 4241289
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 26467
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 00:43:59

No threats found. Scanned area is clean.

Selected area has been scanned.


----------



## CatByte (Feb 24, 2009)

Hi

Have the redirects stopped?

How is the computer behaving?

Are there any outstanding issues?


----------



## Skaione (Feb 12, 2009)

The redirects haven't stopped and I get pop ups.

No real virus, but I get redirects to "malicious sites", as told by McAfee SiteAdvisor.


----------



## CatByte (Feb 24, 2009)

Hi

Did you reset the router and flush the DNS?

Please run the following programs:

Download *TFC* to your *desktop*

Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run.
Click the *Start* button to begin the process.
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically *reboot your machine*;
if it doesn't, manually reboot to ensure a complete clean.
*It's normal after running TFC cleaner that the PC will be slower to boot the first time.*

*NEXT*

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Minimal Output*.
Check the boxes beside *LOP Check* and *Purity Check*.
Under the Custom Scan box paste this in:

```
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
```

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post them in your next reply.


----------



## Skaione (Feb 12, 2009)

I reset it and flushed, but

"If you don't know the router's default password, you can look it up. HERE
You also need to reconfigure any security settings you had in place prior to the reset.
You may also need to consult with your Internet service provider to find out which DNS servers your network should be using."

I didn't need this, I don't think, so I just skipped it.


----------



## CatByte (Feb 24, 2009)

Please do the following:

Please download *Rootkit Unhooker* and save it on your desktop.

Disable your security programs
Double click *RKUnhookerLE.exe* to run it
Click the *Report* tab, then click *Scan*
Check *Drivers, Stealth Code, Files, and Code Hooks*
Uncheck the rest, then click *OK*
When prompted to Select Disks for Scan, make sure *C:\* is checked and click OK
Wait till the scanner has finished then go *File > Save Report*
Save the report somewhere you can find it. Click Close
Copy the entire contents of the report and paste it in your next reply.
*Note - You may get this warning, it is ok, just ignore it:*
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
*NEXT*

Run *OTL.exe*

Copy/paste the following text written *inside of the code box* into the *Custom Scans/Fixes* box located at the bottom of OTL


```
:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 213.109.65.65

:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
Then post the OTL log


----------
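
The redirects in this thread trace back to the O17 entry above, where the DHCP-assigned resolver list contains a second, non-LAN address. As an added, defender-side example (not OTL's code and not part of this thread), the following Python parses OTL-style O17 lines and flags any resolver outside the local network that is not on an allowlist; the interface GUID, the static NameServer line, the O4 line and the allowlist are constructed for illustration.

```python
"""Flag suspicious DNS resolvers in OTL-style O17 lines.

Added example for this thread; it is not OTL's own code.
"""
import ipaddress
import re

# Constructed sample input. The first line mirrors the O17 entry fixed in this
# thread; the interface GUID, the static NameServer line and the O4 line are
# made up for illustration.
SAMPLE_O17_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 213.109.65.65",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EXAMPLE-GUID}: DhcpNameServer = 192.168.1.1",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 8.8.8.8",
    r"O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe ()",
]

# "O17 - <registry key>: <value name> = <one or more servers>"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<name>\w+) = (?P<servers>.+)$")


def parse_o17(line):
    """Return {"key", "name", "servers"} for an O17 line, or None for any other line."""
    match = O17_RE.match(line.strip())
    if not match:
        return None
    # The registry value may separate servers with spaces or commas.
    servers = [s for s in re.split(r"[\s,]+", match.group("servers")) if s]
    return {"key": match.group("key"), "name": match.group("name"), "servers": servers}


def classify_server(server, allowlist):
    """Return a reason string if the resolver looks suspicious, else None."""
    if server in allowlist:
        return None
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "not an IP address"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return None  # the router or another LAN host: expected on a home network
    return "public resolver not on the allowlist"


def audit_dns(lines, allowlist=()):
    """Scan OTL output lines and return one finding per suspicious resolver."""
    allowed = set(allowlist)
    findings = []
    for line in lines:
        entry = parse_o17(line)
        if entry is None:
            continue
        for server in entry["servers"]:
            reason = classify_server(server, allowed)
            if reason:
                findings.append({"key": entry["key"], "name": entry["name"],
                                 "server": server, "reason": reason})
    return findings


if __name__ == "__main__":
    # Allowlist the resolvers the ISP or admin actually configured (constructed here).
    for finding in audit_dns(SAMPLE_O17_LINES, allowlist={"8.8.8.8"}):
        print(f"{finding['name']} in {finding['key']}: {finding['server']} -> {finding['reason']}")
```

A DHCP-assigned resolver that the router did not hand out usually means the router's own DNS settings were changed, which is why the reset and flush were asked for earlier in the thread.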



## Skaione (Feb 12, 2009)

Here are the 2 logs from the scans


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Download *TDSSKiller* and save it to your Desktop.

*Extract* the file and *run it.*

Once completed it will create a log in your *C:\* drive called TDSSKiller_*** (*** denotes version & date)

Please post the content of the TDSSKiller log


----------



## Skaione (Feb 12, 2009)

Hey, sorry for the wait, I went away on vacation to a place with no internet =\

This is the logfile


14:15:15:062 1744 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
14:15:15:062 1744 ================================================================================
14:15:15:062 1744 SystemInfo:

14:15:15:062 1744 OS Version: 5.1.2600 ServicePack: 3.0
14:15:15:062 1744 Product type: Workstation
14:15:15:062 1744 ComputerName: HOME-A27E18600D
14:15:15:062 1744 UserName: king
14:15:15:062 1744 Windows directory: C:\WINDOWS
14:15:15:062 1744 System windows directory: C:\WINDOWS
14:15:15:062 1744 Processor architecture: Intel x86
14:15:15:062 1744 Number of processors: 1
14:15:15:062 1744 Page size: 0x1000
14:15:15:062 1744 Boot type: Normal boot
14:15:15:062 1744 ================================================================================
14:15:15:453 1744 Initialize success
14:15:15:453 1744 
14:15:15:453 1744 Scanning Services ...
14:15:15:984 1744 Raw services enum returned 326 services
14:15:16:000 1744 
14:15:16:000 1744 Scanning Drivers ...
14:15:25:906 1744 
14:15:25:906 1744 Completed
14:15:25:906 1744 
14:15:25:906 1744 Results:
14:15:25:906 1744 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:15:25:906 1744 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:15:25:906 1744 
14:15:25:906 1744 KLMD(ARK) unloaded successfully


----------



## CatByte (Feb 24, 2009)

Please delete the copy of combofix that you have on your desktop and download a fresh copy and run it:

*Link 1* 

Remember to disable your security programs

*NEXT*

Please download MBRCheck.exe to your desktop.

Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press *N* then press *Enter* twice.
If nothing unusual is found just press *Enter*
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. 
Please post the contents of that file.


----------
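
Both Bootkit Remover (earlier in the thread, which printed an MD5 and "DOS/Win32 Boot code found") and MBRCheck read the first sector of the disk and judge whether the boot code looks normal. As an added example, not the code of either tool, here is a minimal version of that check in Python: it validates the 0x55AA signature, hashes the 440-byte boot-code region against a known-good baseline and sanity-checks the partition table. The MBR bytes and the baseline are constructed inline, and which bytes the real tools hash is an assumption.

```python
"""Minimal MBR integrity check in the spirit of Bootkit Remover / MBRCheck.

Added example for this thread; not the code of either tool.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code (assumed hash region)
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # 0x55 0xAA marks a valid MBR

# Constructed stand-in for boot code: the first instructions of a classic
# Windows MBR (xor ax,ax / mov ss,ax / mov sp,0x7C00); the rest is zero-padded.
SAMPLE_BOOT_CODE = bytes.fromhex("33c08ed0bc007c")


def build_sample_mbr(boot_code, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a constructed 512-byte MBR for offline testing.

    partitions: list of (bootable, type_byte, lba_start, sector_count)
    """
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    mbr[440:444] = disk_sig                     # Windows disk signature
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        mbr[off] = 0x80 if bootable else 0x00   # status byte
        mbr[off + 4] = ptype                    # partition type
        struct.pack_into("<II", mbr, off + 8, lba, count)
    mbr[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return signature status, boot-code MD5 and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            entries.append({"index": i, "active": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xAA",
        "boot_code_present": any(mbr[:BOOT_CODE_LEN]),
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
    }


def check_mbr(mbr, baseline_md5=None):
    """Return a list of findings; an empty list means nothing unusual was seen."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if not info["boot_code_present"]:
        findings.append("boot code region is empty")
    if baseline_md5 and info["boot_code_md5"] != baseline_md5:
        findings.append("boot code hash differs from baseline (possible bootkit or re-written MBR)")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) > 1:
        findings.append("more than one active partition")
    if any(p["active"] and p["lba_start"] == 0 for p in info["partitions"]):
        findings.append("active partition starts at LBA 0 (overlaps the MBR)")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr(SAMPLE_BOOT_CODE, [(True, 0x07, 63, 115000000)])
    baseline = parse_mbr(good)["boot_code_md5"]   # record this from a clean install
    changed = bytearray(good)
    changed[0] ^= 0xFF                            # constructed one-byte change to the boot code
    print("clean:  ", check_mbr(good, baseline))
    print("changed:", check_mbr(bytes(changed), baseline))
```

On a live system the 512 bytes would come from reading \\.\PhysicalDrive0 with administrator rights, and the baseline hash should be recorded from a known-clean installation of the same Windows version.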



## Skaione (Feb 12, 2009)

ComboFix log

ComboFix 10-07-23.04 - king 07/24/2010 10:56:54.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1595 [GMT -4:00]
Running from: c:\documents and settings\king\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-07 17:03 . 2010-07-07 17:03 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-07-07 17:03 . 2010-07-07 17:03 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-07-07 17:02 . 2010-07-07 17:02 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-07-07 17:02 . 2010-07-07 17:02 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-07-07 17:02 . 2010-07-07 17:02 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-07-07 17:02 . 2010-07-07 17:02 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-07-07 17:02 . 2010-07-07 17:02 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-07-07 17:02 . 2010-07-07 17:02 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-07-07 17:02 . 2010-07-07 17:02 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-07-07 17:02 . 2010-07-07 17:02 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-07-07 17:00 . 2010-07-17 20:01 -------- d-----w- c:\program files\DivX
2010-07-07 17:00 . 2010-07-07 17:00 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-07-07 17:00 . 2010-07-07 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-07 01:06 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-07-07 01:06 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-07-07 01:06 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-07-07 01:06 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-07-07 00:57 . 2010-07-07 00:57 -------- d-----w- c:\program files\CCleaner
2010-07-07 00:36 . 2010-07-07 17:01 -------- d-----w- c:\program files\SpywareGuard
2010-07-06 23:44 . 2010-07-06 23:44 0 ----a-w- c:\windows\nsreg.dat
2010-07-06 23:44 . 2010-07-06 23:44 -------- d-----w- c:\documents and settings\king\Local Settings\Application Data\Mozilla
2010-06-28 16:44 . 2010-06-28 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-06-28 16:44 . 2010-06-28 16:44 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-06-28 16:43 . 2010-06-28 16:44 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-06-28 16:43 . 2010-06-28 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-06-28 16:43 . 2010-06-28 16:45 -------- d-----w- c:\program files\Roxio
2010-06-28 16:42 . 2010-06-28 16:42 -------- d-----w- c:\documents and settings\king\Application Data\Roxio Log Files
2010-06-28 16:42 . 2010-06-28 16:42 -------- d-----w- c:\documents and settings\king\Application Data\CyberLink
2010-06-28 16:39 . 2010-06-28 16:39 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-06-28 16:39 . 2006-12-19 19:06 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll
2010-06-28 16:39 . 2010-07-07 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-28 16:39 . 2006-11-30 12:50 64360 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-28 16:39 . 2006-11-30 12:50 34152 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-28 16:39 . 2006-11-30 12:50 72264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-28 16:39 . 2006-11-30 12:50 52136 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-06-28 16:39 . 2007-02-23 00:50 170408 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-06-28 16:39 . 2010-07-08 02:50 -------- d-----w- c:\program files\McAfee
2010-06-28 16:39 . 2010-07-07 01:14 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-28 16:35 . 2010-06-28 16:35 -------- d-----w- c:\documents and settings\king\Local Settings\Application Data\PowerDVD DX
2010-06-28 16:35 . 2010-06-28 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-06-28 16:34 . 2010-06-28 16:34 -------- d-----w- c:\program files\CyberLink
2010-06-28 16:34 . 2008-02-26 14:57 89088 ----a-w- c:\windows\system32\atl71.dll
2010-06-28 16:34 . 2008-02-26 14:57 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-28 16:34 . 2008-02-26 14:57 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-28 16:34 . 2008-02-26 14:57 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-06-28 16:34 . 2008-02-26 14:57 1047552 ----a-w- c:\windows\system32\MFC71u.dll
2010-06-25 21:42 . 2010-06-25 21:42 -------- d-----w- c:\documents and settings\king\Application Data\Malwarebytes
2010-06-25 21:42 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-25 21:42 . 2010-06-25 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-25 21:42 . 2010-06-25 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-25 21:42 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-25 21:35 . 2010-06-25 21:35 -------- d-----w- c:\program files\AVG
2010-06-25 21:35 . 2010-07-07 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-25 21:12 . 2007-04-09 17:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-06-25 21:12 . 2007-04-09 17:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-06-25 21:11 . 2010-06-25 21:11 -------- d-----w- c:\program files\Common Files\L&H
2010-06-25 21:11 . 2010-06-25 21:11 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-25 21:10 . 2010-06-25 21:16 -------- d-----w- c:\program files\Microsoft Works
2010-06-25 21:09 . 2010-06-25 21:11 -------- d-----w- c:\windows\SHELLNEW
2010-06-25 21:09 . 2010-06-25 21:09 -------- d-----w- c:\program files\Microsoft.NET
2010-06-25 21:02 . 2010-06-25 21:02 -------- d-----w- c:\program files\Intel
2010-06-25 21:02 . 2010-06-25 21:02 -------- d-----w- c:\program files\Common Files\Intel
2010-06-25 21:02 . 2010-06-25 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2010-06-25 21:01 . 2010-07-09 14:46 63592 ----a-w- c:\documents and settings\king\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 21:01 . 2010-06-25 21:06 -------- d-----w- c:\documents and settings\king\Local Settings\Application Data\Deployment
2010-06-25 20:43 . 2010-06-25 20:43 -------- d-sh--w- c:\documents and settings\king\PrivacIE
2010-06-25 20:33 . 2005-10-14 18:45 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-06-25 20:33 . 2010-06-25 20:33 -------- d-sh--w- c:\documents and settings\king\IETldCache
2010-06-25 20:26 . 2010-07-06 23:30 -------- d-----w- c:\windows\ie8updates
2010-06-25 20:26 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-25 20:25 . 2010-06-25 20:26 -------- dc-h--w- c:\windows\ie8
2010-06-25 20:13 . 2008-04-14 04:09 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
2010-06-25 20:13 . 2008-04-14 04:09 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2010-06-25 20:13 . 2010-06-25 20:13 -------- d-----w- c:\program files\Sigmatel
2010-06-25 20:13 . 2008-04-14 09:41 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2010-06-25 20:13 . 2008-04-14 09:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-06-25 20:13 . 2008-04-14 04:49 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-06-25 20:13 . 2008-04-14 04:49 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-06-25 20:13 . 2008-04-14 04:15 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-06-25 20:13 . 2008-04-14 04:15 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-06-25 20:13 . 2010-06-25 20:13 -------- d-----w- c:\program files\CONEXANT
2010-06-25 20:10 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-25 20:05 . 2010-02-17 13:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-06-25 20:05 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-25 20:05 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-25 20:05 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-06-25 20:03 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-25 20:03 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-25 20:00 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-25 20:00 . 2010-07-13 19:45 -------- d--h--w- c:\windows\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 02:55 . 2010-06-25 19:44 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-07 20:36 . 2010-07-07 20:36 -------- d-----w- c:\program files\MSBuild
2010-07-07 20:36 . 2010-07-07 20:36 -------- d-----w- c:\program files\Reference Assemblies
2010-06-28 16:45 . 2010-06-28 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
2010-06-28 16:45 . 2010-06-28 16:45 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-06-28 16:43 . 2010-06-25 19:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-28 16:34 . 2010-06-25 19:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-25 21:03 . 2010-06-25 21:03 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2010-06-25 21:03 . 2010-06-25 21:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2010-06-25 21:03 . 2010-06-25 21:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2010-06-25 21:03 . 2010-06-25 21:03 -------- d-----w- c:\documents and settings\king\Application Data\Intel
2010-06-25 21:03 . 2010-06-25 21:03 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2010-06-25 19:57 . 2010-06-25 19:57 -------- d-----w- c:\program files\Broadcom
2010-06-25 19:46 . 2010-06-25 19:46 -------- d-----w- c:\program files\microsoft frontpage
2010-06-25 19:41 . 2010-06-25 19:41 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-14 14:31 . 2010-06-25 19:42 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40 . 2008-11-18 21:15 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 18:40 . 2007-11-14 18:08 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-27 18:40 . 2007-11-14 18:08 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40 . 2007-11-14 07:00 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40 . 2007-10-17 06:00 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40 . 2007-10-17 06:00 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
.

((((((((((((((((((((((((((((( [email protected]_17.11.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-24 13:41 . 2010-07-24 13:41 16384 c:\windows\temp\Perflib_Perfdata_694.dat
+ 2010-07-11 00:14 . 2010-07-11 00:14 153376 c:\windows\system32\javaws.exe
+ 2010-07-11 00:14 . 2010-07-11 00:14 145184 c:\windows\system32\javaw.exe
+ 2010-07-11 00:14 . 2010-07-11 00:14 145184 c:\windows\system32\java.exe
+ 2010-06-25 19:42 . 2010-06-14 14:31 744448 c:\windows\system32\dllcache\helpsvc.exe
- 2010-06-25 19:42 . 2008-04-14 12:00 744448 c:\windows\system32\dllcache\helpsvc.exe
+ 2010-07-11 00:15 . 2010-07-11 00:15 180224 c:\windows\Installer\19ffbbd.msi
+ 2010-07-11 00:14 . 2010-07-11 00:14 576000 c:\windows\Installer\19ffbb7.msi
+ 2010-06-25 20:25 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [7/6/2010 9:14 PM 93320]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [6/25/2010 5:07 PM 88192]
S0 cerc6;cerc6; [x]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\king\Application Data\Mozilla\Firefox\Profiles\5822chp1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 11:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3760)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-07-24 11:02:43
ComboFix-quarantined-files.txt 2010-07-24 15:02
ComboFix2.txt 2010-07-10 17:13

Pre-Run: 15,800,143,872 bytes free
Post-Run: 15,809,576,960 bytes free

- - End Of File - - AF0BB616D85E15BBC5D6D33A6F5DD93A

MBRCheck, version 1.1.1

(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status

--------------------------------------------

55 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...

thanks


----------



## CatByte (Feb 24, 2009)

Hi

There doesn't appear to be any malware remaining on the machine.

Are there any outstanding issues?


----------



## Skaione (Feb 12, 2009)

I still get pop-ups for google syndicate or something along those lines.

Also I get an update for Windows Media Player 9 although I have WMP 11.


----------



## CatByte (Feb 24, 2009)

Do the popups occur in both Firefox and IE? I don't see any more malware.

It may be one of your add-ons, perhaps.

Can you please give me a list of the add-ons that you have installed?


----------



## Skaione (Feb 12, 2009)

I get redirected on Firefox and IE as well. My add-ons are Java Console 6.0.20, Java QuickStarter 1.0, McAfee SiteAdvisor 3.1, and Microsoft .NET Framework Assistant 1.1


----------



## CatByte (Feb 24, 2009)

Hi

Please run the following:

Please download and execute this file, and post the log produced. The log is also saved at C:\maxhandle.txt

If the infection I suspect is not found, "Nothing found!" is echoed to the screen and no log is produced.

*NEXT*

Download and run *HAMeb_check.exe* save it to your desktop.

Click on the icon to run it, when complete it will open a log for you, please post the content of the log in your next reply.

Note: The log is temporary; it will not be saved when closed, so please be sure to copy the content so that you can paste it into your next reply before you close the log.


----------



## Skaione (Feb 12, 2009)

C:\Documents and Settings\king\Desktop\HAMeb_check.exe
Mon 07/26/2010 at 15:20:51.81

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS 
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~


----------



## Skaione (Feb 12, 2009)

I keep getting a VideoCOP popup as well


----------



## CatByte (Feb 24, 2009)

Did you run the maxhandle program as well?


----------



## Skaione (Feb 12, 2009)

Yeah, there was no log.


----------



## CatByte (Feb 24, 2009)

Please run this program as well:

Please download *Rootkit Unhooker* and save it on your desktop.

Disable your security programs
Double click *RKUnhookerLE.exe* to run it
Click the *Report* tab, then click *Scan*
Check *Drivers, Stealth Code, Files, and Code Hooks*
Uncheck the rest, then click *OK*
When prompted to Select Disks for Scan, make sure *C:\* is checked and click OK
Wait till the scanner has finished then go *File > Save Report*
Save the report somewhere you can find it. Click Close
Copy the entire contents of the report and paste it in your next reply.
*Note - You may get this warning, it is ok, just ignore it:*
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


----------



## Skaione (Feb 12, 2009)

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xB97A8000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 2220032 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9A32000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1306624 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xB95EE000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 929792 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xB9541000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 708608 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9E3D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA9108000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB944F000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA923B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA89A1000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9765000 C:\WINDOWS\system32\drivers\STAC97.sys 274432 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xA800F000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xB96EB000 C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys 208896 bytes (Conexant Systems, Inc., HSFHWICH WDM driver)
0xB94AD000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA8AE8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E10000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA72AC000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA9178000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA8451000 C:\WINDOWS\system32\drivers\mfehidk.sys 163840 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
0xA9213000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA91ED000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9741000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB99DC000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB971E000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA91A3000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EF3000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F2B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9A00000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 122880 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB9F4A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xB9DF6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F13000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA90C8000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9ECA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9516000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB99C6000 C:\WINDOWS\system32\DRIVERS\gtipci21.sys 90112 bytes (Texas Instruments, Texas Instruments PCI GemCore IFD Handler)
0xA8C03000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB952D000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9A1E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA9294000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9EE1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9505000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA2F8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xA8541000 C:\WINDOWS\system32\drivers\mfeavfk.sys 65536 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA188000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xA8591000 C:\WINDOWS\system32\drivers\mfeapfk.sys 61440 bytes (McAfee, Inc., Access Protection Filter Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA8EB8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA278000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA198000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA288000 C:\WINDOWS\system32\drivers\mfetdik.sys 49152 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBA208000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA2A8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA248000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA0F8000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA238000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA298000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA7F8F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA398000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA3F0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA390000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA4A0000 C:\WINDOWS\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xBA3F8000 C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys 28672 bytes (McAfee, Inc., VSCore Code Analysis Driver)
0xBA328000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA350000 C:\DOCUME~1\king\LOCALS~1\Temp\mbr.sys 24576 bytes
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA388000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA3E0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3E8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA418000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA554000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBA580000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA8FD8000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA55C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA558000 C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB94DD000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA8A08000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xBA564000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9DA9000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xA8FD4000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 12288 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xBA61E000 C:\WINDOWS\system32\Drivers\BASFND.sys 8192 bytes (Broadcom Corporation, Broadcom NetDetect Driver.)
0xBA5C6000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5D0000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5C4000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5AC000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5C8000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA61C000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xBA644000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xBA5CA000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5C0000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5C2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA676000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA7A1000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA747000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006AA8A, Type: Inline - RelativeJump 0x80541A8A-->80541A91 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateKey, Type: Inline - RelativeJump 0x8061A344-->A84644FF [mfehidk.sys]
ntkrnlpa.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8061A7E0-->A8464513 [mfehidk.sys]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x8061A9B0-->A846453F [mfehidk.sys]
ntkrnlpa.exe-->NtOpenKey, Type: Inline - RelativeJump 0x8061B722-->A84644EB [mfehidk.sys]
ntkrnlpa.exe-->NtRenameKey, Type: Inline - RelativeJump 0x80619D66-->A8464529 [mfehidk.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x806188B6-->A8464555 [mfehidk.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x805C8CAA-->A846456B [mfehidk.sys]
[1668]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1668]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1668]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1668]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1668]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1668]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[1668]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[4948]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [firefox.exe]
[5480]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E46531E-->00000000 [xul.dll]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

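The hook list above is what has to be read before the scanner's "possible rootkit activity" line is accepted or dismissed. The kernel hooks are attributed to mfehidk.sys (McAfee's link driver, which hooks the registry and process-termination services for self-protection), the explorer.exe IAT changes to shimeng.dll (the Windows application-compatibility shim engine), and the last two to firefox.exe and xul.dll patching Firefox's own processes. The real red flag in such a listing is a hook whose jump destination does not land inside the module the scanner names, or a named module that is absent from the loaded-driver list. The Python below is an added example written for this page, not RkUnhooker's or GMER's code: it parses the two listing formats shown above and applies that check. The module-map entries marked CONSTRUCTED (ntkrnlpa.exe, whose base follows from the `ntkrnlpa.exe+0x0006AA8A = 0x80541A8A` line but whose size is assumed, and mfehidk.sys, which sits above the excerpt), the `KNOWN_OWNERS` allowlist and the `hidden.sys` negative case are assumptions, not data from the log.

```python
"""Triage for RkUnhooker/GMER-style ">Hooks" listings.

Added example; not the scanner's code.  A hook is flagged when the scanner
attributes it to a module missing from the loaded-driver list, when its jump
destination lies outside that module, or when the owner is neither an
allowlisted vendor module nor the hooked image itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$")
MODULE_RE = re.compile(r"^0x(?P<base>[0-9A-Fa-f]+) (?P<path>.+?) (?P<size>\d+) bytes")

# Assumption for this machine: McAfee's mfehidk.sys, the Windows app-compat
# shim engine and Firefox's xul.dll are accepted hook owners.
KNOWN_OWNERS = {"mfehidk.sys", "shimeng.dll", "xul.dll"}

# Driver-list lines copied from the log, plus two CONSTRUCTED entries: the
# ntkrnlpa.exe base follows from "ntkrnlpa.exe+0x0006AA8A" = 0x80541A8A (size
# assumed); mfehidk.sys is above the excerpt, so its range is assumed.
SAMPLE_MODULES = """\
0xBA2F8000 C:\\WINDOWS\\System32\\Drivers\\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xA8541000 C:\\WINDOWS\\system32\\drivers\\mfeavfk.sys 65536 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xA7F8F000 C:\\WINDOWS\\System32\\Drivers\\Normandy.SYS 36864 bytes (RKU Driver)
0x804D7000 ntkrnlpa.exe 2097152 bytes (CONSTRUCTED size)
0xA8440000 C:\\WINDOWS\\system32\\drivers\\mfehidk.sys 393216 bytes (CONSTRUCTED range)
"""

# Hook lines copied from the log.
SAMPLE_HOOKS = """\
ntkrnlpa.exe+0x0006AA8A, Type: Inline - RelativeJump 0x80541A8A-->80541A91 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateKey, Type: Inline - RelativeJump 0x8061A344-->A84644FF [mfehidk.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x805C8CAA-->A846456B [mfehidk.sys]
[1668]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[4948]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [firefox.exe]
[5480]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E46531E-->00000000 [xul.dll]
"""

# CONSTRUCTED negative case, not from the log: a kernel hook attributed to a
# driver that the loaded-driver list does not contain.
CONSTRUCTED_NEGATIVE = ("ntkrnlpa.exe-->NtQueryDirectoryFile, Type: Inline - RelativeJump "
                        "0x805BE000-->A7E01234 [hidden.sys]")


@dataclass
class Hook:
    pid: Optional[int]   # None for kernel-mode hooks
    chain: str           # image-->module-->function
    kind: str
    src: int
    dst: int
    owner: str           # module the scanner attributes the hook to


def parse_modules(text: str) -> Dict[str, Tuple[int, int]]:
    """basename -> (base, end) from a loaded-driver listing."""
    modules: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            base = int(m.group("base"), 16)
            name = m.group("path").split("\\")[-1].lower()
            modules[name] = (base, base + int(m.group("size")))
    return modules


def parse_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(int(m["pid"]) if m["pid"] else None, m["chain"], m["kind"],
                              int(m["src"], 16), int(m["dst"], 16), m["owner"]))
    return hooks


def triage(hook: Hook, modules: Dict[str, Tuple[int, int]]) -> List[str]:
    """Reasons the hook needs a closer look; [] means nothing to flag."""
    flags = []
    owner = hook.owner.lower()
    if hook.pid is None:                      # kernel hook: check the jump target
        rng = modules.get(owner)
        if rng is None:
            flags.append("owner not in loaded-driver list")
        elif not rng[0] <= hook.dst < rng[1]:
            flags.append("destination outside owner module")
    self_hook = hook.chain.lower().startswith(owner)   # image patching itself
    if owner not in KNOWN_OWNERS and not self_hook:
        flags.append("unrecognised hook owner: review")
    return flags


def triage_log(hook_text: str, module_text: str) -> Dict[str, List[str]]:
    modules = parse_modules(module_text)
    return {f"{h.chain} [{h.owner}]": triage(h, modules) for h in parse_hooks(hook_text)}


if __name__ == "__main__":
    for target, flags in triage_log(SAMPLE_HOOKS + CONSTRUCTED_NEGATIVE, SAMPLE_MODULES).items():
        print(("FLAG " if flags else "ok   ") + target, "; ".join(flags))
```

Run against the log's own lines every hook comes back clean, and only the constructed `hidden.sys` case is flagged; on a real system the module map should come from the same scan as the hook list, since the point of the range check is that a hidden driver will not appear in it.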

----------



## CatByte (Feb 24, 2009)

Download the latest version of *Trendmicro's Hijackthis* to your *desktop.*

*Double click* the downloaded program icon to install it

Follow the prompts and by default it will install in *C:\Program Files\Trend Micro\HijackThis\HijackThis.exe*

*Open HJT *

Click on *Scan and Save a Log File,* it will open in *Notepad*
Go to *Format* and make sure *Wordwrap is Unchecked*
Go to *Edit > Select All*, then *Edit > Copy*, and paste the new log into this thread by using the *Add Reply* button.

*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## Skaione (Feb 12, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:07 PM, on 7/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277495900906
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

--
End of file - 6493 bytes


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Open *HiJackThis*
Click on *Do a system scan only*
Check the boxes next to *ONLY* the entries listed below (if still present): 

*O1 - Hosts: ÿþ127.0.0.1 localhost*
Close all windows except *Hijackthis* and click *Fix Checked*
Click *Yes* when prompted
Close HijackThis.

*NEXT*

Please download *SmitfraudFix*
Double-click *SmitfraudFix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

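About that O1 line: the `ÿþ` in front of `127.0.0.1 localhost` is how the bytes FF FE display when read as single-byte text, and FF FE is the UTF-16 little-endian byte-order mark. The hosts file has been rewritten in an encoding the hosts-file parser does not expect, which is why HijackThis shows the entry as unrecognised and why it is the one item to fix. The script below is an added example, not HijackThis code or anything posted in the thread: it reports the encoding, decodes the file regardless, and flags every mapping that is not the stock loopback entry, since the same file is where a hijacker sinkholes AV update sites or redirects bank names. Both sample files are constructed; the `cp1252` fallback is an assumption for an English Windows install.

```python
"""Hosts-file inspection for the HijackThis O1 finding.

Added example; not HijackThis code.  Reports an unexpected byte-order
mark (FF FE = UTF-16 LE, shown by HijackThis as "ÿþ"), decodes the file
anyway, and flags every mapping that is not the stock loopback entry.
"""
import codecs
import ipaddress
from typing import Dict, List, Tuple

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}

# CONSTRUCTED: a hosts file as the O1 line implies it: UTF-16 LE with a BOM,
# containing only the two loopback entries HijackThis listed.
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + "127.0.0.1 localhost\r\n::1 localhost\r\n".encode("utf-16-le")

# CONSTRUCTED: an ANSI hosts file carrying a typical hijack: an update host
# sinkholed to loopback and a bank-like name sent to a non-local address.
SAMPLE_HIJACK = (b"# comment line\r\n"
                 b"127.0.0.1 localhost\r\n"
                 b"127.0.0.1 update.example-av.invalid\r\n"
                 b"198.51.100.7 www.bank.example\r\n")


def detect_encoding(data: bytes) -> Tuple[str, bool]:
    """(codec label, had_bom).  Windows writes hosts as ANSI, so any BOM is unexpected."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le", True
    if data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be", True
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig", True
    return "cp1252", False      # assumption: an English Windows ANSI code page


def parse_hosts(data: bytes) -> Tuple[str, bool, List[Tuple[str, str]]]:
    """Decode and return (codec, had_bom, [(address, hostname), ...])."""
    codec, bom = detect_encoding(data)
    # "utf-16" and "utf-8-sig" consume the BOM; errors="replace" keeps cp1252 from raising.
    text = data.decode("utf-16" if codec.startswith("utf-16") else codec, errors="replace")
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return codec, bom, entries


def inspect_hosts(data: bytes) -> Dict[str, object]:
    codec, bom, entries = parse_hosts(data)
    findings: List[str] = []
    if bom:
        findings.append(f"unexpected byte-order mark: file is {codec}, not ANSI")
    for addr, name in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"unparseable address {addr!r} for {name}")
            continue
        if name in LOOPBACK_NAMES:
            if not ip.is_loopback:
                findings.append(f"{name} mapped to {addr} instead of loopback")
        elif ip.is_loopback or ip.is_unspecified:
            findings.append(f"{name} sinkholed to {addr} (blocks the site; AV/update hosts pattern)")
        else:
            findings.append(f"{name} redirected to {addr}")
    return {"encoding": codec, "bom": bom, "entries": entries, "findings": findings}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\drivers\etc\hosts"
    try:
        with open(path, "rb") as fh:
            report = inspect_hosts(fh.read())
    except OSError:
        report = inspect_hosts(SAMPLE_UTF16)   # fall back to the constructed sample
    print(report["encoding"], "bom" if report["bom"] else "no bom")
    for finding in report["findings"]:
        print(" -", finding)
```

On the constructed UTF-16 file the only finding is the byte-order mark, which matches what HijackThis reported here; the second sample shows what an actual redirect looks like so the two cases are not confused.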

----------



## Skaione (Feb 12, 2009)

SmitFraudFix v2.424

Scan done at 22:17:47.92, Tue 07/27/2010
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\king

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\king\LOCALS~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\king\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\king\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 213.109.65.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{99E7D386-7460-4492-933D-A89863320246}: DhcpNameServer=192.168.1.1 213.109.65.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{99E7D386-7460-4492-933D-A89863320246}: DhcpNameServer=192.168.1.1 213.109.65.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{99E7D386-7460-4492-933D-A89863320246}: DhcpNameServer=192.168.1.1 213.109.65.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 213.109.65.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 213.109.65.65
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 213.109.65.65

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:

*You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.*

Please reboot your computer in *Safe Mode* by doing the following :
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode:
Double-click *SmitfraudFix.exe*
Select option #5 - *Search and Clean DNS Hijack* by typing *5* and press "*Enter*".
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing *Y* and press "Enter".
*The tool will now check if* *wininet.dll* *is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter"*.

The tool may need to restart your computer to finish the cleaning process; *if it doesn't, please restart anyway into normal Windows.* A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at *C:\rapport.txt*.

Please reboot and provide the following in your next post: rapport.txt


----------



## Skaione (Feb 12, 2009)

It doesn't work in safe mode. What should I do?
Also I get redirected on this site, as in when I browse Tech Guy it sends me somewhere else.


----------



## CatByte (Feb 24, 2009)

Please run it in Normal mode.

thanks


----------



## Skaione (Feb 12, 2009)

I didn't get the option to clean the registry.


----------



## CatByte (Feb 24, 2009)

OK, that didn't remove the hijacker, unfortunately.

It is hooked into your router.

You need to reset your router again.

Make sure it is completely disconnected:

then do the following:

Consult this link to find out the default username and password of your router and note them down: Router Passwords

Then reset your router to its factory default settings:

> *Reset your router to its default configuration.* *Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router*. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

This is the difficult part.
First get to the router's server. To do that, type *http://192.168.1.1* in the address bar and press Enter. You get the log-in window.
Fill in the password you have already found and you will get the configuration page.
Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
You can also call your ISP if you don't have your initial password.

VERY IMPORTANT
*Don't forget to change the router's default password and set a strong password.* Note down the password and keep it somewhere for future reference. Change the login name as well.

Please make sure of the following settings:
Go to start => Control panel => Double-click *Network and Sharing Center*.
In the left window select *Manage network Connection*.
In the right window right-click *Local Area connection* and select *Properties *.
*Internet Protocol Version 6 (IPv6)* should be checked. Double-click on it and make sure of the following settings:
The option *Obtain an IP address automatically* should be checked.
The option *Obtain DNS server address automatically* should be checked.

Click *OK*.
*Internet Protocol Version 4 (IPv4)* should be checked. Double-click on it.
The option *Obtain an IP address automatically* should be checked.
The option *Obtain DNS server address automatically* should be checked.

Click *OK* twice.
If you change any setting, reboot the computer.

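The DNS section of the SmitFraudFix report above is the evidence behind the router advice in this post: the adapter's resolvers come from DHCP, the first (192.168.1.1) is the router itself and the second (213.109.65.65) is a public address the router handed out with the lease. If the router's DNS setting has been altered, every client behind it is redirected no matter how clean the PC is, which is why the fix is a factory reset of the router followed by "obtain DNS server address automatically" on the PC. The Python below is an added example, not part of SmitFraudFix or of this thread. It parses the report's DNS lines, separates private (RFC 1918) resolvers from public ones, and reports any public resolver that is not on a list of resolvers the ISP is expected to use; `EXPECTED_RESOLVERS` is left empty as a placeholder assumption, so a public resolver is reported for verification, not as proof of hijack. On a Windows machine `windows_dhcp_name_servers()` reads the same `Tcpip\Parameters` values the report prints, so the check can be run live.

```python
"""Resolver check for the SmitFraudFix "DNS" section.

Added example; not SmitFraudFix code.  Separates private (RFC 1918)
resolvers from public ones and reports public resolvers that are not on
the expected list.  EXPECTED_RESOLVERS is a placeholder assumption.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Assumption: fill with the ISP's published resolvers.  Empty means every
# public resolver is reported for manual verification.
EXPECTED_RESOLVERS: Set[str] = set()

SEARCH_ORDER_RE = re.compile(r"^DNS Server Search Order:\s*(\S+)")
REG_RE = re.compile(
    r"^(?P<key>HKLM\\\S+?):\s*(?P<value>(?:Dhcp)?NameServer)=(?P<list>.*)$")

# Lines copied from the SmitFraudFix report above.
SAMPLE_DNS_SECTION = """\
Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 213.109.65.65

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{99E7D386-7460-4492-933D-A89863320246}: DhcpNameServer=192.168.1.1 213.109.65.65
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=192.168.1.1 213.109.65.65
"""


def classify(server: str) -> str:
    """'local' for loopback/link-local/unspecified, 'private' for RFC 1918/ULA
    (the router or a LAN host), 'public' otherwise.  ValueError if not an IP."""
    ip = ipaddress.ip_address(server)
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "local"
    if ip.is_private:
        return "private"
    return "public"


def check_resolvers(servers: List[str], expected: Optional[Set[str]] = None) -> List[str]:
    """Findings for one resolver list; [] means nothing to question."""
    expected = EXPECTED_RESOLVERS if expected is None else expected
    findings = []
    for s in servers:
        try:
            kind = classify(s)
        except ValueError:
            findings.append(f"{s}: not an IP address")
            continue
        if kind == "public" and s not in expected:
            findings.append(f"{s}: public resolver not on the expected list; verify with the ISP")
    return findings


def parse_dns_section(text: str) -> Dict[str, List[str]]:
    """{source: [resolver, ...]} for the adapter search order and each registry value."""
    sources: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = SEARCH_ORDER_RE.match(line)
        if m:
            sources.setdefault("adapter search order", []).append(m.group(1))
            continue
        m = REG_RE.match(line)
        if m:
            sources[f"{m.group('key')}\\{m.group('value')}"] = (
                m.group("list").replace(",", " ").split())
    return sources


def check_report(text: str, expected: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    return {src: check_resolvers(lst, expected) for src, lst in parse_dns_section(text).items()}


def windows_dhcp_name_servers() -> Dict[str, List[str]]:
    """Read the per-interface NameServer/DhcpNameServer values the report prints.
    Windows only: raises ImportError elsewhere."""
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    out: Dict[str, List[str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as ifs:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(ifs, index)
            except OSError:            # no more interface subkeys
                break
            index += 1
            with winreg.OpenKey(ifs, guid) as key:
                for value in ("NameServer", "DhcpNameServer"):
                    try:
                        data, _ = winreg.QueryValueEx(key, value)
                    except FileNotFoundError:
                        continue
                    if data:
                        out[f"{guid}\\{value}"] = data.replace(",", " ").split()
    return out


if __name__ == "__main__":
    for src, findings in check_report(SAMPLE_DNS_SECTION).items():
        print(src, "->", findings or "ok")
```

A static `NameServer` value set on the adapter, or a router whose DHCP lease hands out resolvers that differ from the ISP's, are the two places this kind of redirect survives a clean-up of the PC; re-running the check after the router reset should show only the router's own address or the ISP's resolvers.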

----------



## Skaione (Feb 12, 2009)

My router make is not listed, and I can't contact Verizon. Is there anything else I can do?


----------



## CatByte (Feb 24, 2009)

what happens when you go to the router's server?

(by typing: http://192.168.1.1)

there should be instructions there for resetting the router.

what is the make and model of your router?

how old is it?


----------



## Skaione (Feb 12, 2009)

I got it to reset, but instead of Internet Protocol Version 6 (IPv6) I just get Internet Protocol, and there is no version 4 either.


----------



## CatByte (Feb 24, 2009)

hmm

OK,

what is the status of the computer now?

how is it behaving are there any outstanding issues?

Are you having any connection issues?


----------



## Skaione (Feb 12, 2009)

Now I don't have any connection problems, but occasionally WMP11 pops up out of the blue


----------



## CatByte (Feb 24, 2009)

Hi,

I don't believe your remaining issues are malware related.

We need to clean up our tools; then I suggest you post in the Windows forum to see if the techs can assist with the performance issues.

You can delete the *MBRCheck*, *DDS* and *GMER* logs and programs from your desktop.


*NEXT*

*Follow these steps to uninstall Combofix *


Make sure your security programs are totally disabled.
Click *START* then *RUN*
Now copy/paste *Combofix /uninstall* into the *runbox* and click *OK*. Note the *space* between the *..X* and the */U*; it needs to be there.

If there are any logs/tools remaining > right click and delete them.

*NEXT*

Below I have included a number of recommendations for how to protect your computer against malware infections.


It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: *Strong passwords: How to create and use them*. Then consider a *password keeper* to keep all your passwords safe.

Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

*Make Internet Explorer more secure*
Click *Start* > *Run*
Type *Inetcpl.cpl* & click *OK*
Click on the *Security* tab
Click *Reset all zones to default level*
Make sure the *Internet Zone* is selected & Click *Custom level*
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click *OK*, then *Apply* button and then *OK* to exit the Internet Properties page.

*Download* *TFC* *to your desktop*
Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run.
Click the *Start* button to begin the process.
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically *reboot your machine*;
if it doesn't, manually reboot to ensure a complete clean.
*It's normal after running TFC cleaner that the PC will be slower to boot the first time.*

*WOT*, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
*Green* to go 
*Yellow* for caution 
*Red* to stop
WOT has an add-on available for both Firefox and IE.

*Keep a backup of your important files* - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
*Think Prevention.*
*PC Safety and Security--What Do I Need?.*

***Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. *

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.


----------



## Skaione (Feb 12, 2009)

Finished, and thank you so much for all your help


----------

