Search Engine Redirect Removal (Need Help)



TMJ1968
2010-05-07, 21:54
Hi. New to this forum, and hope that I can get help with my problem. About a week ago, I got caught by the AntiSpyware 2010 virus, and things have gone downhill from there.

My biggest current problem seems to be the very annoying redirects from search engine results. It doesn't happen at first, then happens all of the time. I use McAfee and have run scans, although I am not convinced it is working right at this time. I have also tried running Malwarebytes, SUPERAntiSpyware, and the latest Spybot. The problem persists, however.

I am also getting paranoid that whatever is residing in my computer is starting to mess with other things, such as printer settings in MS Word 2007, and my audio speakers.

Anyway, I have followed the "Before you Post" instructions, and my DDS log is copied/pasted below. Thank you for your help!!!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 13:37:44.01 on Fri 05/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1145 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\DELL\Dell Laser MFP 1815\PaperPort\pptd40nt.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\YouSendIt\Express\YouSendIt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FQXIPQ25\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.johnstonlawgroup.com/
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070620
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {4E4D87BA-2985-409B-8D81-1F4B0F990902} - No File
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\documents and settings\Owner\application data\mozilla\firefox\profiles\hezivife.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.80.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [YouSendIt.exe] c:\program files\yousendit\express\YouSendIt.exe -ui none
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DisplayFusion] "c:\program files\displayfusion\DisplayFusion.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [PaperPort PTD] "c:\program files\dell\dell laser mfp 1815\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\dell\dell laser mfp 1815\paperport\IndexSearch.exe"
mRun: [MFP1815_S2P] c:\program files\dell\dell laser mfp 1815\psu\Scan2Pc.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [PfuSsSct.exe] c:\program files\pfu\scansnap\PfuSsSct.exe /Station
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182905414984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner1\applic~1\mozilla\firefox\profiles\hezivife.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.johnstonlawgroup.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Owner\application data\mozilla\firefox\profiles\hezivife.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Owner\application data\mozilla\firefox\profiles\hezivife.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-7-19 214664]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-11-27 47640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-17 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-17 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-7-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-7-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-7-19 40552]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\owner1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\owner1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\owner1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\owner1\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-7-20 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-7-20 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2007-7-20 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-7-20 10368]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\dm150drv.sys --> c:\windows\system32\drivers\DM150Drv.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-7-19 34248]
S3 SASENUM;SASENUM;\??\c:\docume~1\owner1\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\owner1\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-05-06 22:04:11 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-06 22:04:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-01 23:56:27 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-29 18:02:29 0 d-----w- c:\program files\Trend Micro
2010-04-29 01:52:14 0 d-----w- c:\docume~1\owner1\applic~1\Malwarebytes
2010-04-29 01:51:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 01:51:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 01:51:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 01:51:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-28 20:41:18 0 d-----w- c:\docume~1\owner1\applic~1\SUPERAntiSpyware.com
2010-04-28 20:41:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-28 18:04:36 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-28 17:24:10 860160 ----a-w- c:\windows\FunambolAddin.dll
2010-04-28 17:24:10 1503232 ----a-w- c:\windows\winmainclientdll.dll
2010-04-28 17:18:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-28 17:18:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 22:20:29 0 d-----w- c:\windows\pss
2010-04-27 20:39:21 0 d-----w- c:\docume~1\alluse~1\applic~1\avG

==================== Find3M ====================

2010-03-24 20:23:41 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-24 20:23:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-24 20:01:28 141925 ----a-w- c:\windows\fonts\AdobeFnt08.lst
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 16:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2008-12-12 17:15:36 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-12 17:15:36 49152 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121220081213\index.dat

============= FINISH: 13:39:53.50 ===============


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 13:37:44.01 on Fri 05/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1145 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\DELL\Dell Laser MFP 1815\PaperPort\pptd40nt.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\YouSendIt\Express\YouSendIt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FQXIPQ25\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.johnstonlawgroup.com/
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070620 (http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070620)
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and

settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google

toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat

8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {4E4D87BA-2985-409B-8D81-1F4B0F990902} - No File
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\documents and settings\Owner\application

data\mozilla\firefox\profiles\hezivife.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.80.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [YouSendIt.exe] c:\program files\yousendit\express\YouSendIt.exe -ui none
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DisplayFusion] "c:\program files\displayfusion\DisplayFusion.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [PaperPort PTD] "c:\program files\dell\dell laser mfp 1815\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\dell\dell laser mfp 1815\paperport\IndexSearch.exe"
mRun: [MFP1815_S2P] c:\program files\dell\dell laser mfp 1815\psu\Scan2Pc.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [PfuSsSct.exe] c:\program files\pfu\scansnap\PfuSsSct.exe /Station
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat

7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar

sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program

files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop

search\WindowsSearch.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182905414984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner1\applic~1\mozilla\firefox\profiles\hezivife.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.johnstonlawgroup.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Owner\application data\mozilla\firefox\profiles\hezivife.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Owner\application data\mozilla\firefox\profiles\hezivife.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-7-19 214664]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-11-27 47640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-17 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-17 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-7-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-7-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-7-19 40552]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\owner1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\owner1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\owner1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\owner1\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-7-20 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-7-20 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2007-7-20 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-7-20 10368]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\dm150drv.sys --> c:\windows\system32\drivers\DM150Drv.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-7-19 34248]
S3 SASENUM;SASENUM;\??\c:\docume~1\owner1\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\owner1\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-05-06 22:04:11 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-06 22:04:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-01 23:56:27 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-29 18:02:29 0 d-----w- c:\program files\Trend Micro
2010-04-29 01:52:14 0 d-----w- c:\docume~1\owner1\applic~1\Malwarebytes
2010-04-29 01:51:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 01:51:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 01:51:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 01:51:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-28 20:41:18 0 d-----w- c:\docume~1\owner1\applic~1\SUPERAntiSpyware.com
2010-04-28 20:41:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-28 18:04:36 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-28 17:24:10 860160 ----a-w- c:\windows\FunambolAddin.dll
2010-04-28 17:24:10 1503232 ----a-w- c:\windows\winmainclientdll.dll
2010-04-28 17:18:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-28 17:18:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 22:20:29 0 d-----w- c:\windows\pss
2010-04-27 20:39:21 0 d-----w- c:\docume~1\alluse~1\applic~1\avG

==================== Find3M ====================

2010-03-24 20:23:41 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-24 20:23:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-24 20:01:28 141925 ----a-w- c:\windows\fonts\AdobeFnt08.lst
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 16:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2008-12-12 17:15:36 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-12 17:15:36 49152 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121220081213\index.dat

============= FINISH: 13:39:53.50 ===============

peku006
2010-05-09, 11:19
Hello and :welcome: to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks peku006

TMJ1968
2010-05-10, 21:11
Thank you for your assistance. I have followed your directions, and my ComboFix log is pasted below:
ComboFix 10-05-09.08 - Thomas Johnston 05/10/2010 11:42:49.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1470 [GMT -5:00]
Running from: c:\documents and settings\Thomas Johnston\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
PEV Error: AppFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Thomas Johnston\GoToAssistDownloadHelper.exe
c:\documents and settings\Thomas Johnston\Local Settings\Temporary Internet Files\3f763nB1.jpg
c:\documents and settings\Thomas Johnston\Local Settings\Temporary Internet Files\iFX6ow0.jpg
c:\documents and settings\Thomas Johnston\Local Settings\Temporary Internet Files\klA38PAY0.jpg
c:\documents and settings\Thomas Johnston\Local Settings\Temporary Internet Files\Pik5b.jpg
c:\documents and settings\Thomas Johnston\System
c:\documents and settings\Thomas Johnston\System\win_qs8.jqx
C:\restore
c:\restore\CLIENTS\CURRENT CLIENTS\Peroutka, Francis & Marian\2008-04-07 Summary letter to clients (post-execution).docx
c:\windows\explorer(2).exe
c:\windows\explorer(3).exe
c:\windows\system32\Vb40032.dll
c:\windows\system32\gotomon.log . . . . failed to delete

Infected copy of c:\windows\system32\drivers\nvata.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
.

2010-05-10 16:38 . 2007-02-26 02:25 105472 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-05-07 18:19 . 2010-05-07 18:19 -------- d-----w- c:\program files\ERUNT
2010-05-06 22:04 . 2010-05-06 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-06 22:04 . 2010-05-06 22:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-01 23:56 . 2010-05-01 23:56 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-01 23:56 . 2010-05-01 23:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-29 18:02 . 2010-04-29 18:02 -------- d-----w- c:\program files\Trend Micro
2010-04-29 01:52 . 2010-04-29 01:52 -------- d-----w- c:\documents and settings\Thomas Johnston\Application Data\Malwarebytes
2010-04-29 01:51 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 01:51 . 2010-05-01 01:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 01:51 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 01:51 . 2010-04-29 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-28 20:41 . 2010-04-28 20:41 -------- d-----w- c:\documents and settings\Thomas Johnston\Application Data\SUPERAntiSpyware.com
2010-04-28 20:41 . 2010-04-28 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-28 18:04 . 2010-05-07 17:11 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-28 17:24 . 2007-07-09 07:59 860160 ----a-w- c:\windows\FunambolAddin.dll
2010-04-28 17:24 . 2007-07-09 07:59 1503232 ----a-w- c:\windows\winmainclientdll.dll
2010-04-28 17:18 . 2010-04-28 17:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 20:39 . 2010-04-27 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-27 20:39 . 2010-04-27 20:39 -------- d-----w- c:\documents and settings\Thomas Johnston\Local Settings\Application Data\avG
2010-04-26 23:15 . 2010-04-26 23:15 -------- d-----w- c:\documents and settings\Thomas Johnston\Local Settings\Application Data\ohacmqboi
2010-04-26 22:53 . 2010-04-26 22:53 -------- d-----w- c:\documents and settings\Thomas Johnston\Local Settings\Application Data\rfwysipel
2010-04-26 22:29 . 2010-04-26 22:29 -------- d-----w- c:\documents and settings\Thomas Johnston\Local Settings\Application Data\koimuikte
2010-04-12 16:21 . 2010-04-12 16:22 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-10 07:09 . 2007-07-20 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2010-05-10 03:16 . 2008-09-15 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-03 20:31 . 2010-04-01 17:38 -------- d-----w- c:\documents and settings\Thomas Johnston\Application Data\DisplayFusion
2010-04-30 19:25 . 2008-04-10 18:35 -------- d-----w- c:\program files\Common Files\lacerte shared
2010-04-28 17:18 . 2007-06-20 13:07 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 17:18 . 2007-06-20 13:07 -------- d-----w- c:\program files\Java
2010-04-27 20:38 . 2010-04-27 20:38 61440 ----a-w- c:\documents and settings\Thomas Johnston\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-331cf324-n\decora-sse.dll
2010-04-27 20:38 . 2010-04-27 20:38 503808 ----a-w- c:\documents and settings\Thomas Johnston\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-21054d65-n\msvcp71.dll
2010-04-27 20:38 . 2010-04-27 20:38 499712 ----a-w- c:\documents and settings\Thomas Johnston\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-21054d65-n\jmc.dll
2010-04-27 20:38 . 2010-04-27 20:38 348160 ----a-w- c:\documents and settings\Thomas Johnston\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-21054d65-n\msvcr71.dll
2010-04-27 20:38 . 2010-04-27 20:38 12800 ----a-w- c:\documents and settings\Thomas Johnston\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-331cf324-n\decora-d3d.dll
2010-04-22 19:33 . 2007-06-27 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-04-16 00:52 . 2007-06-20 13:16 -------- d-----w- c:\program files\Google
2010-04-15 08:04 . 2007-09-08 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 14:15 . 2010-01-18 02:36 -------- d-----w- c:\program files\McAfee
2010-04-12 16:21 . 2007-07-02 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-01 17:33 . 2010-04-01 17:33 -------- d-----w- c:\program files\DisplayFusion
2010-03-24 20:24 . 2010-03-24 20:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-24 20:24 . 2010-03-24 20:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-24 20:24 . 2010-03-24 20:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-24 20:24 . 2010-03-24 20:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-24 20:24 . 2010-03-24 20:24 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-24 20:24 . 2010-03-24 20:24 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-24 20:24 . 2010-03-24 20:24 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-24 20:24 . 2010-03-24 20:24 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-24 20:24 . 2010-03-24 20:24 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-24 20:24 . 2010-02-13 22:00 -------- d-----w- c:\program files\Common Files\Real
2010-03-24 20:24 . 2010-02-13 22:00 -------- d-----w- c:\program files\Real
2010-03-24 20:24 . 2010-03-24 20:24 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-24 20:23 . 2003-03-19 01:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-24 20:23 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-19 21:18 . 2010-03-19 21:08 -------- d-----w- c:\program files\EVP Systems
2010-03-17 19:38 . 2010-03-17 19:38 -------- d-----w- c:\program files\Virtual Earth 3D
2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-10 17:51 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 00:42 . 2007-06-26 02:58 101408 ----a-w- c:\documents and settings\Thomas Johnston\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-19 00:18 . 2010-02-19 00:18 10134 ----a-r- c:\documents and settings\Thomas Johnston\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
2010-02-16 14:08 . 2004-08-10 17:51 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-10 17:50 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-10 17:51 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2009-06-30 82432]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2010-03-17 800944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-04-02 624056]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 45056]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]
"PaperPort PTD"="c:\program files\DELL\Dell Laser MFP 1815\PaperPort\pptd40nt.exe" [2006-02-20 36864]
"IndexSearch"="c:\program files\DELL\Dell Laser MFP 1815\PaperPort\IndexSearch.exe" [2006-02-20 40960]
"MFP1815_S2P"="c:\program files\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe" [2006-12-22 258952]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-24 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Thomas Johnston\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-20 24576]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2008-5-7 1769472]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-30 18:08 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 17:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\THOMAS~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\THOMAS~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\THOMAS~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\THOMAS~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 4:35 AM 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [7/20/2007 9:42 PM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [7/20/2007 9:42 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [7/20/2007 9:42 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [7/20/2007 9:42 PM 10368]
S3 DM150Drv;DM150Drv;c:\windows\system32\DRIVERS\DM150Drv.sys --> c:\windows\system32\DRIVERS\DM150Drv.sys [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\THOMAS~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\THOMAS~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-27 17:05]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 09:35]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 09:35]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-18 18:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-18 18:22]

2010-05-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4249249894-3923564320-3083111120-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-05-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4249249894-3923564320-3083111120-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-05-10 c:\windows\Tasks\User_Feed_Synchronization-{A6B807C7-8DB7-4AE3-9BE9-913AFD11DA97}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.johnstonlawgroup.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Thomas Johnston\Application Data\Mozilla\Firefox\Profiles\hezivife.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.johnstonlawgroup.com/
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Thomas Johnston\Application Data\Mozilla\Firefox\Profiles\hezivife.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Thomas Johnston\Application Data\Mozilla\Firefox\Profiles\hezivife.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PfuSsSct.exe - c:\program files\PFU\ScanSnap\PfuSsSct.exe
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 12:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89EFDEE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ccf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f21852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9dd0bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9ddda21
SendHandler -> NDIS.sys @ 0xb9dbb87b

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4249249894-3923564320-3083111120-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*b* a%]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-4249249894-3923564320-3083111120-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*b* a%\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3424)
c:\windows\system32\WININET.dll
c:\program files\DisplayFusion\DisplayFusionHookx86.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Retrospect\Retrospect 7.6\retrorun.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-05-10 12:42:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-10 17:41

Pre-Run: 200,630,521,856 bytes free
Post-Run: 200,699,940,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 13B4B8ECE4239D23291A4C006ECE5495

peku006
2010-05-10, 21:35
Hi TMJ1968

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:dir
c:\documents and settings\All Users\Application Data\avG
c:\documents and settings\Thomas Johnston\Local Settings\Application Data\avG
c:\documents and settings\Thomas Johnston\Local Settings\Application Data\ohacmqboi
c:\documents and settings\Thomas Johnston\Local Settings\Application Data\rfwysipel



Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006

TMJ1968
2010-05-10, 22:23
Here you go:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:20 on 10/05/2010 by Thomas Johnston (Administrator - Elevation successful)

========== dir ==========

c:\documents and settings\All Users\Application Data\avG - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\documents and settings\Thomas Johnston\Local Settings\Application Data\avG - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\documents and settings\Thomas Johnston\Local Settings\Application Data\ohacmqboi - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\documents and settings\Thomas Johnston\Local Settings\Application Data\rfwysipel - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

-=End Of File=-

peku006
2010-05-11, 08:55
Hi TMJ1968

1 - Run Malwarebytes' Anti-Malware


Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log

Thanks peku006

TMJ1968
2010-05-11, 16:59
Here is the log. It looks like it didn't find anything (although it didn't find anything previously, either).



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4090

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/11/2010 8:43:00 AM
mbam-log-2010-05-11 (08-43-00).txt

Scan type: Full scan (C:\|I:\|)
Objects scanned: 260316
Time elapsed: 59 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

peku006
2010-05-11, 19:02
Hi TMJ1968

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted, allow the Add-On/ActiveX control to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006

TMJ1968
2010-05-12, 04:42
As instructed:

1. ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bcdd15ad22993d49b5872f110f0c7c46
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-12 01:34:26
# local_time=2010-05-11 08:34:26 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 128735 128735 0 0
# compatibility_mode=4864 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776869 100 96 2469689 25616008 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=141810
# found=0
# cleaned=0
# scan_time=13584


2. fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:19 PM, on 5/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\DELL\Dell Laser MFP 1815\PaperPort\pptd40nt.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YouSendIt\Express\YouSendIt.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.johnstonlawgroup.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070620
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {4E4D87BA-2985-409B-8D81-1F4B0F990902} - (no file)
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\Thomas Johnston\Application Data\Mozilla\Firefox\Profiles\hezivife.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.80.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\DELL\Dell Laser MFP 1815\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\DELL\Dell Laser MFP 1815\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [MFP1815_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [YouSendIt.exe] C:\Program Files\YouSendIt\Express\YouSendIt.exe -ui none
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: ScanSnap Manager.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182905414984
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Unknown owner - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe (file missing)
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.6\rthlpsvc.exe

--
End of file - 13591 bytes

peku006
2010-05-12, 07:31
Hi TMJ1968


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {4E4D87BA-2985-409B-8D81-1F4B0F990902} - (no file)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

How's the computer running now?
Thanks peku006
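
The two HijackThis entries peku006 asks to tick and "Fix Checked" are orphans: a BHO or toolbar that is still registered under its CLSID but whose DLL is gone, which HijackThis reports as "(no file)". As an added example (not part of this thread, and not HijackThis's own code), the following Python script picks such entries out of a HijackThis 2.0.2 log mechanically and separately lists O23 services whose binary is reported "(file missing)"; the sample lines are copied from the log above, and the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis 2.0.2 log format. The lines are copied from
# the log TMJ1968 posted in this thread; the O9 line is included because its
# name contains " - ", which a naive split on " - " would mis-parse.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {4E4D87BA-2985-409B-8D81-1F4B0F990902} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Unknown owner - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe (file missing)
"""

# Every HijackThis finding starts with a section tag such as O2, O23 or R1.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")

# O2 (BHO) and O3 (Toolbar) lines carry a CLSID; anchoring on it keeps a
# display name that itself contains " - " from confusing the split.
CLSID_ENTRY = re.compile(
    r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*)$"
)


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "O2", "O3", "O23"
    kind: str     # e.g. "BHO", "Toolbar", "Service"; "" when the line has no "kind:" prefix
    name: str
    clsid: str    # "" when the line carries no CLSID
    target: str   # DLL/EXE path, or "(no file)" when the registration is orphaned
    raw: str


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse the finding lines of a HijackThis log; headers and the process list are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        c = CLSID_ENTRY.match(rest)
        if c:
            entries.append(HjtEntry(section, c["kind"], c["name"], c["clsid"], c["target"], line))
            continue
        # Generic shape: "<kind>: <name> - <target>"; the target is the last " - " segment.
        kind, sep, tail = rest.partition(": ")
        if not sep:
            kind, tail = "", rest
        if " - " in tail:
            name, target = tail.rsplit(" - ", 1)
        else:
            name, target = tail, ""
        entries.append(HjtEntry(section, kind, name, "", target, line))
    return entries


def orphaned_entries(text: str) -> List[HjtEntry]:
    """Registrations whose DLL no longer exists: HijackThis prints '(no file)' as the target."""
    return [e for e in parse_hjt_log(text) if e.target == "(no file)"]


def file_missing_services(text: str) -> List[HjtEntry]:
    """O23 services whose binary is gone; HijackThis appends '(file missing)' to the path."""
    return [e for e in parse_hjt_log(text)
            if e.section == "O23" and e.target.endswith("(file missing)")]


def fix_list(text: str) -> List[str]:
    """The raw lines a helper would ask the user to tick before 'Fix Checked'."""
    return [e.raw for e in orphaned_entries(text)]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_HJT_LOG):
        print(f"orphan   {e.section:<4} {e.clsid} {e.name}")
    for e in file_missing_services(SAMPLE_HJT_LOG):
        print(f"missing  {e.section:<4} {e.name}")
```

The orphan list reproduces the two entries peku006 picked; the "(file missing)" service is reported separately because the thread leaves it alone.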

TMJ1968
2010-05-13, 19:36
Here is the log file. The computer seems not so sluggish now. I will get back to you soon as to any remaining problems that I may uncover as I use the computer today.

Thanks for your help and prompt replies!!!!



Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
ESET Online Scanner v3
McAfee SecurityCenter
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 20
Adobe Flash Player 10.0.45.2
Adobe Reader 7.0.8
Adobe Reader 7.0.5 Language Support
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.3)
````````````````````````````````
Process Check:
objlist.exe by Laurent
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
````````````````````````````````
DNS Vulnerability Check:

``````````End of Log````````````

TMJ1968
2010-05-13, 19:55
I am sorry to report that I am still having the same search engine redirect problem as before.

peku006
2010-05-14, 18:11
Hi TMJ1968

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

Right click on gmer.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Click Next. It will start extracting.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it.
Select the Rootkit tab.
On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
Select all drives that are connected to your system to be scanned.
Click on the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into the text editor.
Save the Gmer scan log and post it in your next reply.
Close Gmer.
Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
In Command Prompt, type in net stop gmer. Press Enter.
Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

Thanks peku006

TMJ1968
2010-05-14, 23:32
I followed your directions and downloaded GMER and tried to run it.

After about one hour scanning (and seemingly making progress), I got the dreaded blue screen closing all programs and Windows due to something named:

uwddqpow.sys
address A21A3c3E base at A21A3000
DateStamp 4b274f8d

So I manually shut down the computer and rebooted. I tried to run GMER again, and again it seemed to be making progress. Then, as it was scanning I:, my external hard disk, I again got a blue screen and:

STOP d0000144 Unknown Hard Error

After again manually turning off the computer, I tried to restart in safe mode by using F8 during boot-up. That didn't work, and I also couldn't use msconfig to try to boot to safe mode (/SAFEBOOT was grayed out as an option and I couldn't check it).

It seems like things are getting worse--ugh! I really appreciate your help now more than ever, and also could use some encouragement, if possible.


TMJ1968
2010-05-14, 23:36
Also, Windows is telling me that updates are available. Should I do the updates? I'll wait for your directions.

Thanks!

peku006
2010-05-15, 09:08
Hi TMJ1968

"Should I do the updates?"
Wait a little.

"uwddqpow.sys
address A21A3c3E base at A21A3000
DateStamp 4b274f8d"
Are you sure of that name? We can try another tool.

Download RootRepeal from the following location and save it to your desktop.

Link 1 (http://rootrepeal.googlepages.com/RootRepeal.zip)
Link 2 (http://ad13.geekstogo.com/RootRepeal.zip)
Link 3 (http://rootrepeal.psikotick.com/RootRepeal.zip)

Unzip it to your Desktop
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT

Click the OK button
Check the box for your main system drive (Usually C:), and Click OK to start the scan

The scan can take some time. DO NOT run any other programs while the scan is running

When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

Thanks peku006

TMJ1968
2010-05-15, 09:44
I downloaded RootRepeal and started it...and the computer froze. I couldn't even get into the Task Manager (Ctrl-Alt-Del). I'm still stuck...

peku006
2010-05-15, 10:31
Hi TMJ1968

Let's run TDSS Killer by Kaspersky.

-Download TDSS Killer (http://support.kaspersky.com/viruses/solutions?qid=208280684) and save to your Desktop. Also print out those instructions on the same page for running the scan.

-Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

-Go to Start ->Run. Type/Copy and Paste the following text into the prompt:


"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v

-Click OK.
-If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.

-After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
-A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
Thanks peku006

TMJ1968
2010-05-15, 21:32
I had to restart my computer before starting out with your instructions this morning. When I did so, the Windows update automatically installed and required a restart. Upon restart (which was somewhat faster), a "May 10 Update Malware Removal Tool" opened and said that it had automatically removed some malware when it restarted, and suggested that I do a full scan. (Note: It did not tell me what was removed automatically upon restart.)

So I did a full scan, which turned up only one thing, something called "win32/Alureon.H", which it then repaired.

So then I ran TDSSKiller.exe, as you instructed in your last post, which appeared to find nothing. The log is below:




13:21:49:718 2188 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:21:49:718 2188 ================================================================================
13:21:49:718 2188 SystemInfo:

13:21:49:718 2188 OS Version: 5.1.2600 ServicePack: 3.0
13:21:49:718 2188 Product type: Workstation
13:21:49:718 2188 ComputerName: NESTEGG
13:21:49:718 2188 UserName: Thomas Johnston
13:21:49:718 2188 Windows directory: C:\WINDOWS
13:21:49:718 2188 Processor architecture: Intel x86
13:21:49:718 2188 Number of processors: 2
13:21:49:718 2188 Page size: 0x1000
13:21:49:734 2188 Boot type: Normal boot
13:21:49:734 2188 ================================================================================
13:21:49:734 2188 UnloadDriverW: NtUnloadDriver error 2
13:21:49:734 2188 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:21:49:750 2188 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:21:49:750 2188 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:21:49:750 2188 wfopen_ex: Trying to KLMD file open
13:21:49:750 2188 wfopen_ex: File opened ok (Flags 2)
13:21:49:750 2188 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:21:49:750 2188 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:21:49:750 2188 wfopen_ex: Trying to KLMD file open
13:21:49:750 2188 wfopen_ex: File opened ok (Flags 2)
13:21:49:750 2188 Initialize success
13:21:49:750 2188
13:21:49:750 2188 Scanning Services ...
13:21:49:796 2188 Raw services enum returned 393 services
13:21:49:796 2188
13:21:49:796 2188 Scanning Kernel memory ...
13:21:49:796 2188 Devices to scan: 12
13:21:49:796 2188
13:21:49:796 2188 Driver Name: Disk
13:21:49:796 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:796 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:796 2188 IRP_MJ_CLOSE : BA0CEBB0
13:21:49:796 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:796 2188 IRP_MJ_WRITE : BA0C8D1F
13:21:49:796 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:796 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:796 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:796 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:796 2188 IRP_MJ_FLUSH_BUFFERS : BA0C92E2
13:21:49:796 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:796 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:796 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:796 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:796 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:796 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0CCF28
13:21:49:796 2188 IRP_MJ_SHUTDOWN : BA0C92E2
13:21:49:796 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:796 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:796 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:796 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:796 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:796 2188 IRP_MJ_POWER : BA0CAC82
13:21:49:796 2188 IRP_MJ_SYSTEM_CONTROL : BA0CF99E
13:21:49:796 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:796 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:796 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:828 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:828 2188
13:21:49:828 2188 Driver Name: Disk
13:21:49:828 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:828 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:828 2188 IRP_MJ_CLOSE : BA0CEBB0
13:21:49:828 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:828 2188 IRP_MJ_WRITE : BA0C8D1F
13:21:49:828 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:828 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:828 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:828 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:828 2188 IRP_MJ_FLUSH_BUFFERS : BA0C92E2
13:21:49:828 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:828 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:828 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:828 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:828 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:828 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0CCF28
13:21:49:828 2188 IRP_MJ_SHUTDOWN : BA0C92E2
13:21:49:828 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:828 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:828 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:828 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:828 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:828 2188 IRP_MJ_POWER : BA0CAC82
13:21:49:828 2188 IRP_MJ_SYSTEM_CONTROL : BA0CF99E
13:21:49:828 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:828 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:828 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:843 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:843 2188
13:21:49:843 2188 Driver Name: Disk
13:21:49:843 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:843 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:843 2188 IRP_MJ_CLOSE : BA0CEBB0
13:21:49:843 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:843 2188 IRP_MJ_WRITE : BA0C8D1F
13:21:49:843 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:843 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:843 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:843 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:843 2188 IRP_MJ_FLUSH_BUFFERS : BA0C92E2
13:21:49:843 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:843 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:843 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:843 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:843 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:843 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0CCF28
13:21:49:843 2188 IRP_MJ_SHUTDOWN : BA0C92E2
13:21:49:843 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:843 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:843 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:843 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:843 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:843 2188 IRP_MJ_POWER : BA0CAC82
13:21:49:843 2188 IRP_MJ_SYSTEM_CONTROL : BA0CF99E
13:21:49:843 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:843 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:843 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:843 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:843 2188
13:21:49:843 2188 Driver Name: Disk
13:21:49:843 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:843 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:843 2188 IRP_MJ_CLOSE : BA0CEBB0
13:21:49:843 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:843 2188 IRP_MJ_WRITE : BA0C8D1F
13:21:49:843 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:843 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:843 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:843 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:843 2188 IRP_MJ_FLUSH_BUFFERS : BA0C92E2
13:21:49:843 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:843 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:843 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:843 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:843 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:843 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0CCF28
13:21:49:843 2188 IRP_MJ_SHUTDOWN : BA0C92E2
13:21:49:843 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:843 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:843 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:843 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:843 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:843 2188 IRP_MJ_POWER : BA0CAC82
13:21:49:843 2188 IRP_MJ_SYSTEM_CONTROL : BA0CF99E
13:21:49:843 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:843 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:843 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:859 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:859 2188
13:21:49:859 2188 Driver Name: USBSTOR
13:21:49:859 2188 IRP_MJ_CREATE : BA42D218
13:21:49:859 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:859 2188 IRP_MJ_CLOSE : BA42D218
13:21:49:859 2188 IRP_MJ_READ : BA42D23C
13:21:49:859 2188 IRP_MJ_WRITE : BA42D23C
13:21:49:859 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:859 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:859 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:859 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:859 2188 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:21:49:859 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:859 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:859 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:859 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:859 2188 IRP_MJ_DEVICE_CONTROL : BA42D180
13:21:49:859 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4289E6
13:21:49:859 2188 IRP_MJ_SHUTDOWN : 804F4562
13:21:49:859 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:859 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:859 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:859 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:859 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:859 2188 IRP_MJ_POWER : BA42C5F0
13:21:49:859 2188 IRP_MJ_SYSTEM_CONTROL : BA42AA6E
13:21:49:859 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:859 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:859 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:875 2188 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:21:49:875 2188
13:21:49:875 2188 Driver Name: USBSTOR
13:21:49:875 2188 IRP_MJ_CREATE : BA42D218
13:21:49:875 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:875 2188 IRP_MJ_CLOSE : BA42D218
13:21:49:875 2188 IRP_MJ_READ : BA42D23C
13:21:49:875 2188 IRP_MJ_WRITE : BA42D23C
13:21:49:875 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:875 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:875 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:875 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:875 2188 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:21:49:875 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:875 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:875 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:875 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:875 2188 IRP_MJ_DEVICE_CONTROL : BA42D180
13:21:49:875 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4289E6
13:21:49:875 2188 IRP_MJ_SHUTDOWN : 804F4562
13:21:49:875 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:875 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:875 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:875 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:875 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:875 2188 IRP_MJ_POWER : BA42C5F0
13:21:49:875 2188 IRP_MJ_SYSTEM_CONTROL : BA42AA6E
13:21:49:875 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:875 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:875 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:890 2188 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:21:49:890 2188
13:21:49:890 2188 Driver Name: USBSTOR
13:21:49:890 2188 IRP_MJ_CREATE : BA42D218
13:21:49:890 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:890 2188 IRP_MJ_CLOSE : BA42D218
13:21:49:890 2188 IRP_MJ_READ : BA42D23C
13:21:49:890 2188 IRP_MJ_WRITE : BA42D23C
13:21:49:890 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:890 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:890 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:890 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:890 2188 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:21:49:890 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:890 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:890 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:890 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:890 2188 IRP_MJ_DEVICE_CONTROL : BA42D180
13:21:49:890 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4289E6
13:21:49:890 2188 IRP_MJ_SHUTDOWN : 804F4562
13:21:49:890 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:890 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:890 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:890 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:890 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:890 2188 IRP_MJ_POWER : BA42C5F0
13:21:49:890 2188 IRP_MJ_SYSTEM_CONTROL : BA42AA6E
13:21:49:890 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:890 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:890 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:890 2188 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:21:49:890 2188
13:21:49:890 2188 Driver Name: USBSTOR
13:21:49:890 2188 IRP_MJ_CREATE : BA42D218
13:21:49:890 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:890 2188 IRP_MJ_CLOSE : BA42D218
13:21:49:890 2188 IRP_MJ_READ : BA42D23C
13:21:49:890 2188 IRP_MJ_WRITE : BA42D23C
13:21:49:890 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:890 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:890 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:890 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:890 2188 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:21:49:890 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:890 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:890 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:890 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:890 2188 IRP_MJ_DEVICE_CONTROL : BA42D180
13:21:49:890 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4289E6
13:21:49:890 2188 IRP_MJ_SHUTDOWN : 804F4562
13:21:49:890 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:890 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:890 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:890 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:890 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:890 2188 IRP_MJ_POWER : BA42C5F0
13:21:49:890 2188 IRP_MJ_SYSTEM_CONTROL : BA42AA6E
13:21:49:890 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:890 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:890 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:906 2188 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:21:49:906 2188
13:21:49:906 2188 Driver Name: Disk
13:21:49:906 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:906 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:906 2188 IRP_MJ_CLOSE : BA0CEBB0
13:21:49:906 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:906 2188 IRP_MJ_WRITE : BA0C8D1F
13:21:49:906 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:906 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:906 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:906 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:906 2188 IRP_MJ_FLUSH_BUFFERS : BA0C92E2
13:21:49:906 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:906 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:906 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:906 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:906 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:906 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0CCF28
13:21:49:906 2188 IRP_MJ_SHUTDOWN : BA0C92E2
13:21:49:906 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:906 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:906 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:906 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:906 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:906 2188 IRP_MJ_POWER : BA0CAC82
13:21:49:906 2188 IRP_MJ_SYSTEM_CONTROL : BA0CF99E
13:21:49:906 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:906 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:906 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:906 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:906 2188
13:21:49:906 2188 Driver Name: Disk
13:21:49:906 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:906 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:906 2188 IRP_MJ_CLOSE : BA0CEBB0
13:21:49:906 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:906 2188 IRP_MJ_WRITE : BA0C8D1F
13:21:49:906 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:906 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:906 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:906 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:906 2188 IRP_MJ_FLUSH_BUFFERS : BA0C92E2
13:21:49:906 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:906 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:906 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:906 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:906 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:906 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0CCF28
13:21:49:906 2188 IRP_MJ_SHUTDOWN : BA0C92E2
13:21:49:906 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:906 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:906 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:906 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:906 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:906 2188 IRP_MJ_POWER : BA0CAC82
13:21:49:906 2188 IRP_MJ_SYSTEM_CONTROL : BA0CF99E
13:21:49:906 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:906 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:906 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:921 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:921 2188
13:21:49:921 2188 Driver Name: Disk
13:21:49:921 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:921 2188 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:21:49:921 2188 IRP_MJ_CLOSE : BA0CEBB0
13:21:49:921 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:921 2188 IRP_MJ_WRITE : BA0C8D1F
13:21:49:921 2188 IRP_MJ_QUERY_INFORMATION : 804F4562
13:21:49:921 2188 IRP_MJ_SET_INFORMATION : 804F4562
13:21:49:921 2188 IRP_MJ_QUERY_EA : 804F4562
13:21:49:921 2188 IRP_MJ_SET_EA : 804F4562
13:21:49:921 2188 IRP_MJ_FLUSH_BUFFERS : BA0C92E2
13:21:49:921 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:21:49:921 2188 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:21:49:921 2188 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:21:49:921 2188 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:21:49:921 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:921 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0CCF28
13:21:49:921 2188 IRP_MJ_SHUTDOWN : BA0C92E2
13:21:49:921 2188 IRP_MJ_LOCK_CONTROL : 804F4562
13:21:49:921 2188 IRP_MJ_CLEANUP : 804F4562
13:21:49:921 2188 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:21:49:921 2188 IRP_MJ_QUERY_SECURITY : 804F4562
13:21:49:921 2188 IRP_MJ_SET_SECURITY : 804F4562
13:21:49:921 2188 IRP_MJ_POWER : BA0CAC82
13:21:49:921 2188 IRP_MJ_SYSTEM_CONTROL : BA0CF99E
13:21:49:921 2188 IRP_MJ_DEVICE_CHANGE : 804F4562
13:21:49:921 2188 IRP_MJ_QUERY_QUOTA : 804F4562
13:21:49:921 2188 IRP_MJ_SET_QUOTA : 804F4562
13:21:49:921 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:921 2188
13:21:49:921 2188 Driver Name: nvata
13:21:49:921 2188 IRP_MJ_CREATE : B9EE7894
13:21:49:921 2188 IRP_MJ_CREATE_NAMED_PIPE : B9EE7874
13:21:49:921 2188 IRP_MJ_CLOSE : B9EE7894
13:21:49:921 2188 IRP_MJ_READ : B9EE7874
13:21:49:921 2188 IRP_MJ_WRITE : B9EE7874
13:21:49:921 2188 IRP_MJ_QUERY_INFORMATION : B9EE7874
13:21:49:921 2188 IRP_MJ_SET_INFORMATION : B9EE7874
13:21:49:921 2188 IRP_MJ_QUERY_EA : B9EE7874
13:21:49:921 2188 IRP_MJ_SET_EA : B9EE7874
13:21:49:921 2188 IRP_MJ_FLUSH_BUFFERS : B9EE7874
13:21:49:921 2188 IRP_MJ_QUERY_VOLUME_INFORMATION : B9EE7874
13:21:49:921 2188 IRP_MJ_SET_VOLUME_INFORMATION : B9EE7874
13:21:49:921 2188 IRP_MJ_DIRECTORY_CONTROL : B9EE7874
13:21:49:921 2188 IRP_MJ_FILE_SYSTEM_CONTROL : B9EE7874
13:21:49:921 2188 IRP_MJ_DEVICE_CONTROL : B9EE78AE
13:21:49:921 2188 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9EE7D6E
13:21:49:921 2188 IRP_MJ_SHUTDOWN : B9EE7874
13:21:49:921 2188 IRP_MJ_LOCK_CONTROL : B9EE7874
13:21:49:921 2188 IRP_MJ_CLEANUP : B9EE7874
13:21:49:921 2188 IRP_MJ_CREATE_MAILSLOT : B9EE7874
13:21:49:921 2188 IRP_MJ_QUERY_SECURITY : B9EE7874
13:21:49:921 2188 IRP_MJ_SET_SECURITY : B9EE7874
13:21:49:921 2188 IRP_MJ_POWER : B9EE7D0E
13:21:49:921 2188 IRP_MJ_SYSTEM_CONTROL : B9EE7A9C
13:21:49:921 2188 IRP_MJ_DEVICE_CHANGE : B9EE7874
13:21:49:921 2188 IRP_MJ_QUERY_QUOTA : B9EE7874
13:21:49:921 2188 IRP_MJ_SET_QUOTA : B9EE7874
13:21:49:937 2188 C:\WINDOWS\system32\drivers\nvata.sys - Verdict: 1
13:21:49:937 2188
13:21:49:953 2188 Completed
13:21:49:953 2188
13:21:49:953 2188 Results:
13:21:49:953 2188 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
13:21:49:953 2188 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:21:49:953 2188 File objects infected / cured / cured on reboot: 0 / 0 / 0
13:21:49:953 2188
13:21:49:953 2188 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:21:49:953 2188 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:21:49:953 2188 KLMD(ARK) unloaded successfully


I will now attempt to run the RootRepeal scan and post the results.

Thanks!
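
The TDSSKiller log above is mostly a dump of each storage driver's IRP dispatch table followed by a verdict, which is tedious to eyeball across a dozen device objects. What follows is an added example, not part of the thread and not Kaspersky's code: a Python triage script that parses log lines in this format into per-driver records and flags the things a helper looks for. Three assumptions are built in: that "Verdict: 1" is the tool's clean verdict (an assumption about the tool, not something the log states), that a non-zero infected count in the Results summary is worth reporting, and that the dispatch table for one driver should be identical across all of its device instances (a heuristic of this example, not TDSSKiller's own detection logic). The sample log text is constructed from the format shown above, and DEADBEEF is a constructed handler address.

```python
import re
from collections import defaultdict

# Every TDSSKiller 2.2.x log line starts with a timestamp (HH:MM:SS:mmm) and a PID.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"^(.+\.sys)\s+-\s+Verdict:\s*(\d+)", re.IGNORECASE)
RESULT_RE = re.compile(
    r"^(\w+) objects infected / cured / cured on reboot:\s*(\d+) / (\d+) / (\d+)")

# Assumption: the tool reports "Verdict: 1" for a driver image it considers clean.
CLEAN_VERDICT = 1

# Constructed sample in the format of the log above (dispatch tables abridged).
CLEAN_LOG = r"""13:21:49:718 2188 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:21:49:796 2188 Scanning Kernel memory ...
13:21:49:796 2188 Devices to scan: 3
13:21:49:796 2188 Driver Name: Disk
13:21:49:796 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:796 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:796 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:828 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:828 2188
13:21:49:828 2188 Driver Name: Disk
13:21:49:828 2188 IRP_MJ_CREATE : BA0CEBB0
13:21:49:828 2188 IRP_MJ_READ : BA0C8D1F
13:21:49:828 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB
13:21:49:843 2188 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:21:49:921 2188 Driver Name: nvata
13:21:49:921 2188 IRP_MJ_CREATE : B9EE7894
13:21:49:921 2188 IRP_MJ_READ : B9EE7874
13:21:49:921 2188 IRP_MJ_DEVICE_CONTROL : B9EE78AE
13:21:49:937 2188 C:\WINDOWS\system32\drivers\nvata.sys - Verdict: 1
13:21:49:953 2188 Results:
13:21:49:953 2188 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
13:21:49:953 2188 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:21:49:953 2188 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Constructed variant: the second Disk instance has a re-pointed IRP_MJ_DEVICE_CONTROL
# handler (DEADBEEF is a made-up value) and the summary reports one infected memory object.
SUSPICIOUS_LOG = CLEAN_LOG.replace(
    "13:21:49:828 2188 IRP_MJ_DEVICE_CONTROL : BA0C93BB",
    "13:21:49:828 2188 IRP_MJ_DEVICE_CONTROL : DEADBEEF",
).replace(
    "Memory objects infected / cured / cured on reboot: 0 / 0 / 0",
    "Memory objects infected / cured / cured on reboot: 1 / 1 / 0",
)


def parse_tdsskiller_log(text):
    """Return {"drivers": [record, ...], "results": {kind: (infected, cured, cured_on_reboot)}}.

    A record opens at "Driver Name:", collects IRP_MJ_* handler addresses, and closes
    at the "<path> - Verdict: N" line.
    """
    drivers, results, current = [], {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if (d := DRIVER_RE.match(msg)):
            current = {"name": d.group(1), "dispatch": {}, "path": None, "verdict": None}
            drivers.append(current)
        elif current is not None and (i := IRP_RE.match(msg)):
            current["dispatch"][i.group(1)] = int(i.group(2), 16)
        elif current is not None and (v := VERDICT_RE.match(msg)):
            current["path"], current["verdict"] = v.group(1), int(v.group(2))
            current = None
        elif (r := RESULT_RE.match(msg)):
            results[r.group(1).lower()] = tuple(int(x) for x in r.groups()[1:])
    return {"drivers": drivers, "results": results}


def triage(report):
    """List human-readable findings; an empty list means nothing stood out."""
    findings = []
    for d in report["drivers"]:
        if d["verdict"] != CLEAN_VERDICT:
            findings.append(f"{d['name']}: verdict {d['verdict']} for {d['path']}")
    # Heuristic of this example: all device objects served by one driver should expose
    # the same dispatch table, so a handler that differs between instances was changed
    # after the driver loaded and deserves a closer look.
    by_name = defaultdict(list)
    for d in report["drivers"]:
        by_name[d["name"]].append(d["dispatch"])
    for name, tables in by_name.items():
        for major in sorted({k for t in tables for k in t}):
            seen = {t.get(major) for t in tables}
            if len(seen) > 1:
                shown = sorted(f"{a:08X}" if a is not None else "missing" for a in seen)
                findings.append(f"{name}: {major} differs across instances: " + ", ".join(shown))
    for kind, (infected, cured, cured_reboot) in report["results"].items():
        if infected:
            findings.append(
                f"{kind} objects infected: {infected} (cured {cured}, on reboot {cured_reboot})")
    return findings


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("suspicious", SUSPICIOUS_LOG)):
        found = triage(parse_tdsskiller_log(log))
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run against the real report.txt with `parse_tdsskiller_log(open("C:/report.txt").read())`; the clean sample yields no findings, while the constructed suspicious sample reports the differing IRP_MJ_DEVICE_CONTROL handler on Disk and the infected memory object.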

peku006
2010-05-16, 10:12
Hi TMJ1968

Do not run RootRepeal; it is not necessary.

Please download maxlook (http://noahdfear.net/downloads/maxlook.exe), saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):
batch look.bat

http://noahdfear.net/WTT/lookXP.gif

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Click Start >> Run and then type the following in the run box

maxlook -sig

(note the space before the - sign)
It will produce looklog.txt on the desktop and open it.
Please post the results here.

Thanks peku006

TMJ1968
2010-05-17, 01:34
When restarting, computer will not let me into (choose) windows recovery console. It just flashes by quickly. It also will not recognize F2 or F12 on restart. So stuck again with instructions I cannot complete....

Is there any way we could set a specific time to work on this, where we could both be online? It has been a week and things seem worse. Of course, that is not your fault. But the time difference is making it very difficult to accomplish anything with only one e-mail exchange a day. Thanks for your consideration.

peku006
2010-05-17, 10:22
Hi TMJ1968


"Is there any way we could set a specific time to work on this, where we could both be online?"
I'm sorry, but I do not know when I have "free time"; real life is really hectic.
It appears that you have TDL3, or Alureon rootkit infections, and they may be difficult to remove.

We need to use ComboFix again.

Delete the copy of combofix.exe on your desktop and download a fresh copy from > here < (http://download.bleepingcomputer.com/sUBs/ComboFix.exe), saving it to your desktop.

Then run ComboFix again.

Please include the C:\ComboFix.txt in your next reply.

Thanks peku006

peku006
2010-05-22, 09:51
Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Malware Removal forum (http://forums.spybot.info/forumdisplay.php?f=22), include a fresh DDS log, and wait for a new helper.

Your donation helps improve Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)