S&D cannot be deleted. S&D and IE exe cannot be launched

Status
Not open for further replies.
You don't need Inherit right now; just proceed with the instructions in my previous post.
 
Normal boot, my ID:

When I try Start -> Run -> usrini~1.exe /uninstall
I get told not found.

I went to C:\Windows and search for
*usrini*
(and I have it set to show hidden files & folders)
and it did not find anything. I then tried searcing for
*userini* (Added an "e" to the name) and found a few hits. See zipped screen shot of the hits and advise how I need to proceed.

Thanks
 
That's fine, it's most likely gone. You may have removed it when, as you said, you tried to uninstall the program prior to posting. Just go ahead with the rest of the fix.
 
I think CF almost worked. It seemed to work up to the reboot. Then it rebooted. Then it ran for a while building the log after the reboot. However, after a time, I got one of those "program abended, do you want to notify Microsoft" notices for pev-cfxxe. I am pasting below the CF log and I am attaching a zip file of a pic of the program abend / notify MS thing (I also had it show the details and included that in the screen shot as well).


ComboFix 11-01-11.03 - Paul Brown 01/12/2011 20:06:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.515 [GMT -6:00]
Running from: c:\documents and settings\Paul Brown\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\program files\Gamevance
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner Help.chm
C:\Thumbs.db
c:\windows\assembly\GAC\__AssemblyInfo__.ini
c:\windows\jestertb.dll
c:\windows\system32\drivers\vbma3a2b.sys
c:\windows\system32\eventmgr.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vbma3a2b


((((((((((((((((((((((((( Files Created from 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))
.

2011-01-11 23:54 . 2011-01-11 23:54 38400 ------w- c:\windows\system32\fdrv2.sys
2011-01-05 02:27 . 2011-01-05 23:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-04 12:32 . 2011-01-04 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-01-04 12:32 . 2011-01-04 12:32 -------- d-----w- c:\documents and settings\Paul Brown\Application Data\SUPERAntiSpyware.com
2011-01-03 23:58 . 2011-01-03 23:58 -------- d-----w- c:\documents and settings\Paul Brown\Application Data\Malwarebytes
2011-01-03 23:57 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-03 23:57 . 2011-01-03 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-03 23:57 . 2011-01-08 03:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-03 23:57 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-31 06:26 . 2010-12-31 06:26 -------- d-----w- c:\documents and settings\Administrator
2010-12-29 00:43 . 2010-12-29 00:44 -------- d-----w- c:\program files\ERUNT
2010-12-28 23:43 . 2011-01-03 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-28 22:31 . 2010-12-28 22:32 -------- d-----w- c:\program files\ContentWatch
2010-12-28 22:31 . 2010-12-28 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ContentWatch
2010-12-28 00:55 . 2010-12-28 00:55 -------- d-----w- c:\documents and settings\Z Emer Admin\Local Settings\Application Data\HP
2010-12-28 00:55 . 2010-12-28 00:55 -------- d-----w- c:\documents and settings\Z Emer Admin\Local Settings\Application Data\Apple Computer
2010-12-28 00:55 . 2010-12-28 00:55 -------- d-----w- c:\documents and settings\Z Emer Admin\Application Data\Apple Computer
2010-12-28 00:31 . 2010-12-28 00:31 75264 ----a-w- c:\windows\system32\dcaf.sys
2010-12-28 00:28 . 2011-01-11 12:00 75264 ----a-w- c:\windows\system32\ceaf.sys
2010-12-25 20:19 . 2010-12-25 20:23 -------- d-----w- c:\documents and settings\Paul Brown\Application Data\Apple Computer
2010-12-25 20:17 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-25 20:17 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-12-25 20:16 . 2010-12-25 20:16 -------- d-----w- c:\program files\iPod
2010-12-25 20:16 . 2010-12-25 20:17 -------- d-----w- c:\program files\iTunes
2010-12-25 20:16 . 2010-12-25 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-25 20:15 . 2010-12-25 20:15 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-12-25 20:15 . 2010-12-25 20:15 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-12-25 20:15 . 2010-12-25 20:15 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-12-25 20:15 . 2010-12-25 20:15 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-12-25 20:14 . 2010-12-25 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-12-25 20:14 . 2010-12-25 20:14 -------- d-----w- c:\documents and settings\Paul Brown\Local Settings\Application Data\Apple
2010-12-25 20:14 . 2010-12-25 20:14 -------- d-----w- c:\program files\Apple Software Update
2010-12-25 20:13 . 2010-12-25 20:13 -------- d-----w- c:\program files\Bonjour
2010-12-25 20:12 . 2010-12-25 20:16 -------- d-----w- c:\program files\Common Files\Apple
2010-12-25 20:12 . 2010-12-25 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-12-25 20:10 . 2010-12-25 20:19 -------- d-----w- c:\documents and settings\Paul Brown\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 20:37 . 2010-03-04 02:23 81920 ----a-w- c:\windows\system32\wxcode_msw28u_wxjson_CW.dll
2010-12-15 20:36 . 2010-03-04 02:23 1073152 ----a-w- c:\windows\system32\wxcode_msw28u_wxcurl_CW.dll
2010-12-15 20:34 . 2010-03-04 02:23 975872 ----a-w- c:\windows\system32\libxml2_CW.dll
2010-12-15 20:30 . 2009-01-02 18:47 151552 ----a-w- c:\windows\system32\libexpat.dll
2010-12-15 04:09 . 2010-03-04 02:23 720384 ----a-w- c:\windows\system32\cwalsp.dll
2010-12-15 04:09 . 2010-03-04 02:23 1884160 ----a-w- c:\windows\system32\AltaRecovery.exe
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 01:52 . 2007-12-31 02:24 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
.

------- Sigcheck -------

[7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ie7\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-15 202024]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-05-04 550232]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2010-12-15 354112]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

c:\documents and settings\Rachel\Start Menu\Programs\Startup\
Shortcut to WinSnow98.lnk - f:\documents\Long-Term-All-3\2009-07-30\Download\WinSnow98.exe [N/A]

c:\documents and settings\Paul Brown\Start Menu\Programs\Startup\
ClearPlay Easy Updates.lnk - c:\program files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe [2008-3-4 1540096]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-2-11 303104]
FastStone Capture.lnk - c:\program files\FastStone Capture\FSCapture.exe [2007-2-12 1111552]
Forget Me Not.lnk - c:\program files\Mindscape\AGSpirit\PMREMIND.EXE [2009-10-26 346624]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
RCA Detective.lnk - c:\documents and settings\Paul Brown\My Documents\RCA Detective\RCADetective.exe [2009-10-19 1069056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMremind.exe [2009-2-14 331776]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
VPN Client.lnk - c:\windows\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2009-1-13 6144]
WinZip Quick Pick.lnk - c:\z-software-for-installs\Winzip\WZQKPICK.EXE [2011-1-3 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

R1 ceaf;ceaf; [x]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2010-12-15 2109440]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 136176]
R3 pohci13F;pohci13F;c:\docume~1\PAULBR~1\LOCALS~1\Temp\pohci13F.sys [x]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-04-13 11520]
S1 fdrv2;fdrv2;c:\windows\system32\fdrv2.sys [2011-01-11 38400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-11-24 88176]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2011-01-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-25 12:20]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 11:27]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 11:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: ameren.com
Trusted Zone: brownshoe.com
Trusted Zone: clearplay.com
Trusted Zone: hp.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: VPNJava - hxxps://remote.brownshoe.com/CACHE/stc/1/binaries/VPNJava.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://remote.brownshoe.com/CACHE/stc/1/binaries/vpnweb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-12 20:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\devldr32.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\imapi.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2011-01-12 20:31:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-13 02:30

Pre-Run: 6,289,784,832 bytes free
Post-Run: 7,447,400,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 3CB2FFB62DDA788633CA8EDFBCB8B97A
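Added example, not part of the thread and not ComboFix's own code: a small Python triage pass over the kinds of lines the log above contains. It assumes the ComboFix conventions as they appear here: Drivers/Services lines of the form `R1 name;display;path [date size]`, with `[x]` where no file could be found (an assumption about the marker's meaning), Security Center override values written as `dword:` entries, and the standard-profile `EnableFirewall` value. It flags the three things a defender checks first in such a log: services whose file is missing, drivers loading from a Temp directory, and Security Center or firewall settings that suppress protection. The sample lines are constructed for this example from the shapes seen above.

```python
import re
from collections import Counter

# Constructed sample in the shape of the ComboFix sections above
# (Security Center, firewall policy, Drivers/Services). Not a real file.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 ceaf;ceaf; [x]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2010-12-15 2109440]
R3 pohci13F;pohci13F;c:\docume~1\PAULBR~1\LOCALS~1\Temp\pohci13F.sys [x]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-04-13 11520]
S1 fdrv2;fdrv2;c:\windows\system32\fdrv2.sys [2011-01-11 38400]
"""

# "R1 name;display;path [tag]" -- tag is "x" (assumed: file not found) or "date size"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]*);([^;]*);(.*?)(?: \[(.*)\])?$")
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# These values, when non-zero, tell Security Center not to warn about the
# corresponding protection being absent or disabled.
OVERRIDE_KEYS = {"AntiVirusOverride", "FirewallOverride", "AntiSpywareOverride"}


def triage(log_text):
    """Return a list of (severity, reason, line) findings for a ComboFix-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, path, tag = m.groups()
            if tag == "x":
                findings.append(("high", f"service {name}: file missing or unverifiable", line))
            if TEMP_DIR_RE.search(path):
                findings.append(("high", f"service {name}: driver loaded from a Temp directory", line))
            continue
        m = DWORD_RE.match(line)
        if m and m.group(1) in OVERRIDE_KEYS and int(m.group(2), 16) != 0:
            findings.append(("medium", f"{m.group(1)} is set: Security Center alerts suppressed", line))
            continue
        m = FIREWALL_RE.match(line)
        if m and m.group(1) == "0":
            findings.append(("medium", "Windows Firewall disabled for the standard profile", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 4}."""
    return dict(Counter(severity for severity, _reason, _line in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, reason, line in results:
        print(f"[{severity}] {reason}\n    {line}")
    print(summarize(results))
```

Run it as a script to see the findings for the constructed sample; on a real ComboFix log, pass the file contents to `triage()`. The service regex keeps the `[date size]` tag as a plain string so that only the `[x]` marker is treated as suspicious.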
 
Good Morning,

Paydirt, you finally got it to run and it removed what we wanted it to. I need to look over your log real close to see if there is more to remove; in the meantime, run this program.


Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan. [MBAMCapture.jpg]
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
 
Good morning,

MB ran, found three items and needed to reboot (which I did). I will post the log below. After the reboot, I ran the quick scan again and MB abended just like combo fix did after the reboot. That is, I got a "MS anti-MW has encountered a problem and needs to close. We are sorry for the inconvenience" and had the send/don't send buttons. (And since it abended, there is not a 2nd log.)


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5510

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

01/13/2011 6:01:12 AM
mbam-log-2011-01-13 (06-01-12).txt

Scan type: Quick scan
Objects scanned: 251845
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\dcaf.sys (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ceaf.sys (Backdoor.Agent) -> Quarantined and deleted successfully.
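Added example, not part of the thread and not Malwarebytes' own code: a Python parser for the Malwarebytes log layout shown above, which groups detections by section and threat name and separates items still marked "No action taken" by where they live. The location classes are assumptions for this example: `c:\Qoobox\quarantine` is where ComboFix keeps its quarantined copies, and `System Volume Information\_restore{...}` holds System Restore points, so a detection there is a stored copy rather than a file in use. The sample log is constructed from the line shapes in the logs above.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Malwarebytes logs above; not a real file.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5510

Scan type: Quick scan
Objects scanned: 251845

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\dcaf.sys (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\WinSxS\x86_example\shsvcs.dll.vir (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0159296.dll (Trojan.Agent.Max) -> No action taken.
"""

# "<item> (<threat>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict {category, item, threat, action} per detection line."""
    detections = []
    category = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("Infected:"):      # section header such as "Files Infected:"
            category = line[:-1]
            continue
        if not line or line.startswith("(") or category is None:
            continue                        # blank, "(No malicious items detected)", or preamble
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"category": category, **m.groupdict()})
    return detections


def classify_location(path):
    """Assumed location classes: restore point, ComboFix quarantine, or live system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"
    if p.startswith("c:\\qoobox\\quarantine"):
        return "combofix quarantine"
    return "live"


def summarize(detections):
    """Counts by section and threat, plus the unresolved items and where they sit."""
    pending = [d for d in detections if d["action"].lower().startswith("no action")]
    return {
        "by_category": dict(Counter(d["category"] for d in detections)),
        "by_threat": dict(Counter(d["threat"] for d in detections)),
        "pending": [d["item"] for d in pending],
        "pending_by_location": dict(Counter(classify_location(d["item"]) for d in pending)),
        "pending_live": [d["item"] for d in pending if classify_location(d["item"]) == "live"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_MBAM_LOG)).items():
        print(f"{key}: {value}")
```

The `pending_live` list is the one worth reading first: it holds unresolved detections outside quarantine and restore-point folders. The other pending entries can be cleaned up as well, but they are copies the system is not executing.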
 
Please see prior post.

I did NOT reboot after THAT post and I ran the MW scan again and no errors showed up. I am going to launch a full scan now but I do not know how long it will take so I might have to leave to go to work before it completes.
 
Do this and then let me know how things are running now.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png]
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png]
  8. Make sure that the option "Remove found threats" is Unchecked
  9. Push the Start button.
  10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  11. When the scan completes, push [esetListThreats.png]
  12. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  13. Push the [esetBack.png] button.
  14. Push [esetFinish.png]
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
 
Hi,

Just got back to my Computer before heading off to work. The full MW scan found more stuff.

I DID NOT click remove selected because I wanted your input before proceeding.

I did say create log and will post it below.

The MW tool is still open and waiting for either repair or abort.

Please let me know if I should continue with the repair and then do what you put in post #68, or if I should abort and go straight to your instructions in post #68.

Here is the log from the full scan:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5510

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

01/13/2011 7:19:43 AM
mbam-log-2011-01-13 (07-19-10).txt

Scan type: Full scan (C:\|)
Objects scanned: 312853
Time elapsed: 52 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 168

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\WinSxS\x86_microsoft.windows.shell.hweventdetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll.vir (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0159296.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0159308.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0159318.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160308.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160317.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160327.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160351.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160352.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160359.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160362.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160370.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160436.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1009\A0160446.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1010\A0160664.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1010\A0160670.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1010\A0160672.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1010\A0160678.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160842.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160848.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160850.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160856.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160858.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160862.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160867.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160875.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1012\A0160885.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1013\A0160933.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161104.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161252.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161059.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161063.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161073.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161081.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161091.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161094.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161113.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161159.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161169.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161171.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161176.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161181.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1014\A0161191.sys (Backdoor.Agent) -> No action taken.
 
Hi,

All that Malwarebytes found was in your System Restore program; they're harmless unless you try to restore your computer to an earlier date, then you take the chance of becoming infected again. There was also one entry in Qoobox, which is a backup of what Combofix removed. Malwarebytes is one of the better programs to come along in quite a while; it just removes bad stuff, nothing legit.


My instructions for Malwarebytes:
Be sure that everything is checked, and click Remove Selected.
I would not have posted this if I wanted you to abort the program. You need to run Malwarebytes again and remove all it finds.



Then, to be sure it's all gone, do this:

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:
  1. Click Start > Run > copy and paste the following into the run box:
    %SystemRoot%\System32\restore\rstrui.exe
  2. Press OK. Choose Create a Restore Point then click Next.
  3. Name it (something you'll remember) and click Create.
  4. When the confirmation screen shows the restore point has been created click Close.

Then remove all previous Restore Points
  1. Click Start > Run > copy and paste the following into the run box:
    cleanmgr
  2. Choose to scan drive C:\ (if C:\ is your main drive).
  3. At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
  4. Click on the Yes button.
  5. When finished, click on Cancel button to exit.


We will remove Qoobox when we're done.


So go ahead and run MBAM, removing what it finds, and post the report, then run the System Restore program; there is no report for this.

After you have done the above go ahead and run ESET
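The point above, that hits under System Restore or the Qoobox backup are not live infections while anything left at "No action taken" still needs a rerun, can be checked mechanically over the log. This is an added example, not code from this thread or from Malwarebytes; the line patterns, location rules and sample log are modelled on the 1.x logs quoted here, and the restore-point GUID is a placeholder.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log.

Groups each detection by where the file lives (System Restore snapshots,
the ComboFix Qoobox backup, Temporary Internet Files, or a live location)
and counts entries the user left at "No action taken".
"""
import re
from collections import Counter

# Detection lines in the 1.x logs look like:  <path> (<threat>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary counter lines look like:  Files Infected: 3
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+Infected): (?P<count>\d+)$")

# Path classes, checked in order; the first match wins, otherwise "live".
LOCATION_RULES = (
    ("system_restore", re.compile(r"\\system volume information\\_restore\{", re.I)),
    ("combofix_backup", re.compile(r"\\qoobox\\", re.I)),
    ("temp_internet_files", re.compile(r"\\temporary internet files\\", re.I)),
)


def classify_path(path):
    """Return the location class for a detected file path."""
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "live"


def parse_log(text):
    """Parse detection entries and summary counters out of an MBAM log body."""
    detections, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("key")] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({
                "path": m.group("path"),
                "threat": m.group("threat"),
                "action": m.group("action"),
                "location": classify_path(m.group("path")),
            })
    return detections, summary


def triage(text):
    """Summarise a log: per-location counts, live hits, and unresolved entries."""
    detections, summary = parse_log(text)
    by_location = Counter(d["location"] for d in detections)
    live_paths = [d["path"] for d in detections if d["location"] == "live"]
    unresolved = sum(1 for d in detections
                     if d["action"].lower().startswith("no action taken"))
    return {"by_location": dict(by_location), "live_paths": live_paths,
            "unresolved": unresolved, "summary": summary}


# Constructed sample log in the format quoted in this thread (placeholder GUID).
SAMPLE_LOG = r"""
Files Infected: 4

Files Infected:
c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\RP1014\A0161195.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\RP1014\A0161217.sys (Backdoor.Agent) -> No action taken.
c:\qoobox\quarantine\C\WINDOWS\system32\drivers\example_.sys.vir (Rootkit.Agent) -> No action taken.
c:\windows\system32\example-bad.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```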
 
Hi - I finished the exec of MWB to remove the bad stuff. Rebooted. Ran a full scan. All clean. I will post the log below. I created the sys restore point and deleted the old points per your instructions. After this post, I will run ESET and post those results as well.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5510

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

01/13/2011 7:21:52 PM
mbam-log-2011-01-13 (19-21-52).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|)
Objects scanned: 346183
Time elapsed: 1 hour(s), 48 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Good morning,

Please see prior post for the run of MWB. Below is the contents of the ESET log.

Thanks


C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_vbma3a2b_.sys.zip a variant of Win32/Rootkit.Kryptik.CK trojan

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DOH1BRDG\script_card[1] Win32/Adware.Antivirus2010 application

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XG2318XA\uninstall[1] Win32/Adware.Antivirus2010 application
 
That bad file is in the Combofix backup folder and the other two are in your Temporary Internet Files.


Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.



Now open up OTL and click on Cleanup and it will remove all the tools we used to clean your system along with their backups.


How is your computer behaving now ?
 
Hi,

Ran ATF & OTL. Nothing odd happened with either of them so I suppose that they did what they needed to do.

Regarding the computer running.

SB S&D - I was having trouble with it at the start of the post and we have not done anything with it since then so I assume that I need to uninstall (if applicable) and reinstall. I am ready to do that if you think it is time to try it.

Avast - Same as SB S&D. Shall I try a un/reinstall?

IE7 - Same as SB S&D. In days gone by, I seem to recall that IE could not be uninstalled for a reinstall. I looked in add/remove back at the start of all of this trouble to see if it had a repair option but I did not see it. How do I get IE7 running again? (Note: I cannot recall if my computer will not handle IE8 or I just have not had time to look into it, but I would prefer to stick with IE7 for now and deal with IE8 at another time.) How do I get IE7 running again?

MS Word (which I have only tried a little bit) acts as if I launched the document twice. That is, it opens, and then the screen "blinks" and I get a notice/window that talks about the file being in use and asks if I want to make a copy.

By "blink", I mean the screen does some sort of change/blanks or something real quick but then the screen is back to what it was before.

MS Excel does the same thing (which I have only tried a little more than MS Word). Excel acts like Word some of the time, and other times it just "blinks" but does not give the notice about trying to open the file again.

Other apps - I have not tried other stuff. I have had the computer turned off unless I was doing something related to repair so as to limit the virus having access to stuff. I have only started opening the MS documents the last day or two after we got through a couple of good scans. (I have not tried to make any changes or do any saves or creates).

Note: Of course all of my application settings are on C:\ as well as some of my apps saved data (because they do not give the choice to save anywhere besides C:\). At the same time though, I have a lot of data on a separate hard drive that I removed at the first sign of trouble and just recently added back in so that it could be part of the full blown MWB scan.

Ditto for the hard drive that I used to back up my data.

Ditto for a flash drive that I used a little bit because, at the very beginning of all of this, I was posting on my Win 98 machine, downloading files to the flash and transferring them to this XP machine (the trouble machine) to do our work. Then I realized that Google Chrome would work on the XP machine and did not need to use the Win 98/flash drive stuff any more.

I know all three of these extra drives were part of the MWB scan because I was able to list them as drives to scan. However, I could not tell if the on-line scan checked these other three drives through. Is there something extra that we should run against these drives or do you think that the MWB scan was sufficient?

Quick review of what was recently scanned and when (to the best I can recall):

MWB - C:\ found trouble, did CF to fix things up.
MWB - C:\ Nothing found
MWB - C:\ +E:\ (data drive) F:\(Back up drive) G:\(Flash) - Nothing found

On-line scan - I would assume it scanned C:\ but I do not know if it scanned E, F & G.

Thanks!
 
Hi,

Since you used a flash drive in between computers, I would run this on the computer we are working on.


Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

  • Double-click Flash_Disinfector.exe to run it.
  • Follow any prompts that may appear.
  • Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer.

The name of the game is security and keeping things updated; Internet Explorer 8 is much more secure than version 7. You can download and install it by running Windows Update or from this link.

http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx




At the beginning of working on this computer I gave you the option to format and reinstall Windows. With the amount and type of malware you had, along with the other problems, this is the route I would have taken if it were my computer.

We just do malware removal on this forum so I am going to link you to a nice windows support forum that you can post at for your other problems.
http://forums.whatthetech.com/index.php?showforum=119
Safe Surfn
Ken
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 