3 Apprentice

20.5K Posts

September 12th, 2010 15:00

Welcome. Thank you for using Dell Community Forums.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

I have no way of knowing exactly what changes that McAfee tech actually made to the system, but I will do my best to see if we can address the malware that is still showing in there.

I look forward to your reply so we can begin cleaning.

No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

September 13th, 2010 11:00

Hi Bugbatter, thanks for taking my problem. Here are my responses to your questions:

No postings to another forum.

Will enable System Restore; that was recommended by another software removal tool, which has been removed, and System Restore is now enabled.

Cracked software: I really do not think so.

OK, a BitTorrent website was used to download a concert, but I was not smart enough to figure it out, so there it sits. Now it's removed.

This is my computer.

OK, copies will be made in Notepad.

No surfing, no problem.

Specialized tools welcomed.

I have a log of what the McAfee techs did to assist; they created 2 logs which I can post if you want.

Also FYI, I removed all the Java from the HJT log before I contacted you, reason being that just before the problems started a Java screen popped up and seemed to initiate the problem. I may have to reload Java, but the redirect problem seemed to initiate from Java, so for now I am keeping it off.

Thanks, I really appreciate your help!

September 13th, 2010 15:00

Please do not do anything with Java unless I give you instructions. Make sure System Restore is enabled.

Before I start cleaning I need to see some additional information about what is happening in your machine.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • Click Yes at the prompt for Optional Scan.
  • When done, DDS will open two (2) logs

1. DDS.txt
2. Attach.txt

  • Save both reports to your desktop.
  • Copy/paste both logs to your reply on the forum. Do not attach them.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

Please Download Rootkit Unhooker Save it to your desktop.

Please make sure McAfee is disabled before running this next scan. You may enable it when you are finished.

  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
Virus protection
Spyware protection
System Guards Protection
Script Scanning Protection (you may have to scroll down to see it)
  • Next, select never for "When to re-enable real time scanning"
  • and click OK.

Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/microsite.do?cmd=displayKCPopup&docType=kc&externalID=222820

If that does not work, please uninstall McAfee. (If you have the CDs, or use McAfee Support, you can re-install it once we have verified that the computer is clean.)

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere you can find it (e.g. the desktop), then click Close.
  • Copy the entire contents of the report and paste it in a reply here.


In your next reply please include the following:

  • DDS.txt
  • Attach.txt
  • RKUnHooker

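The DDS.txt requested above contains a "Pseudo HJT Report" section that lists the machine's autostart points: the Winlogon Shell value, the legacy win.ini Load= value, the Run keys of the current user (uRun), the machine (mRun) and the default user hive (dRun), and Internet Explorer's proxy setting. Helpers read that section by hand for entries that launch from user-writable locations, hijack the logon shell, or route the browser through a local proxy (the usual mechanism behind search redirects). As an added example, not part of this thread and not a DDS feature, the Python script below applies those same checks to the text of such a report. The sample lines are a constructed excerpt in DDS format, the directory markers and the list of Windows binary names are this example's own assumptions, and the rules are heuristics: every hit still needs a human decision.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log for autostart entries
that point at user-writable locations or hijack the logon shell.

Heuristics, not signatures: every hit still needs a human decision.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed markers for directories a limited user can write to (8.3 short
# names included, because DDS prints them that way on XP).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\", "\\docume~1\\", "\\application data\\",
    "\\applic~1\\", "\\local settings\\", "\\locals~1\\", "\\temp\\",
    "\\users\\", "%appdata%", "%temp%", "%userprofile%",
)
# Assumed list of Windows binary names that malware reuses to blend into
# a process list.  Legitimate copies live under the Windows directory.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "dwm.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}
PATH_RE = re.compile(r"[a-z]:\\[^\"\r\n,]*?\.(?:exe|dll|scr|com|bat|cmd|pif)\b", re.I)
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
LEGIT_SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+$", re.I)
WINDIR_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)

# Constructed excerpt in DDS "Pseudo HJT Report" format (sample input).
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\owner~1\locals~1\temp\dwm.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Izofubopituc] rundll32.exe "c:\windows\kbjericp.dll",Startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
dRun: [wexvxcxw] c:\documents and settings\networkservice\local settings\application data\friwqfiks\iixemjpshdw.exe
"""


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def looks_like_masquerade(path: str) -> bool:
    """A system binary name stored anywhere but its normal directory."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name == "explorer.exe":
        return re.match(r"^[a-z]:\\windows\\explorer\.exe$", p) is None
    return name in SYSTEM_BINARY_NAMES and LEGIT_SYSTEM_DIR_RE.match(p) is None


def triage_line(line: str) -> Optional[Finding]:
    f = Finding(line.rstrip())
    low = line.lower()

    # 1. IE proxy pointed at the local machine: a local process is relaying
    #    (and can rewrite) every browser request, the classic redirect setup.
    if "proxyserver" in low and re.search(r"127\.0\.0\.1|localhost", low):
        f.reasons.append("browser proxied through a local port")

    # 2. Winlogon Shell should be exactly explorer.exe; anything appended
    #    after the comma starts at every logon alongside the desktop.
    m = re.match(r"^uWinlogon: Shell=(.*)$", line, re.I)
    if m:
        extra = [s.strip() for s in m.group(1).split(",")
                 if s.strip().lower() != "explorer.exe"]
        if extra:
            f.reasons.append("Winlogon Shell launches extra program(s): " + "; ".join(extra))

    # 3. The legacy win.ini Load=/Run= values are almost never used by
    #    legitimate software on XP; any value is worth a look.
    m = re.match(r"^uWindows: (Load|Run)=(.+)$", line, re.I)
    if m:
        f.reasons.append(f"legacy win.ini {m.group(1)}= autostart")

    # 4. Run-key entries: inspect every path the command references.
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        for path in PATH_RE.findall(cmd):
            if is_user_writable(path):
                f.reasons.append(f"autostart from user-writable location: {path}")
            if looks_like_masquerade(path):
                f.reasons.append(f"system binary name outside its normal directory: {path}")
            if "rundll32" in cmd.lower() and WINDIR_DLL_RE.match(path):
                f.reasons.append(f"rundll32 loads a DLL dropped in the Windows root: {path}")

    return f if f.reasons else None


def triage_report(text: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_report(SAMPLE_REPORT):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

On the sample, the two entries that point into c:\windows\system32 and c:\program files pass, and the other six are flagged. The script only reads the report text; it does not touch the registry or the machine, so it is safe to run on a log pasted from another computer.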
September 13th, 2010 21:00


Hi There,

Here are the 3 reports as requested. I had some trouble getting the Unhooker to run, as it kept saying it would not run ("not a valid Win32 application"), but I finally got it to open up. Hope this sheds some light. Thanks.

 

1.  DDS

 

DDS (Ver_10-03-17.01) - NTFSx86 
Run by owner at 19:04:30.60 on Mon 09/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1918.1304 [GMT -5:00]

AV: Antivirus *On-access scanning enabled* (Outdated)   {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated)   {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled*   {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\owner\Application Data\Microsoft\Windows\shell.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
"C:\Documents and Settings\owner\Application Data\Microsoft\svchost.exe"
C:\DOCUME~1\owner~1\LOCALS~1\Temp\dwm.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe
C:\WINDOWS\System\CmFlywav.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearch Bar =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\owner~1\locals~1\temp\dwm.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [Izofubopituc] rundll32.exe "c:\windows\kbjericp.dll",Startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Linksys WMB54G Utility] c:\program files\linksys wireless-g music bridge\WMB54G.exe -R
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [CmFlywaveName] c:\windows\system\CmFlywav.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [svchost] c:\documents and settings\owner\application data\microsoft\svchost.exe
dRun: [wexvxcxw] c:\documents and settings\networkservice\local settings\application data\friwqfiks\iixemjpshdw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5374/mcfscan.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-3-26 3456]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-9-1 88176]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-9-1 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-9-1 144704]
R3 cmvad;C-Media Wi-Sonic Wireless Audio Interface;c:\windows\system32\drivers\cmudaxv.sys [2008-4-2 1351360]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-9-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-1 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-1 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-9-1 40552]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-3-26 30192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-9-1 34248]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-9-2 50704]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2010-8-26 10112]

=============== Created Last 30 ================

2010-09-12 04:44:40 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-09-12 04:44:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-09-12 04:44:35 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-09-12 04:44:31 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-09-12 04:44:26 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-09-12 04:44:21 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-09-12 04:44:17 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-09-12 04:44:15 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-09-12 04:44:12 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-09-12 04:44:11 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-09-12 04:42:56 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-09-12 04:41:56 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-09-12 04:40:56 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2010-09-12 04:39:58 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-09-12 04:38:56 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2010-09-12 04:37:59 45568 ----a-w- c:\windows\system32\dllcache\smb3w.dll
2010-09-12 04:36:59 18400 ----a-w- c:\windows\system32\dllcache\sgsmld.sys
2010-09-12 04:35:58 198400 ----a-w- c:\windows\system32\dllcache\s3sav4.dll
2010-09-12 04:34:59 37563 ----a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-09-12 04:33:59 7168 ----a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-09-12 04:32:59 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
2010-09-12 04:31:58 7552 ----a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-09-12 04:30:57 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2010-09-12 04:29:58 92416 ----a-w- c:\windows\system32\dllcache\mga.sys
2010-09-12 04:28:58 26442 ----a-w- c:\windows\system32\dllcache\lanepic5.sys
2010-09-12 04:27:58 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2010-09-12 04:26:57 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2010-09-12 04:25:58 2688 ----a-w- c:\windows\system32\dllcache\hidswvd.sys
2010-09-12 04:24:59 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2010-09-12 04:23:59 7296 ----a-w- c:\windows\system32\dllcache\elmsmc.sys
2010-09-12 04:22:59 102484 ----a-w- c:\windows\system32\dllcache\digiinf.dll
2010-09-12 04:21:59 60970 ----a-w- c:\windows\system32\dllcache\cpqtrnd5.sys
2010-09-12 04:20:59 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-09-12 04:19:59 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2010-09-12 03:36:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 03:36:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-12 03:36:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-12 02:39:41 0 d-----w- c:\program files\Trend Micro
2010-09-03 02:18:26 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-09-03 02:18:26 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-09-03 02:18:26 100880 ----a-w- c:\windows\system32\Packet.dll
2010-09-02 01:00:11 11679 ----a-w- c:\windows\system32\Config.MPF
2010-09-02 00:57:21 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-09-02 00:57:20 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-09-02 00:57:20 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-09-02 00:57:08 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-09-02 00:56:02 0 d-----w- c:\program files\common files\McAfee
2010-09-02 00:55:56 0 d-----w- c:\program files\McAfee.com
2010-09-02 00:55:42 0 d-----w- c:\program files\McAfee
2010-09-02 00:55:29 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-09-01 23:57:26 0 d-----w- C:\temp
2010-09-01 23:56:37 0 d-----w- c:\docume~1\owner~1\applic~1\supportdotcom
2010-09-01 23:56:29 0 d-----w- c:\program files\common files\supportdotcom
2010-09-01 23:49:36 0 d-----w- c:\windows\pss
2010-09-01 04:24:22 2848 ----a-w- c:\windows\onucuqew.dll
2010-09-01 03:33:25 120 ----a-w- c:\windows\Sziqupehuk.dat
2010-09-01 03:33:25 0 ----a-w- c:\windows\Xcifedokez.bin
2010-08-26 09:16:02 28032 ----a-w- c:\windows\system32\ssmirrdr.dll
2010-08-26 09:16:02 10112 ----a-w- c:\windows\system32\drivers\ssmirrdr.sys

==================== Find3M  ====================

2010-08-09 04:06:27 7196 ----a-w- c:\docume~1\owner~1\applic~1\wklnhst.dat
2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 22:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

============= FINISH: 19:06:10.81 ===============

2.  Attach:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/31/2008 5:54:38 PM
System Uptime: 9/13/2010 6:34:06 PM (1 hours ago)

Motherboard: Dell Inc. |  | 0WY383
Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-57 | Socket M2/S1G1 | 1895/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 98.552 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: ATI Radeon Xpress 1150   
Device ID: PCI\VEN_1002&DEV_5974&SUBSYS_022A1028&REV_00\4&3B383830&0&2808
Manufacturer: ATI Technologies Inc.
Name: ATI Radeon Xpress 1150   
PNP Device ID: PCI\VEN_1002&DEV_5974&SUBSYS_022A1028&REV_00\4&3B383830&0&2808
Service: ati2mtag

==== System Restore Points ===================

RP1: 9/12/2010 11:07:28 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.4
ATI Catalyst Control Center
ATI Display Driver
Broadcom Management Programs
C-Media Wi-Sonic Wireless Audio Driver
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Automated PC TuneUp
Dell DataSafe Online
Dell Network Assistant
Dell Support Center
Dell Touchpad
Dell Wireless WLAN Card
Digital Line Detect
Google Desktop
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Linksys Wireless-G Music Bridge
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Diagnostic Tool
MovieEdit Task
MSN
MSXML 6.0 Parser (KB933579)
muvee autoProducer 4.1
NetWaiting
Outlook Express Backup V6.5
PhotoStitch
PMP DV
PowerDVD
QuickSet
RAW Image Task 1.1
RemoteCapture Task 1.0.3
Rhapsody
Rhapsody Player Engine
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981997)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

9/8/2010 11:22:14 PM, error: Service Control Manager [7023]  - The Application Management service terminated with the following error:  The specified module could not be found.
9/12/2010 1:20:23 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Browser service.
9/12/2010 1:19:44 AM, error: Service Control Manager [7023]  - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:  Access is denied.
9/11/2010 8:12:03 PM, error: Service Control Manager [7000]  - The MCSTRM service failed to start due to the following error:  The system cannot find the file specified.
9/11/2010 8:10:49 PM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
9/11/2010 8:10:49 PM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
9/11/2010 11:44:41 PM, information: Windows File Protection [64017]  - Windows File Protection file scan completed successfully.
9/11/2010 11:20:28 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\ativvaxx.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.1.9.
9/11/2010 11:20:27 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\ativvaxx.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.124.
9/11/2010 11:20:16 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\ati3duag.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.448.
9/11/2010 11:20:16 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\ati3duag.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.231.
9/11/2010 11:20:15 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\drivers\ati2mtag.sys has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.6462.
9/11/2010 11:20:14 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\drivers\ati2mtag.sys has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.6648.
9/11/2010 11:20:14 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\ati2dvag.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.6648.
9/11/2010 11:20:14 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\ati2dvag.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.6462.
9/11/2010 11:20:13 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\ati2cqag.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.321.
9/11/2010 11:20:13 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\ati2cqag.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 6.14.10.233.
9/11/2010 11:19:53 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\a3d.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 2.9.0.0.
9/11/2010 11:19:51 PM, information: Windows File Protection [64020]  - Windows File Protection scan found that the system file c:\windows\system32\a3d.dll has a bad signature. This file was restored to the original version to maintain system stability.  The file version of the system file is 4.12.1.2008.
9/11/2010 11:19:14 PM, information: Windows File Protection [64016]  - Windows File Protection file scan was started.

==== End Of File ===========================

3.  RKUnhooker:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB99BD000 C:\WINDOWS\system32\drivers\cmudaxv.sys 1351680 bytes (C-Media Electronics Inc, C-Media Wi-Sonic Audio WDM Driver)
0xB95A0000 C:\WINDOWS\system32\drivers\sthda.sys 1175552 bytes (SigmaTel, Inc., NDRC)
0xB9BBC000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 1126400 bytes (Broadcom Corp., Broadcom 802.11 Network Adapter wireless driver)
0xB9772000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB96BF000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9E5B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB9340000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB98C0000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB9514000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB8968000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xB7D1C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9864000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB930D000 C:\WINDOWS\system32\drivers\mfehidk.sys 208896 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
0xB9B1B000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 204800 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB8C58000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E2E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB7807000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB93B0000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9B4D000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB9425000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB94ED000 C:\WINDOWS\System32\Drivers\Mpfp.sys 159744 bytes (McAfee, Inc., McAfee Personal Firewall Plus Driver)
0xB77E1000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9999000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9B98000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9B75000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB9403000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9E14000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9EE8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9982000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB8C1B000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9B07000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xB9CCF000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB956D000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB7A3A000 C:\WINDOWS\system32\drivers\mfeavfk.sys 73728 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xB9EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9949000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA0F8000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 65536 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xBA278000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA2E8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA118000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB9045000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA188000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA108000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 57344 bytes (REDC, RICOH MMC Driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA308000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA128000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA1C8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA138000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA178000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA168000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xBA158000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB8D95000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA430000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA450000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA388000 C:\WINDOWS\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA440000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA448000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA458000 C:\WINDOWS\System32\Drivers\PCASp50.sys 20480 bytes (Printing Communications Assoc., Inc. (PCAUSA), PCAUSA NDIS 5.0 SPR Protocol Driver)
0xBA420000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA428000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA418000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3D8000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xBA3B0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB997E000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA59C000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB8790000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xB9DE8000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB8ED9000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB98B0000 C:\WINDOWS\system32\DRIVERS\packet.sys 16384 bytes (SingleClick Systems, SCS NDIS 5.0 Auto IP Protocol Driver)
0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB9962000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBFF50000 C:\WINDOWS\System32\framebuf.dll 12288 bytes (Microsoft Corporation, Framebuffer Display Driver)
0xBA568000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xBA5A0000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA56C000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA55C000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA646000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5C2000 C:\WINDOWS\system32\DRIVERS\datunidr.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xBA644000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA648000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA620000 C:\Program Files\DellAutomatedPCTuneUp\GTAction\triggers\PTproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
0xBA64A000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA636000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA634000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA672000 atiide.sys 4096 bytes (ATI Technologies Inc., ATI SATA(IDE Mode) Controller Driver)
0xBA7DC000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA7A1000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7E3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA671000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver:  0x8A487AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver:  0x8A62CC08 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9F31000 WARNING: suspicious driver modification [atapi.sys::0x8A487AEA]
0xBA308000 WARNING: Virus alike driver modification [i8042prt.sys], 53248 bytes

3 Apprentice

September 14th, 2010 06:00

Thank you for the information. Good job!

Please visit this webpage for download links, and instructions for running ComboFix (If you have a prior copy of Combofix, delete it now!) :

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please login as Administrator. If using Vista or Windows 7, do not attempt to simply run ComboFix with Admin Approval Mode.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please disable McAfee in the same way that you did previously. <-- Important!

Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

* Additional information on A/V control HERE.
* ComboFix is not intended for use with servers.

September 14th, 2010 16:00

Hi Bugbatter,

Downloaded Combo Fix, disabled McAfee AV, the MS Windows Recovery Console was installed, clicked yes to scan for Malware, during the scan it detected a problem with the router table, my router icon popped up, the scan said it fixed it, then got a blue screen saying "Problem detected Windows Shut Down."  Then it listed a message:

Bad_Pool_Caller

Maybe when my router icon popped up it interrupted the scan, just a thought.  Also CF did not ask me to log in as an administrator.   I will not re-run Combofix until I hear from you, per your instructions.  Thanks for your help.

3 Apprentice

September 14th, 2010 17:00

Reboot.

Try ComboFix again.

If that does not work, reboot into Safe Mode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
Rerun ComboFix.

September 14th, 2010 19:00

1. ComboFix Log:

ComboFix 10-09-14.01 - owner 09/14/2010  20:18:52.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1918.1453 [GMT -5:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\owner\Application Data\Microsoft\shell.exe
c:\documents and settings\owner\Application Data\Microsoft\svchost.exe
c:\documents and settings\owner\Local Settings\Application Data\{A2D09425-A8B9-4C2B-B492-E958A005C649}
c:\documents and settings\owner\Local Settings\Application Data\{A2D09425-A8B9-4C2B-B492-E958A005C649}\chrome.manifest
c:\documents and settings\owner\Local Settings\Application Data\{A2D09425-A8B9-4C2B-B492-E958A005C649}\chrome\content\_cfg.js
c:\documents and settings\owner\Local Settings\Application Data\{A2D09425-A8B9-4C2B-B492-E958A005C649}\chrome\content\overlay.xul
c:\documents and settings\owner\Local Settings\Application Data\{A2D09425-A8B9-4C2B-B492-E958A005C649}\install.rdf
c:\windows\onucuqew.dll
c:\windows\system32\drivers\1028_DELL_XPS_Vostro   1000 .MRK
c:\windows\system32\drivers\DELL_XPS_Vostro   1000 .MRK
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


(((((((((((((((((((((((((   Files Created from 2010-08-15 to 2010-09-15  )))))))))))))))))))))))))))))))
.

2010-09-14 18:12 . 2010-09-14 18:12 162816 ----a-w- c:\documents and settings\owner\Application Data\Microsoft\Windows\shell.exe
2010-09-12 04:44 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-09-12 04:44 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-09-12 04:44 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-09-12 04:44 . 2001-08-18 03:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-09-12 04:44 . 2001-08-18 03:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-09-12 04:44 . 2001-08-18 03:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-09-12 04:44 . 2001-08-17 17:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-09-12 04:44 . 2004-08-04 03:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-09-12 04:44 . 2004-08-04 03:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-09-12 04:44 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-09-12 04:42 . 2001-08-17 18:28 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-09-12 04:41 . 2001-08-18 03:36 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-09-12 04:40 . 2001-08-17 19:56 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2010-09-12 04:39 . 2001-08-17 17:50 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-09-12 04:38 . 2001-08-17 18:51 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2010-09-12 04:37 . 2001-08-18 03:36 45568 ----a-w- c:\windows\system32\dllcache\smb3w.dll
2010-09-12 04:36 . 2001-07-21 19:29 18400 ----a-w- c:\windows\system32\dllcache\sgsmld.sys
2010-09-12 04:35 . 2001-08-17 19:56 198400 ----a-w- c:\windows\system32\dllcache\s3sav4.dll
2010-09-12 04:34 . 2001-08-17 17:12 37563 ----a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-09-12 04:33 . 2001-08-17 18:53 7168 ----a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-09-12 04:32 . 2001-08-17 19:05 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
2010-09-12 04:31 . 2008-04-13 18:54 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-09-12 04:30 . 2001-08-17 18:49 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2010-09-12 04:29 . 2004-08-04 11:00 92416 ----a-w- c:\windows\system32\dllcache\mga.sys
2010-09-12 04:28 . 2001-08-17 17:12 26442 ----a-w- c:\windows\system32\dllcache\lanepic5.sys
2010-09-12 04:27 . 2001-08-18 03:36 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2010-09-12 04:26 . 2001-08-17 18:28 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2010-09-12 04:25 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-09-12 04:24 . 2001-08-17 17:12 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2010-09-12 04:23 . 2001-08-17 18:53 7296 ----a-w- c:\windows\system32\dllcache\elmsmc.sys
2010-09-12 04:22 . 2001-08-18 03:36 102484 ----a-w- c:\windows\system32\dllcache\digiinf.dll
2010-09-12 04:21 . 2001-08-17 17:11 60970 ----a-w- c:\windows\system32\dllcache\cpqtrnd5.sys
2010-09-12 04:20 . 2001-08-17 18:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-09-12 04:19 . 2004-08-04 03:32 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2010-09-12 03:36 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 03:36 . 2010-09-12 03:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-12 03:36 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-12 02:39 . 2010-09-12 02:39 -------- d-----w- c:\program files\Trend Micro
2010-09-03 07:22 . 2010-09-03 07:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\friwqfiks
2010-09-03 07:21 . 2010-09-03 07:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-03 05:22 . 2010-09-03 05:22 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-03 05:19 . 2010-09-03 05:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-03 05:18 . 2010-09-03 05:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-02 00:57 . 2009-11-04 21:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-09-02 00:57 . 2009-11-04 21:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-09-02 00:57 . 2009-11-04 21:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-09-02 00:57 . 2010-07-15 20:18 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-09-02 00:56 . 2010-09-02 00:57 -------- d-----w- c:\program files\Common Files\McAfee
2010-09-02 00:55 . 2010-09-02 00:56 -------- d-----w- c:\program files\McAfee.com
2010-09-02 00:55 . 2010-09-02 03:14 -------- d-----w- c:\program files\McAfee
2010-09-02 00:55 . 2009-11-04 21:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-09-02 00:55 . 2010-09-02 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-01 23:57 . 2010-09-03 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\support.com
2010-09-01 23:57 . 2010-09-01 23:57 -------- d-----w- C:\temp
2010-09-01 23:56 . 2010-09-01 23:56 -------- d-----w- c:\documents and settings\owner\Application Data\supportdotcom
2010-09-01 23:56 . 2010-09-03 20:47 -------- d-----w- c:\program files\Common Files\supportdotcom
2010-09-01 03:34 . 2010-09-01 03:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-01 03:33 . 2010-09-01 03:33 120 ----a-w- c:\windows\Sziqupehuk.dat
2010-09-01 03:33 . 2010-09-01 03:33 0 ----a-w- c:\windows\Xcifedokez.bin
2010-09-01 03:30 . 2010-09-02 00:50 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\rhlnspbgv
2010-09-01 02:38 . 2010-07-09 14:26 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-09-01 02:38 . 2010-07-02 14:25 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-26 09:16 . 2010-08-26 09:16 28032 ----a-w- c:\windows\system32\ssmirrdr.dll
2010-08-26 09:16 . 2010-08-26 09:16 10112 ----a-w- c:\windows\system32\drivers\ssmirrdr.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 01:28 . 2008-03-26 21:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-15 01:28 . 2008-12-30 03:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-09 04:22 . 2008-03-26 21:03 -------- d-----w- c:\program files\Dell
2010-09-08 03:24 . 2008-03-26 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-03 05:04 . 2008-04-17 22:43 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-12 04:50 . 2008-03-26 21:11 -------- d-----w- c:\program files\Microsoft Works
2010-08-09 04:06 . 2008-04-14 05:00 7196 ----a-w- c:\documents and settings\owner\Application Data\wklnhst.dat
2010-07-30 03:08 . 2008-09-13 23:44 -------- d-----w- c:\program files\Rhapsody
2010-06-30 12:31 . 2004-08-10 18:51 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-10 18:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 18:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 18:51 80384 ----a-w- c:\windows\system32\iccvid.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-24 303104]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Linksys WMB54G Utility"="c:\program files\Linksys Wireless-G Music Bridge\WMB54G.exe" [2005-11-23 1167360]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
"CmFlywaveName"="c:\windows\System\CmFlywav.exe" [2005-10-05 32768]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-02-14 202544]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-3-26 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-26 50688]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [3/26/2008 3:38 PM 3456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [9/1/2010 8:03 PM 88176]
R3 cmvad;C-Media Wi-Sonic Wireless Audio Interface;c:\windows\system32\drivers\cmudaxv.sys [4/2/2008 11:48 PM 1351360]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/26/2008 4:08 PM 30192]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [8/26/2010 4:16 AM 10112]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-09-02 17:22]

2010-09-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-09-02 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant =
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Izofubopituc - c:\windows\kbjericp.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-14 20:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2500294489-1602433411-3114019721-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Dell Network Assistant\ezi_hnm2.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2010-09-14  20:35:07 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-15 01:35

Pre-Run: 105,811,750,912 bytes free
Post-Run: 105,992,761,344 bytes free

- - End Of File - - 5F3A9A2E59A2F12BDD0145AB0ECDF454

2.  HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:55 PM, on 9/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe
C:\WINDOWS\System\CmFlywav.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5374/mcfscan.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7714 bytes

3 Apprentice

 • 

20.5K Posts

September 15th, 2010 05:00

Using ComboFix again, please run another scan in Normal Mode (don't forget to disable McAfee). Please post the log from that scan.

In addition, let's run an online virus scan by Kaspersky from HERE.

1. At the main page, press "Accept" after reading the contents.
2. At the next window, select Update. Allow the database to update.
   Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found, they will appear in the report.
6. Select "Save error report as". Then in the file name just type in kaspersky. Under "save as type" select text .txt. Save it to your Desktop.


Copy and post the results of the Kaspersky Online scan along with your ComboFix log. If no threats were found by Kaspersky report that as well.

Let me know how things are running at that point.

September 15th, 2010 12:00

Here is the ComboFix Report today. Also ran Kaspersky and 1 threat identified and 2 infected objects, report is posted. I had to upload Java to run Kaspersky and if you recall I had removed all Java as that seemed to be part of the problem. Also at startup today Microsoft had 9 updates waiting for me so that automatically loaded.

The following has happened since just after the problem originated: At startup Windows Installer pops up which seems to be searching for a file, then it goes to Dell Support Center, then it says "Wait while Windows Configures Dell Support Center," then it says "features that you are trying to use are on a CD-ROM," and then it tells me to insert the Dell Support Center CD. I have not done this, I am just assuming some files may have been removed by mistake before I contacted you, and that I could add them when the computer is clean. Here are the logs:

ComboFix 10-09-14.04 - owner 09/15/2010  10:26:24.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1918.1419 [GMT -5:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((   Files Created from 2010-08-15 to 2010-09-15  )))))))))))))))))))))))))))))))
.

2010-09-14 18:12 . 2010-09-14 18:12 162816 ----a-w- c:\documents and settings\owner\Application Data\Microsoft\Windows\shell.exe
2010-09-12 04:44 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-09-12 04:44 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-09-12 04:44 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-09-12 04:44 . 2001-08-18 03:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-09-12 04:44 . 2001-08-18 03:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-09-12 04:44 . 2001-08-18 03:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-09-12 04:44 . 2001-08-17 17:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-09-12 04:44 . 2004-08-04 03:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-09-12 04:44 . 2004-08-04 03:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-09-12 04:44 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-09-12 04:42 . 2001-08-17 18:28 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-09-12 04:41 . 2001-08-18 03:36 28160 ----a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-09-12 04:40 . 2001-08-17 19:56 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2010-09-12 04:39 . 2001-08-17 17:50 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-09-12 04:38 . 2001-08-17 18:51 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2010-09-12 04:37 . 2001-08-18 03:36 45568 ----a-w- c:\windows\system32\dllcache\smb3w.dll
2010-09-12 04:36 . 2001-07-21 19:29 18400 ----a-w- c:\windows\system32\dllcache\sgsmld.sys
2010-09-12 04:35 . 2001-08-17 19:56 198400 ----a-w- c:\windows\system32\dllcache\s3sav4.dll
2010-09-12 04:34 . 2001-08-17 17:12 37563 ----a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-09-12 04:33 . 2001-08-17 18:53 7168 ----a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-09-12 04:32 . 2001-08-17 19:05 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
2010-09-12 04:31 . 2008-04-13 18:54 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-09-12 04:30 . 2001-08-17 18:49 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2010-09-12 04:29 . 2004-08-04 11:00 92416 ----a-w- c:\windows\system32\dllcache\mga.sys
2010-09-12 04:28 . 2001-08-17 17:12 26442 ----a-w- c:\windows\system32\dllcache\lanepic5.sys
2010-09-12 04:27 . 2001-08-18 03:36 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2010-09-12 04:26 . 2001-08-17 18:28 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2010-09-12 04:25 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-09-12 04:24 . 2001-08-17 17:12 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2010-09-12 04:23 . 2001-08-17 18:53 7296 ----a-w- c:\windows\system32\dllcache\elmsmc.sys
2010-09-12 04:22 . 2001-08-18 03:36 102484 ----a-w- c:\windows\system32\dllcache\digiinf.dll
2010-09-12 04:21 . 2001-08-17 17:11 60970 ----a-w- c:\windows\system32\dllcache\cpqtrnd5.sys
2010-09-12 04:20 . 2001-08-17 18:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-09-12 04:19 . 2004-08-04 03:32 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2010-09-12 03:36 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 03:36 . 2010-09-12 03:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-12 03:36 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-12 02:39 . 2010-09-12 02:39 -------- d-----w- c:\program files\Trend Micro
2010-09-03 07:22 . 2010-09-03 07:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\friwqfiks
2010-09-03 07:21 . 2010-09-03 07:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-03 05:22 . 2010-09-03 05:22 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-03 05:19 . 2010-09-03 05:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-03 05:18 . 2010-09-03 05:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-02 00:57 . 2009-11-04 21:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-09-02 00:57 . 2009-11-04 21:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-09-02 00:57 . 2009-11-04 21:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-09-02 00:57 . 2010-07-15 20:18 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-09-02 00:56 . 2010-09-02 00:57 -------- d-----w- c:\program files\Common Files\McAfee
2010-09-02 00:55 . 2010-09-02 00:56 -------- d-----w- c:\program files\McAfee.com
2010-09-02 00:55 . 2010-09-02 03:14 -------- d-----w- c:\program files\McAfee
2010-09-02 00:55 . 2009-11-04 21:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-09-02 00:55 . 2010-09-02 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-01 23:57 . 2010-09-03 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\support.com
2010-09-01 23:57 . 2010-09-01 23:57 -------- d-----w- C:\temp
2010-09-01 23:56 . 2010-09-01 23:56 -------- d-----w- c:\documents and settings\owner\Application Data\supportdotcom
2010-09-01 23:56 . 2010-09-03 20:47 -------- d-----w- c:\program files\Common Files\supportdotcom
2010-09-01 03:34 . 2010-09-01 03:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-01 03:33 . 2010-09-01 03:33 120 ----a-w- c:\windows\Sziqupehuk.dat
2010-09-01 03:33 . 2010-09-01 03:33 0 ----a-w- c:\windows\Xcifedokez.bin
2010-09-01 03:30 . 2010-09-02 00:50 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\rhlnspbgv
2010-09-01 02:38 . 2010-07-09 14:26 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-09-01 02:38 . 2010-07-02 14:25 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-26 09:16 . 2010-08-26 09:16 28032 ----a-w- c:\windows\system32\ssmirrdr.dll
2010-08-26 09:16 . 2010-08-26 09:16 10112 ----a-w- c:\windows\system32\drivers\ssmirrdr.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 15:01 . 2008-03-26 21:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-15 15:01 . 2008-12-30 03:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-09 04:22 . 2008-03-26 21:03 -------- d-----w- c:\program files\Dell
2010-09-08 03:24 . 2008-03-26 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-03 05:04 . 2008-04-17 22:43 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-17 13:17 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 04:50 . 2008-03-26 21:11 -------- d-----w- c:\program files\Microsoft Works
2010-08-09 04:06 . 2008-04-14 05:00 7196 ----a-w- c:\documents and settings\owner\Application Data\wklnhst.dat
2010-07-30 03:08 . 2008-09-13 23:44 -------- d-----w- c:\program files\Rhapsody
2010-07-22 15:49 . 2004-08-10 18:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 23:08 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-10 18:51 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-10 18:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 18:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 17:45 . 2004-08-10 18:51 293376 ----a-w- c:\windows\system32\winsrv.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-24 303104]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Linksys WMB54G Utility"="c:\program files\Linksys Wireless-G Music Bridge\WMB54G.exe" [2005-11-23 1167360]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
"CmFlywaveName"="c:\windows\System\CmFlywav.exe" [2005-10-05 32768]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-02-14 202544]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-3-26 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-26 50688]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [3/26/2008 3:38 PM 3456]
R3 cmvad;C-Media Wi-Sonic Wireless Audio Interface;c:\windows\system32\drivers\cmudaxv.sys [4/2/2008 11:48 PM 1351360]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [9/1/2010 8:03 PM 88176]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/26/2008 4:08 PM 30192]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [8/26/2010 4:16 AM 10112]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-09-02 17:22]

2010-09-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-09-02 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant =
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-15 10:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2500294489-1602433411-3114019721-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-15  10:32:52
ComboFix-quarantined-files.txt  2010-09-15 15:32
ComboFix2.txt  2010-09-15 01:35

Pre-Run: 105,849,339,904 bytes free
Post-Run: 105,853,014,016 bytes free

- - End Of File - - 8C2E95B6B2CCBF0FF5BE371BA9BBB4C2

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Wednesday, September 15, 2010
 Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Wednesday, September 15, 2010 12:05:24
 Records in database: 4215361
--------------------------------------------------------------------------------

Scan settings:
 scan using the following database: extended
 Scan archives: yes
 Scan e-mail databases: yes

Scan area - My Computer:
 C:\
 D:\

Scan statistics:
 Objects scanned: 58832
 Threats found: 1
 Infected objects found: 2
 Suspicious objects found: 0
 Scan duration: 01:17:32


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0004192.sys Infected: Virus.Win32.TDSS.b 1

Selected area has been scanned.

3 Apprentice

 • 

20.5K Posts

September 15th, 2010 13:00

The items that Kaspersky found were nothing we didn't know about -- either taken care of by Combofix or to be removed by purging System Restore once we are sure everything is back to normal. It may be that Dell Support Center was changed by the malware. (It likes to suppress anything with "support" in the name.) If that was the case, a scanner may have removed any corrupt files. Refer to this discussion regarding Dell Support Center: http://en.community.dell.com/dell-groups/new-to-community/f/3511/t/19255417.aspx It's your choice whether to remove it or reinstall.

Let's run one more scan to make sure your security is back to where it should be: Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!


If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Let me know if everything is running smoothly. If so, we'll remove our tools and reset System Restore. If I were you, I'd be tempted to go back to Office Max and tell them that they charged you to remove a virus and sold you anti-virus software, but missed the rootkit.

September 15th, 2010 14:00

Everything seems to be working, no redirects, you've been such a help, thanks!!  Thanks for your advice as well.  Here is the log from security check:

 Results of screen317's Security Check version 0.99.5 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 McAfee SecurityCenter    
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 Java(TM) 6 Update 21 
 Adobe Flash Player  
Adobe Reader 8.2.4
Out of date Adobe Reader installed!
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 McAfee VIRUSS~1 mcshield.exe 
 McAfee VIRUSS~1 mcsysmon.exe 
````````````````````````````````
DNS Vulnerability Check:

 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

 

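The logs in this thread show the indicators the helper acted on: the ComboFix and HijackThis entries for a browser proxy pointed at 127.0.0.1, an orphaned HKCU Run key loading a DLL dropped straight into c:\windows, and the Security Check lines reporting the Windows Firewall off and an outdated Adobe Reader. As an added example (not code from this thread, from ComboFix, HijackThis or Security Check), here is a small Python triage script that turns those observations into detection rules and runs them over sample lines. The sample lines are constructed to match the formats shown above; the rule names, severities and explanations are my own choices, not anything the tools emit.

```python
"""Triage rules for ComboFix / HijackThis / Security Check style log lines.

Added example: the rules encode the indicators discussed in the thread
(loopback proxy, Run key loading a DLL from %windir%, firewall off,
outdated software). Rule names and severities are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    line: str


# (rule name, severity, pattern, why it matters)
RULES = [
    ("loopback-proxy", "high",
     re.compile(r"ProxyServer\s*=\s*(?:http=)?(?:127\.0\.0\.1|localhost):(\d+)", re.I),
     "browser traffic is forced through a proxy on the local host; redirect and "
     "rootkit malware does this to interpose on web sessions, so it is suspicious "
     "whenever no proxy software is deliberately installed"),
    ("run-dll-in-windir", "high",
     re.compile(r"^HKCU-Run-\S+\s+-\s+c:\\windows\\[^\\]+\.dll$", re.I),
     "a per-user Run entry launching a DLL placed directly in %windir%; "
     "legitimate software lives under Program Files or system32"),
    ("firewall-off-registry", "medium",
     re.compile(r'"EnableFirewall"\s*=\s*0\b'),
     "Windows Firewall is disabled in the policy key; acceptable only when a "
     "third-party firewall is confirmed running"),
    ("security-center-monitoring-off", "info",
     re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1$'),
     "Security Center monitoring is off for a third-party product; normal when "
     "that product reports its own status, worth noting otherwise"),
    ("firewall-off-check", "medium",
     re.compile(r"Windows Firewall Disabled!"),
     "Security Check reports the built-in firewall off"),
    ("outdated-software", "medium",
     re.compile(r"Out of date (.+?) installed!"),
     "an unpatched application leaves the host exposed to known exploits"),
]

# Constructed sample lines modelled on the entries shown in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyServer = http=127.0.0.1:50370
HKCU-Run-Izofubopituc - c:\windows\kbjericp.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"EnableFirewall"= 0 (0x0)
"DisableMonitoring"=dword:00000001
 Windows Firewall Disabled!
Out of date Adobe Reader installed!
 GREAT! (Not vulnerable to DNS cache poisoning)
"""


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every non-empty line; one Finding per rule hit."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, severity, pattern, _why in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, name, line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so a reader can see the overall picture."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def explain(rule_name: str) -> str:
    """Return the rationale attached to a rule name."""
    for name, _severity, _pattern, why in RULES:
        if name == rule_name:
            return why
    raise KeyError(rule_name)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.rule}: {f.line}")
        print(f"         {explain(f.rule)}")
    print("summary:", summarize(results))
```

Running the script on the sample reports three high findings (two for the loopback proxy, one for the orphaned Run DLL), three medium (the two firewall lines and the outdated Reader) and one informational entry for the Security Center monitoring key. The rules are deliberately narrow string matches so they can be read and audited; a real triage tool would add an allow-list for proxies the user has installed on purpose.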
3 Apprentice

 • 

20.5K Posts

September 15th, 2010 15:00

Good job!

Your HijackThis is obsolete, but we didn't need it to fix anything. I would suggest removing that and using version 2.04 if you need to come back for malware removal in the future.

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack. Unless you specifically need that version, it needs to be updated. Uninstall your current version using Add/Remove Programs.

REBOOT.

Please go to this link to update to the latest version for your operating system: http://get.adobe.com/reader/otherversions/

* Untick the Free McAfee® Security Scan Plus (optional) unless you want it.

It's time for some housekeeping. Because the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, along with the folders created by these tools.

You can go ahead and delete DDS and its logs, Unhooker + log as well as SecurityCheck.

* Click Start, then Run.
Copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /, then hit Enter.

This will remove ComboFix, run some cleanup procedures, and flush System Restore, thus creating a clean Restore Point.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

If you have used Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:

1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system, Office, and IE. The first defense against infection is a properly patched OS from Microsoft Update at update.microsoft.com. More info HERE.

2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date. Run a complete system scan with your anti-virus at least once a week...preferably in Safe mode.
If your anti-virus program is a paid/licensed version that is about to expire, you can consider using a free one such as:
Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! Home Edition

If you prefer not to use the Windows Firewall, there are several freeware firewalls available.

Please see this list for anti-virus, firewalls, and other FREE SECURITY SOFTWARE.

3. Using an alternate browser can reduce your chance of certain infections installing themselves. You might consider installing Mozilla / Firefox.
http://www.mozilla.com/en-US/

4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

5. Keep your software updated. Make it easier on yourself and install the free security tool Secunia PSI.

6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

7. Web Of Trust uses colored alerts to warn you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Red for Warning = STOP
  • Yellow for Use Caution
  • Green for Safe
  • Grey for Unknown

There is a Web Of Trust version for Firefox as well.

8. If you still wish to use Internet Explorer, please make sure you install SpywareBlaster:  http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates.

9. You might want to install Winpatrol. Winpatrol is a heuristic protection program, meaning it looks for patterns in code that behave like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can download a free copy of Winpatrol or use the Plus version for more features.
You can read Winpatrol's FAQ if you run into problems.

10. Many of us in the online security community have tried and tested programs to determine their abilities. Please remember that there is no guarantee regarding computer security. However, the available software, combined with the rest of these recommendations, will contribute to keeping your system running safely.

Here are some helpful articles:
How did I get infected?  HERE

I'm not pulling your leg, honest? by Sandi Hardmeier HERE

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!