[fauskie]

I've poured through quite a few of the other threads about this bug but it seems as though each case is unique or at least a different approach seems to be used in each instance.

I get the pop-up about the trojan and it asks me to use their security program which I didn't do.

I tried to use the DDS.scr file but my computer says "windows script host access is disabled on this computer."

I'm unable to install MBAM, the application times out when I try to run the install.

I cannot access the internet to update Mcafee. I show my wireless network is connected but the bug must be preventing me from accessing any web pages so I'm forced to use my desktop PC to transfer files via a burned CD to my infected laptop (win XP)...

I'm pretty much at a stand still as most of the other threads about this bug seem to utilize an application which I'm currently unable to run....



Thanks in advance!!

[Advertisements]

Hello fauskie,

Welcome to Geeks to Go! My name is Fred21543 and I will be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, so I ask for your patience.
Please stick with me until we get your computer cleaned up.


Please follow the steps in this topic , and post back with an HijackThis log

[Fred21543]

Hello fauskie,

Welcome to Geeks to Go! My name is Fred21543 and I will be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, so I ask for your patience.
Please stick with me until we get your computer cleaned up.


Please follow the steps in this topic , and post back with an HijackThis log

[fauskie]

Hi Fred, thanks for taking the time to help me out, it is greatly appreciated!

Please note that at this time I am unable to run the malwarebytes anti-malware program. I get the following message; run time error 372. Failed to load control "vbalgrid" from vbalgrid6.ocx

I cannot currently access the internet whatsoever.

And to make matters worse, the only way I can get the log from Hijackthis is to manually type everything from the txt file off my laptop (infected computer) onto my main PC. My windows has seriously taken a bad sh#t, it doesn't recognize a USB card, flash card, micro SD card, firewire, USB to USB and I cannot access the internet to e-mail myself the text file. I cannot even burn a CD from my infected computer. No copying and pasting of files or dragging files from one dir to another.

I noticed when I startup the computer and ctrl-alt-dlt to pull up the task manager, there is a program called hdfind.exe that pulls all 100% from my CPU. I've also noticed at task manager that my user name/account no longer is listed under the "user" tab. It's almost as though my windows is starting from scratch and/or has no drivers.....

[fauskie]

Let me also add to this thread what I posted in the Waiting Room Forum.

Prior to my current windows problem, I was unable to run MBAM until I changed the filename and also disabled TDSSserv.sys from my device manager. It was the only way I could run the MBAM installer.

MBAM found and cleaned around 18 trojans/infections. After reboot, I was able to access internet and my Mcafee began to work normally. At this time, I took advantage to update Mcafee then ran a full scan after updating the virus database. Mcafee found 2 or 3 infections and I seem to remember one that applied itself to explorer.exe. I was instructed to reboot the computer and ever since that reboot my windows has not been the same.

That is what has me in the current situation with my windows not being responsive to anything I do...


Please note that I can run Hijackthis and do have a log file saved on the infected computer but the only way I can get you the log is to manually type everything since I cannot copy the file from my infected computer in any way to transfer to my main PC....

[Fred21543]

Try following the steps in this first post here; http://www.geekstogo...h...3D0&start=0
to see if you can get MBAM working.

Please run System File Checker:

Go to Start >> Run and type in SFC /SCANNOW and click OK.

The System File Checker will check all the Windows files on your computer and replace any that have been deleted or damaged.
Note: You may be prompted to insert your original Windows CD, so please have this at hand.

[fauskie]

I tried the system file checker, it ran fine but hasn't changed anything.

I am not able to complete the steps in the link you gave as I cannot install SubInACL, I get the following error;

"Windows installer service could not be accessed. The can occur if you are running windows in safe mode (which I am not), or if the windows installer is not correctly installed. Contact your support personnel for assistance."

hidfind.exe is taking 100% of my CPU

when I shut windows down, I always get "apusbpnp" is not responding.


windows is shot real bad!

[Fred21543]

Go to this site and follow the instructions to perform an XP Repair Install:
http://www.microsoft...ips/doug92.mspx

Let me know if Windows is running better after this.

Then do this;

Download the tools needed, from your clean computer, save them to a CD, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

After downloading this file, rename it to Solved.exe
--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

• Drag the setup package onto ComboFix.exe and drop it.
  
  
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  
  
  
  
  
  
• At the next prompt, click 'Yes' to run the full ComboFix scan.
  
  
• When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

[fauskie]

Fred, you da man!!

My windows is working pretty much normally at current time and I am actually able to post this message from my believed to be infected computer. Please note that I am unsure of how to disable my Mcafee Security Center. I went to the task manager and stopped running all Mcafee applications but they all reappeared after about 15 seconds. I'm not sure if it affected the scan by combofix but here is a copy of the log;



Running from: c:\documents and settings\Brian\Desktop\solved.exe
Command switches used :: c:\documents and settings\Brian\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Resident AV is active

.
ADS - system32: deleted 929862 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSosvd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 21:31 . 2009-01-28 21:31 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-28 21:30 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-28 21:29 . 2008-08-14 05:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-28 21:29 . 2008-08-14 04:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-28 21:29 . 2008-08-14 04:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-28 21:29 . 2008-08-14 04:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-28 21:28 . 2008-10-24 06:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-28 21:13 . 2004-08-03 16:04 156,672 --a--c--- c:\windows\system32\dllcache\winzm.ime
2009-01-28 21:13 . 2004-08-03 16:04 156,672 --a--c--- c:\windows\system32\dllcache\winsp.ime
2009-01-28 21:13 . 2004-08-03 16:04 156,672 --a--c--- c:\windows\system32\dllcache\winpy.ime
2009-01-28 21:13 . 2004-08-03 16:04 79,360 --a--c--- c:\windows\system32\dllcache\winar30.ime
2009-01-28 21:13 . 2001-08-23 16:00 69,120 --a--c--- c:\windows\system32\dllcache\wingb.ime
2009-01-28 21:13 . 2004-08-03 16:04 65,536 --a--c--- c:\windows\system32\dllcache\winime.ime
2009-01-28 21:13 . 2001-08-23 16:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2009-01-28 21:11 . 2001-08-23 16:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-01-28 21:10 . 2001-08-23 16:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-28 21:09 . 2001-08-23 16:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-01-28 21:08 . 2004-08-03 17:56 369,664 --a--c--- c:\windows\system32\dllcache\asp51.dll
2009-01-28 21:07 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-01-28 21:03 . 2001-08-23 16:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-01-28 21:03 . 2009-01-28 21:03 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-28 21:02 . 2004-08-03 17:56 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll
2009-01-28 20:49 . 2001-08-23 16:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2009-01-28 20:49 . 2001-08-23 16:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2009-01-28 20:49 . 2001-08-23 16:00 13,312 --a------ c:\windows\system32\irclass.dll
2009-01-28 20:49 . 2001-08-23 16:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2009-01-27 19:58 . 2009-01-20 15:52 2,737,824 --a------ C:\desktop
2009-01-24 12:14 . 2009-01-24 12:14 <DIR> d-------- c:\program files\Trend Micro
2009-01-23 20:29 . 2009-01-23 20:29 <DIR> d-------- c:\documents and settings\Brian\Application Data\Malwarebytes
2009-01-23 20:23 . 2009-01-27 19:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-23 20:23 . 2009-01-23 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 23:40 . 2009-01-26 23:42 <DIR> d-------- c:\program files\ERUNT
2009-01-20 16:37 . 2009-01-20 16:48 <DIR> d-------- C:\malware
2009-01-20 12:43 . 2009-01-28 22:56 4,706 --a------ c:\windows\system32\Config.MPF
2009-01-20 12:24 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-01-20 12:22 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-20 12:22 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-20 12:22 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-20 12:22 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-20 12:22 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-20 12:21 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-20 12:20 . 2009-01-20 12:21 <DIR> d-------- c:\program files\McAfee.com
2009-01-20 12:20 . 2009-01-23 23:35 <DIR> d-------- c:\program files\McAfee
2009-01-20 12:20 . 2009-01-23 22:48 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-20 12:05 . 2009-01-20 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-20 11:53 . 2009-01-20 11:53 52,158 --a------ c:\windows\Sysvxd.exe
2009-01-19 23:31 . 2009-01-19 23:31 <DIR> d-------- c:\documents and settings\Brian\Application Data\Yahoo
2009-01-03 22:57 . 2009-01-24 01:02 <DIR> d-------- C:\new musci

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 03:19 --------- d-----w c:\documents and settings\Brian\Application Data\LimeWire
2009-01-12 19:25 --------- d-----w c:\documents and settings\Brian\Application Data\GrabIt
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 02:59 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
2008-12-11 02:58 --------- d-----w c:\documents and settings\Brian\Application Data\Ulead Systems
2008-12-11 02:58 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-12-11 02:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 02:50 --------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth
2008-12-11 02:48 --------- d-----w c:\program files\Google Video
2008-12-11 02:48 --------- d-----w c:\documents and settings\Brian\Application Data\VideoReDoPlus
2008-12-11 02:42 --------- d-----w c:\program files\Java
2008-12-11 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-29 04:28 --------- d-----w c:\program files\Netflix
2007-10-03 03:47 80 --sha-r c:\windows\system32\35E4711ACF.dll
2008-08-18 23:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-27 185632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-02-09 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2007-07-12 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2008-08-25 22891]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [2008-08-25 49024]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{644A4322-7128-E694-771C-CF236241FED9}]
c:\windows\system32:myspacce.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-20 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-realteke - c:\documents and settings\Brian\Application Data\Google\cijwg16225165.exe
HKLM-Run-RegistryMechanic - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.geekstogo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 22:56:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-01-28 23:01:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-29 04:01:41

Pre-Run: 10,228,875,264 bytes free
Post-Run: 10,124,517,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

203 --- E O F --- 2009-01-29 03:19:09

[Fred21543]

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

ADS::
c:\windows\system32
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{644A4322-7128-E694-771C-CF236241FED9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{644A4322-7128-E694-771C-CF236241FED9}]
File::
c:\windows\Sysvxd.exe
c:\windows\system32\35E4711ACF.dll

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Do you know what is in these directories?

C:\malware
C:\new musci
C:\desktop

GrabIt and LimeWire are P2P Programs. P2P Programs are not recommended as the uses of them can vary legally from area to area, and they are a great way of acquiring all kinds of malicious software! Therefore I recommend you go to Start > Settings > Control Panel > Add/Remove Programs and remove these programs.

[fauskie]

SDFix Log;


SDFix: Version 1.240
Run by Brian on Thu 01/29/2009 at 07:50 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :

[fauskie]

HijackThis Log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:13 PM, on 1/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe

--
End of file - 6250 bytes

[fauskie]

ComboFix Log;

ComboFix 09-01-21.04 - Brian 2009-01-29 22:24:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.251 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\solved.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
FW: Norton AntiVirus *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\35E4711ACF.dll
c:\windows\Sysvxd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\35E4711ACF.dll
c:\windows\Sysvxd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-29 19:47 . 2009-01-29 19:47 <DIR> d-------- c:\windows\ERUNT
2009-01-29 19:39 . 2009-01-29 20:20 <DIR> d-------- C:\SDFix
2009-01-28 21:31 . 2009-01-28 21:31 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-28 21:30 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-28 21:29 . 2008-08-14 05:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-28 21:29 . 2008-08-14 04:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-28 21:29 . 2008-08-14 04:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-28 21:29 . 2008-08-14 04:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-28 21:28 . 2008-10-24 06:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-28 21:13 . 2004-08-03 16:04 156,672 --a--c--- c:\windows\system32\dllcache\winzm.ime
2009-01-28 21:13 . 2004-08-03 16:04 156,672 --a--c--- c:\windows\system32\dllcache\winsp.ime
2009-01-28 21:13 . 2004-08-03 16:04 156,672 --a--c--- c:\windows\system32\dllcache\winpy.ime
2009-01-28 21:13 . 2004-08-03 16:04 79,360 --a--c--- c:\windows\system32\dllcache\winar30.ime
2009-01-28 21:13 . 2001-08-23 16:00 69,120 --a--c--- c:\windows\system32\dllcache\wingb.ime
2009-01-28 21:13 . 2004-08-03 16:04 65,536 --a--c--- c:\windows\system32\dllcache\winime.ime
2009-01-28 21:13 . 2001-08-23 16:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2009-01-28 21:11 . 2001-08-23 16:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-01-28 21:10 . 2001-08-23 16:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-28 21:09 . 2001-08-23 16:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-01-28 21:08 . 2004-08-03 17:56 369,664 --a--c--- c:\windows\system32\dllcache\asp51.dll
2009-01-28 21:07 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-01-28 21:03 . 2001-08-23 16:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-01-28 21:03 . 2009-01-28 21:03 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-01-28 21:03 . 2009-01-28 21:03 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-28 21:02 . 2004-08-03 17:56 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll
2009-01-28 20:49 . 2001-08-23 16:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2009-01-28 20:49 . 2001-08-23 16:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2009-01-28 20:49 . 2001-08-23 16:00 13,312 --a------ c:\windows\system32\irclass.dll
2009-01-28 20:49 . 2001-08-23 16:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2009-01-27 19:58 . 2009-01-20 15:52 2,737,824 --a------ C:\desktop
2009-01-24 12:14 . 2009-01-24 12:14 <DIR> d-------- c:\program files\Trend Micro
2009-01-23 20:29 . 2009-01-23 20:29 <DIR> d-------- c:\documents and settings\Brian\Application Data\Malwarebytes
2009-01-23 20:23 . 2009-01-27 19:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-23 20:23 . 2009-01-23 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 23:40 . 2009-01-26 23:42 <DIR> d-------- c:\program files\ERUNT
2009-01-20 16:37 . 2009-01-20 16:48 <DIR> d-------- C:\malware
2009-01-20 12:05 . 2009-01-29 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-19 23:31 . 2009-01-19 23:31 <DIR> d-------- c:\documents and settings\Brian\Application Data\Yahoo
2009-01-03 22:57 . 2009-01-24 01:02 <DIR> d-------- C:\new musci
2008-12-18 23:19 . 2008-12-19 23:09 <DIR> d-------- C:\sony_pics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 00:37 --------- d-----w c:\program files\LimeWire
2009-01-13 03:19 --------- d-----w c:\documents and settings\Brian\Application Data\LimeWire
2009-01-12 19:25 --------- d-----w c:\documents and settings\Brian\Application Data\GrabIt
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 02:59 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
2008-12-11 02:58 --------- d-----w c:\documents and settings\Brian\Application Data\Ulead Systems
2008-12-11 02:58 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-12-11 02:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 02:50 --------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth
2008-12-11 02:48 --------- d-----w c:\program files\Google Video
2008-12-11 02:48 --------- d-----w c:\documents and settings\Brian\Application Data\VideoReDoPlus
2008-12-11 02:42 --------- d-----w c:\program files\Java
2008-12-11 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-29 04:28 --------- d-----w c:\program files\Netflix
2008-08-18 23:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-28_23.00.15.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\ERDNT.EXE
+ 2009-01-30 00:34:19 4,694,016 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\Users\00000001\NTUSER.DAT
+ 2009-01-30 00:34:19 221,184 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-29\ERDNT.EXE
+ 2009-01-30 03:16:28 4,694,016 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-29\Users\00000001\NTUSER.DAT
+ 2009-01-30 03:16:28 221,184 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-29\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-01-30 00:47:42 4,694,016 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-01-30 00:47:42 221,184 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-01-30 00:47:26 4,694,016 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-01-30 00:47:26 221,184 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-01-29 02:16:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-30 00:42:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-29 02:16:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-30 00:42:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-29 02:16:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-30 00:42:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-27 185632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-02-09 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2007-07-12 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2008-08-25 22891]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [2008-08-25 49024]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-McENUI - c:\progra~1\McAfee\MHN\McENUI.exe
HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 22:27:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-01-29 22:31:28 - machine was rebooted [Brian]
ComboFix-quarantined-files.txt 2009-01-30 03:31:12
ComboFix2.txt 2009-01-29 04:02:08

Pre-Run: 10,140,958,720 bytes free
Post-Run: 10,133,176,320 bytes free

192 --- E O F --- 2009-01-29 03:19:09

[fauskie]

the three directories you asked me about all were created by me.

I inserted all of the files that are currently present in those directories....

[Fred21543]

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please click Here to update.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please do an online scan with Kaspersky WebScanner

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure the following is checked.
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

[fauskie]

MBAM log;

Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 3

1/31/2009 7:59:47 PM
mbam-log-2009-01-31 (19-59-47).txt

Scan type: Quick Scan
Objects scanned: 50169
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)