Please, I am going nuts here. I have a virus and a Trojan that I cannot get rid of. I have done recovery console fixboot and some other fxfix thing and sophia or sophea download; I almost killed off my whole computer doing both of those. It has been over a week now and the longer they stay on, the more viruses and Trojans I get. I have Spybot Search and Destroy, which says my comp is clean. I run Webroot Antivirus/Spyware and it keeps picking them up and saying it cleaned them, but it lies. The Trojan is: Trojan-Agent-tdss on my C: drive. The virus is Troj/Mbroot-A, which is on my removable external drive F, which I use a USB cable to connect to my tower. I have reformatted both my computer and the external drive 4 times and I am still infected. Please, anyone, help me before I just throw in the towel on this machine. This computer is almost 4 years old and the warranty is no longer working. So now what??

If you can get Malwarebytes downloaded, rename the setup file mbam-setup.exe before running it. Just right-click on it > click Rename > rename it enchanted.exe, then run it.
If you cannot download Malwarebytes, download it from an uninfected computer to a CD, then run it on the infected computer.
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:37 PM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Charlene\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dells...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.exe" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.exe" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -k
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [Search Protection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downl...
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
--
End of file - 8283 bytes

Malwarebytes' Anti-Malware 1.30
Database version: 1392
Windows 5.1.2600 Service Pack 3

11/12/2008 10:58:39 PM
mbam-log-2008-11-12 (22-58-39).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 84118
Time elapsed: 16 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d25f923-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfxmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.

Now try to run SDFix.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

[b]SDFix: Version 1.240 [/b]
Run by Charlene on Wed 11/12/2008 at 11:25 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File

Rebooting

[b]Checking Files [/b]:

Trojan Files Found:
C:\WINDOWS\SYSTEM32\TDSSOSVD.dat - Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 23:28:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"="C:\\Program Files\\Pando Networks\\Pando\\pando.exe:*:Enabled:Pando Application"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:

File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 11 Nov 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

[b]Finished![/b]

OK, ran my Webroot program on my F drive and it is still saying Troj/Mbroot-A in \\.\ PHYSICALDRIVE 1. So I disconnected my F drive and ran Webroot on my comp and all is gone. So now my question is, what do I do next to get this dang thing off my F drive so I can use it again? I have so much stored on it and need it for work. I also want to say thank you so far for all the help you have been providing; it is very kind of you.

I forgot to tell you I also ran Trojan Hunter and here is the log for it; maybe it might help out more.
TrojanHunter Scan Report - Saved 2008-11-13 00:56
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YSearchProtection
Suspicious registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YSearchProtection
Found NTFS alternate data stream: C:\Documents and Settings\Charlene\Desktop\Diner+Dash+-+Flo+Through+Time.zip:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Charlene\Desktop\enchanted.exe.exe:Zone.Identifier:$DATA
Warning: Executable file with double extensions found: C:\Documents and Settings\Charlene\Desktop\enchanted.exe.exe
Found NTFS alternate data stream: C:\Documents and Settings\Charlene\Desktop\HiJackThis.exe:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Documents and Settings\Charlene\Desktop\SDFix.exe:Zone.Identifier:$DATA
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Charlene\Desktop\SDFix.exe/catchme.exe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Charlene\Desktop\SDFix.exe/Cghtme.exe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Charlene\Desktop\SDFix.exe/ERDNT.E_E
Found NTFS alternate data stream: C:\Documents and Settings\Charlene\Desktop\windows-kb890830-v2.4.exe:Zone.Identifier:$DATA
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Charlene\Local Settings\Application Data\Mozilla\Firefox\Profiles\aw9pyn98.default\Cache\DD0DBD66d01/catchme.exe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Charlene\Local Settings\Application Data\Mozilla\Firefox\Profiles\aw9pyn98.default\Cache\DD0DBD66d01/Cghtme.exe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Charlene\Local Settings\Application Data\Mozilla\Firefox\Profiles\aw9pyn98.default\Cache\DD0DBD66d01/ERDNT.E_E
Warning: Executable file with double extensions found: C:\Program Files\Microsoft Silverlight\2.0.31005.0\System.Net.dll
Warning: Executable file with double extensions found: C:\Program Files\Microsoft Silverlight\2.0.31005.0\System.ServiceModel.Web.dll
Warning: Executable file with double extensions found: C:\Program Files\Microsoft Silverlight\2.0.31005.0\System.Xml.dll
Warning: Executable file with double extensions found: C:\Program Files\Webroot\WebrootSecurity\Backup\Interop.VSS.dll
Warning: Executable file with double extensions found: C:\Program Files\Webroot\WebrootSecurity\Backup\Xceed.Zip.dll
Warning: Unable to unpack UPX-packed file C:\SDFix\apps\Cghtme.exe
Warning: Unable to unpack UPX-packed file C:\SDFix\apps\ERDNT.E_E
Warning: Unable to unpack UPX-packed file C:\SDFix\catchme.exe
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\LEAD.Drawing.Imaging.Ocr\13.0.0.35__9cf889f53ea9b907\LEAD.Drawing.Imaging.Ocr.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access.Dao\12.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3ffece3d\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b8f35eec\System.Xml.dll
Warning: Unable to unpack UPX-packed file C:\WINDOWS\ERUNT\SDFIX\ERDNT.exe
Warning: Unable to unpack UPX-packed file C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Unable to unpack UPX-packed file F:\games\AIO_Games_Patches\AIO Games Patches\Reflexive Games Universal-Patch\Reflexive Arcade Games Keygen-FFF\Reflexive Arcade Games Keygen-FFF.exe
Found adware file: F:\Writers Tools -11in1\WT\WT_AIO\NewNovelist.v1.1.RETAIL\nnsetup_v1_1.exe/Upx.zquuwypb (Adware.IEPlugin.100)
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\YSearchProtection
Removed registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YSearchProtection
Quarantined file F:\Writers Tools -11in1\WT\WT_AIO\NewNovelist.v1.1.RETAIL\nnsetup_v1_1.exe

Make sure your F: drive is connected to the computer.
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case, to run Combofix do the following:
1. Go offline, turn off your Webroot antivirus, SpySweeper, Yprotection and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

ComboFix 08-11-12.01 - Charlene 2008-11-13 8:23:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2136 [GMT -5:00]
Running from: c:\documents and settings\Charlene\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.
2008-11-13 00:33 . 2008-11-13 00:33 <DIR> d-------- c:\program files\TrojanHunter
2008-11-13 00:31 . 2008-11-13 00:31 <DIR> d-------- c:\documents and settings\Charlene\Application Data\TrojanHunter
2008-11-13 00:30 . 2008-11-13 00:30 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-11-12 23:25 . 2008-11-12 23:25 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-11-12 23:24 . 2008-11-12 23:24 <DIR> d-------- c:\windows\ERUNT
2008-11-12 23:19 . 2008-11-12 23:29 <DIR> d-------- C:\SDFix
2008-11-12 22:39 . 2008-11-12 22:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-12 22:39 . 2008-11-12 22:39 <DIR> d-------- c:\documents and settings\Charlene\Application Data\Malwarebytes
2008-11-12 22:39 . 2008-11-12 22:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-12 22:39 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 22:39 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-12 08:57 . 2008-11-12 08:57 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-12 08:57 . 2008-11-12 08:57 <DIR> d-------- c:\documents and settings\Charlene\Application Data\AdobeUM
2008-11-12 08:29 . 2008-11-12 08:29 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-12 08:29 . 2008-11-12 08:29 1,409 --a------ c:\windows\QTFont.for
2008-11-12 07:16 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 07:16 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 11:34 . 2008-11-11 11:34 <DIR> d-------- c:\documents and settings\Charlene\Application Data\Creative
2008-11-11 11:32 . 2008-11-12 07:21 1,393 --a------ c:\windows\imsins.BAK
2008-11-11 11:19 . 2008-11-11 11:20 <DIR> d-------- c:\documents and settings\Charlene\Application Data\Yahoo!
2008-11-11 10:52 . 2008-11-11 10:52 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-11 10:25 . 2008-11-11 10:25 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-11 10:24 . 2008-10-03 12:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-11-11 10:24 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-11 10:24 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-11 10:24 . 2008-08-26 02:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-11-11 10:24 . 2008-08-26 02:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-11 10:24 . 2008-08-26 02:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-11-11 10:24 . 2008-08-26 02:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-11-11 10:24 . 2008-08-26 02:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-11 10:24 . 2008-08-25 03:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-11-11 10:16 . 2008-11-11 10:16 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-11 10:13 . 2008-11-11 11:30 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-11 10:13 . 2008-11-11 10:15 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-11 09:57 . 2008-11-11 09:57 <DIR> d-------- c:\windows\system32\scripting
2008-11-11 09:57 . 2008-11-11 09:57 <DIR> d-------- c:\windows\system32\en
2008-11-11 09:57 . 2008-11-11 09:57 <DIR> d-------- c:\windows\system32\bits
2008-11-11 09:57 . 2008-11-11 09:57 <DIR> d-------- c:\windows\l2schemas
2008-11-11 09:54 . 2008-11-11 09:54 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-11 09:39 . 2008-11-11 09:39 <DIR> d-------- c:\windows\EHome
2008-11-11 09:32 . 2008-07-18 22:09 25,800 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-11 09:26 . 2008-11-11 09:26 <DIR> d--hs---- c:\documents and settings\Charlene\UserData
2008-11-11 09:26 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-11 09:26 . 2008-07-18 22:07 210,976 --a------ c:\windows\system32\muweb.dll
2008-11-11 09:26 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-11 09:24 . 2008-11-11 09:24 <DIR> d-------- c:\documents and settings\Charlene\Application Data\LimeWire
2008-11-11 09:23 . 2008-11-11 09:23 <DIR> d-------- c:\windows\Sun
2008-11-11 09:23 . 2008-11-11 09:23 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-11 09:23 . 2008-11-11 09:23 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-11 09:10 . 2008-11-11 09:10 2 --a------ c:\windows\msoffice.ini
2008-11-11 08:33 . 2008-11-11 08:33 <DIR> d-------- c:\program files\GameSpy Arcade
2008-11-11 08:33 . 2008-11-11 08:33 <DIR> d-------- c:\documents and settings\Charlene\Application Data\Leadertech
2008-11-11 08:15 . 2008-11-11 08:15 <DIR> d-------- C:\NeverwinterNights
2008-11-11 08:10 . 2008-11-11 08:10 <DIR> d--h----- c:\windows\PIF
2008-11-11 08:10 . 2008-11-11 08:10 <DIR> d-------- c:\program files\Xvid
2008-11-11 08:10 . 2008-11-11 08:10 <DIR> d-------- c:\program files\UltraISO
2008-11-11 08:10 . 2008-11-11 08:10 <DIR> d-------- c:\program files\Common Files\EZB Systems
2008-11-11 08:10 . 2008-04-27 10:33 765,952 --a------ c:\windows\system32\xvidcore.dll
2008-11-11 08:10 . 2008-04-27 10:35 180,224 --a------ c:\windows\system32\xvidvfw.dll
2008-11-11 08:10 . 2007-06-28 18:55 77,824 --a------ c:\windows\system32\xvid.ax
2008-11-11 08:09 . 2008-11-11 15:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-11 08:09 . 2008-11-12 20:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 08:07 . 2008-11-11 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-11 08:06 . 2008-11-11 08:06 <DIR> d-------- c:\program files\Pando Networks
2008-11-11 08:05 . 2008-11-11 11:20 <DIR> d-------- c:\program files\Yahoo!
2008-11-11 08:05 . 2008-11-11 08:06 <DIR> d-------- c:\program files\LimeWire
2008-11-11 08:04 . 2008-11-11 08:04 <DIR> d-------- c:\windows\system32\AGEIA
2008-11-11 08:04 . 2008-11-11 08:05 <DIR> d-------- c:\program files\CCleaner
2008-11-11 08:04 . 2008-11-11 08:04 <DIR> d-------- c:\program files\AGEIA Technologies
2008-11-11 08:03 . 2008-11-11 08:03 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-11 08:03 . 2008-10-07 13:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-11-11 08:02 . 2008-11-11 08:02 <DIR> d-------- C:\NVIDIA
2008-11-11 08:00 . 2008-11-11 08:00 <DIR> d-------- c:\program files\Common Files\SWF Studio
2008-11-11 07:52 . 2008-11-12 07:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-11 07:48 . 2008-11-11 07:48 <DIR> dr-h----- C:\MSOCache
2008-11-11 07:46 . 2004-08-03 22:41 404,990 --------- c:\windows\system32\drivers\slntamr.sys
2008-11-11 07:46 . 2004-08-03 22:41 129,535 --------- c:\windows\system32\drivers\slnt7554.sys
2008-11-11 07:46 . 2004-08-03 22:41 95,424 --------- c:\windows\system32\drivers\slnthal.sys
2008-11-11 07:46 . 2004-08-03 22:29 25,471 --------- c:\windows\system32\drivers\watv10nt.sys
2008-11-11 07:46 . 2004-08-03 22:29 22,271 --------- c:\windows\system32\drivers\watv06nt.sys
2008-11-11 07:46 . 2004-08-03 22:41 13,240 --------- c:\windows\system32\drivers\slwdmsup.sys
2008-11-11 07:46 . 2004-08-03 22:29 11,935 --------- c:\windows\system32\drivers\wadv11nt.sys
2008-11-11 07:46 . 2004-08-03 22:29 11,871 --------- c:\windows\system32\drivers\wadv09nt.sys
2008-11-11 07:46 . 2004-08-03 22:29 11,807 --------- c:\windows\system32\drivers\wadv07nt.sys
2008-11-11 07:46 . 2004-08-03 22:29 11,295 --------- c:\windows\system32\drivers\wadv08nt.sys
2008-11-11 07:45 . 2004-08-03 22:41 1,309,184 --------- c:\windows\system32\drivers\mtlstrm.sys
2008-11-11 07:45 . 2004-08-03 22:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2008-11-11 07:45 . 2004-08-03 22:41 685,056 --------- c:\windows\system32\drivers\hsfcxts2.sys
2008-11-11 07:45 . 2004-08-03 22:29 452,736 --------- c:\windows\system32\drivers\mtxparhm.sys
2008-11-11 07:45 . 2004-08-03 22:41 220,032 --------- c:\windows\system32\drivers\hsfbs2s2.sys
2008-11-11 07:45 . 2004-08-03 22:41 180,360 --------- c:\windows\system32\drivers\ntmtlfax.sys
2008-11-11 07:45 . 2004-08-03 22:29 166,912 --------- c:\windows\system32\drivers\s3gnbm.sys
2008-11-11 07:45 . 2004-07-17 22:55 129,045 --------- c:\windows\system32\drivers\cxthsfs2.cty
2008-11-11 07:45 . 2004-08-03 22:41 126,686 --------- c:\windows\system32\drivers\mtlmnt5.sys
2008-11-11 07:45 . 2004-07-17 11:35 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2008-11-11 07:45 . 2004-08-03 22:41 13,776 --------- c:\windows\system32\drivers\recagent.sys
2008-11-11 07:40 . 2003-12-11 11:15 626,960 -ra------ c:\windows\system32\hpvaut32.dll
2008-11-11 07:40 . 2003-12-11 11:15 487,424 -ra------ c:\windows\system32\hpvcp70.dll
2008-11-11 07:40 . 2003-12-11 11:15 344,064 -ra------ c:\windows\system32\hpvcr70.dll
2008-11-11 07:40 . 2003-12-11 11:15 44,544 -ra------ c:\windows\system32\MSXML4a.dll
2008-11-11 07:39 . 2008-11-11 07:39 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-11-11 07:35 . 2008-11-11 07:35 <DIR> d-------- c:\program files\Common Files\HP
2008-11-11 07:32 . 2008-11-11 07:40 <DIR> d-------- c:\program files\HP
2008-11-11 07:31 . 2004-01-05 02:30 565,248 -ra------ c:\windows\system32\hpotscl.dll
2008-11-11 07:31 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-11-11 07:31 . 2004-01-05 02:30 274,432 -ra------ c:\windows\system32\hpgwiamd.dll
2008-11-11 07:31 . 2004-01-05 02:30 262,144 -ra------ c:\windows\system32\HPZc3212.dll
2008-11-11 07:31 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-11-11 07:31 . 2004-01-05 02:30 90,112 -ra------ c:\windows\system32\hpovst08.dll
2008-11-11 07:31 . 2004-01-05 02:30 38,867 --------- c:\windows\hpomdl03.dat
2008-11-11 07:31 . 2008-11-11 07:42 29,134 --a------ c:\windows\hpoins03.dat
2008-11-11 07:31 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 07:31 . 2004-01-05 02:30 21,488 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-11-11 07:31 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-11 07:30 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-11-11 07:30 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 07:30 . 2008-11-11 07:30 4,128 --a------ C:\INFCACHE.1
2008-11-10 15:30 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-11-10 15:26 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-11-10 15:26 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-11-10 15:23 . 2008-11-10 15:23 <DIR> d-------- c:\program files\Webroot
2008-11-10 15:23 . 2008-11-10 15:23 <DIR> d-------- c:\documents and settings\Charlene\Application Data\Webroot
2008-11-10 15:23 . 2008-11-10 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-11-10 15:23 . 2008-11-10 15:23 <DIR> d-------- C:\Binaries
2008-11-10 15:23 . 2008-10-12 13:18 1,553,272 --a------ c:\windows\WRSetup.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 15:45 --------- d-----w c:\program files\Microsoft Works
2008-11-11 14:23 --------- d-----w c:\program files\Java
2008-11-11 14:17 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2008-11-11 14:14 --------- d-----w c:\program files\Symantec
2008-11-11 14:14 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-11 14:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-11 14:10 --------- d-----w c:\program files\Common Files\AOL
2008-11-11 14:10 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-11 14:08 --------- d-----w c:\program files\Common Files\Intuit
2008-11-11 13:59 --------- d-----w c:\program files\MUSICMATCH
2008-11-11 13:54 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-02 15:07 453,152 ----a-w c:\windows\system32\nvuninst.exe
2008-10-02 09:15 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-10-02 09:15 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-10-02 09:15 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 14:31 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-08-29 13:57 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-08-27 18:54 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:11 2,189,184 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:09 2,145,280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:33 2,066,048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:33 2,023,936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-13_ 8.19.55.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-13 04:27:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-13 13:18:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-13 04:27:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-13 13:18:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-13 04:27:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-13 13:18:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-13 04:31:52 64,200 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-13 13:22:52 64,200 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-13 04:31:52 407,670 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-13 13:22:52 407,670 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 05:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 13:11 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_9.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-06-26 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-11 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-03-22 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="c:\windows\system32\nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2008-03-25 1047712]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-10-12 6272888]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2005-09-09 06:35 61440 c:\dell\bldbubg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
--------- 1999-10-10 20:00 41984 c:\windows\Ctregrun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a------ 2004-04-01 15:51 1589248 c:\dell\DellHelp\DellHelp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-01-27 01:02 86016 c:\program files\Dell\Media Experience\DMXLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
--a------ 2008-09-25 09:44 3544392 c:\program files\Pando Networks\Pando\pando.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 10:26 26112 c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-09 06:55 98304 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-09 06:55 26112 c:\program files\Real\RealPlayer\realplay.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58120:TCP"= 58120:TCP:Pando P2P TCP Listening Port
"58120:UDP"= 58120:UDP:Pando P2P UDP Listening Port
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-10-02 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-10-12 1066360]
R3 V0080Dev;Creative Camera VF0080 Driver;c:\windows\system32\DRIVERS\V0080Dev.sys [2004-10-09 503507]
S3 NAL;Nal Service ;c:\windows\system32\Drivers\iqvw32.sys [2004-11-02 19456]
.
Contents of the 'Scheduled Tasks' folder
2008-11-10 c:\windows\Tasks\wrSpySweeper_L340BC3B756214A888E151048905FB8DE.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-10-12 13:18]
2008-11-10 c:\windows\Tasks\wrSpySweeper_L340BC3B756214A888E151048905FB8DE.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-10-12 13:18]
2008-11-10 c:\windows\Tasks\wrSpySweeper_L340BC3B756214A888E151048905FB8DE.job
- c:\","d:\","E:\" []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Charlene\Application Data\Mozilla\Firefox\Profiles\aw9pyn98.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Common\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 08:24:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-13 8:25:37
ComboFix-quarantined-files.txt 2008-11-13 13:25:35
ComboFix2.txt 2008-11-13 13:20:44
Pre-Run: 52,091,019,264 bytes free
Post-Run: 52,074,299,392 bytes free
290 --- E O F --- 2008-11-12 13:38:29

OK, so what is next on the list to do? I am ready and willing to finally get this virus or trojan gone for good. I did post the last log as you asked. I hope you have not given up on me lol. I took off of work for a few days until this is resolved. So I have all the time in the world to do this.

OK, ran my Webroot program on my F drive and it is still saying Troj/Mbroot-A in \\.\ PHYSICALDRIVE 1. I just don't get why it is still there after all this. This is annoying. I await your next instruction.

I don't see anything but let's look a little further.
Empty the restore folder. Go to Start>Control Panel>System>System Restore tab>check the box beside "Turn off System Restore">Apply (takes a minute)>OK. Go back and uncheck the box to turn System Restore back on>Apply>OK.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Please run ESET's online scanner from this link:
1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the ActiveX control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3612 (20081113)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=6d35e69e6022ed4fa8cda12daf895b37
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-14 01:58:05
# local_time=2008-11-13 08:58:05 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=244142
# found=1
# scan_time=2219
F:\games\AIO_Games_Patches\AIO Games Patches\Reflexive Games Universal-Patch\Reflexive Arcade Games Universal Patch\Reflexive Arcade Games Universal Patch Build 171.exe Win32/Agent.OBH trojan (unable to clean - deleted) 00000000000000000000000000000000

OK, ran my Webroot program on my F drive and it is still saying Boot Sector Troj/Mbroot-A in \\.\ PHYSICALDRIVE 1. OK, next lol. I have to laugh or I will cry at this point.

Make sure your F: drive is plugged in.
This program will most likely remove the virus but may cause some programs to no longer function properly if the removed infected file was needed by the program to operate.
Please run the BitDefender online scan from this link:
Bitdefender Online Scanner
You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.

The Bitdefender won't scan my computer. It keeps telling me the virus update failed, do you wish to go on, I say yes, then it tells me the scan failed. I tried twice and got the same thing.

OK, I am getting somewhere. I had to change some internet settings, duh me lol. I shall post the log as soon as it is done.

OK, I downloaded the free trial version and here is what I got for you.
BitDefender Log File
Product : BitDefender Antivirus 2009
Version : BitDefender UIScanner v.12
Scanning task : Deep System Scan
Log date : 00:23:12 14/11/2008
Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1226640192_1_02.xml
Scan Paths:
Path 0000: C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
Path 0001: C:\WINDOWS\system32\wbem\wmiprvse.exe
Path 0002: C:\Program Files\Mozilla Firefox\firefox.exe
Path 0003: C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
Path 0004: C:\WINDOWS\System32\svchost.exe
Path 0005: C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
Path 0006: C:\Program Files\Webroot\WebrootSecurity\SSU.exe
Path 0007: C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
Path 0008: C:\WINDOWS\system32\wuauclt.exe
Path 0009: C:\WINDOWS\system32\ctfmon.exe
Path 0010: C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
Path 0011: C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
Path 0012: C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
Path 0013: C:\Program Files\TrojanHunter 5.0\THGuard.exe
Path 0014: C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
Path 0015: C:\WINDOWS\system32\RUNDLL32.exe
Path 0016: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
Path 0017: C:\WINDOWS\system32\dla\tfswctrl.exe
Path 0018: C:\WINDOWS\stsystra.exe
Path 0019: C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
Path 0020: C:\Program Files\Java\jre6\bin\jusched.exe
Path 0021: C:\WINDOWS\System32\alg.exe
Path 0022: C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
Path 0023: C:\WINDOWS\system32\svchost.exe
Path 0024: C:\WINDOWS\system32\nvsvc32.exe
Path 0025: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
Path 0026: C:\Program Files\Java\jre6\bin\jqs.exe
Path 0027: C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
Path 0028: C:\WINDOWS\Explorer.exe
Path 0029: C:\WINDOWS\system32\spoolsv.exe
Path 0030: C:\WINDOWS\system32\svchost.exe
Path 0031: C:\WINDOWS\system32\svchost.exe
Path 0032: C:\WINDOWS\System32\svchost.exe
Path 0033: C:\WINDOWS\system32\svchost.exe
Path 0034: C:\WINDOWS\system32\svchost.exe
Path 0035: C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
Path 0036: C:\WINDOWS\system32\lsass.exe
Path 0037: C:\WINDOWS\system32\services.exe
Path 0038: C:\WINDOWS\system32\winlogon.exe
Path 0039: C:\WINDOWS\system32\csrss.exe
Path 0040: \SystemRoot\System32\smss.exe
Path 0041: C:\
Path 0042: F:\

Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes

Target Selection Options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : No
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing:
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : None

Scan engines summary
Number of virus signatures : 2167927
Archive plugins : 43
Email plugins : 6
Scan plugins : 12
System plugins : 5
Unpack plugins : 7

Overall scan summary
Scanned items : 130646
Infected items : 2
Suspicious items : 0
Resolved items : 2
Unresolved items : 5
Password-protected items : 5
Individual viruses found : 2
Scanned directories : 4043
Scanned boot sectors : 6
Scanned archives : 3895
Input-output errors : 141
Scan time : 00:36:49
Files per second : 58

Scanned processes summary
Scanned : 41
Infected : 0

Scanned registry keys summary
Scanned : 1084
Infected : 0

Scanned cookies summary
Scanned : 1084
Infected : 0

Resolved issues:
Object Name Threat Name Final Status
F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000175.exe Trojan.Generic.1082645 Deleted
F:\=]Master Boot Record Trojan.Mebroot.B Deleted

Objects that were not scanned:
Object Name Reason Final Status
F:\filesnwn\database\data1.rar=]HH_AREAS.CDX Overcompressed No action was possible
C:\Documents and Settings\Charlene\My Documents\My Pando Packages\trojanhunter\LiveUpdate.exe=](ZIP Sfx o)=]AutoPlay/autorun.cdd=]_detect.dat Password-protected No action was possible
C:\Documents and Settings\Charlene\My Documents\My Pando Packages\trojanhunter\LiveUpdate.exe=](ZIP Sfx o)=]AutoPlay/autorun.cdd=]_proj.dat Password-protected No action was possible
C:\Documents and Settings\Charlene\My Documents\My Pando Packages\trojanhunter\LiveUpdate.exe=](ZIP Sfx o)=]AutoPlay/autorun.cdd=]_fonts.dat Password-protected No action was possible
F:\Rosetta Stone Application CD\RosettaStone Application CD v2.07.nrg=]autorun.apm=]amsdata.dat Password-protected No action was possible

Just so you know, I ran my Webroot program on my F drive and it is still saying Boot Sector Troj/Mbroot-A in \\.\ PHYSICALDRIVE 1. So what is next, if anything?
