My virus program (Embarq Security) keeps finding the win32.fontra.c virus. I delete or quarantine it but it keeps popping up that it has detected it again. It says it is in my System Volume Information folder but I can't get into the folder to check it out. I have tried to change the security properties to get into it but have been unsuccessful. Help!

Hello, I will take a look at your system. Please disable Embarq Security temporary, you can enable it later. Download the "HijackThis" Installer from this link: http://www.trendsecure.com/portal/e... 1. Save " HJTInstall.exe" to your desktop. 2. Double click on HJTInstall.exe to run the program. 3. By default it will install to C:\Program Files\Trend Micro\HijackThis. 4. Accept the license agreement by clicking the "I Accept" button. 5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log. 6. Click "Save log" to save the log file and then the log will open in Notepad. 7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. 8. Paste the log in your next reply. 9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required. Post Hijackthis Log in your next reply. *Do Safe Computing*

Here it is! Thanks! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:32:26 PM, on 5/9/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe C:\Program Files\EMBARQ Online Security\Common\FSMA32.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe C:\WINDOWS\Explorer.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\PRISMSVR.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Documents and Settings\LukeandEm\lsass.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.exe C:\Program Files\Microsoft Office\Office10\WINWORD.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yc... R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file) R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: {c171d3e5-97bb-062b-08a4-72f790e62d03} - {30d26e09-7f27-4a80-b260-bb795e3d171c} - C:\WINDOWS\system32\bwmxsfof.dll (file missing) O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {B14FA6B6-897D-4068-9393-9FEC37919CC0} - C:\WINDOWS\system32\awtrRijI.dll (file missing) O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\system32\khfEUkjH.dll (file missing) O2 - BHO: (no name) - {BC302BCF-5755-41DF-89F5-22EC200DE644} - (no file) O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - (no file) O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.exe" /APPLY O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\LukeandEm\lsass.exe O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257 O4 - HKLM\..\Run: [b0a7c86d] rundll32.exe "C:\WINDOWS\system32\pgeeeeeg.dll",b O4 - HKLM\..\Run: [BMb394fbf1] Rundll32.exe "C:\WINDOWS\system32\yysnybjt.dll",s O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\whqfqgaj.exe O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba... O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOut... O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_... O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no... O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://esource.jeld-wen.net/vdesk/cachecleaner.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishAct... O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp... O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedI... O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/Slide... O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com... O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls... O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/Veri... O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1... O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/sm... O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/f... O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aolsvc.aol.com/onlinegames/c... O20 - Winlogon Notify: ddcca - C:\WINDOWS\ O20 - Winlogon Notify: khfEUkjH - khfEUkjH.dll (file missing) O20 - Winlogon Notify: urqoolm - urqoolm.dll (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\whqfqgaj.exe (file missing) O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing) O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 10483 bytes

okay the guy on top sounds wierd not you but the guy who wants you to download something any way i also have EMBARQ here in WA real good i also couldnt remove Sh*t i dont know y though but yea um ... you can probally just remove embarq secruity and just download Avg free or if you use windows for other email web writting i recomened Linux its way better no viruses ever you can download it for free at there websites i recomend linuxmint has alot of cool 3d affects just burn it to a cd in a image not data or audio you may need to download a iso imager burner i used isoburn its good and fast any way ill show you how but it wont let me give emails um just send me a email at nbaplaya14 at gmail dot com

Malware & Adware infection found on your system. Please take note of the following: 1. Please do not make any system changes yet. as any changes you make may well alter your log. 2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean. 3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes. 4. Please reply to this thread. Do not start a new topic. Go to Control Panel --> Add/remove Prog --> Remove Viewpoint and all its contents. Disable EMBARQ Online Security temporary to avoid conflicts with removal tools which we will use to clean up your pc. Please run HijackThis again! and click "Scan." Place checks next to the following entries: R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file) R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: {c171d3e5-97bb-062b-08a4-72f790e62d03} - {30d26e09-7f27-4a80-b260-bb795e3d171c} - C:\WINDOWS\system32\bwmxsfof.dll (file missing) O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - (no file) O2 - BHO: (no name) - {B14FA6B6-897D-4068-9393-9FEC37919CC0} - C:\WINDOWS\system32\awtrRijI.dll (file missing) O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\system32\khfEUkjH.dll (file missing) O2 - BHO: (no name) - {BC302BCF-5755-41DF-89F5-22EC200DE644} - (no file) O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - (no file) O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\LukeandEm\lsass.exe O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257 O4 - HKLM\..\Run: [b0a7c86d] rundll32.exe "C:\WINDOWS\system32\pgeeeeeg.dll",b O4 - HKLM\..\Run: [BMb394fbf1] Rundll32.exe "C:\WINDOWS\system32\yysnybjt.dll",s O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\whqfqgaj.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba... O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_... O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no... O20 - Winlogon Notify: ddcca - C:\WINDOWS\ O20 - Winlogon Notify: khfEUkjH - khfEUkjH.dll (file missing) O20 - Winlogon Notify: urqoolm - urqoolm.dll (file missing) O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\whqfqgaj.exe (file missing) O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing) O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing) Close all browsers and other windows except for HijackThis!, and click "Fix checked". ----- Please download SDFix by AndyManchesta and save it to your desktop. Download: http://downloads.andymanchesta.com/... When using this tool, you must use the use the Administrator's account or an account with "Administrative rights" Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Open the SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. Copy and paste the contents of the results file Report.txt in your next reply. Note: If this error message is displayed when running SDFix: The command prompt has been disabled by your administrator. Press any key to continue... Please go to Start Menu > Run > and type (copy/paste) the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg Press OK and then run SDFix again. • If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q Reboot and then run SDFix again. • If SDFix still does not run check the %comspec% variable. Right click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe. %SystemRoot%\system32\cmd.exe ------- Please download Malwarebytes' Anti-Malware to your desktop. This is an Free Antimalware Application tool. Download link: http://www.malwarebytes.org/mbam/pr... >DoubleClick mbam-setup.exe and follow the prompts to install MBA-M. >Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. >If an update is found, it will download and install the latest database updates. >Once the program has loaded, select Perform full scan, then click Scan. >When the scan is complete, click OK, then Show Results to view the results. >Be sure that everything is checked, and click Remove Selected. >When MBAM finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt Post its Log in your next reply. ------ Download Combofix by sUBs and save to your desktop. (If you have previously downloaded ComboFix,please delete that version now.) download link HERE: http://download.bleepingcomputer.co... http://www.forospyware.com/sUBs/Com... Note It is important that it is saved directly to your desktop Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply. Note Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang. Note In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again. Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them. Also post a new Hijackthis log. *Do Safe Computing*

Whew! Here is all of it: SDFix Report.txt --------------- [b]SDFix: Version 1.181 [/b] Run by LukeandEm on Sat 05/10/2008 at 01:14 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\DOCUME~1\LUKEAN~1\Desktop\SDFix [b]Checking Services [/b]: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting [b]Checking Files [/b]: Trojan Files Found: C:\WINDOWS\SYSTEM32\TASKKILL.exe - Deleted C:\Documents and Settings\LukeandEm\Local Settings\Temp\tem529.tmp.exe - Deleted C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted C:\Documents and Settings\LukeandEm\lsass.exe - Deleted C:\Documents and Settings\LukeandEm\services.exe - Deleted C:\WINDOWS\system32\atmtd.dll - Deleted C:\WINDOWS\system32\pac.txt - Deleted C:\WINDOWS\uninstall_nmon.vbs - Deleted Folder C:\Program Files\Network Monitor - Removed Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed Folder C:\WINDOWS\system32\bkEur18 - Removed Folder C:\WINDOWS\system32\Z1 - Removed Removing Temp Files [b]ADS Check [/b]: [b]Final Check [/b]: catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-10 13:22:55 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 [b]Remaining Services [/b]: Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server" "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:America Online 9.0" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader" "C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax" "C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager" "C:\\WINDOWS\\system32\\bfxfyxjv.exe"="C:\\WINDOWS\\system32\\bfx" "C:\\WINDOWS\\system32\\whqfqgaj.exe"="C:\\WINDOWS\\system32\\whq" "C:\\Documents and Settings\\LukeandEm\\Application Data\\Facebook\\facebook.exe"="C:\\Documents and Settings\\LukeandEm\\Application Data\\Facebook\\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes" "C:\\Program Files\\TurboTax\\Basic 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax" "C:\\Program Files\\TurboTax\\Basic 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0" "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger" [b]Remaining Files [/b]: File Backups: - C:\DOCUME~1\LUKEAN~1\Desktop\SDFix\backups\backups.zip [b]Files with Hidden Attributes [/b]: Sat 12 May 2007 4 A..H. --- "C:\WINDOWS\uccspecb.sys" Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe" Tue 28 Aug 2007 1,603,907 A.SH. --- "C:\WINDOWS\system32\accdd.tmp" Tue 28 Aug 2007 1,602,632 A.SH. --- "C:\WINDOWS\system32\accdd.bak1" Thu 30 Aug 2007 1,730,405 A.SH. --- "C:\WINDOWS\system32\accdd.tmp2" Thu 30 Aug 2007 1,730,264 A.SH. --- "C:\WINDOWS\system32\accdd.bak2" Thu 25 Aug 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Sun 27 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Sun 27 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp" Thu 25 Aug 2005 4,348 ...H. --- "C:\Documents and Settings\LukeandEm\My Documents\My Music\License Backup\drmv1key.bak" Tue 3 Jan 2006 20 A..H. --- "C:\Documents and Settings\LukeandEm\My Documents\My Music\License Backup\drmv1lic.bak" Thu 25 Aug 2005 312 A.SH. --- "C:\Documents and Settings\LukeandEm\My Documents\My Music\License Backup\drmv2key.bak" Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\LukeandEm\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp" Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\LukeandEm\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp" Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\LukeandEm\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp" Sat 21 Apr 2007 8 A..H. --- "C:\Documents and Settings\LukeandEm\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp" [b]Finished![/b] Malwarebytes log-date.txt --------------- Malwarebytes' Anti-Malware 1.12 Database version: 738 Scan type: Full Scan (C:\|D:\|) Objects scanned: 103625 Time elapsed: 29 minute(s), 25 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 52 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 37 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\WebBuying (Adware.WebBuying) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b3102264-d09d-4322-b625-503fbf18dd7e} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\dfdswrdj.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\jdrwsdfd.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\jhfbtgic.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\cigtbfhj.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\jvpomtdu.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\udtmopvj.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mdhtpobe.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ebopthdm.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\noltfkmc.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\cmkftlon.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\nrljrgxf.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\fxgrjlrn.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\oxixdwsi.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\iswdxixo.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pcrrbibb.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\bbibrrcp.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\uarwakgt.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\tgkawrau.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\vdyqofid.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\difoqydv.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wfswqwdy.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ydwqwsfw.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully. C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. C:\Documents and Settings\LukeandEm\Local Settings\Temporary Internet Files\Content.IE5\JU1FC4GI\css4[1].0 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP769\A0082916.dll (Adware.TargetSaver) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP769\A0082917.vbs (Malware.Trace) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP769\A0082923.dll (Adware.TargetSaver) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP769\A0082927.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP769\A0082928.vbs (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\Macromed\Download\Install.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. Combofix.txt --------------- ComboFix 08-05-09.1 - LukeandEm 2008-05-10 14:06:16.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.456 [GMT -4:00] Running from: C:\Documents and Settings\LukeandEm\Desktop\ComboFix.exe * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\LukeandEm\Application Data\FunWebProducts C:\Documents and Settings\LukeandEm\Application Data\FunWebProducts\Data\LukeandEm\avatar.dat C:\Documents and Settings\LukeandEm\Application Data\FunWebProducts\Data\LukeandEm\register.dat C:\WINDOWS\cookies.ini C:\WINDOWS\Downloaded Program Files\setup.inf C:\WINDOWS\Fonts\' C:\WINDOWS\pskt.ini C:\WINDOWS\system32\accdd.bak1 C:\WINDOWS\system32\accdd.bak2 C:\WINDOWS\system32\accdd.ini C:\WINDOWS\system32\accdd.ini2 C:\WINDOWS\system32\accdd.tmp C:\WINDOWS\system32\accdd.tmp2 C:\WINDOWS\system32\akljjnlr.ini C:\WINDOWS\system32\cenmevto.ini C:\WINDOWS\system32\configs C:\WINDOWS\system32\f10WtR C:\WINDOWS\system32\fmoaitwp.ini C:\WINDOWS\system32\geeeeegp.ini C:\WINDOWS\system32\IjiRrtwa.ini C:\WINDOWS\system32\IjiRrtwa.ini2 C:\WINDOWS\system32\iudcdvvt.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\ogloqslc.ini C:\WINDOWS\system32\oncfxgok.ini C:\WINDOWS\system32\tempchk C:\WINDOWS\system32\tsmpajia.ini C:\WINDOWS\system32\V1 C:\WINDOWS\system32\win . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_CMDSERVICE -------\Legacy_DOMAINSERVICE -------\Legacy_NETWORK_MONITOR ((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 ))))))))))))))))))))))))))))))) . 2008-05-10 13:31 . 2008-05-10 13:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-05-10 13:31 . 2008-05-10 13:31 <DIR> d-------- C:\Documents and Settings\LukeandEm\Application Data\Malwarebytes 2008-05-10 13:31 . 2008-05-10 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-05-10 13:31 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-10 13:31 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-10 13:09 . 2008-05-10 13:09 <DIR> d-------- C:\WINDOWS\ERUNT 2008-05-09 14:31 . 2008-05-09 14:31 <DIR> d-------- C:\Program Files\Trend Micro 2008-05-09 13:14 . 2008-05-09 13:14 <DIR> d--h----- C:\WINDOWS\PIF 2008-05-08 16:45 . 2008-05-08 16:45 <DIR> d-------- C:\Program Files\Recuva 2008-05-06 16:40 . 2008-05-06 16:41 <DIR> d-------- C:\Program Files\LimeWire 2008-05-05 19:57 . 2008-05-05 19:58 <DIR> d-------- C:\WINDOWS\Fonts2 2008-05-04 19:09 . 2008-05-04 19:09 109,734 --a------ C:\WINDOWS\BMb394fbf1.xml 2008-05-04 19:08 . 2008-05-04 23:47 <DIR> d-------- C:\Pinochle 2008-05-04 19:03 . 2008-05-04 19:03 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2008-04-20 10:39 . 2008-04-20 10:39 <DIR> d-------- C:\Documents and Settings\LukeandEm\Application Data\7Wonders . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-10 16:52 --------- d-----w C:\Program Files\Viewpoint 2008-05-10 16:52 --------- d-----w C:\Documents and Settings\LukeandEm\Application Data\Viewpoint 2008-05-05 22:41 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-21 02:00 --------- d-----w C:\Program Files\DivX 2008-04-11 20:20 --------- d-----w C:\Program Files\Java 2008-03-31 00:48 --------- d-----w C:\Program Files\EMBARQ Online Security 2008-03-26 21:39 51,072 ----a-w C:\WINDOWS\system32\drivers\fsdfw.sys 2008-03-26 21:39 30,016 ----a-w C:\WINDOWS\system32\drivers\fsndis5.sys 2008-03-19 09:15 --------- d-----w C:\Program Files\AIM6 2008-03-19 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-03-19 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads 2008-03-19 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2007-06-05 01:03 78,512 ----a-w C:\Documents and Settings\LukeandEm\Application Data\GDIPFONTCACHEV1.DAT 2005-07-29 20:24 472 --sha-r C:\WINDOWS\THVrZWFuZEVt\nJpOtqIRtHpQ.vbs . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC302BCF-5755-41DF-89F5-22EC200DE644}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360] "Aim6"="" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-08-12 14:17 26112] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03 81920] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 12:06 11776] "PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" [2004-04-13 19:45 290905] "SprintModemUpdate"="javaw.exe" [2008-02-22 01:23 135168 C:\WINDOWS\system32\javaw.exe] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941] "F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-04-26 07:43 176177] "F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-04-26 07:41 733184] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ 2Wire Wireless Client.lnk - C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe [2006-10-09 17:57:45 335979] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-03-26 17:39] R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\EMBARQ Online Security\HIPS\fshs.sys [2008-02-13 06:16] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\EMBARQ Online Security\Anti-Virus\minifilter\fsgk.sys [2007-04-26 07:42] R3 WlanUIG;2Wire 802.11g USB Driver;C:\WINDOWS\system32\DRIVERS\WlanUIG.sys [2004-05-16 20:46] S3 musbehco;musbehco;C:\DOCUME~1\LUKEAN~1\LOCALS~1\Temp\musbehco.sys [] S3 Netcom3;NetCom3 Service;C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe [] S4 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe [] S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 07:42] S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSrec.sys [2007-04-26 07:42] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1951c432-1f30-11da-8d8b-caae537e4e81}] \Shell\Auto\command - F:\Start.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Start.exe . Contents of the 'Scheduled Tasks' folder "2008-05-07 00:25:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-05-10 16:59:25 C:\WINDOWS\Tasks\Scheduled scanning task.job" - C:\PROGRA~1\EMBARQ~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\EMBARQ~1\ANTI-V~1\report.txt . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-10 14:12:35 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . r Running Proce . C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe C:\Program Files\EMBARQ Online Security\Common\FSMA32.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\EMBARQ Online Security\Common\FSLAUNCH.exe . ************************************************************************** . Completion time: 2008-05-10 14:19:58 - machine was rebooted ComboFix-quarantined-files.txt 2008-05-10 18:19:34 Pre-Run: 13,500,096,512 bytes free Post-Run: 13,757,018,112 bytes free 165 --- E O F --- 2008-04-12 07:06:28 New Hijackthis! Log --------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:23:10 PM, on 5/10/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe C:\Program Files\EMBARQ Online Security\Common\FSMA32.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\PRISMSVR.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\EMBARQ Online Security\Common\FSLAUNCH.exe C:\WINDOWS\explorer.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yc... R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {BC302BCF-5755-41DF-89F5-22EC200DE644} - (no file) O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.exe" /APPLY O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOut... O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://esource.jeld-wen.net/vdesk/cachecleaner.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishAct... O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp... O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedI... O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/Slide... O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com... O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls... O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/Veri... O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/sm... O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/f... O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- End of file - 7775 bytes

Logs looking much better, except few sympotms of infection. -- Open notepad, Don't use any other texteditor than notepad or the script will fail. Copy/paste the bold text below into notepad: Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC302BCF-5755-41DF-89F5-22EC200DE644}] Save this as text file with name of CFScript. Select "All files" from Save as Type. Then drag the CFScript file into ComboFix.exe icon. This will start ComboFix again. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. ------ Reset and Re-enable your System Restore: Your system restore points are infected with Trojan and Malware, so please remove them and create new restore points. Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. (You will lose all previous restore points which are likely to be infected) 1. Turn off System Restore: On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. 2. Restart your computer. 3. Turn ON System Restore: On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check Turn off System Restore. Click Apply, and then click OK. System Restore will now be active again. ---- Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only) Download: http://www.atribune.org/ccount/clic... Double-click ATF-Cleaner.exe to run the program. Under Main "Select Files to Delete" choose: Select All. Click the Empty Selected button. If you use Firefox browser: Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser: Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. --- Please do an online scan with Kaspersky WebScanner. online scanner: http://www.kaspersky.com/virusscanner 1.Click on "Kaspersky Online Scanner". 2.You will be prompted to install an ActiveX component from Kaspersky, Click Yes. 3.The program will launch and then begin downloading the latest definition files. 4.Once the files have been downloaded click on "NEXT". 5.Now click on "Scan Settings". 6.In the scan settings make that the following are selected: 7.Scan using the following Anti-Virus database: Extended (if available otherwise Standard) 8.Scan Options: Scan Archives Scan Mail Bases 9.Click OK. 10.Under select a target to scan, select "My Computer". This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Upon completion, click on the "Save as Text" button. Save the file to your desktop. Copy and paste that information in your next reply along with Fresh Hijackthis log. ======= By the way how things are running now? what are you feeling? *Do Safe Computing*