I can't post an Mbam scan log because whatever is infecting my computer is completely shutting the computer down before the scan completes running (by this I mean suddenly and totally powering it off). This seems to have begun over the weekend when I started getting strange pop-ups and browser hijacks. I ran Mbam at that time and had "Trojan TDSS" show up in the results. Mbam quarantined and removed it and everything seemed alright for a day or so. Then I had a recurrence of the strange behavior, so I ran Mbam again and this time it found "Rootkit TDS". Once again there seemed to be no problem with quarantine and removal, but to try and make sure it was clean, I ran another scan. This is when I started experiencing the power shut off. I've tried uninstalling and reinstalling Malwarebytes, but that didn't help. I also tried running an A-Squared scan and had the same thing happen (shut-down before scan completed).
Sorry about rambling on, but since I can't post a scan log I figured I'd try to be as detailed as possible.
I can post a HijackThis log, and that follows.
Thanks for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:48 AM, on 9/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRAM FILES\MAMUTU\mamutu.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\a-squared Anti-MalwareII\a2service.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mamutu\a2service.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Mamutu Guard] "C:\PROGRAM FILES\MAMUTU\mamutu.exe" /silent
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWAREII\a2guard.exe" /d=60
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224635315968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241924918390
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2590DE03-42A0-49EF-8314-F1D58D603E68}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB91A32F-40A4-4CE1-B911-6F950C608F41}: NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: McAfee Application Installer Cleanup (0034811251857799) (0034811251857799mcinstcleanup) - Unknown owner - C:\DOCUME~1\VICTOR~1.CMA\LOCALS~1\Temp\003481~1.EXE (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-MalwareII\a2service.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Mamutu Service (Mamutu) - Emsi Software GmbH - C:\Program Files\Mamutu\a2service.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 8808 bytes
MBAM log inserted on behalf of member
Malwarebytes' Anti-Malware 1.40
Database version: 2721
Windows 5.1.2600 Service Pack 3
8/31/2009 10:41:01 AM
mbam-log-2009-08-31 (10-41-01).txt
Scan type: Full Scan (C:\|)
Objects scanned: 251112
Time elapsed: 1 hour(s), 5 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\bftivbvrxvbcvtnt.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
#1
Posted 02 September 2009 - 09:50 AM
#2
Posted 03 September 2009 - 02:02 AM
Hello,
I've added your MBAM log in your post. I'd like to convey to you to stop un-installing and re-installing MBAM.
It has found a rootkit and has attempted to remove it. We need to have you get some additional reports.
Do the following:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.
=
1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.
"CHECK" (turn on) Display the contents of system folders.
Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.
2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}
=
Go >> here <<
and download RootRepeal and SAVE to your Desktop.
Doubleclick RootRepeal.exe icon on your Desktop.
Click on the Report tab at bottom of window and then click on Scan button.
A window will open asking what to include in the scan. Check all of the below and then click Ok.
Drivers
Files
Processes
SSDT
Hidden Services
Stealth Objects
You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on if not C) and click Ok again.
The scan will start.
It will take a little while so please be patient. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.
=
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.
Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2734 or later. The latest program version is 1.40
When done, click the Scanner tab.
Do a Quick Scan.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
=
Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop.
RootRepeal.txt
the latest MBAM scan log
DDS.txt
Attach.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#3
Posted 03 September 2009 - 04:03 AM
After several hang ups and restarts I made it through the RootRepeal scan. I wanted to post this before I ran the MBAM scan, since (as I stated previously) every recent scan has resulted in a shut down/power off result. Most of these have made it difficult to power back up, but I'll give it a shot.
Thanks for the help so far. I'm keeping my fingers crossed.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/02 22:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================
Drivers
-------------------
Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xF436A000 Size: 102400 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79E3000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7F3D000 Size: 49152 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46adf4a
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ad454
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46adaee
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ae4c6
#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ad132
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46af1d6
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46af4ae
#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46accf8
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ae130
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ae2e0
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46aca5a
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46aee58
#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ad6d8
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46add32
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ac78a
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ad968
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ac902
#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ae88c
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ad250
#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46aebf4
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46af006
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ae68c
#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ad672
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ad85c
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46acffc
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46aceca
==EOF==
#4
Posted 03 September 2009 - 04:44 AM
Here's my MBAM log. I'm posting these logs one at a time because I don't know if or when this computer is going to be more severely damaged by this infection. Even though I made it through the QuickScan (although only a full scan has detected this rootkit in the recent past), the computer shut down on me while I was copying the log.
Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3
9/2/2009 11:28:33 PM
mbam-log-2009-09-02 (23-28-33).txt
Scan type: Quick Scan
Objects scanned: 131641
Time elapsed: 8 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
#5
Posted 03 September 2009 - 04:48 AM
I suspect the BSOD issues are related to Comodo.
Disable the Comodo firewall and immediately enable the Windows firewall.
Right-click the Comodo system tray icon.
Select Exit.
On the Pop up window, Click the Yes button.
Click Start, click Run, type Firewall.cpl and then click OK.
On the General tab, click On (recommended).
Click OK.
Then, go and follow my last reply about running MBAM program & also the steps for DDS.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
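The RootRepeal report in post #3 names the owning driver for every SSDT hook, which is the evidence a reviewer checks before attributing instability to a security product. As an added example (not part of any post in this thread and not RootRepeal's own code), this Python parses that report layout, groups hooks by owning driver, and flags owners outside a reviewer-supplied allowlist. The function names, the `expected_owners` allowlist and the `examplehook.sys` entry are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Excerpt in the RootRepeal 1.3.5.0 report layout. The driver entries and the
# cmdguard.sys hooks are copied from the report in this thread; the entry owned
# by "examplehook.sys" is CONSTRUCTED to show how an unexpected owner is flagged.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xF436A000 Size: 102400 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7F3D000 Size: 49152 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46adaee
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46aee58
#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\examplehook.sys" at address 0xf7000000
#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf46ad672
==EOF==
"""

# Section titles as offered in the RootRepeal scan dialog quoted in the thread.
SECTIONS = {"Drivers", "Files", "Processes", "SSDT",
            "Hidden Services", "Stealth Objects"}
DRIVER_ATTR_RE = re.compile(
    r"^Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)"
    r"\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)")
HOOK_HDR_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_STATUS_RE = re.compile(
    r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')


def parse_report(text):
    """Return (drivers, hooks) parsed from the Drivers and SSDT sections."""
    section, drivers, hooks, pending = None, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, pending = line, None
            continue
        if section == "Drivers":
            if line.startswith("Name:"):
                drivers.append({"name": line[len("Name:"):].strip()})
            elif line.startswith("Image Path:") and drivers:
                drivers[-1]["path"] = line[len("Image Path:"):].strip()
            else:
                m = DRIVER_ATTR_RE.match(line)
                if m and drivers:
                    drivers[-1].update(address=m.group(1), size=int(m.group(2)),
                                       file_visible=m.group(3), signed=m.group(4))
        elif section == "SSDT":
            m = HOOK_HDR_RE.match(line)
            if m:  # first line of a two-line hook record
                pending = {"index": int(m.group(1)), "function": m.group(2)}
                continue
            m = HOOK_STATUS_RE.match(line)
            if m and pending:  # second line completes the record
                pending.update(owner=m.group(1), address=m.group(2))
                hooks.append(pending)
            pending = None  # any other line ends an incomplete record
    return drivers, hooks


def owner_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(text, expected_owners):
    """Group SSDT hooks by owning driver and flag owners not in the allowlist."""
    drivers, hooks = parse_report(text)
    owners = defaultdict(list)
    for hook in hooks:
        owners[owner_name(hook["owner"])].append(hook["function"])
    expected = {o.lower() for o in expected_owners}
    return {
        "owners": dict(owners),
        "unexpected": {o: f for o, f in owners.items() if o not in expected},
        # Drivers loaded in memory with no visible file; left for the reviewer to judge.
        "hidden_drivers": [d["name"] for d in drivers
                           if d.get("file_visible") == "No"],
    }


if __name__ == "__main__":
    # Allowlist is the reviewer's assumption about installed security software.
    result = triage(SAMPLE_REPORT, expected_owners={"cmdguard.sys"})
    for owner, funcs in sorted(result["owners"].items()):
        tag = "UNEXPECTED" if owner in result["unexpected"] else "expected"
        print(f"{owner}: {len(funcs)} hook(s) [{tag}] {', '.join(funcs)}")
    print("Drivers with no visible file:", ", ".join(result["hidden_drivers"]))
```

Run against the full report from post #3 with the same allowlist, `unexpected` comes back empty, because every hook listed there names cmdguard.sys.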
#6
Posted 03 September 2009 - 04:54 AM
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/21/2008 4:10:28 AM
System Uptime: 9/2/2009 11:31:17 PM (0 hours ago)
Motherboard: Quanta | | 30B7
Processor: AMD Turion 64 X2 Mobile Technology TL-50 | Socket S1 | 1607/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 81 GiB total, 42.122 GiB free.
D: is FIXED (FAT32) - 12 GiB total, 0.307 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP482: 8/20/2009 1:52:21 PM - Revo Uninstaller's restore point - Microsoft Money 2006
RP483: 8/20/2009 1:57:37 PM - Revo Uninstaller's restore point - Microsoft Works
RP484: 8/20/2009 3:28:36 PM - Software Distribution Service 3.0
RP485: 8/20/2009 10:21:15 PM - Software Distribution Service 3.0
RP486: 8/20/2009 11:50:30 PM - Software Distribution Service 3.0
RP487: 8/21/2009 3:00:56 AM - Software Distribution Service 3.0
RP488: 8/21/2009 5:22:18 AM - Software Distribution Service 3.0
RP489: 8/22/2009 3:00:53 AM - Software Distribution Service 3.0
RP490: 8/22/2009 5:42:00 AM - Software Distribution Service 3.0
RP491: 8/22/2009 9:40:22 AM - Software Distribution Service 3.0
RP492: 8/22/2009 11:32:53 AM - Software Distribution Service 3.0
RP493: 8/22/2009 1:20:52 PM - Software Distribution Service 3.0
RP494: 8/23/2009 3:01:22 AM - Software Distribution Service 3.0
RP495: 8/24/2009 1:30:51 AM - Software Distribution Service 3.0
RP496: 8/24/2009 2:23:13 PM - Software Distribution Service 3.0
RP497: 8/25/2009 1:58:55 AM - Software Distribution Service 3.0
RP498: 8/25/2009 1:28:14 PM - Software Distribution Service 3.0
RP499: 8/26/2009 12:11:05 AM - Software Distribution Service 3.0
RP500: 8/26/2009 12:55:01 PM - Software Distribution Service 3.0
RP501: 8/26/2009 9:25:15 PM - Software Distribution Service 3.0
RP502: 8/27/2009 1:24:42 AM - Software Distribution Service 3.0
RP503: 8/28/2009 2:17:41 AM - System Checkpoint
RP504: 8/28/2009 3:00:45 AM - Software Distribution Service 3.0
RP505: 8/28/2009 2:53:23 PM - Revo Uninstaller's restore point - Microsoft Works
RP506: 8/28/2009 2:56:13 PM - Removed Microsoft Works
RP507: 8/28/2009 8:46:29 PM - Revo Uninstaller's restore point - Java 6 Update 15
RP508: 8/28/2009 8:46:43 PM - Removed Java 6 Update 15
RP509: 8/28/2009 11:02:39 PM - Spybot-S&D Spyware removal
RP510: 8/28/2009 11:04:20 PM - Software Distribution Service 3.0
RP511: 8/28/2009 11:14:40 PM - Revo Uninstaller's restore point - Mamutu 2.0
RP512: 8/28/2009 11:19:18 PM - Revo Uninstaller's restore point - a-squared Anti-Malware 4.5
RP513: 8/28/2009 11:29:58 PM - Installed Java 6 Update 15
RP514: 8/29/2009 3:00:50 AM - Software Distribution Service 3.0
RP515: 8/29/2009 4:26:53 PM - Installed Kaspersky Internet Security 2010.
RP516: 8/30/2009 3:00:47 AM - Software Distribution Service 3.0
RP517: 8/30/2009 5:46:41 AM - Software Distribution Service 3.0
RP518: 8/31/2009 3:02:01 AM - Software Distribution Service 3.0
RP519: 8/31/2009 9:27:40 PM - Revo Uninstaller's restore point - Kaspersky Internet Security 2010
RP520: 8/31/2009 9:28:35 PM - Removed Kaspersky Internet Security 2010.
RP521: 8/31/2009 9:42:36 PM - Removed Java 6 Update 15
RP522: 8/31/2009 9:54:00 PM - Installed Java 6 Update 16
RP523: 8/31/2009 11:25:46 PM - Removed Ask a Librarian - Provider 3.0.
RP524: 8/31/2009 11:28:16 PM - Installed Ask a Librarian - Provider 3.0.
RP525: 8/31/2009 11:39:58 PM - Removed Ask a Librarian - Provider 3.0.
RP526: 8/31/2009 11:46:27 PM - Installed Ask a Librarian - Provider 3.0.
RP527: 9/1/2009 2:36:26 AM - Revo Uninstaller's restore point - Ask a Librarian - Provider 3.0
RP528: 9/1/2009 2:36:37 AM - Removed Ask a Librarian - Provider 3.0.
RP529: 9/1/2009 3:00:37 AM - Software Distribution Service 3.0
RP530: 9/1/2009 3:29:49 AM - Installed Ask a Librarian - Provider 3.0.
RP531: 9/1/2009 4:38:18 AM - Revo Uninstaller's restore point - Ask a Librarian - Provider 3.0
RP532: 9/1/2009 4:38:37 AM - Removed Ask a Librarian - Provider 3.0.
RP533: 9/2/2009 3:00:57 AM - Software Distribution Service 3.0
RP534: 9/2/2009 10:42:26 AM - Configured Customer Experience Enhancement
RP535: 9/2/2009 10:47:52 AM - Configured Customer Experience Enhancement
RP536: 9/2/2009 10:48:42 AM - Removed TourSetup
RP537: 9/2/2009 10:50:56 AM - Configured Customer Experience Enhancement
RP538: 9/2/2009 10:52:17 AM - Configured Customer Experience Enhancement
RP539: 9/2/2009 2:08:36 PM - Configured Customer Experience Enhancement
RP540: 9/2/2009 2:09:29 PM - Revo Uninstaller's restore point - Flustomer Experience Exchange
RP541: 9/2/2009 2:10:14 PM - Configured Customer Experience Enhancement
RP542: 9/2/2009 2:17:02 PM - Revo Uninstaller's restore point - HP Rhapsody
RP543: 9/2/2009 2:21:28 PM - Revo Uninstaller's restore point - Quicken 2006
RP544: 9/2/2009 2:23:59 PM - Removed Quicken 2006
RP545: 9/2/2009 2:28:59 PM - Revo Uninstaller's restore point - Sonic Audio Module
RP546: 9/2/2009 2:29:36 PM - Removed Sonic Audio Module
RP547: 9/2/2009 2:30:57 PM - Revo Uninstaller's restore point - Sonic Copy Module
RP548: 9/2/2009 2:31:53 PM - Removed Sonic Copy Module
RP549: 9/2/2009 2:33:11 PM - Revo Uninstaller's restore point - Sonic Data Module
RP550: 9/2/2009 2:33:31 PM - Removed Sonic Data Module
RP551: 9/2/2009 2:34:48 PM - Revo Uninstaller's restore point - Sonic MyDVD Plus
RP552: 9/2/2009 2:35:55 PM - Removed Sonic MyDVD Plus
RP553: 9/2/2009 2:40:17 PM - Revo Uninstaller's restore point - SonicAC3Encoder
RP554: 9/2/2009 2:42:01 PM - Revo Uninstaller's restore point - Sonic Express Labeler
RP555: 9/2/2009 2:42:21 PM - Removed Sonic Express Labeler
RP556: 9/2/2009 2:43:42 PM - Revo Uninstaller's restore point - Sonic Update Manager
RP557: 9/2/2009 2:43:56 PM - Removed Sonic Update Manager
RP558: 9/2/2009 2:45:16 PM - Revo Uninstaller's restore point - SonicMPEGEncoder
RP559: 9/2/2009 4:08:44 PM - Software Distribution Service 3.0
==== Installed Programs ======================
a-squared Anti-Malware 4.5
a-squared HiJackFree 3.1
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 9.1.3
Adobe Shockwave Player
AIM 6
AML Free Registry Cleaner 4.18
Big Fish Games Client
BufferChm
Canon MP Navigator 3.0
Canon MP160
CCleaner (remove only)
COMODO Internet Security
COMODO livePCsupport 1.0.65302.27
COMODO System Cleaner 1.1.64946.38(32bit)
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
ERUNT 1.1j
Fish Tycoon
FullDPAppQFolder
GemMaster Mystic
Google Toolbar for Internet Explorer
GoToMeeting 4.0.0.320
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Product Detection
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.3
HP User Guides 0031
HP Wireless Assistant 2.00 G2
HpSdpAppCoreApp
InstantShareDevices
Java 6 Update 16
Jing
LightScribe 1.4.97.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Mamutu 2.0
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
NVIDIA Drivers
OptionalContentQFolder
Otto
PhotoGallery
Picasa 3
Pop-Up Stopper Free Edition
Power Tab Editor 1.7
RandMap
Revo Uninstaller 1.83
RollerCoaster Tycoon 3
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sibelius Scorch Plugin 5.2.5.48
SkinsHP1
Soft Data Fax Modem with SmartCP
Sonic_PrimoSDK
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Trillian
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Wireless Home Network Setup
==== Event Viewer Messages From Past Week ========
9/1/2009 12:10:26 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 cmdGuard Fips Lbd
9/1/2009 12:10:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/31/2009 9:28:16 AM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/31/2009 8:58:52 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips Lbd
8/31/2009 2:08:26 PM, error: Service Control Manager [7031] - The a-squared Anti-Malware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
8/31/2009 10:44:53 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde Lbd Pcmcia ViaIde
8/29/2009 6:47:59 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec kl1 KLIF Lbd MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/29/2009 6:47:59 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/29/2009 6:47:59 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/29/2009 6:47:59 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/29/2009 6:47:59 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/29/2009 6:46:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/29/2009 6:46:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/29/2009 4:28:16 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001A7302B101. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/29/2009 4:22:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
8/29/2009 4:11:08 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
8/29/2009 3:06:54 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Office Outlook 2003 Junk Email Filter (KB972688).
8/29/2009 3:05:26 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft PowerPoint 2003 (KB957784).
8/29/2009 3:05:00 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Web Components (KB947319).
8/29/2009 3:04:18 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Excel 2003 (KB969681).
8/29/2009 3:02:32 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Word 2003 (KB969603).
8/29/2009 2:43:11 AM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
8/29/2009 12:19:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows CardSpace service to connect.
8/29/2009 12:19:48 PM, error: Service Control Manager [7000] - The Windows CardSpace service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2009 8:48:28 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
8/28/2009 11:58:05 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde Pcmcia ViaIde
8/26/2009 9:29:05 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
8/26/2009 11:43:46 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001A7302B101 has been denied by the DHCP server 192.168.154.3 (The DHCP Server sent a DHCPNACK message).
8/26/2009 11:35:42 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
8/26/2009 11:35:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/26/2009 11:35:42 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
==== End Of File ===========================
8/29/2009 2:43:11 AM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
8/29/2009 12:19:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows CardSpace service to connect.
8/29/2009 12:19:48 PM, error: Service Control Manager [7000] - The Windows CardSpace service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2009 8:48:28 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
8/28/2009 11:58:05 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde Pcmcia ViaIde
8/26/2009 9:29:05 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
8/26/2009 11:43:46 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001A7302B101 has been denied by the DHCP server 192.168.154.3 (The DHCP Server sent a DHCPNACK message).
8/26/2009 11:35:42 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
8/26/2009 11:35:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/26/2009 11:35:42 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
==== End Of File ===========================
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/21/2008 4:10:28 AM
System Uptime: 9/2/2009 11:31:17 PM (0 hours ago)
Motherboard: Quanta | | 30B7
Processor: AMD Turion 64 X2 Mobile Technology TL-50 | Socket S1 | 1607/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 81 GiB total, 42.122 GiB free.
D: is FIXED (FAT32) - 12 GiB total, 0.307 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP482: 8/20/2009 1:52:21 PM - Revo Uninstaller's restore point - Microsoft Money 2006
RP483: 8/20/2009 1:57:37 PM - Revo Uninstaller's restore point - Microsoft Works
RP484: 8/20/2009 3:28:36 PM - Software Distribution Service 3.0
RP485: 8/20/2009 10:21:15 PM - Software Distribution Service 3.0
RP486: 8/20/2009 11:50:30 PM - Software Distribution Service 3.0
RP487: 8/21/2009 3:00:56 AM - Software Distribution Service 3.0
RP488: 8/21/2009 5:22:18 AM - Software Distribution Service 3.0
RP489: 8/22/2009 3:00:53 AM - Software Distribution Service 3.0
RP490: 8/22/2009 5:42:00 AM - Software Distribution Service 3.0
RP491: 8/22/2009 9:40:22 AM - Software Distribution Service 3.0
RP492: 8/22/2009 11:32:53 AM - Software Distribution Service 3.0
RP493: 8/22/2009 1:20:52 PM - Software Distribution Service 3.0
RP494: 8/23/2009 3:01:22 AM - Software Distribution Service 3.0
RP495: 8/24/2009 1:30:51 AM - Software Distribution Service 3.0
RP496: 8/24/2009 2:23:13 PM - Software Distribution Service 3.0
RP497: 8/25/2009 1:58:55 AM - Software Distribution Service 3.0
RP498: 8/25/2009 1:28:14 PM - Software Distribution Service 3.0
RP499: 8/26/2009 12:11:05 AM - Software Distribution Service 3.0
RP500: 8/26/2009 12:55:01 PM - Software Distribution Service 3.0
RP501: 8/26/2009 9:25:15 PM - Software Distribution Service 3.0
RP502: 8/27/2009 1:24:42 AM - Software Distribution Service 3.0
RP503: 8/28/2009 2:17:41 AM - System Checkpoint
RP504: 8/28/2009 3:00:45 AM - Software Distribution Service 3.0
RP505: 8/28/2009 2:53:23 PM - Revo Uninstaller's restore point - Microsoft Works
RP506: 8/28/2009 2:56:13 PM - Removed Microsoft Works
RP507: 8/28/2009 8:46:29 PM - Revo Uninstaller's restore point - Java 6 Update 15
RP508: 8/28/2009 8:46:43 PM - Removed Java 6 Update 15
RP509: 8/28/2009 11:02:39 PM - Spybot-S&D Spyware removal
RP510: 8/28/2009 11:04:20 PM - Software Distribution Service 3.0
RP511: 8/28/2009 11:14:40 PM - Revo Uninstaller's restore point - Mamutu 2.0
RP512: 8/28/2009 11:19:18 PM - Revo Uninstaller's restore point - a-squared Anti-Malware 4.5
RP513: 8/28/2009 11:29:58 PM - Installed Java 6 Update 15
RP514: 8/29/2009 3:00:50 AM - Software Distribution Service 3.0
RP515: 8/29/2009 4:26:53 PM - Installed Kaspersky Internet Security 2010.
RP516: 8/30/2009 3:00:47 AM - Software Distribution Service 3.0
RP517: 8/30/2009 5:46:41 AM - Software Distribution Service 3.0
RP518: 8/31/2009 3:02:01 AM - Software Distribution Service 3.0
RP519: 8/31/2009 9:27:40 PM - Revo Uninstaller's restore point - Kaspersky Internet Security 2010
RP520: 8/31/2009 9:28:35 PM - Removed Kaspersky Internet Security 2010.
RP521: 8/31/2009 9:42:36 PM - Removed Java 6 Update 15
RP522: 8/31/2009 9:54:00 PM - Installed Java 6 Update 16
RP523: 8/31/2009 11:25:46 PM - Removed Ask a Librarian - Provider 3.0.
RP524: 8/31/2009 11:28:16 PM - Installed Ask a Librarian - Provider 3.0.
RP525: 8/31/2009 11:39:58 PM - Removed Ask a Librarian - Provider 3.0.
RP526: 8/31/2009 11:46:27 PM - Installed Ask a Librarian - Provider 3.0.
RP527: 9/1/2009 2:36:26 AM - Revo Uninstaller's restore point - Ask a Librarian - Provider 3.0
RP528: 9/1/2009 2:36:37 AM - Removed Ask a Librarian - Provider 3.0.
RP529: 9/1/2009 3:00:37 AM - Software Distribution Service 3.0
RP530: 9/1/2009 3:29:49 AM - Installed Ask a Librarian - Provider 3.0.
RP531: 9/1/2009 4:38:18 AM - Revo Uninstaller's restore point - Ask a Librarian - Provider 3.0
RP532: 9/1/2009 4:38:37 AM - Removed Ask a Librarian - Provider 3.0.
RP533: 9/2/2009 3:00:57 AM - Software Distribution Service 3.0
RP534: 9/2/2009 10:42:26 AM - Configured Customer Experience Enhancement
RP535: 9/2/2009 10:47:52 AM - Configured Customer Experience Enhancement
RP536: 9/2/2009 10:48:42 AM - Removed TourSetup
RP537: 9/2/2009 10:50:56 AM - Configured Customer Experience Enhancement
RP538: 9/2/2009 10:52:17 AM - Configured Customer Experience Enhancement
RP539: 9/2/2009 2:08:36 PM - Configured Customer Experience Enhancement
RP540: 9/2/2009 2:09:29 PM - Revo Uninstaller's restore point - Flustomer Experience Exchange
RP541: 9/2/2009 2:10:14 PM - Configured Customer Experience Enhancement
RP542: 9/2/2009 2:17:02 PM - Revo Uninstaller's restore point - HP Rhapsody
RP543: 9/2/2009 2:21:28 PM - Revo Uninstaller's restore point - Quicken 2006
RP544: 9/2/2009 2:23:59 PM - Removed Quicken 2006
RP545: 9/2/2009 2:28:59 PM - Revo Uninstaller's restore point - Sonic Audio Module
RP546: 9/2/2009 2:29:36 PM - Removed Sonic Audio Module
RP547: 9/2/2009 2:30:57 PM - Revo Uninstaller's restore point - Sonic Copy Module
RP548: 9/2/2009 2:31:53 PM - Removed Sonic Copy Module
RP549: 9/2/2009 2:33:11 PM - Revo Uninstaller's restore point - Sonic Data Module
RP550: 9/2/2009 2:33:31 PM - Removed Sonic Data Module
RP551: 9/2/2009 2:34:48 PM - Revo Uninstaller's restore point - Sonic MyDVD Plus
RP552: 9/2/2009 2:35:55 PM - Removed Sonic MyDVD Plus
RP553: 9/2/2009 2:40:17 PM - Revo Uninstaller's restore point - SonicAC3Encoder
RP554: 9/2/2009 2:42:01 PM - Revo Uninstaller's restore point - Sonic Express Labeler
RP555: 9/2/2009 2:42:21 PM - Removed Sonic Express Labeler
RP556: 9/2/2009 2:43:42 PM - Revo Uninstaller's restore point - Sonic Update Manager
RP557: 9/2/2009 2:43:56 PM - Removed Sonic Update Manager
RP558: 9/2/2009 2:45:16 PM - Revo Uninstaller's restore point - SonicMPEGEncoder
RP559: 9/2/2009 4:08:44 PM - Software Distribution Service 3.0
==== Installed Programs ======================
a-squared Anti-Malware 4.5
a-squared HiJackFree 3.1
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 9.1.3
Adobe Shockwave Player
AIM 6
AML Free Registry Cleaner 4.18
Big Fish Games Client
BufferChm
Canon MP Navigator 3.0
Canon MP160
CCleaner (remove only)
COMODO Internet Security
COMODO livePCsupport 1.0.65302.27
COMODO System Cleaner 1.1.64946.38(32bit)
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
ERUNT 1.1j
Fish Tycoon
FullDPAppQFolder
GemMaster Mystic
Google Toolbar for Internet Explorer
GoToMeeting 4.0.0.320
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Product Detection
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.3
HP User Guides 0031
HP Wireless Assistant 2.00 G2
HpSdpAppCoreApp
InstantShareDevices
Java 6 Update 16
Jing
LightScribe 1.4.97.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Mamutu 2.0
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
NVIDIA Drivers
OptionalContentQFolder
Otto
PhotoGallery
Picasa 3
Pop-Up Stopper Free Edition
Power Tab Editor 1.7
RandMap
Revo Uninstaller 1.83
RollerCoaster Tycoon 3
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sibelius Scorch Plugin 5.2.5.48
SkinsHP1
Soft Data Fax Modem with SmartCP
Sonic_PrimoSDK
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Trillian
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Wireless Home Network Setup
==== Event Viewer Messages From Past Week ========
9/1/2009 12:10:26 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 cmdGuard Fips Lbd
9/1/2009 12:10:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/31/2009 9:28:16 AM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/31/2009 8:58:52 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips Lbd
8/31/2009 2:08:26 PM, error: Service Control Manager [7031] - The a-squared Anti-Malware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
8/31/2009 10:44:53 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde Lbd Pcmcia ViaIde
8/29/2009 6:47:59 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec kl1 KLIF Lbd MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/29/2009 6:47:59 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/29/2009 6:47:59 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/29/2009 6:47:59 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/29/2009 6:47:59 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/29/2009 6:46:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/29/2009 6:46:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/29/2009 4:28:16 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001A7302B101. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/29/2009 4:22:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
8/29/2009 4:11:08 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
8/29/2009 3:06:54 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Office Outlook 2003 Junk Email Filter (KB972688).
8/29/2009 3:05:26 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft PowerPoint 2003 (KB957784).
8/29/2009 3:05:00 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Web Components (KB947319).
8/29/2009 3:04:18 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Excel 2003 (KB969681).
8/29/2009 3:02:32 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Word 2003 (KB969603).
8/29/2009 2:43:11 AM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
8/29/2009 12:19:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows CardSpace service to connect.
8/29/2009 12:19:48 PM, error: Service Control Manager [7000] - The Windows CardSpace service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2009 8:48:28 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
8/28/2009 11:58:05 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde Pcmcia ViaIde
8/26/2009 9:29:05 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
8/26/2009 11:43:46 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001A7302B101 has been denied by the DHCP server 192.168.154.3 (The DHCP Server sent a DHCPNACK message).
8/26/2009 11:35:42 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
8/26/2009 11:35:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/26/2009 11:35:42 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
==== End Of File ===========================
#7
Posted 03 September 2009 - 05:09 AM
Maurice Naggar, on Sep 2 2009, 11:48 PM, said:
I suspect the BSOD issues are related to Comodo.
Disable the Comodo firewall and immediately enable the Windows firewall.
Right-click the Comodo system tray icon.
Select Exit.
On the Pop up window, Click the Yes button.
Click Start, click Run, type Firewall.cpl and then click OK.
On the General tab, click On (recommended).
Click OK.
Then, go and follow my last reply about running MBAM program & also the steps for DDS.
I just saw your 11:48PM post. Are you asking me to perform another MBAM QuickScan after disabling Comodo and running the Windows Firewall? I posted my MBAM log just before you posted.
#8
Posted 03 September 2009 - 05:57 AM
You overlooked copying & pasting the DDS.txt log which I need.
You posted the Attach.txt twice
Hold off on the new MBAM run.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#9
Posted 03 September 2009 - 06:19 AM
Sorry about that. I was in a hurry trying to do this and get the kids to bed. Here's the DDS.text log:
DDS (Ver_09-07-30.01) - NTFSx86
Run by Carol at 23:48:07.32 on Wed 09/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.523 [GMT -5:00]
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\a-squared Anti-MalwareII\a2service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Mamutu\a2service.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRAM FILES\MAMUTU\mamutu.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carol.CMAXWELL\Desktop\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Carol
mDefault_Page_URL = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Mamutu Guard] "c:\program files\mamutu\mamutu.exe" /silent
mRun: [a-squared] "c:\program files\a-squared anti-malwareii\a2guard.exe" /d=60
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\documents and settings\carol.cmaxwell\start menu\programs\startup\Adobe Media Player.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224635315968
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241924918390
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {2590DE03-42A0-49EF-8314-F1D58D603E68} = 156.154.70.22,156.154.71.22
TCP: {EB91A32F-40A4-4CE1-B911-6F950C608F41} = 156.154.70.22,156.154.71.22
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-7-11 36512]
R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-7-11 39456]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-31 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-8-31 25160]
R2 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared anti-malwareii\a2service.exe [2009-8-28 980512]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-8-31 715392]
R2 Mamutu;Mamutu Service;c:\program files\mamutu\a2service.exe [2009-8-28 980512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-31 210216]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 0034811251857799mcinstcleanup;McAfee Application Installer Cleanup (0034811251857799);c:\docume~1\victor~1.cma\locals~1\temp\003481~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\victor~1.cma\locals~1\temp\003481~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
=============== Created Last 30 ================
2009-09-02 03:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 03:55 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-02 03:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 23:41 <DIR> --d----- c:\windows\system32\appmgmt
2009-08-31 22:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-08-31 22:08 179,792 a------- c:\windows\system32\guard32.dll
2009-08-31 22:08 132,168 a------- c:\windows\system32\drivers\cmdguard.sys
2009-08-31 22:08 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-08-31 21:54 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-31 21:16 <DIR> --d----- c:\program files\common files\McAfee
2009-08-31 21:16 <DIR> --d----- c:\program files\McAfee
2009-08-28 23:48 <DIR> --d----- c:\program files\a-squared Anti-MalwareII
2009-08-28 23:41 <DIR> --d----- c:\program files\Mamutu
2009-08-28 23:32 <DIR> --d----- c:\program files\a-squared Anti-Malware
2009-08-18 23:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-08-18 23:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-08-18 23:20 <DIR> --d----- c:\program files\common files\AOL
2009-08-18 23:19 <DIR> --d----- c:\program files\AIM6
2009-08-18 23:19 367 a---h--- C:\IPH.PH
2009-08-18 12:32 <DIR> --d----- c:\docume~1\carol~1.cma\applic~1\Trillian
2009-08-17 10:45 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-08-16 21:44 <DIR> --d----- c:\docume~1\carol~1.cma\applic~1\Atari
2009-08-16 21:00 <DIR> --d----- c:\program files\Atari
2009-08-12 23:12 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 23:12 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-11 16:56 <DIR> --d----- c:\docume~1\carol~1.cma\applic~1\CBS Interactive
2009-08-09 17:49 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-08 15:08 <DIR> --d----- c:\program files\a-squared HiJackFree
2009-08-08 14:57 11,254 a------- c:\windows\system32\locate.com
2009-08-08 14:26 <DIR> --d----- C:\ISeeYouXP
2009-08-08 01:21 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-07 22:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-07 22:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-07 14:55 <DIR> --d----- C:\32788R22FWJFW.0.tmp
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
==================== Find3M ====================
2009-09-02 23:41 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
2009-08-29 14:44 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-05 04:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-07-19 08:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 08:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-06-29 06:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 06:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 03:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 03:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 03:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-06-27 18:37 1,409 a------- c:\windows\fonts\RPRSTITL.FOT
2009-06-27 18:37 1,409 a------- c:\windows\fonts\RPRSSTMP.FOT
2009-06-27 18:37 1,409 a------- c:\windows\fonts\RPRSSCRP.FOT
2009-06-27 18:37 1,409 a------- c:\windows\fonts\RPRSMET_.FOT
2009-06-27 18:37 1,409 a------- c:\windows\fonts\OPUSFS__.FOT
2009-06-27 18:37 1,409 a------- c:\windows\fonts\OPUSCSC_.FOT
2009-06-27 18:37 1,409 a------- c:\windows\fonts\OPUSCS__.FOT
2009-06-27 18:37 1,409 a------- c:\windows\fonts\OPUSC___.FOT
2009-06-27 18:37 1,409 a------- c:\windows\fonts\INK2SPEC.FOT
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:25 730,112 -------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 03:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 06:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 09:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 07:31 80,896 -------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 07:31 76,288 -------- c:\windows\system32\telnet.exe
2009-06-12 07:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 09:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:13 84,992 -------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 -------- c:\windows\system32\wkssvc.dll
2009-06-10 01:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2008-12-18 14:06 60,744 a------- c:\documents and settings\carol.cmaxwell\g2mdlhlpx.exe
============= FINISH: 23:49:31.65 ===============
#10
Posted 03 September 2009 - 06:58 AM
I believe I have developed a new problem. I had to move my computer, which meant powering off, and when I restarted Comodo autostarted, so I had to exit it. When I did I got the message that Comodo had encountered a problem and had to close. Also got a send/don't send error report message. Additionally, when I tried to run Windows firewall, I got an "RUNDLL Error loading C:\WINDOWS\system32\shell32.dll Access is denied." message. The same error message appeared when I attempted to open the Security Center in the Control Panel. It seems as though I may have no firewall active right now.
#11
Posted 03 September 2009 - 11:20 AM
GooredFix
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
If you have a prior copy of Combofix, delete it now !
Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.
Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on Combo-Fix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=
RE-Enable your AntiVirus and AntiSpyware applications.
Next, Download Security Check by screen317 and save it to your Desktop: here or here
- Run Security Check
- Follow the onscreen instructions inside of the command window.
- A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
Reply with copy of GooredFix.txt
C:\Combofix.txt
and Checkup.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#12
Posted 03 September 2009 - 09:06 PM
Sorry it took me so long to get back to this. Following this post I am pasting GooredFix.txt log. I wanted some advice before running Combofix. What I'm not sure of is renaming Combofix.exe to Combo-fix.exe. I had previously downloaded Combofix on my own (and renamed it), but wisely chickened out of using it without some expert guidance. I deleted it yesterday, but thought it would be a good idea to check for any leftover files before downloading and running it per your instructions. I'm attaching a screenshot of my search results. It may be nothing, but I thought that file seemed suspicious, so I was reluctant to proceed.
I await further advice.
Thanks.
Here is my GooredFix log:
GooredFix by jpshortstuff (12.07.09)
Log created at 15:43 on 03/09/2009 (Carol)
Firefox version 3.5.2 (en-US)
========== GooredScan ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:16 23/05/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [02:54 01/09/2009]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:49 10/05/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [02:16 01/09/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:49 09/08/2009]
-=E.O.F=-
#13
Posted 03 September 2009 - 10:18 PM
@vltjr
The item in the screencapture is our friend. Do not be spooked.
I very much need for you to proceed just as I outlined.
Whatever old copy you have, delete the old Combofix (with the red lion icon).
Get and save the new combofix and Rename it during the Save dialog (see the images in my note)
Onward & forward
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#14
Posted 03 September 2009 - 11:04 PM
Maurice Naggar, on Sep 3 2009, 05:18 PM, said:
@vltjr
The item in the screencapture is our friend. Do not be spooked.
I very much need for you to proceed just as I outlined.
Whatever old copy you have, delete the old Combofix (with the red lion icon).
Get and save the new combofix and Rename it during the Save dialog (see the images in my note)
Onward & forward
This is tedious work; I applaud your patience Maurice. I just started the Combo-fix scan, and after several error messages stating that I could not open a file (it appeared to be a version of the one in the screenshot that I attached) because I may not have permissions to do so (I'm paraphrasing); I wish I would have saved a screenshot. I'm not sure what to do now. Should I abort the scan?
By the way, AV and anti-malware is disabled, and Windows firewall is running.
I'll be waiting, and once again, thanks.
vltjr
#15
Posted 03 September 2009 - 11:11 PM
vltjr, on Sep 3 2009, 06:04 PM, said:
This is tedious work; I applaud your patience Maurice. I just started the Combo-fix scan, and after several error messages stating that I could not open a file (it appeared to be a version of the one in the screenshot that I attached) because I may not have permissions to do so (I'm paraphrasing); I wish I would have saved a screenshot. I'm not sure what to do now. Should I abort the scan?
By the way, AV and anti-malware is disabled, and Windows firewall is running.
I'll be waiting, and once again, thanks.
vltjr
Maurice,
I wasn't really clear about this, but at this moment the scan is still running, although it is hung due to the "Windows cannot open this file:" prompt which is still sitting there in the middle of my desktop waiting for me to make a choice.
#16
Posted 04 September 2009 - 12:22 AM
I just realized that my attachment didn't work. It turns out that it's almost 1mb, so I can't upload it. I tried to redo it with no success. I created it the same way I did my earlier screenshot (which was only 100kb) so I'm not sure what's going on.
Anyway the text of the message I've got on my desktop is:
" Windows cannot open this file:
File: nircmd.cfxxe
"To open this file, Windows needs to know what program created it...or you can manually...etc.
What do you want to do?
Use the Web service...etc.
Select the program from a list"
I think you know what I'm referring to.
or
? I'm not sure.
#17
Posted 04 September 2009 - 02:08 AM
Close/exit the command prompt window if it is still showing.
If you have to, restart the system.
Download and run Win32kDiag:
1. Download Win32kDiag from any of the following locations and save it to your Desktop.
- Download Win32kDiag (Win32kDiag.exe) - #1
- Download Win32kDiag (Win32kDiag.exe) - #2
- Download Win32kDiag (Win32kDiag.exe) - #3
Go to Start > RUN and copy and paste the following command in the field:
"%userprofile%\desktop\win32kdiag.exe" -f -r
Then try to start Combofix one more time.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#18
Posted 04 September 2009 - 03:43 AM
Right off the bat I've run into another problem. Win32kDiag stalled shortly after beginning the scan. I restarted the computer (thinking it might have to do with something left over from the earlier unsuccessful Combo-Fix scan), and tried to run the Win32kDiag scan again. It hung up at the same place. For what it's worth, here's the log:
Log file is located at: C:\Documents and Settings\Carol.CMAXWELL\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\system32\drivers\sfi.dat
Should I go ahead with the rest of the instructions in your last post, or would you like for me to try something different?
Thanks
#19
Posted 04 September 2009 - 11:42 AM
Go ahead with the rest of the steps in my last reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#20
Posted 04 September 2009 - 06:08 PM
This morning brought a new problem. I left the computer on last night because I wanted to make sure that there weren't any start-up problems. This infection shows some signs of intelligence, in that whenever it senses being threatened it responds by negatively affecting more programs (especially security software) and/or functions. Anyway, this morning I noticed that the computer was shut down. I have it set to stay fully powered indefinitely since I've been trying to deal with this infection, and I didn't leave anything running when I went to bed last night (that is, no applications were running in Task Manager). When I started it back up, it allowed me to log on, and seemed to be functioning OK, but then it just abruptly shut down. This behavior has only been experienced with this current infection when I was trying to scan with MBAM or A-Squared (as I described in the opening post of this thread). Since then I have been unable to successfully start it back up. A few times it seemed as though it was going to start booting, and then...click. I can't even boot to safe mode utilizing the tapping F8 method (which worked when I experienced the abrupt shutdowns during the scans). I'm really lost as to what to try next. I hope I'm not completely scr**ed.
Thanks.
(I need a plaintively sobbing emoticon)