Malwarebytes

Started with PC Antispyware 2010

63 replies to this topic

#1
Lorgeo

    Regular Member

  • Honorary Members
  • 83 posts
I am suffering much the same symptoms here. Malwarebytes (and every other type of anti-malware download) won't run the .exe file. McAfee can't update, IE and Firefox are being redirected unless I type or paste URLs in. Please help!

Thanks!!

#2
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
Chris Fistonich
Consumer Support Specialist


#3
Lorgeo


screen317, on Sep 8 2009, 09:28 AM, said:

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317

Thanks for the reply......I'll do that when I get home today.

#4
screen317

Okay thanks for letting me know.

#5
Lorgeo


screen317, on Sep 8 2009, 09:28 AM, said:

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317

Hello,
I can download ComboFix, but I can't get it to run. It seems this thing doesn't let .exe files run... what now?

#6
screen317

Rename ComboFix.exe to Lorgeo.bat and see if it will run now.

-screen317

#7
Lorgeo


screen317, on Sep 9 2009, 12:26 AM, said:

Rename ComboFix.exe to Lorgeo.bat and see if it will run now.

-screen317

Here's the log... Thanks, Chris.

ComboFix 09-09-08.04 - Sharon Lornie 09/08/2009 20:57.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.700 [GMT -4:00]
Running from: c:\documents and settings\Sharon Lornie\Desktop\Lorgeo.bat.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\SHARON~1\LOCALS~1\Temp\csrss.exe
c:\documents and settings\All Users\Application Data\98146086.ini
c:\documents and settings\All Users\Application Data\dinawasywy.exe
c:\documents and settings\All Users\Application Data\gotudusode.sys
c:\documents and settings\All Users\Application Data\xiwepodyhi.pif
c:\documents and settings\All Users\Documents\ajizoziled.reg
c:\documents and settings\All Users\Documents\iluk.bin
c:\documents and settings\All Users\Documents\juzo.exe
c:\documents and settings\All Users\Documents\ohifag.vbs
c:\documents and settings\All Users\Documents\sohufexuso._dl
c:\documents and settings\George Lornie\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk
c:\documents and settings\George Lornie\Application Data\pepanipov.lib
c:\documents and settings\George Lornie\Application Data\qudeker.bat
c:\documents and settings\George Lornie\Application Data\tituxykaxa._dl
c:\documents and settings\George Lornie\Cookies\latalo.com
c:\documents and settings\George Lornie\Cookies\lomu._dl
c:\documents and settings\George Lornie\Cookies\ujacefal.pif
c:\documents and settings\George Lornie\Local Settings\Application Data\pefugag.com
c:\documents and settings\George Lornie\Local Settings\Application Data\vemyfus._dl
c:\documents and settings\George Lornie\Local Settings\Application Data\voji.bin
c:\documents and settings\George Lornie\Local Settings\Application Data\xyfo.vbs
c:\documents and settings\George Lornie\Local Settings\Temporary Internet Files\fucisid.pif
c:\documents and settings\George Lornie\Local Settings\Temporary Internet Files\hamujepuwu.sys
c:\documents and settings\George Lornie\Local Settings\Temporary Internet Files\okytum.bin
c:\documents and settings\George Lornie\Start Menu\Programs\PC_Antispyware2010
c:\documents and settings\George Lornie\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk
c:\documents and settings\George Lornie\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk
C:\p2hhr.bat
c:\program files\Common Files\abutuzo.exe
c:\program files\Common Files\bezy.scr
c:\program files\Common Files\huwun.reg
c:\program files\Common Files\uzyjify.bat
c:\program files\driver
c:\recycler\S-1-5-21-436374069-1450960922-332254115-1003
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\hudusa.sys
c:\windows\is-QI5RO.exe
c:\windows\padifonyq.dl
c:\windows\system32\_scui.cpl
c:\windows\system32\1478059950.dat
c:\windows\system32\bidisp.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\Drivers\pkdswfh.sys
c:\windows\system32\drivers\UACeiephwauph.sys
c:\windows\system32\opyhakary.reg
c:\windows\system32\oxazepana.vbs
c:\windows\system32\UACctvnkjgwqu.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClyfqxmneti.log
c:\windows\system32\UACoqaliqvcsy.dll
c:\windows\system32\UACourxnhsaow.dat
c:\windows\system32\UACrmmcyddalo.dll
c:\windows\system32\UACsyapmpiroj.dll
c:\windows\system32\ufyx.exe
c:\windows\system32\yhexasahoq.bat
c:\windows\xawimotyv.sys
c:\windows\ysetydyzaq.sys

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\EVENTLOG.DLL
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-09 00:25 . 2009-09-09 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-09 00:23 . 2009-09-09 00:23 -------- d-----w- c:\documents and settings\Sharon Lornie\Application Data\SUPERAntiSpyware.com
2009-09-09 00:21 . 2009-09-09 00:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-06 03:04 . 2009-09-06 03:04 -------- d-----w- C:\fb8eb561c5833f2c58869339
2009-09-04 10:53 . 2009-09-04 10:53 -------- d-----w- C:\653969c15600e1893d10ded87d93
2009-09-04 01:21 . 2009-09-04 01:21 469712 ----a-w- c:\windows\macromix.dll
2009-09-04 01:21 . 2009-09-04 01:21 30544 ----a-w- c:\windows\dirdib.drv
2009-09-02 01:16 . 2009-09-02 10:02 -------- d-----w- c:\documents and settings\George Lornie\.housecall6.6
2009-08-31 15:23 . 2009-08-31 15:24 -------- d-----w- C:\84b4c392b7e790afdc9ada39b4
2009-08-30 18:45 . 2009-08-30 18:45 -------- d-----w- c:\program files\Windows Defender
2009-08-30 16:04 . 2009-09-04 01:07 -------- d-----w- c:\documents and settings\Sharon Lornie\.housecall6.6
2009-08-25 23:49 . 2009-08-25 23:49 -------- d-----w- c:\program files\Trend Micro
2009-08-25 23:06 . 2009-08-25 23:06 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-08-25 19:07 . 2009-08-25 19:07 -------- d-----w- c:\documents and settings\George Lornie\Local Settings\Application Data\AVG Security Toolbar
2009-08-25 01:03 . 2009-08-25 01:03 -------- d-----w- c:\documents and settings\Sharon Lornie\Application Data\McAfee
2009-08-25 00:37 . 2009-08-25 00:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-23 17:27 . 2009-08-23 17:27 -------- d-----w- c:\documents and settings\Sharon Lornie\Local Settings\Application Data\AVG Security Toolbar
2009-08-23 16:52 . 2009-08-23 16:52 -------- d-----w- c:\documents and settings\Sharon Lornie\Local Settings\Application Data\PCHealth
2009-08-23 15:53 . 2009-08-23 15:53 -------- d-----w- c:\program files\AVG
2009-08-23 15:53 . 2009-08-25 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-23 15:41 . 2009-08-30 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 15:41 . 2009-08-29 22:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-22 16:27 . 2009-08-22 16:27 -------- d-----w- c:\documents and settings\George Lornie\Local Settings\Application Data\PCHealth
2009-08-22 03:36 . 2009-08-22 03:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-22 03:31 . 2009-08-25 23:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 22:43 . 2009-08-21 22:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-21 04:39 . 2009-08-21 04:39 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 04:39 . 2009-08-21 04:39 -------- d-----w- c:\program files\MSBuild
2009-08-21 04:39 . 2009-08-21 04:39 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 04:39 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 04:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 04:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 04:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 04:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 04:39 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 04:39 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 04:39 . 2009-08-21 04:39 -------- d-----w- C:\62af607a42fb976e0bec32
2009-08-16 16:31 . 2009-08-16 16:31 -------- d-----w- C:\OEMSettings
2009-08-16 16:31 . 2009-08-16 16:31 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-08-12 04:37 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 00:50 . 2004-08-04 11:00 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-09-08 21:14 . 2009-05-14 01:08 -------- d-----w- c:\program files\McAfee
2009-09-02 01:08 . 2008-09-26 18:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-30 23:18 . 2005-02-13 16:19 59320 -c--a-w- c:\documents and settings\George Lornie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 18:42 . 2009-05-18 23:13 -------- d-----w- c:\program files\Windows Live
2009-08-30 02:51 . 2009-08-30 02:51 18113 ----a-w- c:\documents and settings\George Lornie\Application Data\ilovesydy.dat
2009-08-30 02:51 . 2009-08-30 02:51 13178 ----a-w- c:\documents and settings\George Lornie\Application Data\tewewiza.dat
2009-08-25 22:58 . 2009-06-06 20:28 -------- d-----w- c:\program files\AVS4YOU
2009-08-25 01:03 . 2006-05-15 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-23 19:52 . 2005-02-08 06:35 59320 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 16:10 . 2009-01-02 00:47 -------- d-----w- c:\program files\eMusic Download Manager
2009-08-22 16:09 . 2008-11-16 20:49 -------- d-----w- c:\program files\LimeWire
2009-08-22 12:38 . 2009-05-14 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 03:51 . 2009-08-22 03:51 8 ----a-w- c:\program files\rgsrounk.txt
2009-08-22 01:54 . 2009-06-04 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-08-19 20:10 . 2009-01-01 22:04 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-18 01:48 . 2009-01-03 17:28 -------- d-----w- c:\documents and settings\George Lornie\Application Data\LimeWire
2009-08-16 16:31 . 2009-01-01 19:16 -------- d-----w- c:\program files\NETGEAR
2009-08-16 16:29 . 2005-02-08 06:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 03:21 . 2009-01-12 21:29 -------- d-----w- c:\program files\AIM6
2009-08-12 03:21 . 2008-06-28 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 15:59 . 2009-06-11 00:03 -------- d-----w- c:\documents and settings\George Lornie\Application Data\ZoomBrowser EX
2009-08-01 15:58 . 2009-06-10 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 16:32 . 2009-05-14 01:09 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 03:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-25 08:25 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 11:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 11:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 11:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 11:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 11:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 11:00 76288 ----a-w- c:\windows\system32\telnet.exe
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-08 26112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-2-8 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-8 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-4 1503232]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\documents and settings\George Lornie\My Documents\jackieA\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\documents and settings\George Lornie\My Documents\jackieA\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
"c:\\Program Files\\CATIC\\PrepExpress\\PrepExp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/24/2009 11:45 AM 64160]
R1 SASDIFSV;SASDIFSV;c:\documents and settings\George Lornie\My Documents\jackieA\sasdifsv.sys [9/3/2009 3:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\documents and settings\George Lornie\My Documents\jackieA\SASKUTIL.SYS [9/3/2009 3:22 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/13/2009 9:12 PM 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/15/2008 4:30 PM 24652]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\GEORGE~1\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\GEORGE~1\LOCALS~1\Temp\pfsvgae.sys [?]
S3 SASENUM;SASENUM;c:\documents and settings\George Lornie\My Documents\jackieA\SASENUM.SYS [9/3/2009 3:22 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 14:45]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-14 01:26]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-14 01:26]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{9ee802e8-c931-47ab-b570-aa8f791598ca} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{9EE802E8-C931-47AB-B570-AA8F791598CA} - (no file)
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm174TQUS
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: att.com\www.customerservice
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Sharon Lornie\Application Data\Mozilla\Firefox\Profiles\csf96qf2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Sharon Lornie\Application Data\Mozilla\Firefox\Profiles\csf96qf2.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 21:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\documents and settings\George Lornie\My Documents\jackieA\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1500)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\acs.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-09-09 21:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 01:12

Pre-Run: 115,894,800,384 bytes free
Post-Run: 117,263,695,872 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
358 --- E O F --- 2009-09-08 21:10
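
A triage script for a ComboFix log like the one above, as an added example that is not part of the original post, of ComboFix or of Malwarebytes. It parses a constructed excerpt made of lines copied from the log (the ShellExecuteHooks, winlogon notify, Security Center, firewall policy and driver entries) and reports the registry tampering that let the rogue hide: Security Center notifications and monitoring disabled, the firewall profile switched off, and anything auto-starting or loading as a kernel driver from a user-writable directory. The line-format regexes are derived from the lines shown in this log and are assumed to hold for other ComboFix output; the list of user-writable directory markers is my own heuristic. It yields a review list rather than a verdict: here it flags the SAS* files under My Documents\jackieA (which, given the SUPERAntiSpyware.com folders created the same day, look like SUPERAntiSpyware unpacked into a user folder) alongside the pfsvgae service pointing into the user's Temp directory, and an analyst decides which is which. One detail from the log header worth keeping in mind: the renamed copy actually ran as Lorgeo.bat.exe, suggesting the rename got past a filename-based block rather than changing the file type.

```python
"""Triage the 'Reg Loading Points' and driver list of a ComboFix log (added example,
not part of ComboFix, Malwarebytes or the post above). It flags what this log showed:
Security Center alerts/monitoring switched off, the Windows Firewall profile disabled,
and autostart entries or kernel drivers whose image lives in a user-writable path.
The path heuristic gives a review list, not a verdict: a legitimate tool unpacked into
a user folder (the SAS* drivers in this log) trips it as well."""
import re
from dataclasses import dataclass

# Constructed excerpt; each line is copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\documents and settings\George Lornie\My Documents\jackieA\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\documents and settings\George Lornie\My Documents\jackieA\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/24/2009 11:45 AM 64160]
R1 SASDIFSV;SASDIFSV;c:\documents and settings\George Lornie\My Documents\jackieA\sasdifsv.sys [9/3/2009 3:22 PM 9968]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\GEORGE~1\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\GEORGE~1\LOCALS~1\Temp\pfsvgae.sys [?]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# Driver/service line: "<start type> <service>;<display name>;<image path> [date size]"
DRIVER_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)(?:\s+\[[^\]]*\])?$")
# winlogon\notify entries are listed as "<date> <time> <size> <attrs> <path>"
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S+\s+(?P<path>.+)$")
# Heuristic (assumption): directory markers a non-admin user can write to on XP.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\", "\\users\\", "\\recycler\\")


@dataclass
class Finding:
    severity: str  # "high" = security stack tampered with; "review" = needs an analyst's eye
    where: str
    detail: str


def _as_int(data: str):
    """Parse 'dword:00000001' or '0 (0x0)', the two ways ComboFix prints registry numbers."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", data)
    return int(m.group()) if m else None


def _image_path(data: str) -> str:
    """Strip the quotes and trailing '[date size]' ComboFix appends to a value's data."""
    m = re.match(r'\s*"([^"]*)"', data)
    return m.group(1) if m else data.split(" [")[0].strip()


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _is_autostart(key: str) -> bool:
    return key.endswith(("\\run", "\\runonce")) or "shellexecutehooks" in key


def triage(log_text: str) -> list:
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key").lower()  # subsequent value lines belong to this key
        elif m := DRIVER_RE.match(line):
            if _user_writable(m.group("path")):
                findings.append(Finding("review", f"driver {m.group('name')}",
                                        f"kernel driver image in user-writable path: {m.group('path')}"))
        elif "winlogon\\notify" in key and (m := FILE_RE.match(line)):
            if _user_writable(m.group("path")):
                findings.append(Finding("review", key, f"winlogon notify DLL in user-writable path: {m.group('path')}"))
        elif m := VALUE_RE.match(line):
            name, data = m.group("name"), m.group("data")
            value, name_l = _as_int(data), name.lower()
            if "security center" in key and name_l.endswith("disablenotify") and value == 1:
                findings.append(Finding("high", key, f"{name}=1: Security Center alert suppressed"))
            elif "security center\\monitoring\\" in key and name_l == "disablemonitoring" and value == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append(Finding("high", key, f"DisableMonitoring=1: Security Center ignores {product}"))
            elif "firewallpolicy" in key and name_l == "enablefirewall" and value == 0:
                findings.append(Finding("high", key, "EnableFirewall=0: Windows Firewall disabled for this profile"))
            elif _is_autostart(key) and _user_writable(_image_path(data)):
                findings.append(Finding("review", key, f"autostart '{name}' loads from user-writable path: {_image_path(data)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.where}\n         {f.detail}")
```

Run against the excerpt it reports three "high" findings (the two Security Center values and the disabled firewall profile) and four "review" items (the SASSEH.DLL hook, the SASWINLO.dll notify package, and the SASDIFSV and pfsvgae drivers), while the Lbd.sys driver under system32\drivers passes. Feeding it a whole ComboFix log works the same way, since lines outside the sections it understands are ignored.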

#8
Lorgeo

:P What should I do now?

#9
Lorgeo

I figured I would run Malwarebytes... here's the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/9/2009 9:00:24 PM
mbam-log-2009-09-09 (21-00-19).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 217627
Time elapsed: 45 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\UACrmmcyddalo.dll.vir (Rogue.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_scui.cpl.vir (Rogue.HomeAntiVirus) -> No action taken.
C:\Documents and Settings\All Users\BPK\bpk.exe (Malware.Packer.T) -> No action taken.
C:\Documents and Settings\All Users\BPK\bpkvw.exe (Malware.Packer.T) -> No action taken.

#10
Lorgeo

It seems that everything looks good, but after reading a lot of these posts, I bet I still have some cleanup to do....
Can anyone out there tell me what I should do to make sure this thing is gone?? :huh:

#11
screen317

Hi,

Please use the ADDREPLY button to reply instead of the "REPLY" button.


Next, please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Now, please download this file and save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.


After that, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Chris Fistonich
Consumer Support Specialist


#12
Lorgeo

    Regular Member

  • Honorary Members
  • PipPip
  • 83 posts
Thanks for the reply and instructions. (And how to reply correctly :huh: )
I'll run through these next steps when I get home this evening.

Thanks again for all the help and guidance.

#13
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Okay thanks for letting me know. :huh:
Chris Fistonich
Consumer Support Specialist


#14
Lorgeo

    Regular Member

  • Honorary Members
  • PipPip
  • 83 posts
Here's the latest ComboFix Log.....thanks

ComboFix 09-09-10.01 - Sharon Lornie 09/10/2009 18:40.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.473 [GMT -4:00]
Running from: c:\documents and settings\Sharon Lornie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sharon Lornie\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-10 03:10 . 2009-09-10 03:10 -------- d--h--w- c:\windows\PIF
2009-09-10 01:31 . 2009-07-16 16:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-09-10 01:31 . 2009-09-10 01:31 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-10 00:08 . 2009-09-10 00:08 -------- d-----w- c:\documents and settings\Sharon Lornie\Application Data\Malwarebytes
2009-09-10 00:08 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 00:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-09 01:05 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-09 01:05 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-09 00:25 . 2009-09-09 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-09 00:23 . 2009-09-10 02:30 -------- d-----w- c:\documents and settings\Sharon Lornie\Application Data\SUPERAntiSpyware.com
2009-09-06 03:04 . 2009-09-06 03:04 -------- d-----w- C:\fb8eb561c5833f2c58869339
2009-09-04 10:53 . 2009-09-04 10:53 -------- d-----w- C:\653969c15600e1893d10ded87d93
2009-09-04 01:21 . 2009-09-04 01:21 469712 ----a-w- c:\windows\macromix.dll
2009-09-04 01:21 . 2009-09-04 01:21 30544 ----a-w- c:\windows\dirdib.drv
2009-09-02 01:16 . 2009-09-02 10:02 -------- d-----w- c:\documents and settings\George Lornie\.housecall6.6
2009-08-31 15:23 . 2009-08-31 15:24 -------- d-----w- C:\84b4c392b7e790afdc9ada39b4
2009-08-30 18:45 . 2009-09-10 01:39 -------- d-----w- c:\program files\Windows Defender
2009-08-30 16:04 . 2009-09-04 01:07 -------- d-----w- c:\documents and settings\Sharon Lornie\.housecall6.6
2009-08-25 23:49 . 2009-08-25 23:49 -------- d-----w- c:\program files\Trend Micro
2009-08-25 23:06 . 2009-08-25 23:06 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-08-25 19:07 . 2009-08-25 19:07 -------- d-----w- c:\documents and settings\George Lornie\Local Settings\Application Data\AVG Security Toolbar
2009-08-25 01:03 . 2009-08-25 01:03 -------- d-----w- c:\documents and settings\Sharon Lornie\Application Data\McAfee
2009-08-25 00:37 . 2009-08-25 00:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-23 17:27 . 2009-08-23 17:27 -------- d-----w- c:\documents and settings\Sharon Lornie\Local Settings\Application Data\AVG Security Toolbar
2009-08-23 16:52 . 2009-08-23 16:52 -------- d-----w- c:\documents and settings\Sharon Lornie\Local Settings\Application Data\PCHealth
2009-08-23 15:53 . 2009-08-23 15:53 -------- d-----w- c:\program files\AVG
2009-08-23 15:53 . 2009-08-25 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-23 15:41 . 2009-08-30 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 15:41 . 2009-08-29 22:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-22 16:27 . 2009-08-22 16:27 -------- d-----w- c:\documents and settings\George Lornie\Local Settings\Application Data\PCHealth
2009-08-22 03:36 . 2009-08-22 03:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-22 03:31 . 2009-08-25 23:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 22:43 . 2009-08-21 22:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-21 04:39 . 2009-08-21 04:39 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 04:39 . 2009-08-21 04:39 -------- d-----w- c:\program files\MSBuild
2009-08-21 04:39 . 2009-08-21 04:39 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 04:39 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 04:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 04:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 04:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 04:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 04:39 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 04:39 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 04:39 . 2009-08-21 04:39 -------- d-----w- C:\62af607a42fb976e0bec32
2009-08-16 16:31 . 2009-08-16 16:31 -------- d-----w- C:\OEMSettings
2009-08-16 16:31 . 2009-08-16 16:31 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-08-12 04:37 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 22:19 . 2009-05-14 01:08 -------- d-----w- c:\program files\McAfee
2009-09-10 01:34 . 2006-05-15 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-10 01:31 . 2005-02-08 06:31 -------- d-----w- c:\program files\McAfee.com
2009-09-10 00:09 . 2009-05-14 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 00:50 . 2004-08-04 11:00 55808 ------w- c:\windows\system32\eventlog.dll
2009-09-02 01:08 . 2008-09-26 18:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-30 23:18 . 2005-02-13 16:19 59320 -c--a-w- c:\documents and settings\George Lornie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 18:42 . 2009-05-18 23:13 -------- d-----w- c:\program files\Windows Live
2009-08-30 02:51 . 2009-08-30 02:51 18113 ----a-w- c:\documents and settings\George Lornie\Application Data\ilovesydy.dat
2009-08-30 02:51 . 2009-08-30 02:51 13178 ----a-w- c:\documents and settings\George Lornie\Application Data\tewewiza.dat
2009-08-25 22:58 . 2009-06-06 20:28 -------- d-----w- c:\program files\AVS4YOU
2009-08-23 19:52 . 2005-02-08 06:35 59320 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 16:10 . 2009-01-02 00:47 -------- d-----w- c:\program files\eMusic Download Manager
2009-08-22 16:09 . 2008-11-16 20:49 -------- d-----w- c:\program files\LimeWire
2009-08-22 03:51 . 2009-08-22 03:51 8 ----a-w- c:\program files\rgsrounk.txt
2009-08-22 01:54 . 2009-06-04 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-08-19 20:10 . 2009-01-01 22:04 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-18 01:48 . 2009-01-03 17:28 -------- d-----w- c:\documents and settings\George Lornie\Application Data\LimeWire
2009-08-16 16:31 . 2009-01-01 19:16 -------- d-----w- c:\program files\NETGEAR
2009-08-16 16:29 . 2005-02-08 06:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 03:21 . 2009-01-12 21:29 -------- d-----w- c:\program files\AIM6
2009-08-12 03:21 . 2008-06-28 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 15:59 . 2009-06-11 00:03 -------- d-----w- c:\documents and settings\George Lornie\Application Data\ZoomBrowser EX
2009-08-01 15:58 . 2009-06-10 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 17:44 . 2009-03-25 15:06 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:44 . 2007-01-17 18:36 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2007-01-17 18:36 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2007-01-17 18:36 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:43 . 2007-01-17 18:36 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-06-25 08:25 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 11:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 11:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 11:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 11:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-09_01.08.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-10 00:08 . 2009-09-10 22:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-02-12 17:53 . 2009-09-09 00:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-02-12 17:53 . 2009-09-10 22:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-02-12 17:53 . 2009-09-09 00:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2005-02-12 17:53 . 2009-09-10 22:26 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2004-08-04 11:00 . 2009-08-13 15:16 512000 c:\windows\SYSTEM32\jscript.dll
- 2004-08-04 11:00 . 2008-05-09 10:53 512000 c:\windows\SYSTEM32\jscript.dll
+ 2004-08-04 11:00 . 2009-06-21 21:44 153088 c:\windows\SYSTEM32\DLLCACHE\triedit.dll
- 2004-08-04 11:00 . 2008-04-14 00:12 153088 c:\windows\SYSTEM32\DLLCACHE\triedit.dll
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 c:\windows\SYSTEM32\DLLCACHE\jscript.dll
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\SYSTEM32\DLLCACHE\jscript.dll
- 2004-08-04 11:00 . 2008-06-18 10:03 2458112 c:\windows\SYSTEM32\WMVCore.dll
+ 2004-08-04 11:00 . 2009-05-20 08:56 2458112 c:\windows\SYSTEM32\WMVCore.dll
+ 2004-08-04 11:00 . 2009-05-20 08:56 2458112 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll
- 2004-08-04 11:00 . 2008-06-18 10:03 2458112 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-08 26112]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [BU]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-2-8 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-8 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-4 1503232]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
"c:\\Program Files\\CATIC\\PrepExpress\\PrepExp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/24/2009 11:45 AM 64160]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/9/2009 9:33 PM 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/15/2008 4:30 PM 24652]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\GEORGE~1\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\GEORGE~1\LOCALS~1\Temp\pfsvgae.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBACKMONITOR
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 14:45]

2009-09-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-10 01:26]

2009-09-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-10 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: att.com\www.customerservice
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Sharon Lornie\Application Data\Mozilla\Firefox\Profiles\csf96qf2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Sharon Lornie\Application Data\Mozilla\Firefox\Profiles\csf96qf2.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{9ee802e8-c931-47ab-b570-aa8f791598ca} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{9EE802E8-C931-47AB-B570-AA8F791598CA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 18:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(412)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-10 18:48
ComboFix-quarantined-files.txt 2009-09-10 22:48
ComboFix2.txt 2009-09-09 01:12

Pre-Run: 117,418,618,880 bytes free
Post-Run: 117,401,825,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
289 --- E O F --- 2009-09-10 22:21

#15
Lorgeo

    Regular Member

  • Honorary Members
  • PipPip
  • 83 posts
The F-Secure log:

Scanning Report
Thursday, September 10, 2009 19:06:37 - 20:17:43
Computer name: DRAGONLADY
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

2 malware found
TrackingCookie.Webtrends (spyware)
System (Disinfected)
Trojan.Generic.1718150 (virus)
C:\PROGRAM FILES\MICROSOFT MONEY\MNYREG.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 71600
System: 5128
Not scanned: 22
Actions:
Disinfected: 1
Renamed: 1
Deleted: 0
Not cleaned: 0
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\IS-QI5RO.MSG
C:\WINDOWS\TEMP\MCMSC_N1DX5VIOVUEX2HN
C:\WINDOWS\TEMP\SQLITE_9CBKWFTQMXFQAXK
C:\WINDOWS\SYSTEM32\DUMPREP.EXE
C:\WINDOWS\SYSTEM32\MRT.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\CFDF673D5F64980A67E3F1A551949306\UPDATE\UPDATE.EXE
C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\6B4E49F1A78B9558FEEB103A07B06A32\UPDATE\UPDATE.EXE
C:\WINDOWS\IE7\SPUNINST\SPUNINST.EXE
C:\PROGRAM FILES\WINDOWS DEFENDER\MSMPENG.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\XXX.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
C:\DOCUMENTS AND SETTINGS\GEORGE LORNIE\MY DOCUMENTS\JACKIEA\WINLOGON.EXE.EXE
C:\DOCUMENTS AND SETTINGS\GEORGE LORNIE\LOCAL SETTINGS\TEMP\HSPERFDATA_MONKEYS\1732
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\35D17CA9CA71D543D6A22FC131DDFD02_50E417E0-E461-474B-96E2-077B80325612
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_50E417E0-E461-474B-96E2-077B80325612

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

#16
Lorgeo

    Regular Member

  • Honorary Members
  • PipPip
  • 83 posts
The security check log:

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!


Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Adobe Flash Player 10
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!

McAfee VIRUSS~1 mcsysmon.exe
McAfee VIRUSS~1 mcshield.exe

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

#17
Lorgeo

    Regular Member

  • Honorary Members
  • PipPip
  • 83 posts
Hello...
Everything seems ok now.....THANKS AGAIN!!! It was like a battle of good and evil.....looks like good may have prevailed.

Any thoughts as to what I can do to prevent this from happening again?

#18
Lorgeo

    Regular Member

  • Honorary Members
  • PipPip
  • 83 posts
One thing though......I can't download any Windows updates.

#19
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
What happens when you try to download Windows Updates??

Try getting them from http://update.microsoft.com


Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Quote

FCOPY::
c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys | c:\windows\SYSTEM32\DRIVERS\tcpip.sys
c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys | c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


-screen317
Chris Fistonich
Consumer Support Specialist

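
As an added example (not code from this thread or from ComboFix) of the check behind the CFScript above: the Sigcheck section of the ComboFix log lists every copy of tcpip.sys with its MD5 and version, and the live copies under SYSTEM32\DRIVERS and DLLCACHE are marked [-] with a hash that matches no [7] copy of the same version. The Python below parses those lines (copied from the log earlier in the thread), flags such copies and generates the FCOPY:: lines; it assumes [7] means verified and [-] unverified, and prefers a GDR-branch copy as the restore source, as the helper did.

```python
import os
import re
from collections import defaultdict

# One ComboFix Sigcheck line has the shape:
#   [flag] date . MD5 . size . . [version] . . path
# Assumption: [7] marks a copy ComboFix could verify and [-] one it could not,
# which is how the helper reads the log above (the [-] copies get replaced from a [7] one).
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Sample input: the tcpip.sys Sigcheck lines copied from the ComboFix log in this thread.
SAMPLE_SIGCHECK = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
"""

def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["md5"] = e["md5"].upper()
        # Group key is the file name alone: the same driver lives in several folders.
        e["name"] = os.path.basename(e["path"].replace("\\", "/")).lower()
        entries.append(e)
    return entries

def is_live_copy(path):
    """The copy Windows actually loads, or the dllcache copy WFP restores from."""
    p = path.lower()
    return "\\system32\\drivers\\" in p or "\\system32\\dllcache\\" in p

def pick_source(good):
    """Choose a verified copy to restore from. Assumption: prefer the GDR branch
    (the helper used SP3GDR above); any verified copy of the same version would do."""
    for e in good:
        if "gdr" in e["path"].lower():
            return e["path"]
    return good[0]["path"] if good else None

def find_suspects(entries):
    """Unverified copies whose MD5 matches no verified copy of the same file name
    and version, each paired with a proposed restore source."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["name"], e["version"])].append(e)
    suspects = []
    for (name, version), group in groups.items():
        good = [e for e in group if e["flag"] == "7"]
        good_md5s = {e["md5"] for e in good}
        for e in group:
            if e["flag"] == "-" and e["md5"] not in good_md5s:
                suspects.append({
                    "name": name, "version": version, "target": e["path"],
                    "md5": e["md5"], "live": is_live_copy(e["path"]),
                    "source": pick_source(good),
                })
    return suspects

def dllcache_poisoned(suspects):
    """File names whose loaded driver and dllcache copy share the same bad hash:
    WFP would then 'repair' the driver from an equally modified cache, which is
    why both copies have to be overwritten."""
    drivers, cache = {}, {}
    for s in suspects:
        p = s["target"].lower()
        if "\\system32\\drivers\\" in p:
            drivers[s["name"]] = s["md5"]
        elif "\\system32\\dllcache\\" in p:
            cache[s["name"]] = s["md5"]
    return sorted(n for n, h in drivers.items() if cache.get(n) == h)

def build_fcopy(suspects, live_only=True):
    """Render a CFScript FCOPY:: section, one 'source | target' line per suspect
    that has a verified copy to restore from (live copies only by default)."""
    lines = ["FCOPY::"]
    for s in suspects:
        if s["source"] is None or (live_only and not s["live"]):
            continue
        lines.append(f"{s['source']} | {s['target']}")
    return "\n".join(lines)
```

Calling build_fcopy(find_suspects(parse_sigcheck(SAMPLE_SIGCHECK))) reproduces the two FCOPY lines from the reply above (DLLCACHE first, then DRIVERS), and dllcache_poisoned() on the same result names tcpip.sys, since both live copies carry the same unverified hash.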

#20
Lorgeo

    Regular Member

  • Honorary Members
  • PipPip
  • 83 posts
I was clicking Start then Windows Update. It looked like it was downloading, then a window came up saying each individual download failed. However, an IE8 screen popped up but was unusable. I am not home now and I can't quite remember. I'll try the way you suggested tonight.

Also, I deleted ComboFix from my desktop.....can I still download it from the link above?

Thanks!




