Here's the log from malwarebytes. I tried many times but still cannot remove uacinit.dll



Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/7/2009 1:24:41 PM
mbam-log-2009-08-07 (13-24-41).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 169160
Time elapsed: 31 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.Search) -> Bad: (http://search-gala.com/?&uid=164&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Hi liv, welcome to Malwarebytes


We Need to check for Rootkits with RootRepeal

1. Download RootRepeal from the following location and save it to your desktop.
   
   • Zip Mirrors (Recommended)
     
     • Primary Mirror
       
     • Secondary Mirror
       
     • Secondary Mirror
     
     
   • Rar Mirrors - Only if you know what a RAR is and can extract it.
     
     • Primary Mirror
       
     • Secondary Mirror
       
     • Secondary Mirror
2. Extract RootRepeal.exe from the archive.
3. Open on your desktop.
4. Click the tab.
5. Click the button.
6. Check all seven boxes:
7. Push Ok
8. Check the box for your main system drive (Usually C:), and press Ok.
9. Allow RootRepeal to run a scan of your system. This may take some time.
10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

thanks for answering

I don't see the 7 boxes option in rootrepeal, but anyway, here's the log

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/10 20:06
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF8443000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xA9FF3000 Size: 15968 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xAA2B8000 Size: 138496 File Visible: - Signed: -
Status: -

Name: APPDRV.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Address: 0xF8A2E000 Size: 16128 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF83FB000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF8C5B000 Size: 3072 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF898A000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcm4sbxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Address: 0xF87C2000 Size: 45312 File Visible: - Signed: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xF8076000 Size: 369024 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8AAC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8982000 Size: 12288 File Visible: - Signed: -
Status: -

Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF8972000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xA90D2000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF85F2000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF85B2000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF8A46000 Size: 13952 File Visible: - Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF85D2000 Size: 60416 File Visible: No Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF8986000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF85A2000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF8692000 Size: 61440 File Visible: - Signed: -
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xF83B4000 Size: 85344 File Visible: - Signed: -
Status: -

Name: drvnddm.sys
Image Path: C:\WINDOWS\system32\drivers\drvnddm.sys
Address: 0xAA740000 Size: 38240 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA05F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AC0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF7FC3000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8CA3000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xAA077000 Size: 143744 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF86F2000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF83DB000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8AAA000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8413000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806D0000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xF80F5000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xAA3FD000 Size: 717952 File Visible: - Signed: -
Status: -

Name: HSF_DPV.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Address: 0xAA4AD000 Size: 1035008 File Visible: - Signed: -
Status: -

Name: HSFHWAZL.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
Address: 0xAA5AA000 Size: 201600 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA926A000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF827C000 Size: 8576 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF87D2000 Size: 52480 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBF077000 Size: 929792 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBF042000 Size: 217088 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF020000 Size: 139264 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF8131000 Size: 1302688 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF012000 Size: 57344 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF87E2000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF8A76000 Size: 5504 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF87B2000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipfltdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Address: 0xF86C2000 Size: 32896 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xAA19C000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xAA382000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8572000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF88BA000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8A72000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA8FBF000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF8024000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF839D000 Size: 92288 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xA9C16000 Size: 11840 File Visible: - Signed: -
Status: -

Name: mfeavfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys
Address: 0xA92FB000 Size: 73152 File Visible: - Signed: -
Status: -

Name: mfebopk.sys
Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys
Address: 0xF88EA000 Size: 28544 File Visible: - Signed: -
Status: -

Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xAA1EA000 Size: 207296 File Visible: - Signed: -
Status: -

Name: mferkdk.sys
Image Path: C:\WINDOWS\system32\drivers\mferkdk.sys
Address: 0xF8842000 Size: 27488 File Visible: - Signed: -
Status: -

Name: mfesmfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys
Address: 0xA9B90000 Size: 33824 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8AAE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF88F2000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF88B2000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8582000 Size: 42368 File Visible: - Signed: -
Status: -

Name: Mpfp.sys
Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys
Address: 0xAA302000 Size: 159744 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA9CF2000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xAA21D000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8912000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF8642000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF8A62000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF82C9000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF82E3000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF8A52000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xA9FEF000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF7FFC000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8662000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF86D2000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xAA2DA000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF891A000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8310000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8B8D000 Size: 2944 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF87FA000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8432000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF8B3A000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF87F2000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xF8A4A000 Size: 10368 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xAA5DC000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF8B24000 Size: 6464 File Visible: No Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF7FEB000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF88CA000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF85C2000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF8270000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF8612000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF8622000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF8632000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF88D2000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xAA28D000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8AB0000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF8602000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8F5F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF83C9000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA9BB0000 Size: 333952 File Visible: - Signed: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xF8A94000 Size: 5568 File Visible: - Signed: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xF8902000 Size: 23488 File Visible: - Signed: -
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xAA600000 Size: 999552 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8A96000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xF8047000 Size: 191936 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA9BA0000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAA329000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF88C2000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF8652000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tfsnboio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnboio.sys
Address: 0xF894A000 Size: 25824 File Visible: - Signed: -
Status: -

Name: tfsncofs.sys
Image Path: C:\WINDOWS\system32\dla\tfsncofs.sys
Address: 0xAA730000 Size: 34784 File Visible: - Signed: -
Status: -

Name: tfsndrct.sys
Image Path: C:\WINDOWS\system32\dla\tfsndrct.sys
Address: 0xF8BC7000 Size: 4064 File Visible: - Signed: -
Status: -

Name: tfsndres.sys
Image Path: C:\WINDOWS\system32\dla\tfsndres.sys
Address: 0xF8BC6000 Size: 2176 File Visible: - Signed: -
Status: -

Name: tfsnifs.sys
Image Path: C:\WINDOWS\system32\dla\tfsnifs.sys
Address: 0xA9FA9000 Size: 86528 File Visible: - Signed: -
Status: -

Name: tfsnopio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnopio.sys
Address: 0xAA053000 Size: 15168 File Visible: - Signed: -
Status: -

Name: tfsnpool.sys
Image Path: C:\WINDOWS\system32\dla\tfsnpool.sys
Address: 0xF8AC4000 Size: 6304 File Visible: - Signed: -
Status: -

Name: tfsnudf.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudf.sys
Address: 0xA9F90000 Size: 98656 File Visible: - Signed: -
Status: -

Name: tfsnudfa.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudfa.sys
Address: 0xA9F77000 Size: 100544 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xA96A5000 Size: 97280 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF7F2B000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8A92000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF88AA000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF86B2000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF80D1000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF883A000 Size: 26368 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF88A2000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF890A000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF811D000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8592000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF8712000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF893A000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA9993000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF8A74000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF8A12000 Size: 12032 File Visible: - Signed: -
Status: -





I have read other posts and do a Combofix scan. so here is the log for combofix
ComboFix 09-08-10.01 - JimEllen 08/10/2009 19:45.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.207 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 20:16 . 2009-08-10 20:16 -------- d-----w- c:\documents and settings\JimEllen\Local Settings\Application Data\Downloaded Installations
2009-08-10 18:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 18:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 18:13 . 2009-08-10 18:23 2730 ----a-w- c:\windows\system32\tmp.reg
2009-08-10 17:48 . 2009-08-10 17:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-10 17:36 . 2009-08-10 17:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 16:09 . 2009-08-10 16:11 16455 ----a-w- c:\windows\metafile.dat
2009-08-10 14:16 . 2009-08-10 14:17 -------- d-----w- C:\3379528461cdc5d9c9381d8c
2009-08-10 13:38 . 2009-08-10 13:37 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-10 13:36 . 2009-08-10 17:54 -------- d-----w- c:\documents and settings\JimEllen\.housecall6.6
2009-08-10 13:15 . 2009-08-10 13:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-08-07 19:34 . 2009-08-07 19:36 -------- d-----w- c:\documents and settings\JimEllen\Application Data\U3
2009-08-07 19:28 . 2009-08-07 19:28 -------- d-----w- c:\documents and settings\JimEllen\Local Settings\Application Data\PCHealth
2009-08-07 13:59 . 2009-08-07 13:59 -------- d-----w- c:\documents and settings\JimEllen\Application Data\Malwarebytes
2009-08-07 13:58 . 2009-08-07 13:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-07 13:58 . 2009-08-10 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 22:17 . 2009-08-06 22:17 -------- d-----w- c:\program files\Alwil Software
2009-08-06 22:00 . 2009-08-06 22:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-06 21:21 . 2009-08-06 21:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-08-06 20:35 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-06 20:35 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-06 20:35 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-08-06 20:35 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-08-06 18:33 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2009-08-06 18:33 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2009-08-06 18:33 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2009-08-06 18:33 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2009-08-06 18:33 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2009-08-06 18:33 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2009-08-06 18:33 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2009-08-06 18:33 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2009-07-27 02:42 . 2009-08-07 15:30 -------- d-sh--w- c:\docume~1\ALLUSE~1\APPLIC~1\fe390bf
2009-07-25 07:51 . 2009-07-25 07:51 -------- d-----w- C:\9920ba37f743a8ff2420
2009-07-25 04:36 . 2009-08-10 17:47 5952 ------w- c:\windows\system32\uacinit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 15:26 . 2006-03-11 18:54 55104 -c--a-w- c:\documents and settings\JimEllen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 15:24 . 2009-03-20 20:35 -------- d-----w- c:\program files\McAfee
2009-07-14 12:09 . 2009-03-20 20:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-06-26 16:50 . 2004-08-10 18:51 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 23:22 . 2007-05-27 13:59 4652 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-02 23:22 . 2007-05-27 13:59 104 --sh--r- c:\windows\system32\668A0AE9C1.sys
2006-08-20 23:17 . 2006-08-20 23:19 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-07-18 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-07-18 01:57 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-21 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-09 110592]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-21 169472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-21 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-4-4 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
"FirewallDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/20/2009 4:41 PM 210216]
S2 pnssrytorjzoh;pnssrytorjzoh; [x]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LELA - c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 19:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-08-10 20:01
ComboFix-quarantined-files.txt 2009-08-11 00:01

Pre-Run: 25,677,328,384 bytes free
Post-Run: 25,861,386,240 bytes free

158 --- E O F --- 2009-08-10 19:56

Hi liv,


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ComboFix 09-08-10.01 - JimEllen 08/10/2009 20:34.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.238 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\668A0AE9C1.sys"

file zipped: c:\windows\system32\uacinit.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?
c:\program files\AskSBar


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PNSSRYTORJZOH
-------\Service_pnssrytorjzoh


((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

2009-08-11 00:05 . 2009-08-11 00:05 -------- d-s---w- c:\windows\Cookies
2009-08-10 20:16 . 2009-08-10 20:16 -------- d-----w- c:\documents and settings\JimEllen\Local Settings\Application Data\Downloaded Installations
2009-08-10 18:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 18:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 18:13 . 2009-08-10 18:23 2730 ----a-w- c:\windows\system32\tmp.reg
2009-08-10 17:48 . 2009-08-10 17:49 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-10 17:36 . 2009-08-10 17:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 16:09 . 2009-08-10 16:11 16455 ----a-w- c:\windows\metafile.dat
2009-08-10 14:16 . 2009-08-10 14:17 -------- d-----w- C:\3379528461cdc5d9c9381d8c
2009-08-10 13:38 . 2009-08-10 13:37 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-10 13:36 . 2009-08-10 17:54 -------- d-----w- c:\documents and settings\JimEllen\.housecall6.6
2009-08-10 13:15 . 2009-08-10 13:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-08-07 19:34 . 2009-08-07 19:36 -------- d-----w- c:\documents and settings\JimEllen\Application Data\U3
2009-08-07 19:28 . 2009-08-07 19:28 -------- d-----w- c:\documents and settings\JimEllen\Local Settings\Application Data\PCHealth
2009-08-07 13:59 . 2009-08-07 13:59 -------- d-----w- c:\documents and settings\JimEllen\Application Data\Malwarebytes
2009-08-07 13:58 . 2009-08-07 13:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-07 13:58 . 2009-08-10 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 22:17 . 2009-08-06 22:17 -------- d-----w- c:\program files\Alwil Software
2009-08-06 22:00 . 2009-08-06 22:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-06 21:21 . 2009-08-06 21:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-08-06 20:35 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-06 20:35 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-06 20:35 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-08-06 20:35 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-08-06 18:33 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2009-08-06 18:33 . 2004-08-04 11:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2009-08-06 18:33 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2009-08-06 18:33 . 2004-08-04 11:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2009-08-06 18:33 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2009-08-06 18:33 . 2004-08-04 11:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2009-08-06 18:33 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2009-08-06 18:33 . 2004-08-04 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2009-07-27 02:42 . 2009-08-07 15:30 -------- d-sh--w- c:\docume~1\ALLUSE~1\APPLIC~1\fe390bf
2009-07-25 07:51 . 2009-07-25 07:51 -------- d-----w- C:\9920ba37f743a8ff2420
2009-07-25 04:36 . 2009-08-11 00:34 5952 ----a-w- c:\windows\system32\uacinit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 15:26 . 2006-03-11 18:54 55104 -c--a-w- c:\documents and settings\JimEllen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 15:24 . 2009-03-20 20:35 -------- d-----w- c:\program files\McAfee
2009-07-14 12:09 . 2009-03-20 20:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-06-26 16:50 . 2004-08-10 18:51 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 23:22 . 2007-05-27 13:59 4652 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-02 23:22 . 2007-05-27 13:59 104 --sh--r- c:\windows\system32\668A0AE9C1.sys
2006-08-20 23:17 . 2006-08-20 23:19 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-10_23.58.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-11 00:41 . 2009-08-11 00:41 16384 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-11 00:41 . 2009-08-11 00:41 16384 c:\windows\Temp\History\History.IE5\index.dat
+ 2009-08-11 00:41 . 2009-08-11 00:41 16384 c:\windows\Temp\Cookies\index.dat
+ 2009-08-11 00:39 . 2009-08-11 00:39 53248 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-11 00:39 . 2009-08-11 00:39 49152 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-11 00:05 . 2009-08-11 00:08 16384 c:\windows\Cookies\index.dat
+ 2009-08-11 00:39 . 2009-08-11 00:39 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-11 00:39 . 2009-08-11 00:39 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-11 00:39 . 2009-08-11 00:39 352256 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-11 00:39 . 2009-08-11 00:39 233472 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-21 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-09 110592]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-21 169472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-21 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-4-4 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/20/2009 4:41 PM 210216]
.
.
------- Supplementary Scan -------
.
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1104)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WLTRAY.EXE
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
.
**************************************************************************
.
Completion time: 2009-08-11 20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-11 00:48
ComboFix2.txt 2009-08-11 00:01

Pre-Run: 25,887,416,320 bytes free
Post-Run: 25,790,353,408 bytes free

185 --- E O F --- 2009-08-10 19:56

Launch Malwarebytes' Anti-Malware

• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




Go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

hey, thank you very much for the help. malwarebytes says that it is succesfully removed. I'm taking a break now. I will scan online with kaspersky tomorrow and post its log later.

So here's malwarebytes' log:



Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/10/2009 9:44:36 PM
mbam-log-2009-08-10 (21-44-36).txt

Scan type: Quick Scan
Objects scanned: 94626
Time elapsed: 10 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

for some reasons, i cannot start the kaspersky web scanner. It says "check license failed" when installing update.

anyway, i rescan with malwarebytes and mcafee full scan. no malwares found. I guess the pc is all cleaned up. everything seems to be back to normal now.

thank you very much for the support.

You're welcome.


I would like to see one more scan to make sure you are clean.

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

here you go

Hi liv,


Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):


Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
Ask Toolbar
Java™ 6 Update 3
Viewpoint Media Player





Please download the OTM by OldTimer.

• Save it to your desktop.
• Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  CODE
  :processes
  explorer.exe
  
  :Files
  C:\Program Files\AskSBar
  
  :Reg
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
  "{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}"=-
  
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  
  
• Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to update.

http://www.adobe.com/products/acrobat/readstep2.html




Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 15.
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u14-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

I could not uninstalled Ask toolbar, it gives me the following error "specified module could not be found"

Java i don't see JRE6 update 15, but i installed JRE 6 update 16 instead

other than that, all went as instructed


All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\Program Files\AskSBar not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: JimEllen
->Temp folder emptied: 77085305 bytes
->Temporary Internet Files folder emptied: 1499127 bytes
->Java cache emptied: 41659220 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 770249 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 7246353 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b60.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 73937 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 122.47 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08112009_183048

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_b60.dat not found!

Registry entries deleted on Reboot...

Your log looks clean, Great Job


Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

Now for some cleanup..
Please download OTC and save it to Desktop.

• Please make sure you are connecting to the Internet
• Double-click OTC.exe
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK".
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
     
     1. Change the Download signed ActiveX controls to Prompt
     2. Change the Download unsigned ActiveX controls to Disable
     3. Change the Initialize and script ActiveX controls not marked as safe to Disable
     4. Change the Installation of desktop items to Prompt
     5. Change the Launching programs and files in an IFRAME to Prompt
     6. Change the Navigate sub-frames across different domains to Prompt
     7. When all these settings have been made, click on the OK button.
     8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  
• Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

• McAfee Site Advisor <= McAfee Site Advisor protects your browser against malicious sites and warns you when you go to one.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

all done. thank you

You're welcome