INITech
  1. DDS LOG
Finally...

DDS (Ver_10-11-05.01) - NTFSx86
Run by Haley Layman at 18:52:25.37 on Fri 11/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1980.1469 [GMT -4:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPH.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Haley Layman\Local Settings\temp\B.tmp\MBR.DAT
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Documents and Settings\Haley Layman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\haleyl~1\applic~1\mozilla\firefox\profiles\he7kxq6y.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.malwarebytes.org/index.php?showtopic=66877&st=0&gopid=340273entry340273
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\haley layman\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-3-5 24064]
R2 EpsonPOSLog;Epson Point of Service Log Service;c:\program files\epson\epson advanced printer driver 4\EpsonPHLog.exe [2008-11-28 290816]
R2 EpsonPOSPort;Epson Point of Service Port Handler;c:\program files\epson\epson advanced printer driver 4\EpsonPH.exe [2009-3-11 376832]
R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [2009-3-11 95495]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-1 304464]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-3-5 144480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-1 20952]
S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
S2 PEVSystemStart;PEVSystemStart;"c:\cmbofx\pev.cfxxe" exec /i "c:\cmbofx\regt.cfxxe" /s "c:\cmbofx\cregb.dat" --> c:\cmbofx\PEV.cfxxe [?]
S2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2010-10-14 2734480]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
S3 EloBus;Elobus Filter Driver;c:\windows\system32\drivers\elobus.sys --> c:\windows\system32\drivers\EloBus.sys [?]
S3 elomoufiltr;Dell-SRV2;c:\windows\system32\drivers\elofiltr.sys [2009-5-17 53248]
S3 EloSer;Elo Serial Driver;c:\windows\system32\drivers\eloser.sys --> c:\windows\system32\drivers\EloSer.sys [?]
S3 EloUsb;Dell-SRV;c:\windows\system32\drivers\EloUsb.Sys [2009-5-17 74496]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\system32\drivers\TMUSBXP.sys [2009-3-11 48384]

=============== Created Last 30 ================

2010-11-05 21:20:55 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-11-05 21:20:55 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-11-05 20:11:02 3903792 ----a-w- C:\cf1001.exe
2010-11-02 18:06:39 -------- d-sha-r- C:\cmdcons
2010-11-02 18:00:59 98816 ----a-w- c:\windows\sed.exe
2010-11-02 18:00:59 86528 ----a-w- c:\windows\MBR.exe
2010-11-02 18:00:59 256512 ----a-w- c:\windows\PEV.exe
2010-11-02 18:00:59 161792 ----a-w- c:\windows\SWREG.exe
2010-11-02 17:06:39 -------- d-----w- c:\docume~1\haleyl~1\applic~1\AVG
2010-11-01 20:41:23 -------- d-----w- c:\docume~1\haleyl~1\applic~1\AVG10
2010-11-01 20:23:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-01 20:22:50 -------- d-----w- c:\program files\AVG
2010-11-01 19:10:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-11-01 17:44:45 -------- d-sh--w- c:\documents and settings\haley layman\IECompatCache
2010-11-01 17:38:30 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-11-01 17:38:30 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-11-01 17:38:29 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-11-01 17:38:29 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-11-01 17:38:27 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-11-01 17:38:27 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-11-01 17:38:22 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-11-01 17:38:22 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-11-01 17:38:20 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll
2010-11-01 17:38:20 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll
2010-11-01 17:08:03 -------- d-----w- c:\docume~1\haleyl~1\applic~1\Malwarebytes
2010-11-01 17:06:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-01 17:06:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-01 17:06:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-01 17:06:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-01 16:30:49 -------- d-----w- c:\windows\pss
2010-10-29 21:01:12 0 ----a-w- c:\windows\Ylavidimeqaguvi.bin
2010-10-14 18:54:30 457616 ----a-w- c:\windows\system32\QBPOSProtocol.dll
2010-10-12 20:23:19 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 20:23:19 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-10-12 20:23:19 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 20:19:56 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 18:53:43.17 ===============
  2. DDS repeatedly locks up with the progress bar directly under the last "e" in where.
  3. Here is an MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5015

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/1/2010 2:53:58 PM
mbam-log-2010-11-01 (14-53-58).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 237512
Time elapsed: 35 minute(s), 35 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
C:\Documents and Settings\Haley Layman\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\Documents and Settings\Haley Layman\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaxtbvorptex (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AnVi (Rogue.AnVi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\Haley Layman\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PRAGMAxtbvorptex (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\rayconciap.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAc.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Haley Layman\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Haley Layman\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Delete on reboot.
C:\Documents and Settings\Haley Layman\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
  4. Previously Malwarebytes was run several times in both normal and safe mode. Do you want them all? I'm in safe mode now; it seems to be more stable. Is this OK?
  5. Malwarebytes scan found and repaired multiple viruses. Now on boot Explorer doesn't run 100% of the time; maybe every 3rd reboot Explorer will load just fine. Registered Malwarebytes, WinXP Pro.
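The MBAM log in post 3 records each detection as `path (classification) -> action`, and the registry data items additionally carry the `Bad: (...)` value that was found and the `Good: (...)` value it was reset to. Several of those entries are autostart or defence-evasion locations (the HKLM Run key, the Winlogon `Shell` value pointing at a second `shell.exe`, the legacy `Windows\load` value, a new service under `CurrentControlSet\Services`, and `DisableTaskMgr` set to 1), which is what a responder wants pulled out of a log first. The script below is an added example, not code from the posts or from Malwarebytes: it parses lines in that layout and flags the persistence-related ones. The sample log is constructed from a subset of the posted lines with the account name replaced by "User"; the rule table and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the MBAM 1.46 log posted above
# (subset of lines, account name replaced). Raw string keeps the backslashes.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaxtbvorptex (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\rayconciap.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Delete on reboot.
"""


@dataclass
class Finding:
    section: str            # e.g. "Registry Data Items Infected"
    path: str               # file path or registry path
    classification: str     # MBAM detection name, e.g. "Hijack.Shell"
    action: str             # what MBAM did, trailing period stripped
    bad: Optional[str] = None   # only for "Registry Data Items" lines
    good: Optional[str] = None


# path (classification) -> [Bad: (x) Good: (y) -> ] action.
# The path is matched lazily so "C:\Program Files (x86)\..." still works:
# the engine backtracks until "(classification) -> " follows.
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<classification>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?$"
)


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log, tracking the current 'X Infected:' section header."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):       # section header, not the summary count
            section = line[:-1]
            continue
        if line.startswith("("):             # "(No malicious items detected)"
            continue
        m = LINE_RE.match(line)
        if not m or not section:
            continue
        findings.append(Finding(section, m["path"], m["classification"],
                                m["action"], m["bad"], m["good"]))
    return findings


# Assumed rule table: registry locations that give code a foothold at logon
# or blunt the user's ability to respond. Regex, matched case-insensitively.
PERSISTENCE_RULES: List[Tuple[str, str]] = [
    (r"\\CurrentVersion\\Run\\", "Run key autostart"),
    (r"\\Winlogon\\Shell$", "Winlogon Shell value replaced"),
    (r"\\CurrentVersion\\Windows\\load$", "legacy 'load' autostart value"),
    (r"\\CurrentControlSet\\Services\\", "service or driver registered"),
    (r"\\Policies\\System\\DisableTaskMgr$", "Task Manager disabled by policy"),
]


def persistence_indicators(findings: List[Finding]) -> List[Tuple[Finding, str]]:
    """Return (finding, reason) for every entry that hits a persistence rule."""
    flagged = []
    for f in findings:
        for pattern, reason in PERSISTENCE_RULES:
            if re.search(pattern, f.path, re.IGNORECASE):
                flagged.append((f, reason))
                break
    return flagged


def pending_reboot(findings: List[Finding]) -> List[str]:
    """Files MBAM could not remove live; the cleanup is not done until reboot."""
    return [f.path for f in findings if f.action == "Delete on reboot"]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f, why in persistence_indicators(found):
        extra = f" (was: {f.bad!r}, reset to: {f.good!r})" if f.bad is not None else ""
        print(f"[{why}] {f.path} <{f.classification}>{extra}")
    for p in pending_reboot(found):
        print(f"[pending reboot] {p}")
```

On the posted log this flags the Services key, the HKLM Run value, the `load` value, the Winlogon `Shell` replacement (showing the `explorer.exe,...\shell.exe` pair that was reset to `Explorer.exe`) and both `DisableTaskMgr` entries, and lists the two files still marked "Delete on reboot". The `Bad`/`Good` capture is deliberately lazy on both sides so values that themselves contain parentheses do not break the match.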