
maryy

  1. Whoops ... ran the full scan by mistake -- the quick scan had reported clean. Here's the log:

     Malwarebytes' Anti-Malware 1.41
     Database version: 2786
     Windows 5.1.2600 Service Pack 3

     9/12/2009 10:38:13 PM
     mbam-log-2009-09-12 (22-38-13).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 523462
     Time elapsed: 4 hour(s), 45 minute(s), 53 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Here's ESET's log:

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=6
     # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.6050
     # api_version=3.0.2
     # EOSSerial=d2dd2de2a98f6947b98f1fe668ecf5f0
     # end=stopped
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2009-09-06 06:51:25
     # local_time=2009-09-05 11:51:25 (-0800, Pacific Daylight Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=1797 21 100 100 1156968593750
     # compatibility_mode=2817 63 100 100 316444658281250
     # scanned=16092
     # found=0
     # cleaned=0
     # scan_time=434
     # version=6
     # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.6050
     # api_version=3.0.2
     # EOSSerial=d2dd2de2a98f6947b98f1fe668ecf5f0
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2009-09-13 11:36:44
     # local_time=2009-09-13 04:36:44 (-0800, Pacific Daylight Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=1798 37 100 100 565640468750
     # compatibility_mode=2817 63 100 100 323095846718750
     # scanned=635544
     # found=2
     # cleaned=0
     # scan_time=20865
     C:\Documents and Settings\user1\Local Settings\Application Data\Identities\{FC7AC938-F43A-4C42-968E-F18737F16BD8}\Microsoft\Outlook Express\old_sent (last 5_2003).dbx  VBS/LoveLetter.Colombia worm (unable to clean)  00000000000000000000000000000000  I
     C:\Documents and Settings\user1\Local Settings\Application Data\Identities\{FC7AC938-F43A-4C42-968E-F18737F16BD8}\Microsoft\Outlook Express\old_sent_to6_2002.dbx  Win32/Adware.Webhancer.A application (unable to clean)  00000000000000000000000000000000  I

     If I am not mistaken, the two files listed above are folders from Outlook Express email. They are also very old -- one from 2002 and the other from 2003! I don't need them and, if it helps, I can delete them by hand. But it's hard to imagine how these could be significant after all this time. Regards and thanks. M. Y.
  2. GooredFix by jpshortstuff (12.07.09)
     Log created at 11:16 on 12/09/2009 (user1)
     Firefox version 3.5.3 (en-US)

     ========== GooredScan ==========

     C:\Program Files\Mozilla Firefox\extensions\
     powermarks@kaylon.com [16:23 03/01/2007]
     {972ce4c6-7e08-4474-a285-3208198ce6fd} [16:21 03/01/2007]
     {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [16:39 01/05/2007]
     {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [19:13 26/07/2007]
     {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [17:25 28/10/2007]
     {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [18:38 27/03/2008]
     {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [16:00 06/07/2008]
     {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [18:01 02/11/2008]
     {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [18:09 04/03/2009]
     {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [06:23 11/04/2009]
     {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [21:43 08/09/2009]
     {FE76A1D3-DF55-4527-8BB7-07A3C6ABE9D6} [16:48 20/07/2007]

     [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
     "{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:19 10/02/2009]
     "{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\" [21:54 04/09/2009]
     "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:01 02/11/2008]

     -=E.O.F=-

     --------------------------------------------------------

     ********************************************************************************
     *                                                                              *
     *                                 FixIEDef Log                                 *
     *                             Version 1.7.22.7514                              *
     *                                                                              *
     ********************************************************************************

     Created at 11:18:15 on Saturday, September 12, 2009
     Time Zone : (GMT-08:00) Pacific Time (US & Canada)
     Logged On User : user1
     Operating System : Microsoft Windows XP Home Edition Service Pack 3
     OS Architecture : X86
     System Langauge : English (United States)
     Keyboard Layout : English (United States)
     Processor : X64 Intel® Core2 CPU 6600 @ 2.40GHz
     System Drive : C:\
     Windows Directory : C:\WINDOWS
     System Directory : C:\WINDOWS\system32
     System Drive Type : Fixed
     System Drive Status : READY
     System Drive Label :
     System Drive Size : 305.23 GB
     System Drive Free : 16.32 GB
     Total Physical Memory: 2046 MB
     Free Physical Memory : 1362 MB
     Total Page File : 2046 MB
     Free Page File : 2100 MB
     Total Virtual Memory : 2048 MB
     Free Virtual Memory : 1961 MB
     Boot State : Normal boot

     --------------------------------------------------------------------------------
     !!! userinit.exe is Clean !!!
     --------------------------------------------------------------------------------
     !!! Files that have been deleted !!!
     C:\WINDOWS\system32\tmp.txt
     --------------------------------------------------------------------------------
     !!! Directories that have been removed !!!
     No malicious directories to be removed
     --------------------------------------------------------------------------------
     !!! Registry entries that have been removed !!!
     No malicious Registry entries found
     ================================================================================
     All Done
     ShadowPuterDude
     Safe Surfing!!!

     -----------------------------------

     Thanks! M. Y. (I'll be away for a few hours and then back for the day)
  3. Well, all may not yet be copacetic. I just clicked on a link from a political discussion forum, and the link is supposed to go here: http://www.nytimes.com/2007/03/12/us/12med...;pagewanted=all . The first time I tried that link, I received a popup or popunder from http://www.toptvbytes.com/index.aspx?pid=10088&SID=1796 and the tab I opened with the link in Firefox went here (CAUTION -- DO NOT CLICK THIS LINK UNLESS PROTECTED! I changed it so it won't work unless a dot is substituted for my text between the asterisks): http://malwareinternetscanner03 **dot**com/1/?sess=%3D2259jDwMi02MyZpcD02Ni43NS4yNDkuNyZ0aW1lPTEyNTY3MMkMNQkN -- Avira caught it and stopped the browser from accessing it with the warning "The requested URL has been identified as a potentially dangerous website. In order not to compromise your security, the access to this page has been blocked. Category/categories: Malware. Generated by AntiVir WebGuard 9.0.5.0". I closed the involved tab and tried the same link again, and it connected to the correct URL -- the NYT article.

     The prior page I accessed before the discussion forum was snopes.com. That gave me a Netflix popup (as usual). Firefox is fully updated, version 3.5.3. I did quite a bit of browsing today and this has been the only anomaly I noticed. Any idea what caused this, what to do about it, or how serious it may be? This computer is used for some banking, though I switched that function to a well-running and well-protected laptop while this troubleshooting is going on. The computer runs fine today other than the above, and maybe FF is a bit slow. I suspect I can run any scanner program that you'd like. Thanks! M. Y.
  4. MBAM SCAN LOG:

     Malwarebytes' Anti-Malware 1.40
     Database version: 2774
     Windows 5.1.2600 Service Pack 3

     9/10/2009 7:02:15 PM
     mbam-log-2009-09-10 (19-02-15).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 520788
     Time elapsed: 4 hour(s), 26 minute(s), 24 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.

     GMER.TXT:

     GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
     Rootkit scan 2009-09-11 08:49:12
     Windows 5.1.2600 Service Pack 3

     ---- System - GMER 1.0.15 ----

     SSDT BAF60BAE ZwCreateKey
     SSDT BAF60BA4 ZwCreateThread
     SSDT BAF60BB3 ZwDeleteKey
     SSDT BAF60BBD ZwDeleteValueKey
     SSDT BAF60BC2 ZwLoadKey
     SSDT BAF60B90 ZwOpenProcess
     SSDT BAF60B95 ZwOpenThread
     SSDT BAF60BCC ZwReplaceKey
     SSDT BAF60BC7 ZwRestoreKey
     SSDT BAF60BB8 ZwSetValueKey
     SSDT BAF60B9F ZwTerminateProcess
     SSDT BAF60B9A ZwWriteVirtualMemory

     ---- Devices - GMER 1.0.15 ----

     AttachedDevice \Driver\Tcpip \Device\Ip avfwot.sys (TDI filtering kernel driver/Avira GmbH)
     AttachedDevice \Driver\Tcpip \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
     AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
     AttachedDevice \Driver\Tcpip \Device\Udp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
     AttachedDevice \Driver\Tcpip \Device\RawIp avfwot.sys (TDI filtering kernel driver/Avira GmbH)

     ---- Registry - GMER 1.0.15 ----

     Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32
     Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32@oadnadkhjbgegodlmcjnolaelolijn 0x6A 0x61 0x63 0x61 ...
     Reg HKLM\SOFTWARE\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32@nadnkcabafnddlccliceghmkmodh 0x6A 0x61 0x63 0x61 ...

     ---- Files - GMER 1.0.15 ----

     ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000041.sys:1 8704 bytes executable
     ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000046.sys:1 8704 bytes executable
     ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000065.sys:1 8704 bytes executable
     ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000072.sys:1 8704 bytes executable
     ADS C:\System Volume Information\_restore{BC0A5C4A-5200-4703-8FD3-2C54CB731FCB}\RP2\A0000056.sys:1 8704 bytes executable
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031178.JPG 1127258 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031161.JPG 1312961 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031162.JPG 1916617 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031163.JPG 1929773 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031164.JPG 1864782 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031165.JPG 2025580 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031166.JPG 1751723 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031167.JPG 1437183 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031168.JPG 2320084 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031169.JPG 2369072 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031170.JPG 1966530 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031171.JPG 1943830 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031172.JPG 1866613 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031173.JPG 1884373 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031174.JPG 1998313 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031175.JPG 2100706 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031176.JPG 1795936 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031177.JPG 1410303 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031179.JPG 286404 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031180.JPG 1781610 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5031181.JPG 1021017 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041182.JPG 378687 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041183.JPG 403750 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041184.JPG 1164497 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041185.JPG 2314880 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041186.JPG 2435349 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041187.JPG 2534233 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041188.JPG 2576637 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041189.JPG 2490951 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041190.JPG 2596927 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041191.JPG 2175079 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041192.JPG 2349697 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041193.JPG 2448487 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041194.JPG 2387656 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041195.JPG 2481140 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041196.JPG 2541145 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041197.JPG 2458840 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041198.JPG 2595027 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041199.JPG 2755933 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041200.JPG 2696896 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041201.JPG 2550105 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041202.JPG 1920479 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041203.JPG 1680012 bytes
     File C:\Documents and Settings\user1\Desktop\temporary data\grouped desktop icons to unravel 16 jan 2009\temporary pics and videos\all gekko stuff temporary for sale\gekko stuff recovered from other drives\From_250_apricorn drive\pics_gekko_04_30_04\return to anchorage\P5041204.JPG 1612098 bytes

     ---- EOF - GMER 1.0.15 ----

     FYI: The files with the long path name at the end of the log are JPGs I made myself with a Sony camera. No idea why the program would notice those. The computer runs fine. The browsers, both IE8 and FF, seem slow. This may be because, prior to consulting you, I tightened up Avira's security setting. If everything seems clean now, I can experiment with that, or maybe there is a better, less speed-reducing antivirus I can use (it doesn't need to be free)? Please let me know if any other tests seem indicated. Again, many thanks for the very valuable and patient help. If you have an extra moment, I'd be interested if you know what malware I had and typically where it might have come from.
  5. /--------------------------------------------------------------\
     |                  Trend Micro System Cleaner                  |
     |            Copyright 2009-2010, Trend Micro, Inc.            |
     |                  http://www.trendmicro.com                   |
     \--------------------------------------------------------------/

     2009-09-08, 00:03:20, Auto-clean mode specified.
     2009-09-08, 00:03:20, Initialized Rootkit Driver version 1.6.0.1059.
     2009-09-08, 00:03:20, Running scanner "C:\dce\TSC.BIN"...
     2009-09-08, 00:03:24, Scanner "C:\dce\TSC.BIN" has finished running.
     2009-09-08, 00:03:24, TSC Log:
  6. Hi. Sorry about the apparently independent actions -- they took place between the time I first posted and your first reply, and the renaming idea came from a sticky set of instructions elsewhere in the forum. I ran Combofix at the same time to see if it would run instead of being terminated by whatever malware I had. I did not mean to increase your workload! Won't happen again.

     Trend Micro ran fine until the end, at which time, I am guessing, it did a reboot, which probably re-activates Avira Premium Security Suite, whose scanners had been turned off -- anyway, the Trend Micro program stopped with a message from Avira: "SSAPI command line scanner. This application is trying to execute code in another process (explorer.exe) -- Allow/Deny." I allowed, and Trend Micro continued and terminated, apparently normally. The log display from inside the Trend Micro scanner isn't copyable as text. Transcribing it manually from a screen image, the next-to-last entry is "Scanner C:\DEC\TSC.bin has finished running." The next line says "TSC Log:" and the last line consists of what looks like 3 characters. The first is a "y" with two dots over it, the second looks like a p overwritten with an L, and the last is a D. The files report.log and sysclean.log exist and can be loaded into Notepad and read as text. Would you like me to post either or both? sysclean.log is fairly brief, but report.log is quite lengthy, a 135KB file.

     I then tried to run Kaspersky's web scan as directed. First I updated Java as requested. I made sure Avira was as much OFF as I can make it (all scanners unchecked) and I disabled Spybot. Kaspersky started to load but terminated with the error: "Launch of the JACA application is interrupted. Please establish an interrupted Internet connection for work with this program."

     The only other thing I can think of to tell you is that no programs are running that I was able to disable from taskbars, and that some Windows updates are pending and the Windows shield icon is on the task bar. My browser seems to run fine, and the internet connection is from Time Warner cable via a cable modem and a Linksys wifi router; however, this computer is hard-wired to the router via a CAT5 cable. I've had no problems with the internet connection recently. I did not run the last program you requested nor post the Trend Micro logs, pending your further directions. If you'd like me to uninstall Avira, I'll be happy to. Shall I allow Windows Update to run at this time? Thanks, and again, sorry for the previous inconvenience. M. Y.
  7. Hi again. Well... Malwarebytes now runs. I'll post the log below -- I did an uneventful update of it yesterday. Just FYI, I am still unable to delete some of the original Malwarebytes files, so I reinstalled the program into a folder called malwarebytes2 (under Program Files) and I renamed the exe file to winlogon.exe just in case.

     Rootrepeal.exe stops running rapidly with a "blue screen of death". I tried it with all my usual startup items active and also with Spybot, Avira, Gotomypc, and Bounceback (a backup system) deactivated from the task bar at the bottom right of the screen. I did not try deactivating individual processes, so presumably Teatimer or other things may have been running. I ran it three times. On one run with the startup programs deactivated as above, Rootrepeal gave an error message in a box before the screen went blue. I could probably capture that with a camera and type it in if it would help. It stayed up too short a time to read. Two of the runs with the programs inactivated didn't get very far. The third (with the above programs active) ran for a short time and scanned a few dozen files before it went "bloooey!" It may help to know I use an Asus PN5SLI motherboard, which is quite fussy. I am not overclocking it. It complained after the third blue screen event during the cold restart, went to its own "safe mode", but restarted OK without problems or other error messages when I pressed F1 to continue.

     I'm happy to uninstall ALL the antiviral stuff -- Avira and Spybot and anything else you'd like removed -- and I can make an image backup of the hard drive and work on that so my data will be preserved. Just let me know if that's the best way to go. If so, it may be a day or two before I can continue with your instructions. Here's the Malwarebytes log from yesterday. Did you want another Combofix log? I did not attempt the additional steps you specified after Rootrepeal would not run.

     *-------
     Malwarebytes' Anti-Malware 1.40
     Database version: 2750
     Windows 5.1.2600 Service Pack 3

     9/7/2009 12:58:50 AM
     mbam-log-2009-09-07 (00-58-50).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 516240
     Time elapsed: 4 hour(s), 18 minute(s), 4 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\user1\Desktop\Temporary Programs\System utilities\benchmarks\super_pi\super_pi_mod-1.5\super_pi_mod.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
     *-------

     Superpi is infected? I've had that download for a long time -- way before the current problem started! Anyway, I allowed Malwarebytes to remove it. I'm sure you know how much all this assistance is appreciated! M.Y.
  8. Hi and thank you for the prompt reply. I have a question about Avira Premium Security Suite. I can uncheck the various scan options but I cannot shut it off completely, and it still asks for various permissions. I don't mind uninstalling it if that would be better-- please advise.

Prior to your reply, I ran Combofix again as Combo-fix.exe and it ran and updated itself. It then provided the following log, which I am adding here in case it changes your instructions. I apologize for jumping the gun, but I thought Combofix wasn't running because the blue screen was on for quite a while -- or maybe it started running at some point. In any case, I thought it better to hold off following the previous instructions and let you know about this log. I regret the inconvenience and incompleteness of the first post!

*-------
ComboFix 09-09-06.02 - user1 09/06/2009 10:44.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1603 [GMT -7:00]
Running from: c:\documents and settings\user1\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\HOLUX
c:\documents and settings\All Users\Start Menu\Programs\HOLUX \GpsViewer.lnk
c:\documents and settings\user1\Application Data\inst.exe
C:\install.exe
c:\windows\Installer\4e340b3.msi
c:\windows\Installer\50887c3.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\UA000019.DLL
c:\windows\UA000079.DLL
c:\windows\UA000106.DLL

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 15:52 . 2009-09-06 15:52 -------- d-----w- c:\program files\GiPo@Utilities
2009-09-06 15:52 . 2009-09-06 15:52 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-09-06 07:08 . 2009-09-06 07:08 -------- d-----w- c:\documents and settings\user1\Application Data\Avira
2009-09-06 06:59 . 2009-05-08 21:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2009-09-06 06:59 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-06 06:59 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-06 06:59 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-06 06:59 . 2009-02-24 20:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2009-09-06 06:59 . 2009-09-06 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-06 06:59 . 2009-09-06 06:59 -------- d-----w- c:\program files\Avira
2009-09-06 06:40 . 2009-09-06 06:40 -------- d-----w- c:\program files\ESET
2009-09-05 22:28 . 2009-09-05 22:28 -------- d-----w- c:\program files\CMS Products
2009-09-05 22:28 . 2007-08-31 19:39 10240 ----a-w- c:\windows\system32\drivers\portd64.sys
2009-09-05 22:21 . 2008-01-02 16:35 35520 ----a-w- c:\windows\system32\BBUninstall.exe
2009-09-05 22:21 . 2009-09-05 22:21 -------- d-----w- c:\documents and settings\user1\Application Data\InstallShield Installation Information
2009-08-27 06:28 . 2009-08-27 06:29 -------- d-----w- c:\program files\MapExplorer
2009-08-27 06:20 . 2009-08-27 06:20 -------- d-----w- c:\documents and settings\user1\Application Data\GARMIN
2009-08-26 00:22 . 2003-09-22 23:01 11520 ------w- c:\windows\system32\drivers\WDMSTUB.sys
2009-08-25 23:43 . 2007-03-08 22:18 8320 ----a-w- c:\windows\system32\drivers\grmnusb.sys
2009-08-25 23:43 . 2007-03-08 22:18 18432 ----a-w- c:\windows\system32\drivers\grmngen.sys
2009-08-25 23:41 . 2009-08-27 06:17 -------- d-----w- C:\Garmin
2009-08-15 20:36 . 2009-08-15 20:36 -------- d-----w- c:\program files\Seagate
2009-08-15 20:36 . 2009-08-15 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-08-15 20:34 . 2009-08-15 20:34 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\Downloaded Installations
2009-08-15 20:33 . 2009-08-15 20:33 -------- d-----w- c:\documents and settings\user1\Application Data\Leadertech
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-09-06 16:42 . 2008-12-18 17:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 16:22 . 2006-12-31 21:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-06 06:53 . 2007-01-03 16:22 -------- d-----w- c:\program files\Powermarks 3.5
2009-09-04 21:54 . 2007-01-03 08:24 -------- d-----w- c:\program files\Google
2009-09-04 20:18 . 2007-10-08 20:38 -------- d-----w- c:\program files\Olympus
2009-09-04 20:18 . 2006-12-13 02:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 23:38 . 2007-02-19 14:19 -------- d-----w- c:\program files\MpcStar
2009-08-27 05:46 . 2007-02-11 01:29 -------- d-----w- c:\program files\BitComet
2009-08-22 13:14 . 2008-08-30 18:47 -------- d-----w- c:\program files\MediaCoder
2009-08-17 22:50 . 2007-08-09 01:10 -------- d-----w- c:\documents and settings\user1\Application Data\Canon
2009-08-17 07:18 . 2007-03-15 03:13 -------- d-----w- c:\program files\Zoom Player
2009-08-03 20:36 . 2008-12-18 17:34 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2008-12-18 17:34 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 23:33 . 2009-05-03 20:37 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 05:26 . 2007-06-14 06:17 -------- d-----w- c:\program files\URLToysPerlSA
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 18:13 . 2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 04:27 . 2005-10-14 04:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14 . 2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24 . 2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2004-10-27 61952]

c:\documents and settings\user1\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Server\BBStartup.exe [2009-9-5 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 19:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART-ER.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART-ER.lnk
backup=c:\windows\pss\SMART-ER.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user1^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
path=c:\documents and settings\user1\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
backup=c:\windows\pss\Secunia PSI (RC1).lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\gvupdate.exe"=
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\gvflashw.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EtiVoServer\\EtiVoSrv.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\G-VGA.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVHarmony\\AutoPilot.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26233:TCP"= 26233:TCP:*:Disabled:BitComet 26233 TCP
"26233:UDP"= 26233:UDP:*:Disabled:BitComet 26233 UDP
"7329:TCP"= 7329:TCP:BitComet 7329 TCP
"7329:UDP"= 7329:UDP:BitComet 7329 UDP
"2190:UDP"= 2190:UDP:*:Disabled:HMO
"2190:TCP"= 2190:TCP:*:Disabled:HMO
"8081:TCP"= 8081:TCP:*:Disabled:HMO

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\system32\drivers\ezgmntr.sys [12/20/2006 8:38 PM 213760]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [9/5/2009 11:59 PM 97608]
R2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [9/5/2009 11:59 PM 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [9/5/2009 11:59 PM 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/5/2009 11:59 PM 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [9/5/2009 11:59 PM 434945]
R2 BBWatcherService;BBWatcherService;c:\program files\CMS Products\BounceBack Server\BBWatcherService.exe [9/5/2009 3:28 PM 36864]
R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\system32\drivers\ezgfsfilt.sys [12/20/2006 8:38 PM 28800]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [3/27/2009 3:54 PM 165160]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [9/5/2009 11:59 PM 69632]
S2 gupdate1c9bd2f6accc6cc;Google Update Service (gupdate1c9bd2f6accc6cc);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 11:32 AM 133104]
S3 EtiVoServer;EtiVoServer;c:\program files\EtiVoServer\EtiVoSrv.exe [9/8/2005 11:09 PM 24576]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2/19/2008 1:24 AM 7808]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/15/2008 8:25 AM 747912]
S4 GPCIDrv;GPCIDrv;c:\windows\GPCIDrv.sys [11/8/2008 1:49 PM 5112]
S4 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [12/30/2006 9:17 AM 17962]
S4 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys [?]
S4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/9/2008 4:13 PM 868864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 18:32]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download All by FlashGet
IE: Download using FlashGet
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://204.13.252.204:90/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\z4f3xe0j.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 10:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32*]
"oadnadkhjbgegodlmcjnolaelolijn"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,
   68,68,6e,63,70,70,00,f9
"nadnkcabafnddlccliceghmkmodh"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,
   68,68,6e,63,70,70,00,f9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1084)
c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\windows\system32\wscntfy.exe
c:\program files\CMS Products\BounceBack Server\BBLauncher.exe
c:\program files\Avira\AntiVir Desktop\usrreq.exe
.
**************************************************************************
.
Completion time: 2009-09-06 11:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 18:07
ComboFix2.txt 2009-01-03 21:06

Pre-Run: 21,244,571,648 bytes free
Post-Run: 21,270,700,032 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
255 --- E O F --- 2008-09-18 18:22
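The ComboFix log above contains the handful of entry types a helper reads first: plain files carrying system+hidden attributes (--sha-r-) under c:\windows, a kernel driver (TCCrystalCpuInfo) whose image path is in a user's Temp folder, the Windows Firewall standard profile with EnableFirewall set to 0, and a CLSID key that ComboFix marks with a trailing * because it could not open it, holding hex-encoded values. The script below is an added example, not code from this thread, from ComboFix or from the forum's helpers: it pulls exactly those entry types out of a log and decodes the REGEDIT4 hex payload into readable text. The sample lines are constructed from the log above (the hex value that ComboFix wrapped over two lines is joined), and the four categories and the c:\windows / \Temp\ heuristics are my own choices for illustration.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Constructed sample: lines in the shape of the ComboFix sections above
# (Find3M listing, firewall policy, service/driver rows, locked keys).
# The hex value that ComboFix wrapped over two lines is joined here.
SAMPLE_LOG = r"""
2009-08-03 20:36 . 2008-12-18 17:34 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2009-09-04 20:18 . 2006-12-13 02:41 -------- d--h--w- c:\program files\InstallShield Installation Information
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [9/5/2009 11:59 PM 97608]
S4 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\user1\LOCALS~1\Temp\TCCpuInfo.sys [?]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{12D6502E-043D-FB91-713D-CA485AE31673}\InProcServer32*]
"oadnadkhjbgegodlmcjnolaelolijn"=hex:6a,61,63,61,68,6b,6e,63,6c,6a,6c,6a,6d,65,68,68,6e,63,70,70,00,f9
"""

# Find3M / "Files Created" rows: <mtime> . <ctime> <size|--------> <attrs> <path>
FIND3M_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+([-a-z]{8})\s+(.+)$"
)
# Service/driver rows: <start type> <name>;<display name>;<image path> [...]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
HEX_VALUE_RE = re.compile(r'^"([^"]+)"=hex:([0-9a-fA-F, ]+)$')


def decode_reg_hex(payload: str) -> str:
    """Decode a REGEDIT4 'hex:6a,61,...' payload to its NUL-terminated ASCII prefix."""
    raw = bytes(int(b, 16) for b in payload.replace(" ", "").split(",") if b)
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def triage(log_text: str) -> List[Finding]:
    """Return (category, detail) pairs for entries a human should look at."""
    findings: List[Finding] = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            # ComboFix appends '*' to a key it could not open normally.
            if current_key.endswith("*"):
                findings.append(("locked-key", current_key.rstrip("*")))
            continue

        m = FIND3M_RE.match(line)
        if m:
            attrs, path = m.group(2), m.group(3)
            # system+hidden on a plain file under c:\windows: unusual for user software
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs \
                    and path.lower().startswith("c:\\windows"):
                findings.append(("hidden-system-file", path))
            continue

        m = SERVICE_RE.match(line)
        if m:
            # a driver/service whose image lives in a user's Temp directory
            if "\\temp\\" in m.group(4).lower():
                findings.append(("driver-in-temp", m.group(2)))
            continue

        if current_key.lower().endswith("firewallpolicy\\standardprofile") \
                and line.startswith('"EnableFirewall"= 0'):
            findings.append(("firewall-disabled", current_key))
            continue

        m = HEX_VALUE_RE.match(line)
        if m and current_key.endswith("*"):
            findings.append(("locked-key-value",
                             f"{m.group(1)} -> {decode_reg_hex(m.group(2))!r}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

The output is a review list, not a verdict: EnableFirewall=0 is what you expect when a third-party firewall is in charge, and the log's header does show the Avira Firewall as enabled; the 2004-2006 codec and cygwin files with --sha-r- attributes and the Temp-resident driver are only flagged so that someone checks them. Decoding the hex values matters because the value names in the locked key are random letter strings and the data decodes to another one, which is the kind of detail a helper compares against the scanner's own quarantine list.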
  9. Wow! Whatever I got, this malware must be a piece of work! The following either won't load or get interrupted and disappear mid-scan:

Malwarebytes
Spybot
Hijackthis
and even Rootrepeal

Combofix, as combo-fix.exe on the desktop, also will not run. Hey, "who are those guys?"

The system has Avira Premium Security Suite, and it blocks outgoing packets and attempts by msa.exe and b.exe to access the internet. However, a full scan including rootkits done by the Avira program reveals no problem. Avira seems to scan fine; it just doesn't find anything to remove.

I do have an uninfected computer, which I am running now and writing from. I can transfer programs via USB flash drive -- and my infected computer can boot from one. I have a 2GB flash drive and can borrow a 16GB one if that helps. The system has a CD/DVD drive. My uninfected system burns CDs but not DVDs. Thanks to your forum, I did install the console prior to this infestation and can access it at startup. However, even though I downloaded combofix to the desktop as "combo-fix", it also will not run past the first display or so.

The system is a Core 2 Duo running WinXP SP/3 with most of the updates done, but maybe not the last week's or so. I tried updating Spybot, which worked, and now it shows up in the task bar again; however, it won't come up. It did detect msa.exe on one startup (a few restarts ago) and offered to delete it, which I accepted. Now msa.exe no longer shows up in the running processes list on Task Manager. However, b.exe is still present. Teatimer is in the list of running processes.

I'd appreciate (you have no idea how much) any help you can provide in removing this persistent pest, and I will be delighted to contribute (again) to your excellent efforts. I'd also appreciate it if you know whether this could be a password stealer or other identity theft risk, in which case I will use the other computer to change banking passwords. Again, thanks for all the good you guys do! I'll watch here for replies.