Yuri

Thanks, I will take to this.

After upgrade to SP3 on every reboot the icon with AIR plus CFG.exe Entry Point not Found comes up with the message "apsGetInterfaceCount is not found in liblrary wlanapi.dll." Pressing OK continues a process and PC works after that. The router Dlink AirPlus DWL-G520 with PCI/B is on my PC to support small network of two computers. Please help/advise how to get rid of this strange thing.

Hello Ron, The log is clean and at the bottom of this post. Thanks you for your assistance. Your great help definitely saved us from big trouble. At the end of this painful process I would like to ask you two questions. First question: ============== I have to confess that after some perusal of the forum

Hello Ron, All the tasks performed. Results are in ZIPed archive. Thanks for your attention. Yuri New_Fix_PC.zip New_Fix_PC.zip

Hello Ron, I have missed to ask you these things: - should Symantec AV be deactivated totaly, which I do know how to do, or only AUTO-Protect disabled? - I do not know "If it (AV) has Script Blocking features, please disable these..." how to find out if it does have any - when this laptop boots up the first thing that coming up right after desktop activates is MS-Messanger. To me it is the bad thing. Daughter is communicating by that nasty tool with her friends. But the way the Messanger comes up to play is absolutely ab-normal to me. What do you think? (about that MS-Mesanger). Thanks, Yuri

Hello Ron, CHKDSK did not give any problem or protocol. I assume it was ok. Should I repeat it? Unfortunately am not home now and can perform all operations you assigned only later today. I would like to ask you about the situation and for explanation of some processes. Is normal WinZip file OK for all the logs to be sent to you? But the main question is what that she has on her laptop. What is the name of that infection we are fighting? I have to confess I should have done it before posting, after some perusal of the forum

Hello Ron, I finally was able to perform all task assigned for me. There are all logs requested. What is included: 1. MalwareBytes log 2. ComboFix log 3. HijackThis log 4. JavaRa leletion log 5. CCleaner log added to zip archive 6. DDS.txt log added to zip archive 7.Aattach.txt log added to zip archive Thanks for your attention, Yuri ================================== Malwarebytes' Anti-Malware 1.38 Database version: 2406 Windows 5.1.2600 Service Pack 2 11/07/2009 9:44:59 AM mbam-log-2009-07-11 (09-44-59).txt Scan type: Full Scan (C:\|) Objects scanned: 177071 Time elapsed: 47 minute(s), 30 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ====================================== ComboFix 09-07-09.06 - Elena 12/07/2009 13:50.2.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1582 [GMT -4:00] Running from: c:\documents and settings\Elena\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Elena\Desktop\CFscript.txt . ((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 ))))))))))))))))))))))))))))))) . 2009-07-12 17:02 . 2009-07-12 17:45 -------- d-s---w- C:\ComboFix 2009-07-11 03:09 . 2009-07-11 03:09 -------- d-----w- c:\program files\ESET 2009-07-09 04:20 . 2009-07-09 04:58 -------- d-----w- c:\documents and settings\Elena\Application Data\Messenger 2009-07-09 02:59 . 2009-07-09 04:26 -------- d-----w- c:\documents and settings\Elena\Application Data\BitTorrent . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-10 17:48 . 2007-08-31 18:49 -------- d-----w- c:\documents and settings\Elena\Application Data\Skype 2009-07-10 17:47 . 2009-04-10 16:59 -------- d-----w- c:\documents and settings\Elena\Application Data\skypePM 2009-07-09 14:38 . 2009-07-09 04:21 4 ---h--w- c:\windows\Fonts\mlog 2009-07-03 13:54 . 2007-08-02 18:47 35291 ----a-w- c:\windows\system32\nvModes.dat 2009-06-18 20:01 . 2009-02-19 01:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-18 20:01 . 2009-03-31 14:21 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-06-17 15:27 . 2009-02-19 01:48 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-17 15:27 . 2009-02-19 01:48 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-05-28 02:28 . 2007-08-09 17:37 68840 -c--a-w- c:\documents and settings\Elena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-28 02:27 . 2009-05-28 02:27 -------- d-----w- c:\program files\Microsoft 2009-05-28 02:27 . 2009-05-28 02:26 -------- d-----w- c:\program files\Windows Live 2009-05-28 02:27 . 2009-05-28 02:27 -------- d-----w- c:\program files\Windows Live SkyDrive 2009-05-28 02:24 . 2009-05-28 02:24 -------- d-----w- c:\program files\Common Files\Windows Live 2009-05-07 15:44 . 2004-08-10 17:51 344064 ----a-w- c:\windows\system32\localspl.dll 2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-04-17 09:58 . 2004-08-10 17:51 1846656 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 15:11 . 2004-08-10 17:51 584192 ----a-w- c:\windows\system32\rpcrt4.dll . ------- Sigcheck ------- [-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe [-] 2004-08-04 10:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe [-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll [-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll [-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll [-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll [-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll [-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll [-] 2004-08-04 10:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll [-] 2004-08-04 10:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\dllcache\ws2_32.dll [-] 2006-01-09 18:02 662016 DDE9597A3311748C1519444E2BC147BD c:\windows\$hf_mig$\KB912945\SP2QFE\wininet.dll [-] 2007-02-20 09:52 665600 B258C922D22DEEC880B60720531D7627 c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll [-] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll [-] 2007-08-22 12:55 665600 A1BC17EB3758D73C3938B2318820F5B4 c:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll [-] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll [-] 2007-12-07 00:44 666112 085A7C37F9C6EDE1BA870B7DBEC06399 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll [-] 2008-02-16 09:32 666112 BB1EACD6AB47E78EBCA02EB781550D55 c:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll [-] 2008-04-21 06:56 666624 2E7DE1BF9418B071799EB53DE8CC22F5 c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll [-] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll [-] 2008-04-21 06:24 666624 26F240C250E5B4B395CB4B178BA75437 c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll [-] 2008-06-23 16:12 667136 611ACE3F4201E9610AF8452F7C268995 c:\windows\$hf_mig$\KB953838\SP2QFE\wininet.dll [-] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll [-] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll [-] 2008-08-20 05:33 667648 C91E3A6EF094202F6B5CA8960DFCF243 c:\windows\$hf_mig$\KB956390\SP2QFE\wininet.dll [-] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll [-] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll [-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll [-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll [-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll [-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll [-] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll [-] 2007-02-20 09:48 658944 30D1C47E40EFBB792FF8D3C3B51CE507 c:\windows\$NtUninstallKB937143$\wininet.dll [-] 2007-06-26 14:09 658944 184E47C8F7B331025E6DC92740DB188F c:\windows\$NtUninstallKB939653$\wininet.dll [-] 2007-08-22 13:12 658944 1901AD51DA8BE9F8B38D5D526E5D1788 c:\windows\$NtUninstallKB942615$\wininet.dll [-] 2007-10-11 06:13 659456 2005AD86A22AEE68E21EE59F9CCB77F2 c:\windows\$NtUninstallKB944533$\wininet.dll [-] 2007-12-07 01:07 659456 57D1B5150CF6331FAC6B3E04C1FCB966 c:\windows\$NtUninstallKB947864$\wininet.dll [-] 2008-02-16 08:59 659456 0C690E77C0E924C45B4D7045B182FFF1 c:\windows\$NtUninstallKB950759$\wininet.dll [-] 2008-04-21 07:04 659456 1EFB8A3EA8454AEC1BB8A240A2845598 c:\windows\$NtUninstallKB953838$\wininet.dll [-] 2008-06-23 15:38 659456 9EEA04BC4C3FA521D256D89940FAB4DB c:\windows\$NtUninstallKB956390$\wininet.dll [-] 2008-08-20 05:38 659456 87E694D09893978F22024FEEEDF35342 c:\windows\ie7\wininet.dll [-] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB956390-IE7\wininet.dll [-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll [-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll [-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll [-] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll [-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wininet.dll [-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll [-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\wininet.dll [-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys [-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [-] 2004-08-04 10:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys [-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys [-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748$\tcpip.sys [-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys [-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys [-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys [-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe [-] 2004-08-04 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe [-] 2004-08-04 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\dllcache\winlogon.exe [-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys [-] 2004-08-04 10:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys [-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys [-] 2004-08-04 10:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys [-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe [-] 2007-02-28 06:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe [-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe [-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe [-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe [-] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe [-] 2007-02-28 08:38 2015744 A58AC1C6199EF34228ABEE7FC057AE09 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe [-] 2008-08-14 09:18 2020864 501FDE895F35DF1DAE49FD54BBF9D396 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe [-] 2007-02-28 09:15 2017280 2DFB215E291E3D9B1CF9A6739B3BF16C c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe [-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\Driver Cache\i386\ntkrnlpa.exe [-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe [-] 2009-02-06 09:49 2020864 243223E3FB74B68DFFBB41989F33DFB3 c:\windows\system32\ntkrnlpa.exe [-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\system32\dllcache\ntkrnlpa.exe [-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe [-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe [-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe [-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe [-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe [-] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe [-] 2007-02-28 09:08 2136064 1220FAF071DEA8653EE21DE7DCDA8BFD c:\windows\$NtUninstallKB931784$\ntoskrnl.exe [-] 2008-08-14 09:55 2142720 60794EA12961B7341AD54C731B50AE15 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe [-] 2007-02-28 09:53 2137600 E6679C3023B17D8B78946BC5DF53FA20 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe [-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\Driver Cache\i386\ntoskrnl.exe [-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe [-] 2009-02-06 10:29 2142720 19A791C5DFE59AA9BB1461C4957004F6 c:\windows\system32\ntoskrnl.exe [-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\system32\dllcache\ntoskrnl.exe [-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe [-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe [-] 2004-08-04 10:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe [-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe [-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe [-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe [-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe [-] 2004-08-04 10:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtUninstallKB956572$\services.exe [-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe [-] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\system32\services.exe [-] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\system32\dllcache\services.exe [-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe [-] 2004-08-04 10:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe [-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe [-] 2004-08-04 10:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe [-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe [-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe [-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe [-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe [-] 2004-08-04 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe [-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll [-] 2004-08-04 10:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll [-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll [-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll [-] 2009-03-21 13:54 989184 80202858D245FF07DAA1739C57A3E19B c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll [-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll [-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll [-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll [-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtUninstallKB959426$\kernel32.dll [-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kernel32.dll [-] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\kernel32.dll [-] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\dllcache\kernel32.dll [-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll [-] 2004-08-04 10:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll [-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll [-] 2004-08-04 10:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll [-] 2004-08-04 10:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\dllcache\imm32.dll [-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll [-] 2004-08-04 10:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll [-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kbdclass.sys [-] 2004-08-04 03:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys . ((((((((((((((((((((((((((((( SnapShot@2009-07-10_03.39.27 ))))))))))))))))))))))))))))))))))))))))) . + 2004-08-10 17:51 . 2009-07-10 13:26 65446 c:\windows\system32\perfc009.dat - 2004-08-10 17:51 . 2009-07-10 03:37 65446 c:\windows\system32\perfc009.dat + 2004-08-10 17:51 . 2009-07-10 13:26 411142 c:\windows\system32\perfh009.dat - 2004-08-10 17:51 . 2009-07-10 03:37 411142 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128] "Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-02-20 1191936] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-31 1626112] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\wxvault.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 wvauth [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\WINDOWS\\system32\\LMabcoms.exe"= "c:\\Program Files\\DC++\\DCPlusPlus.exe"= "c:\\Program Files\\ApexDC++\\ApexDC.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Documents and Settings\\Elena\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= "c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 3:21 PM 79432] R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [10/08/2004 1:50 PM 5120] R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 1:32 PM 97536] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/03/2004 4:18 PM 169192] . Contents of the 'Scheduled Tasks' folder 2009-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:15] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.ca/ig?hl=en mStart Page = about:blank LSP: c:\windows\system32\biolsp.dll DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab FF - ProfilePath - c:\documents and settings\Elena\Application Data\Mozilla\Firefox\Profiles\yjrwp41r.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-12 13:54 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1128) c:\windows\System32\BCMLogon.dll - - - - - - - > 'lsass.exe'(1184) c:\windows\system32\wvauth.dll c:\windows\system32\biolsp.dll - - - - - - - > 'explorer.exe'(868) c:\windows\system32\nview.dll c:\windows\system32\nvwddi.dll c:\windows\system32\biolsp.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\windows\system32\scardsvr.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Dell\QuickSet\NicConfigSvc.exe c:\windows\system32\nvsvc32.exe c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe c:\windows\system32\msdtc.exe c:\windows\system32\wscntfy.exe c:\windows\system32\rundll32.exe c:\windows\system32\rundll32.exe . ************************************************************************** . Completion time: 2009-07-12 13:57 - machine was rebooted ComboFix-quarantined-files.txt 2009-07-12 17:57 ComboFix2.txt 2009-07-10 03:42 Pre-Run: 13,192,269,824 bytes free Post-Run: 13,195,227,136 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 300 --- E O F --- 2009-07-04 14:23 ======================================================== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:25:08 PM, on 12/07/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16850) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Dell\QuickSet\Quickset.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189451780656 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\wxvault.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 6718 bytes ================================== JavaRa 1.14 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Sun Jul 12 14:19:31 2009 Found and removed: Software\JavaSoft\Java2D\1.5.0_06 Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\ ------------------------------------ Finished reporting. All_logs.zip All_logs.zip

Hello Ron, It looks I am having some problems. When downloaded ComboFix at first, I forgotten to disconnect the Internet. So disconnecting the Internet during its work gave me halt at disclaimers windows. I had to reboot the machine. So, I have deleted ComboFix and tried to download ComboFix fresh. There are all problems started: Given I have two links - download.bleepingcomputer.com/sUBs/ComboFix.exe This gives error 404 subs.geekstogo.com/ComboFix.exe This redirects me to site www.forospyware.con Thus I decided to postpone and ask you what is going on. Is it infection on my machine or else? Thanks Yuri.

Hello Ron, Thanks for prompt reply. I have run this new scan, it does not show anything. Should it be done more? Yuri. There is the log: ================================================== ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=6 # iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018) # OnlineScanner.ocx=1.0.0.5886 # api_version=3.0.2 # EOSSerial=78b6d18602d2df4e9fd1966b6b56253f # end=finished # remove_checked=false # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-07-11 03:38:35 # local_time=2009-07-10 11:38:35 (-0500, Eastern Daylight Time) # country="Canada" # lang=9 # osver=5.1.2600 NT Service Pack 2 # compatibility_mode=3585 63 50 0 0 # scanned=83485 # found=0 # cleaned=0 # scan_time=1385

Hello, people at MalwareBytes. Let me thank you once again for help to clean my PC in April. But this time I need some help with my daughter

Hello Dan, Finally I was able to clean it up totally. Now the stick is empty. There is only one wrinkle with it. I have cleaned it from CMD prompt (DOS legacy screen). Then I started disinfector. It did not show anything , I assume it finished OK. Checking the drive (stick) I can see invisible directory autorun.inf, which has a file named

I will go home and wipe out the entire stick. That will help as it does not pose any threat to my desktop. Thanks, Yuri.

Hello Dan. Things do not look good. Desinfector worked fine and deleted a lot of stuff from the stick. You can compare it to my prev. post. But hidden file and folders are not visible even the radio button is ON. There are three hidden folders.Please see below. After that there is HJT. Thanks, Yuri ===================================== Microsoft Windows XP [Version 5.1.2600] © Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Yuri Naumtchik>dir F:\ Volume in drive F is CORSAIR Volume Serial Number is 9C89-5C61 Directory of F:\ 18/02/2009 10:48 AM 2,876,720 mbam-setup.exe 1 File(s) 2,876,720 bytes 0 Dir(s) 1,011,531,776 bytes free C:\Documents and Settings\Yuri Naumtchik>dir f:\ /A Volume in drive F is CORSAIR Volume Serial Number is 9C89-5C61 Directory of f:\ 01/04/2009 10:15 PM <DIR> autorun.inf 19/09/2008 12:10 AM <DIR> Recycled 09/10/2006 09:15 AM <DIR> Nokia Music Manager 18/02/2009 10:48 AM 2,876,720 mbam-setup.exe 1 File(s) 2,876,720 bytes 3 Dir(s) 1,011,531,776 bytes free C:\Documents and Settings\Yuri Naumtchik>dir F:\Recycled\ /A Volume in drive F is CORSAIR Volume Serial Number is 9C89-5C61 Directory of F:\Recycled 19/09/2008 12:10 AM <DIR> . 19/09/2008 12:10 AM <DIR> .. 19/09/2008 12:10 AM 63 desktop.ini 1 File(s) 63 bytes 2 Dir(s) 1,011,531,776 bytes free C:\Documents and Settings\Yuri Naumtchik>dir f:\autorun.inf\ /a Volume in drive F is CORSAIR Volume Serial Number is 9C89-5C61 Directory of f:\autorun.inf 01/04/2009 10:15 PM <DIR> . 01/04/2009 10:15 PM <DIR> .. 0 File(s) 0 bytes 2 Dir(s) 1,011,531,776 bytes free C:\Documents and Settings\Yuri Naumtchik>dir f:\"Nokia Music Manager"\ /a Volume in drive F is CORSAIR Volume Serial Number is 9C89-5C61 Directory of f:\Nokia Music Manager 19/09/2008 12:10 AM <DIR> . 19/09/2008 12:10 AM <DIR> .. 09/10/2006 09:15 AM 76 desktop.ini 09/10/2006 09:15 AM <DIR> N-1-5-21-1895552279-3129831955-389522551-6003 09/10/2006 09:15 AM <DIR> N-1-5-21-1895522279-3129831995-389222551-6003 09/10/2006 09:15 AM <DIR> N-1-5-21-1895522279-3129831995-389522551-6003 09/10/2006 09:15 AM <DIR> N-1-5-21-1895522279-3129831995-389552551-6003 09/10/2006 09:15 AM <DIR> N-1-5-21-1895222279-3129831995-389225551-6003 09/10/2006 09:15 AM <DIR> N-1-5-21-1895552279-3129831995-389225551-6003 1 File(s) 76 bytes 8 Dir(s) 1,011,531,776 bytes free C:\Documents and Settings\Yuri Naumtchik>dir f:\"Nokia Music Manager"\N-1-5-21-1895552279-3129831995-389225551-6003\ /A Volume in drive F is CORSAIR Volume Serial Number is 9C89-5C61 Directory of f:\Nokia Music Manager\N-1-5-21-1895552279-3129831995-389225551-6003 19/09/2008 12:10 AM <DIR> . 19/09/2008 12:10 AM <DIR> .. 09/10/2006 09:15 AM 76 desktop.ini 09/10/2006 09:15 AM 0 info2 2 File(s) 76 bytes 2 Dir(s) 1,011,531,776 bytes free C:\Documents and Settings\Yuri Naumtchik> ================================== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:22:04 PM, on 01/04/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Orbitdownloader\orbitdm.exe C:\Program Files\Orbitdownloader\orbitnet.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-21-2745678790-3757435101-538525854-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Oksana') O4 - HKUS\S-1-5-21-2745678790-3757435101-538525854-1009\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Oksana') O4 - HKUS\S-1-5-21-2745678790-3757435101-538525854-1009\..\Run: [i.UA Checker] c:\program files\mi6\i.ua checker\iua_checker.exe (User 'Oksana') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Google Update Service (gupdate1c9a76a5b4470d6) (gupdate1c9a76a5b4470d6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (file missing) O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe (file missing) O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing) -- End of file - 6995 bytes

Thank you Dan. I will go and apply this fix to USB drive. Then I will let you know. Yuri

Thanks Dan. I will read all your suggestions and recomendations they are of a great value for me Also I will go and leave my mark on donations and "Stand Up and Be Counted!" page. I am currently thinking about the switch from Symantec to Kaspersky antivirus protection. But one thing still bothers my mind. Knowing my computer is clean at the moment it is scary to insert the memory stick into its socket. The memory stick has infection, as I understand. Please see below. Please advice how to clean it safely. ============================ Microsoft Windows XP [Version 5.1.2600] © Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Oksana>dir F:\ Volume in drive F is CORSAIR Volume Serial Number is 9C89-5C61 Directory of F:\ 05/03/2009 10:57 PM 14,929,905 klcodec470f.exe 25/03/2009 02:57 PM <DIR> RECYCLER 12/02/2009 11:28 AM <DIR> dosbox-0.70 18/02/2009 10:48 AM 2,876,720 mbam-setup.exe 2 File(s) 17,806,625 bytes 2 Dir(s) 989,200,384 bytes free C:\Documents and Settings\Oksana>dir F:\ /A Volume in drive F is CORSAIR Volume Serial Number is 9C89-5C61 Directory of F:\ 05/03/2009 10:57 PM 14,929,905 klcodec470f.exe 25/03/2009 03:01 PM 377 autorun.inf 25/03/2009 02:57 PM <DIR> RECYCLER 19/09/2008 12:10 AM <DIR> Recycled 09/10/2006 09:15 AM <DIR> Nokia Music Manager 12/02/2009 11:28 AM <DIR> dosbox-0.70 18/02/2009 10:48 AM 2,876,720 mbam-setup.exe 3 File(s) 17,807,002 bytes 4 Dir(s) 989,200,384 bytes free C:\Documents and Settings\Oksana> C:\Documents and Settings\Oksana>type F:\autorun.inf [autorun] ;rwtarldzqbleclgltduepvlzewevxkxglbqihkvztwpfvzmknynakcbrplfforuusleinfxgvkysynx kuqqoggnsy shellexecute="RECYCLER\S-9-4-75-100025816-100017017-100013772-5338.com f:\" ;pxemhheifqiyucdlxazilkxosbgjiuzhckwkcfigemubqeeyrnawsmmlptodhrtomnlqzmgytzwzfrj shell\Open\command="RECYCLER\S-9-4-75-100025816-100017017-100013772-5338.com f:\ " ;sjveoiogdiyudfudm shell=Open C:\Documents and Sett