Suspected infections on my computer

Solved
By becky329
Sep 6, 2010
  1. I noticed my computer running slowly lately and I have had a redirect on my Firefox. I have attached my logs.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4494

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    9/4/2010 2:12:43 PM
    mbam-log-2010-09-04 (14-12-43).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|)
    Objects scanned: 289029
    Time elapsed: 3 hour(s), 17 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{CA84156C-45F8-472E-9CEC-088CF2273354}\RP393\A0039945.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
  2. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    GMER log;

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-04 18:51:56
    Windows 5.1.2600 Service Pack 2
    Running: kolnxki3.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwlyrpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT F8B1641E ZwCreateKey
    SSDT F8B16414 ZwCreateThread
    SSDT F8B16423 ZwDeleteKey
    SSDT F8B1642D ZwDeleteValueKey
    SSDT F8B16432 ZwLoadKey
    SSDT F8B16400 ZwOpenProcess
    SSDT F8B16405 ZwOpenThread
    SSDT F8B1643C ZwReplaceKey
    SSDT F8B16437 ZwRestoreKey
    SSDT F8B16428 ZwSetValueKey
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEFDC60B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF80DFF80]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0090000A
    .text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes JMP 0091000A
    .text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 1 Byte [84]
    .text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 008F000C
    .text C:\WINDOWS\System32\svchost.exe[980] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00B9000A
    .text C:\WINDOWS\Explorer.EXE[1372] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\Explorer.EXE[1372] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00BB000A
    .text C:\WINDOWS\Explorer.EXE[1372] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B9000C
    .text C:\WINDOWS\system32\wuauclt.exe[2580] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0119000A
    .text C:\WINDOWS\system32\wuauclt.exe[2580] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 011A000A
    .text C:\WINDOWS\system32\wuauclt.exe[2580] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0118000C

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fastfat \Fat EED1CC8A

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
  3. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    DDS Log # 1

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 19:06:00.62 on Sat 09/04/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.146 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Wsisuy] rundll32.exe "c:\windows\dsdmsndp.dll",Startup
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\oeyzpp30.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-12 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-12 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-12 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-12 60936]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-12 88176]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

    =============== Created Last 30 ================

    2010-08-28 12:47:33 0 d--h--w- c:\windows\PIF

    ==================== Find3M ====================


    ============= FINISH: 19:07:15.06 ===============
  4. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    DDS log # 2

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/11/2009 10:06:41 PM
    System Uptime: 9/4/2010 5:47:12 PM (2 hours ago)

    Motherboard: Dell Computer Corp. | | 0WF887
    Processor: Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 53 GiB total, 16.78 GiB free.
    D: is FIXED (NTFS) - 75 GiB total, 19.012 GiB free.
    E: is FIXED (NTFS) - 18 GiB total, 18.436 GiB free.
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&1C660DD6&0&08F0
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&1C660DD6&0&08F0
    Service:

    ==== System Restore Points ===================

    RP333: 6/7/2010 1:32:28 AM - System Checkpoint
    RP334: 6/8/2010 2:32:24 AM - System Checkpoint
    RP335: 6/9/2010 5:47:16 AM - System Checkpoint
    RP336: 6/10/2010 6:21:07 AM - System Checkpoint
    RP337: 6/11/2010 3:48:28 PM - System Checkpoint
    RP338: 6/12/2010 5:37:08 PM - System Checkpoint
    RP339: 6/13/2010 6:32:48 PM - System Checkpoint
    RP340: 6/14/2010 7:49:19 PM - System Checkpoint
    RP341: 6/15/2010 8:05:04 PM - System Checkpoint
    RP342: 6/16/2010 9:05:01 PM - System Checkpoint
    RP343: 6/17/2010 10:29:50 PM - System Checkpoint
    RP344: 6/19/2010 9:10:27 AM - System Checkpoint
    RP345: 6/20/2010 9:32:03 AM - System Checkpoint
    RP346: 6/21/2010 5:54:00 PM - System Checkpoint
    RP347: 6/22/2010 6:48:00 PM - System Checkpoint
    RP348: 6/23/2010 7:36:19 PM - System Checkpoint
    RP349: 6/24/2010 10:07:22 PM - System Checkpoint
    RP350: 6/25/2010 10:51:08 PM - System Checkpoint
    RP351: 6/27/2010 12:03:09 AM - System Checkpoint
    RP352: 6/28/2010 12:51:10 AM - System Checkpoint
    RP353: 6/29/2010 1:51:10 AM - System Checkpoint
    RP354: 6/30/2010 2:27:41 AM - System Checkpoint
    RP355: 7/1/2010 6:07:43 AM - System Checkpoint
    RP356: 7/2/2010 10:49:32 PM - System Checkpoint
    RP357: 7/3/2010 11:43:52 PM - System Checkpoint
    RP358: 7/10/2010 9:33:55 PM - System Checkpoint
    RP359: 7/11/2010 9:56:05 PM - System Checkpoint
    RP360: 7/12/2010 10:30:21 PM - System Checkpoint
    RP361: 7/14/2010 5:36:45 AM - System Checkpoint
    RP362: 7/15/2010 6:55:31 PM - System Checkpoint
    RP363: 7/16/2010 8:36:59 PM - System Checkpoint
    RP364: 7/18/2010 8:54:29 AM - System Checkpoint
    RP365: 7/19/2010 9:13:46 AM - System Checkpoint
    RP366: 7/20/2010 10:13:48 AM - System Checkpoint
    RP367: 7/21/2010 7:12:07 PM - System Checkpoint
    RP368: 7/22/2010 9:04:58 PM - System Checkpoint
    RP369: 7/23/2010 9:43:16 PM - System Checkpoint
    RP370: 7/24/2010 10:05:38 PM - System Checkpoint
    RP371: 7/25/2010 10:51:04 PM - System Checkpoint
    RP372: 7/26/2010 11:20:41 PM - System Checkpoint
    RP373: 7/28/2010 4:44:16 AM - System Checkpoint
    RP374: 7/29/2010 5:46:39 AM - System Checkpoint
    RP375: 7/30/2010 5:49:54 AM - System Checkpoint
    RP376: 7/31/2010 5:54:23 AM - System Checkpoint
    RP377: 8/7/2010 7:44:06 PM - System Checkpoint
    RP378: 8/9/2010 7:57:13 AM - System Checkpoint
    RP379: 8/10/2010 7:42:26 PM - System Checkpoint
    RP380: 8/12/2010 9:05:13 PM - System Checkpoint
    RP381: 8/13/2010 9:07:29 PM - System Checkpoint
    RP382: 8/14/2010 11:09:03 PM - System Checkpoint
    RP383: 8/15/2010 11:39:31 PM - System Checkpoint
    RP384: 8/17/2010 12:39:29 AM - System Checkpoint
    RP385: 8/18/2010 1:36:08 AM - System Checkpoint
    RP386: 8/19/2010 5:32:04 AM - System Checkpoint
    RP387: 8/20/2010 6:28:57 AM - System Checkpoint
    RP388: 8/21/2010 11:04:25 PM - System Checkpoint
    RP389: 8/22/2010 11:31:14 PM - System Checkpoint
    RP390: 8/24/2010 6:15:16 AM - System Checkpoint
    RP391: 8/25/2010 7:01:07 AM - System Checkpoint
    RP392: 8/26/2010 8:50:00 PM - System Checkpoint
    RP393: 8/27/2010 9:15:50 PM - System Checkpoint
    RP394: 8/29/2010 6:22:57 AM - System Checkpoint
    RP395: 9/4/2010 8:49:16 AM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Parental Control
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    Dell Resource CD
    ERUNT 1.1j
    Free Studio version 4.2
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB835221
    HijackThis 1.99.1
    Hotfix for Windows XP (KB908673)
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Connections Drivers
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 16
    Malwarebytes' Anti-Malware
    McAfee SiteAdvisor
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Modem Helper
    Mozilla Firefox (3.6.8)
    MSN
    QuickTime
    Security Update for Windows XP (KB912812)
    SigmaTel Audio
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 9
    SUPERAntiSpyware Free Edition
    Uninstall 1.0.0.1
    Update for Windows XP (KB922120)
    Walmart MP3 Music Downloads
    WebFldrs XP
    Windows Internet Explorer 8
    Windows XP Hotfix - KB839210

    ==== Event Viewer Messages From Past Week ========

    9/4/2010 7:59:36 AM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    9/4/2010 7:59:36 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    9/4/2010 7:59:36 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    9/4/2010 7:59:36 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    9/4/2010 7:59:36 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    9/3/2010 7:20:53 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    8/30/2010 5:42:34 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    8/30/2010 5:42:34 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    8/29/2010 7:03:58 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer EMACHINES that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E54ADA1E-2228-4A2F. The master browser is stopping or an election is being forced.
    8/28/2010 9:02:02 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    8/28/2010 8:59:11 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SASDIFSV SASKUTIL ssmdrv
    8/28/2010 8:08:49 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/28/2010 8:08:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    8/28/2010 6:07:55 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    8/28/2010 10:19:19 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    8/28/2010 10:18:35 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    8/28/2010 10:17:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    ==== End Of File ===========================
  5. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    I do not use my computer for much more than surfing recipe sites, iPhone maintenance, reading blogs, ordering clothing online and connecting to my child's school site.

    ** I have also run a TDSS killer and can attach the log if needed.

    Thank you for any help you can give.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Welcome to TechSpot. I'll help with any malware. While I finish checking your logs, please run the following:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Make sure you re-enable your security programs, when you're done with Combofix.
    ===================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ====================================
    You can give me the TDSS Killer log since you have already run it. But if you have it running in the background, please either disable or uninstall it.

    Important
    Do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Becky, the system is infected with the Backdoor.Win32.Rbot.aag Worm. It is a network worm and IRC backdoor Trojan. W32/Rbot-AMG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Looks like it got on the system about 8/28.

    Because of its 'backdoor' capabilities, you should change all of your passwords and monitor any online financial transactions. If you have a network set up, it's advisable that you not connect as the infection could be passed on to other computers on the network.

    A 'Backdoor' is a program that provides attackers with remote access to infected computers. If your surfing involves any P2P or File Sharing programs, you should stop using these programs immediately.

    While we should be able to remove the current infection, caution is advised because it is not known what files may have been compromised.
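    Two things in Becky's logs stand out on a read-through: the GMER user-code section shows inline JMP hooks on ntdll exports in svchost.exe, Explorer.EXE and wuauclt.exe whose targets (0090000A, 00BA000A, 0118000C, ...) sit far below any system DLL, and the DDS report carries a uRun entry, [Wsisuy], that starts rundll32.exe with a DLL straight out of c:\windows. The script below is an added example, not part of this thread or of GMER/DDS: it parses those two line formats from the posted logs and flags the entries a helper would review first. The 0x70000000 address floor and the rundll32-from-Windows-root rule are assumptions used as heuristics.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the user-mode hook lines copied from the GMER log
# posted in this thread, and three Run entries copied from the DDS log (one of
# them the rundll32 line that loads a DLL straight out of c:\windows).
GMER_SAMPLE = r"""
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 1 Byte [84]
.text C:\WINDOWS\Explorer.EXE[1372] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\wuauclt.exe[2580] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0118000C
"""
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Wsisuy] rundll32.exe "c:\windows\dsdmsndp.dll",Startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
"""

# GMER ".text" line: image[pid] module!export address size Bytes JMP target,
# or "... 1 Byte [84]" for a raw byte patch.
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<function>\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes? "
    r"(?:JMP (?P<target>[0-9A-F]{8})|(?P<bytes>\[.*\]))$"
)
# DDS "Pseudo HJT Report" autorun line: uRun/mRun: [value name] command
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<command>.+)$")
# Heuristic (assumption): rundll32 loading a DLL that sits directly in the
# Windows directory rather than in system32 or under Program Files.
WINDIR_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.I)
# Heuristic (assumption): on 32-bit Windows XP the system DLLs (ntdll, kernel32,
# ole32, ...) are mapped high in the user range, so a detour whose target lies
# far below them most likely points at a privately allocated page.
SYSTEM_DLL_FLOOR = 0x70000000


@dataclass
class Hook:
    process: str            # image file name, e.g. svchost.exe
    pid: int
    function: str           # hooked export, e.g. ntdll.dll!NtProtectVirtualMemory
    address: int            # address of the patched bytes
    target: Optional[int]   # JMP destination; None for a raw byte patch
    patch: Optional[str]    # raw bytes written, e.g. "[84]"; None for a JMP


@dataclass
class RunEntry:
    hive: str               # 'u' = current user, 'm' = machine (DDS notation)
    name: str
    command: str
    reasons: List[str]      # why the entry was flagged; empty if it was not


def parse_gmer_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(
                process=m["image"].rsplit("\\", 1)[-1],
                pid=int(m["pid"]),
                function=f"{m['module']}!{m['function']}",
                address=int(m["addr"], 16),
                target=int(m["target"], 16) if m["target"] else None,
                patch=m["bytes"],
            ))
    return hooks


def suspicious_hooks(hooks: List[Hook]) -> List[Hook]:
    """JMPs that leave the system-DLL region, plus raw byte patches of exports."""
    return [h for h in hooks if h.target is None or h.target < SYSTEM_DLL_FLOOR]


def parse_run_entries(text: str) -> List[RunEntry]:
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            reasons = []
            if WINDIR_DLL_RE.search(m["command"]):
                reasons.append("rundll32 loads a DLL from the root of the Windows directory")
            entries.append(RunEntry(m["hive"], m["name"], m["command"], reasons))
    return entries


def triage(gmer_text: str, dds_text: str) -> dict:
    """Summary a helper reads first: which processes carry hooks, which autoruns to check."""
    hooks = parse_gmer_hooks(gmer_text)
    flagged = [e for e in parse_run_entries(dds_text) if e.reasons]
    return {
        "hooks_total": len(hooks),
        "hooks_suspicious": len(suspicious_hooks(hooks)),
        "hooked_processes": sorted({f"{h.process}[{h.pid}]" for h in hooks}),
        "flagged_autoruns": [f"{e.hive}Run [{e.name}]: {e.command}" for e in flagged],
    }


if __name__ == "__main__":
    for key, value in triage(GMER_SAMPLE, DDS_SAMPLE).items():
        print(f"{key}: {value}")
```

A security product's own hooks normally jump into that product's DLL, which the address floor leaves unflagged; everything this log shows lands below it.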
  8. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    I am attaching the TDSS killer log. I hate to admit it but I have gotten to the limit of my computer knowledge/ability. My husband says he will help me close and disable my programs this afternoon. (He is painting his Jeep mirrors this morning). Thank you for your assistance.


    2010/09/04 19:29:11.0312 TDSS rootkit removing tool 2.4.2.0 Sep 3 2010 10:26:06
    2010/09/04 19:29:11.0312 ================================================================================
    2010/09/04 19:29:11.0312 SystemInfo:
    2010/09/04 19:29:11.0312
    2010/09/04 19:29:11.0312 OS Version: 5.1.2600 ServicePack: 2.0
    2010/09/04 19:29:11.0312 Product type: Workstation
    2010/09/04 19:29:11.0312 ComputerName: DELLDE051
    2010/09/04 19:29:11.0312 UserName: Owner
    2010/09/04 19:29:11.0312 Windows directory: C:\WINDOWS
    2010/09/04 19:29:11.0312 System windows directory: C:\WINDOWS
    2010/09/04 19:29:11.0312 Processor architecture: Intel x86
    2010/09/04 19:29:11.0312 Number of processors: 1
    2010/09/04 19:29:11.0312 Page size: 0x1000
    2010/09/04 19:29:11.0312 Boot type: Normal boot
    2010/09/04 19:29:11.0312 ================================================================================
    2010/09/04 19:29:14.0968 Initialize success
    2010/09/04 19:29:18.0796 ================================================================================
    2010/09/04 19:29:18.0796 Scan started
    2010/09/04 19:29:18.0796 Mode: Manual;
    2010/09/04 19:29:18.0796 ================================================================================
    2010/09/04 19:29:20.0187 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/09/04 19:29:20.0281 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/09/04 19:29:20.0437 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    2010/09/04 19:29:20.0562 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
    2010/09/04 19:29:20.0906 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/09/04 19:29:21.0031 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/09/04 19:29:21.0140 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/09/04 19:29:21.0296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/09/04 19:29:21.0437 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2010/09/04 19:29:21.0515 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2010/09/04 19:29:21.0562 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2010/09/04 19:29:21.0687 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/09/04 19:29:21.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/09/04 19:29:21.0984 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/09/04 19:29:22.0093 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/09/04 19:29:22.0218 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/09/04 19:29:22.0328 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
    2010/09/04 19:29:22.0578 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/09/04 19:29:22.0703 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/09/04 19:29:22.0859 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2010/09/04 19:29:22.0984 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/09/04 19:29:23.0093 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/09/04 19:29:23.0250 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/09/04 19:29:23.0375 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/09/04 19:29:23.0515 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/09/04 19:29:23.0656 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/09/04 19:29:23.0781 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2010/09/04 19:29:23.0875 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/09/04 19:29:24.0015 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2010/09/04 19:29:24.0156 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/09/04 19:29:24.0296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/09/04 19:29:24.0421 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2010/09/04 19:29:24.0562 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/09/04 19:29:24.0687 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/09/04 19:29:24.0890 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/09/04 19:29:25.0171 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\drivers\i8042prt.sys
    2010/09/04 19:29:25.0343 ialm (0294a30b302ca71a2c26e582dda93486) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2010/09/04 19:29:25.0531 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/09/04 19:29:25.0687 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/09/04 19:29:25.0812 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/09/04 19:29:25.0906 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2010/09/04 19:29:26.0015 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/09/04 19:29:26.0109 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/09/04 19:29:26.0187 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/09/04 19:29:26.0359 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/09/04 19:29:26.0484 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/09/04 19:29:26.0578 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/09/04 19:29:26.0703 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/09/04 19:29:26.0859 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/09/04 19:29:26.0953 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/09/04 19:29:27.0109 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/09/04 19:29:27.0281 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/09/04 19:29:27.0437 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2010/09/04 19:29:27.0546 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/09/04 19:29:27.0671 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/09/04 19:29:27.0750 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/09/04 19:29:27.0937 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/09/04 19:29:28.0078 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/09/04 19:29:28.0312 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/09/04 19:29:28.0437 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/09/04 19:29:28.0531 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/09/04 19:29:28.0625 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/09/04 19:29:28.0718 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/09/04 19:29:28.0828 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/09/04 19:29:28.0953 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/09/04 19:29:29.0078 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/09/04 19:29:29.0187 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/09/04 19:29:29.0328 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/09/04 19:29:29.0453 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/09/04 19:29:29.0578 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/09/04 19:29:29.0687 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/09/04 19:29:29.0796 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/09/04 19:29:29.0953 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/09/04 19:29:30.0140 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/09/04 19:29:30.0234 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/09/04 19:29:30.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/09/04 19:29:30.0484 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/09/04 19:29:30.0593 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/09/04 19:29:30.0687 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/09/04 19:29:30.0781 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/09/04 19:29:30.0968 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
    2010/09/04 19:29:31.0062 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/09/04 19:29:31.0390 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/09/04 19:29:31.0500 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/09/04 19:29:31.0593 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/09/04 19:29:31.0859 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/09/04 19:29:31.0937 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/09/04 19:29:32.0046 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/09/04 19:29:32.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/09/04 19:29:32.0281 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/09/04 19:29:32.0406 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/09/04 19:29:32.0531 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/09/04 19:29:32.0703 redbook (0190248bbe3985a47cf3c03180d8c16b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/09/04 19:29:32.0718 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: 0190248bbe3985a47cf3c03180d8c16b, Fake md5: b31b4588e4086d8d84adbf9845c2402b
    2010/09/04 19:29:32.0718 redbook - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/09/04 19:29:32.0812 rspndr (a3b23fb3f295694091f51865f98588b2) C:\WINDOWS\system32\DRIVERS\rspndr.sys
    2010/09/04 19:29:32.0953 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2010/09/04 19:29:33.0015 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    2010/09/04 19:29:33.0078 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    2010/09/04 19:29:33.0234 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/09/04 19:29:33.0390 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    2010/09/04 19:29:33.0640 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/09/04 19:29:33.0703 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/09/04 19:29:33.0812 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/09/04 19:29:33.0953 smwdm (0066ff77aeb4ae70066f7e94d5a6d866) C:\WINDOWS\system32\drivers\smwdm.sys
    2010/09/04 19:29:34.0156 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2010/09/04 19:29:34.0265 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/09/04 19:29:34.0359 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/09/04 19:29:34.0546 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2010/09/04 19:29:34.0640 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/09/04 19:29:34.0750 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/09/04 19:29:34.0953 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/09/04 19:29:35.0093 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/09/04 19:29:35.0281 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/09/04 19:29:35.0343 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/09/04 19:29:35.0468 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/09/04 19:29:35.0625 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/09/04 19:29:35.0828 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/09/04 19:29:36.0015 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2010/09/04 19:29:36.0125 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/09/04 19:29:36.0265 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/09/04 19:29:36.0375 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/09/04 19:29:36.0531 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/09/04 19:29:36.0640 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/09/04 19:29:36.0750 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2010/09/04 19:29:36.0890 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/09/04 19:29:37.0031 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/09/04 19:29:37.0171 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/09/04 19:29:37.0343 ================================================================================
    2010/09/04 19:29:37.0343 Scan finished
    2010/09/04 19:29:37.0343 ================================================================================
    2010/09/04 19:29:37.0375 Detected object count: 1
    2010/09/04 19:30:38.0312 redbook (0190248bbe3985a47cf3c03180d8c16b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/09/04 19:30:38.0312 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: 0190248bbe3985a47cf3c03180d8c16b, Fake md5: b31b4588e4086d8d84adbf9845c2402b
    2010/09/04 19:30:39.0046 Backup copy found, using it..
    2010/09/04 19:30:39.0062 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured after reboot
    2010/09/04 19:30:39.0062 Rootkit.Win32.TDSS.tdl3(redbook) - User select action: Cure
    2010/09/04 19:30:48.0234 Deinitialize success
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Just keep in mind, if you would like me to continue helping you, please advise him I have requested this:
    You should be able to run Combofix and the Eset scan easily with my directions. The only programs you need to disable for them are the security programs. All I see is AVIRA ANTIVIR.
    • Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
      • Right click on the Avira icon> Click to Uncheck the option AntiVir Guard enable.
      • You should now see a closed, white umbrella on a red background.
    You successfully disabled the AntiVir Guard.
  10. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    Here's the combo fix log, running Eset next.

    ComboFix 10-09-06.03 - Owner 09/06/2010 17:04:29.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.222 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\1028_DELL_XPS_Dell DE051 .MRK
    c:\windows\system32\drivers\DELL_XPS_Dell DE051 .MRK

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
    .

    2010-09-06 10:33 . 2010-09-06 10:33 -------- d-----w- c:\windows\LastGood
    2010-08-28 13:04 . 2010-08-28 13:04 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-08-28 13:01 . 2010-08-28 13:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-28 13:00 . 2010-08-28 13:00 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-08-28 12:47 . 2010-08-28 12:47 -------- d--h--w- c:\windows\PIF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-04 23:31 . 2009-07-11 21:55 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
    2010-08-28 22:07 . 2009-07-13 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-28 13:02 . 2009-07-12 13:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-28 11:35 . 2009-07-12 13:53 -------- d-----w- c:\program files\McAfee
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-19 1998576]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-12 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-10 22:45 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 10:17 AM 135336]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/12/2009 9:54 AM 88176]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMDB
    *Deregistered* - klmd25
    *Deregistered* - klmdb
    *Deregistered* - pwlyrpod
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{187F1E56-F43A-4693-880F-D322638AB6C3}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oeyzpp30.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Wsisuy - c:\windows\dsdmsndp.dll
    SafeBoot-klmdb.sys
    AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-06 17:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(616)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    Completion time: 2010-09-06 17:10:52
    ComboFix-quarantined-files.txt 2010-09-06 21:10

    Pre-Run: 17,839,386,624 bytes free
    Post-Run: 17,837,453,312 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 03F294DD4B4707BDFF372FB2B9C538B5
  11. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    Here is my ESET log.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=c151dfeac91d5d4fae6cc7009719ee70
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-09-06 10:25:24
    # local_time=2010-09-06 06:25:24 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=1797 16775141 100 100 0 57761250 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=164586
    # found=4
    # cleaned=0
    # scan_time=4042
    D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Inbox HTML/Phishing.gen trojan 00000000000000000000000000000000 I
    D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Trash multiple threats 00000000000000000000000000000000 I
    D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats 00000000000000000000000000000000 I
    D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Inbox.dbx HTML/Phishing.gen trojan 00000000000000000000000000000000 I
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Becky, I'd like you to handle the entries in the Eset log first:

    Please download OTMoveIt by OldTimer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      :Services
      :Reg
      
      :Files 
      D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Inbox 
      D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Trash 
      D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Deleted Items.dbx 
      D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Inbox.dbx 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    HTML.Phishing.gen trojan: See this http://en.wikipedia.org/wiki/Phishing

    It appears that you have email accounts with both Thunderbird and Outlook Express. Most likely, these entries are for attachments you opened in the email. I don't know if removing just these entries will handle the problem, so after you have run OTMoveIt, I'd like you to reboot, then run another Eset scan.

    If necessary, I will instruct you in removing the OE Deleted Items.dbx and OE Inbox.dbx Store boxes. I will handle Combofix separately. In the meantime, please do not open or save any new attachments in either Thunderbird or OE.
  13. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    OTM log attached.

    The Thunderbird account belongs to my husband's D drive that had to be installed in my computer when his motherboard died. He has another computer now and we only keep the drive because it has history on it. If needed we can delete Thunderbird and OE off the D drive on this computer.

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Inbox moved successfully.
    D:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Trash moved successfully.
    D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Deleted Items.dbx moved successfully.
    D:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Inbox.dbx moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 655494 bytes
    ->Flash cache emptied: 1823 bytes

    User: Owner
    ->Temp folder emptied: 307280 bytes
    ->Temporary Internet Files folder emptied: 1091220 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 46133832 bytes
    ->Flash cache emptied: 3868 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 46.00 mb


    OTM by OldTimer - Version 3.1.15.0 log created on 09072010_182441

    Files moved on Reboot...

    Registry entries deleted on Reboot...
  14. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    Eset scan number 2

    C:\_OTM\MovedFiles\09072010_182441\D_Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Inbox HTML/Phishing.gen trojan
    C:\_OTM\MovedFiles\09072010_182441\D_Documents and Settings\Owner\Application Data\Thunderbird\Profiles\2bybbyq3.default\Mail\Local Folders\Trash multiple threats
    C:\_OTM\MovedFiles\09072010_182441\D_Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats
    C:\_OTM\MovedFiles\09072010_182441\D_Documents and Settings\Owner\Local Settings\Application Data\Identities\{ACC631EB-A4F2-4FE2-BBC2-D01983609247}\Microsoft\Outlook Express\Inbox.dbx HTML/Phishing.gen trojan
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay good. Looks like you were able to remove the individual emails. Are you still noticing any redirects?

    Please run this Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    c:\windows\PIF
    c:\documents and settings\Administrator\IETldCache
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    =============================
    You have 2 outdated versions of Java on the system. Please use Add/Remove Programs in the Control Panel to uninstall all but the current v6u21 of Java.
  16. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    Thank you for all of your time and help. My internet has stopped redirecting. I knew something was wrong, but I could never have fixed it on my own!!!

    ComboFix log attached.

    ComboFix 10-09-08.01 - Owner 09/08/2010 19:36:16.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.277 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\IETldCache
    c:\documents and settings\Administrator\IETldCache\index.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
    .

    2010-09-07 22:24 . 2010-09-07 22:24 -------- d-----w- C:\_OTM
    2010-09-06 21:14 . 2010-09-06 21:14 -------- d-----w- c:\program files\ESET
    2010-08-28 13:04 . 2010-08-28 13:04 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-08-28 13:01 . 2010-08-28 13:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-28 12:47 . 2010-08-28 12:47 -------- d--h--w- c:\windows\PIF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-04 23:31 . 2009-07-11 21:55 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
    2010-08-28 22:07 . 2009-07-13 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-28 13:02 . 2009-07-12 13:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-28 11:35 . 2009-07-12 13:53 -------- d-----w- c:\program files\McAfee
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-06_21.08.28 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-07 22:27 . 2010-09-07 22:27 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
    + 2009-07-12 02:01 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
    + 2009-07-12 02:01 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
    + 2010-09-07 22:29 . 2010-09-07 22:29 176128 c:\windows\ERDNT\AutoBackup\9-7-2010\Users\00000002\UsrClass.dat
    + 2010-09-07 22:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-7-2010\ERDNT.EXE
    + 2010-09-06 22:44 . 2010-09-06 22:44 176128 c:\windows\ERDNT\AutoBackup\9-6-2010\Users\00000002\UsrClass.dat
    + 2010-09-06 22:44 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-6-2010\ERDNT.EXE
    + 2010-09-07 22:29 . 2010-09-07 22:29 2035712 c:\windows\ERDNT\AutoBackup\9-7-2010\Users\00000001\NTUSER.DAT
    + 2010-09-06 22:44 . 2010-09-06 22:44 2031616 c:\windows\ERDNT\AutoBackup\9-6-2010\Users\00000001\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-19 1998576]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-12 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-10 22:45 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 10:17 AM 135336]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/12/2009 9:54 AM 88176]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{187F1E56-F43A-4693-880F-D322638AB6C3}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oeyzpp30.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-08 19:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(616)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    Completion time: 2010-09-08 19:43:05
    ComboFix-quarantined-files.txt 2010-09-08 23:42
    ComboFix2.txt 2010-09-06 21:10

    Pre-Run: 17,357,836,288 bytes free
    Post-Run: 17,351,729,152 bytes free

    - - End Of File - - 273244992A587FCEDEB8082E17C091CC
  17. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    While I am working on my computer, could you help me disinfect/check a 1.0 GB SanDisk mini Cruzer thumb drive? I am afraid to use it now that my computer is cured.

    Thank you
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Flash Drive Disinfector:
    Threat Removal Procedure:

    [1]. Download Flash_Disinfector and save it to your Desktop.
    [2]. After downloading, double-click on Flash_Disinfector to run it.
    [3]. Just follow the prompts and continue until it begins scanning.
    [IMG]
    [4]. If asked to insert your flash drive or any removable device, including USB pen drives and memory sticks, please do so.
    [5]. It will scan removable drives; wait for the scan to finish. Done.

    Becky, there is one entry that didn't get removed by the script. I will need to examine the contents, so run this CFScript one more time:

    [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    DirLook::
    c:\windows\PIF
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ====================
    Edit: Before I forget, you have 2 old versions of Java still on the system. Please go to Add/Remove Programs in the Control Panel and uninstall all Java except v6u21.
  19. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    Here is the combo fix log. I removed the other Java and the computer seems to be running ok.

    Thank you
    Becky

    ComboFix 10-09-09.03 - Owner 09/09/2010 18:43:32.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.299 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
    .

    2010-09-07 22:24 . 2010-09-07 22:24 -------- d-----w- C:\_OTM
    2010-09-06 21:14 . 2010-09-06 21:14 -------- d-----w- c:\program files\ESET
    2010-08-28 13:04 . 2010-08-28 13:04 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-08-28 13:01 . 2010-08-28 13:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-28 12:47 . 2010-08-28 12:47 -------- d--h--w- c:\windows\PIF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-08 23:54 . 2009-07-12 03:30 -------- d-----w- c:\program files\Java
    2010-09-04 23:31 . 2009-07-11 21:55 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
    2010-08-28 22:07 . 2009-07-13 01:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-28 13:02 . 2009-07-12 13:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-28 11:35 . 2009-07-12 13:53 -------- d-----w- c:\program files\McAfee
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\windows\PIF ----



    ((((((((((((((((((((((((((((( SnapShot@2010-09-06_21.08.28 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-07 22:27 . 2010-09-07 22:27 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
    + 2009-07-12 02:01 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
    + 2009-07-12 02:01 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
    + 2010-09-07 22:29 . 2010-09-07 22:29 176128 c:\windows\ERDNT\AutoBackup\9-7-2010\Users\00000002\UsrClass.dat
    + 2010-09-07 22:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-7-2010\ERDNT.EXE
    + 2010-09-06 22:44 . 2010-09-06 22:44 176128 c:\windows\ERDNT\AutoBackup\9-6-2010\Users\00000002\UsrClass.dat
    + 2010-09-06 22:44 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-6-2010\ERDNT.EXE
    + 2010-09-07 22:29 . 2010-09-07 22:29 2035712 c:\windows\ERDNT\AutoBackup\9-7-2010\Users\00000001\NTUSER.DAT
    + 2010-09-06 22:44 . 2010-09-06 22:44 2031616 c:\windows\ERDNT\AutoBackup\9-6-2010\Users\00000001\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-19 1998576]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-12 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-10 22:45 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/12/2009 10:17 AM 135336]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/12/2009 9:54 AM 88176]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - APPMGMT
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-09-09 c:\windows\Tasks\User_Feed_Synchronization-{187F1E56-F43A-4693-880F-D322638AB6C3}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oeyzpp30.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-09 18:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(616)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    - - - - - - - > 'explorer.exe'(1184)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-09-09 18:50:18
    ComboFix-quarantined-files.txt 2010-09-09 22:50
    ComboFix2.txt 2010-09-08 23:43
    ComboFix3.txt 2010-09-06 21:10

    Pre-Run: 17,329,086,464 bytes free
    Post-Run: 17,322,184,704 bytes free

    - - End Of File - - E3819B876B472C973168F059F7F58063
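    The helper reads the two ComboFix logs above (posts 16 and 19) side by side to see which "Reg Loading Points" autoruns changed between runs. As an added example, not the forum's, the helper's or ComboFix's own code, the Python below parses that section from two logs and lists entries that appeared, vanished or changed; the two embedded log excerpts are constructed from the thread's entries, and the "ExampleUpdater" entry and the altered SUPERAntiSpyware date are invented to show what a reportable difference looks like. Real logs are read from C:\ComboFix.txt.

```python
"""Diff the 'Reg Loading Points' autorun entries between two ComboFix logs.

Added example for this thread; not ComboFix's code nor the helper's own.
The two log excerpts below are constructed from entries in the thread;
the "ExampleUpdater" entry and the changed SUPERAntiSpyware date are
invented to demonstrate a detection.
"""
import re
from typing import Dict, List, Tuple

# One autorun line, e.g.
#   "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"\s*'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# A registry key header, e.g. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')

Entry = Tuple[str, str, int]             # (path, file date, file size)
EntryMap = Dict[Tuple[str, str], Entry]  # (registry key, value name) -> Entry


def parse_loading_points(log: str) -> EntryMap:
    """Collect name=path autorun entries, grouped by the [key] header above them.

    ComboFix prints key names in inconsistent case, so keys and paths are
    lower-cased to make two logs comparable. Anything else (Find3M rows,
    service lines, separators, firewall entries with no path) is skipped.
    """
    entries: EntryMap = {}
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key").lower()
            continue
        entry_match = ENTRY_RE.match(line)
        if key is not None and entry_match:
            entries[(key, entry_match.group("name"))] = (
                entry_match.group("path").lower(),
                entry_match.group("date"),
                int(entry_match.group("size")),
            )
    return entries


def diff_loading_points(old: EntryMap, new: EntryMap) -> Dict[str, List[Tuple[str, str]]]:
    """Return the entries that appeared, disappeared, or changed path/date/size."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }


def format_report(diff: Dict[str, List[Tuple[str, str]]], old: EntryMap, new: EntryMap) -> List[str]:
    """Render the diff as one line per finding, the way a helper would quote it back."""
    lines = []
    for key, name in diff["added"]:
        lines.append(f"+ [{key}] {name} -> {new[(key, name)][0]}")
    for key, name in diff["removed"]:
        lines.append(f"- [{key}] {name} -> {old[(key, name)][0]}")
    for key, name in diff["changed"]:
        lines.append(f"~ [{key}] {name}: {old[(key, name)]} -> {new[(key, name)]}")
    return lines


# Constructed excerpt in the shape of the first log above (post 16).
OLD_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-19 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
"""

# Constructed "later run": SunJavaUpdateSched gone, an invented entry added,
# and the SUPERAntiSpyware file date changed (simulating a replaced binary).
NEW_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-09 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"ExampleUpdater"="c:\constructed\updater.exe" [2010-09-09 4096]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"""

if __name__ == "__main__":
    before, after = parse_loading_points(OLD_LOG), parse_loading_points(NEW_LOG)
    for report_line in format_report(diff_loading_points(before, after), before, after):
        print(report_line)
```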
  20. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    I downloaded Flash Disinfector and Avira has blocked "G:Autorun.inf". Is this the program or something bad on the thumb drive? I did not proceed until I have confirmation ........

    Becky
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I noticed you also have McAfee on the system. You have downloaded the Flash Disinfector program, right? Go Offline- File> Work Offline> Disable Avira> then run the disinfector.
  22. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    I used the disinfector ... nothing seemed to happen? Not sure what I was expecting though.

    Do I need McAfee? Should I disable?
  23. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    I am sorry I did not respond sooner, I have been working on another computer in the house that shares a home network. I decided to clean them all up at once so we don't share our viruses.

    This computer seems to be back in working order. I have not noticed anything suspicious today. Thank you.

    Becky
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I saw McAfee but it's only the site advisor so I left it:

    Please run this CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\program files\mcafee\siteadvisor\McSACore.exe
    Folder::
    c:\program files\McAfee
    c:\windows\PIF
    DDS::
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    
    Extra::
    File::
    c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    Firefox::
    Firefox-: -  Profile - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\oeyzpp30.default\
    
    Driver::
    McAfee SiteAdvisor Service
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Can you scan the flash drive with Eset Nod32, the online scan?
  25. becky329

    becky329 Newcomer, in training Topic Starter Posts: 67

    I will try the Eset scan. Combo fix log attached:

    ComboFix 10-09-13.01 - Owner 09/13/2010 19:10:45.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.268 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point

    FILE ::
    "c:\program files\mcafee\siteadvisor\components\McFFPlg.dll"
    "c:\program files\mcafee\siteadvisor\McSACore.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\progra~1\mcafee\sitead~1\mcieplg.dll
    c:\program files\McAfee
    c:\program files\McAfee\SiteAdvisor\ActUtil.exe
    c:\program files\McAfee\SiteAdvisor\apengine.dll
    c:\program files\McAfee\SiteAdvisor\chrome.manifest
    c:\program files\McAfee\SiteAdvisor\cntscan.dll
    c:\program files\McAfee\SiteAdvisor\Components\IMcFFPlg.xpt
    c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    c:\program files\McAfee\SiteAdvisor\content.dat
    c:\program files\McAfee\SiteAdvisor\contents.rdf
    c:\program files\McAfee\SiteAdvisor\default.txt
    c:\program files\McAfee\SiteAdvisor\Download\s1qk
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.1
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.2
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.3
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.4
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.5
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.6
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.7
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.8
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.9
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.a
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.b
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.c
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.d
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.e
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.f
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.g
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.h
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.i
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.j
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.k
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.l
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.m
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.n
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.o
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.p
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.q
    c:\program files\McAfee\SiteAdvisor\Download\s1qk.r
    c:\program files\McAfee\SiteAdvisor\Download\s1uc
    c:\program files\McAfee\SiteAdvisor\Download\s1uc.1
    c:\program files\McAfee\SiteAdvisor\Download\s1uc.2
    c:\program files\McAfee\SiteAdvisor\Download\s1uc.3
    c:\program files\McAfee\SiteAdvisor\Download\s1uc.4
    c:\program files\McAfee\SiteAdvisor\elist.dat
    c:\program files\McAfee\SiteAdvisor\ffplg.inf
    c:\program files\McAfee\SiteAdvisor\ieplg.inf
    c:\program files\McAfee\SiteAdvisor\install.rdf
    c:\program files\McAfee\SiteAdvisor\mcbrwctl.dll
    c:\program files\McAfee\SiteAdvisor\mcfrmwk.dll
    c:\program files\McAfee\SiteAdvisor\McIEPlg.dll
    c:\program files\McAfee\SiteAdvisor\McPlgUI.dll
    c:\program files\mcafee\siteadvisor\McSACore.exe
    c:\program files\McAfee\SiteAdvisor\McSACorePS.dll
    c:\program files\McAfee\SiteAdvisor\msacmain.inf
    c:\program files\McAfee\SiteAdvisor\sa_cache_sqlite.dll
    c:\program files\McAfee\SiteAdvisor\sa_http_win32.dll
    c:\program files\McAfee\SiteAdvisor\SA_indep.inf
    c:\program files\McAfee\SiteAdvisor\SA_main.inf
    c:\program files\McAfee\SiteAdvisor\sa_mbl.dll
    c:\program files\McAfee\SiteAdvisor\sa_store_sqlite.dll
    c:\program files\McAfee\SiteAdvisor\SA_win32.inf
    c:\program files\McAfee\SiteAdvisor\sac.inf
    c:\program files\McAfee\SiteAdvisor\sachook.inf
    c:\program files\McAfee\SiteAdvisor\sacimg.inf
    c:\program files\McAfee\SiteAdvisor\sacomm.inf
    c:\program files\McAfee\SiteAdvisor\sacore.dll
    c:\program files\McAfee\SiteAdvisor\sacore.inf
    c:\program files\McAfee\SiteAdvisor\sacres.inf
    c:\program files\McAfee\SiteAdvisor\safelocalization.inf
    c:\program files\McAfee\SiteAdvisor\sahook.dll
    c:\program files\McAfee\SiteAdvisor\saplugin.dll
    c:\program files\McAfee\SiteAdvisor\sares.dll
    c:\program files\McAfee\SiteAdvisor\SASet.dll
    c:\program files\McAfee\SiteAdvisor\saSets.ini
    c:\program files\McAfee\SiteAdvisor\SaSSHMod.dll
    c:\program files\McAfee\SiteAdvisor\saupkeep.dll
    c:\program files\McAfee\SiteAdvisor\Scripts\balloon.html
    c:\program files\McAfee\SiteAdvisor\Scripts\balloon_logo.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\balloon_logo_plus.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\blackpixel.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\bullet.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_black.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_black_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_disabled.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_green.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_green_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_grey.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_grey_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_hs.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_hs_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_red.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_red_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_yellow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\button_yellow_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\common.js
    c:\program files\McAfee\SiteAdvisor\Scripts\contents.rdf
    c:\program files\McAfee\SiteAdvisor\Scripts\corner-solid.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\cornersm-hollow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\cornersm-solid.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\down_arrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\download_careful.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\download_unsafe.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\empty.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\error-icon.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\favicon.ico
    c:\program files\McAfee\SiteAdvisor\Scripts\g.png
    c:\program files\McAfee\SiteAdvisor\Scripts\g_banner_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_banner_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_banner_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_banner_sep.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_bottom_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_bottom_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_bottom_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_bottom_sep.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_facet.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_footer_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_footer_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_footer_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_header_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_header_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_header_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_icon.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\g_upsell_border.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\gl.png
    c:\program files\McAfee\SiteAdvisor\Scripts\gleftarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\gllc.png
    c:\program files\McAfee\SiteAdvisor\Scripts\glrc.png
    c:\program files\McAfee\SiteAdvisor\Scripts\gr.png
    c:\program files\McAfee\SiteAdvisor\Scripts\green.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\greenbubble.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\greendownarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\greenuparrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\grightarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\gul.png
    c:\program files\McAfee\SiteAdvisor\Scripts\gulc.png
    c:\program files\McAfee\SiteAdvisor\Scripts\gurc.png
    c:\program files\McAfee\SiteAdvisor\Scripts\hackersafe.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\hs.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\hs_icon.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\inst-background.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\inst-top.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\inst-xup.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\large-buttonC.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\large-buttonL.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\large-buttonR.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\cs-CZ\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\cs-CZ\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\da-DK\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\da-DK\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\de-DE\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\de-DE\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\el-GR\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\el-GR\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-AU\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-AU\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-CA\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-CA\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-GB\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-GB\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-IE\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-IE\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-US\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\en-US\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-AR\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-AR\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-CL\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-CL\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-ES\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-ES\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-MX\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-MX\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-PE\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\es-PE\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\fi-FI\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\fi-FI\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\fr-CA\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\fr-CA\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\fr-FR\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\fr-FR\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\hu-HU\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\hu-HU\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\it-IT\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\it-IT\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\ja-JP\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\ja-JP\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\ko-KR\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\ko-KR\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\nb-NO\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\nb-NO\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\nl-NL\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\nl-NL\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\no-NO\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\no-NO\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\pl-PL\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\pl-PL\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\pt-BR\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\pt-BR\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\pt-PT\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\pt-PT\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\ru-RU\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\ru-RU\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\sk-SK\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\sk-SK\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\sv-SE\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\sv-SE\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\tr-TR\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\tr-TR\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\zh-CN\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\zh-CN\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\zh-TW\FF\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\locale\zh-TW\IE\safe.css
    c:\program files\McAfee\SiteAdvisor\Scripts\main.js
    c:\program files\McAfee\SiteAdvisor\Scripts\mainff.js
    c:\program files\McAfee\SiteAdvisor\Scripts\mcafee_logo.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\mcafee_yahoo_cobranded_toolbar.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\mcafeesiteadvisor.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\mcwedge.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_arrow_down.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_arrow_up.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_black.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_black_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_disabled.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_green.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_green_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_grey.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_grey_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_hs.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_hs_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_red.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_red_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_yellow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\nb_button_yellow_lock.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\protectedmode.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\protection.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\protmode-off.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\protmode-on.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\question-icon.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r.png
    c:\program files\McAfee\SiteAdvisor\Scripts\r_banner_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_banner_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_banner_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_banner_sep.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_bottom_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_bottom_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_bottom_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_bottom_sep.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_facet.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_footer_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_footer_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_footer_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_header_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_header_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_header_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_header_r_nox.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_icon.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\r_upsell_border.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\red.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\redarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\redbubble.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\reddownarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\reduparrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\rl.png
    c:\program files\McAfee\SiteAdvisor\Scripts\rleftarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\rllc.png
    c:\program files\McAfee\SiteAdvisor\Scripts\rlrc.png
    c:\program files\McAfee\SiteAdvisor\Scripts\rr.png
    c:\program files\McAfee\SiteAdvisor\Scripts\rrightarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\rul.png
    c:\program files\McAfee\SiteAdvisor\Scripts\rulc.png
    c:\program files\McAfee\SiteAdvisor\Scripts\rurc.png
    c:\program files\McAfee\SiteAdvisor\Scripts\sa-logo-plus.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\sa-logo.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\safe-facet-green.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\safe-facet-red.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\safe-facet-white.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\safe-facet-yellow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\safe.xul
    c:\program files\McAfee\SiteAdvisor\Scripts\safe_ff.js
    c:\program files\McAfee\SiteAdvisor\Scripts\safe_ie.js
    c:\program files\McAfee\SiteAdvisor\Scripts\safesearch.dat
    c:\program files\McAfee\SiteAdvisor\Scripts\safesearch.js
    c:\program files\McAfee\SiteAdvisor\Scripts\saffplg.js
    c:\program files\McAfee\SiteAdvisor\Scripts\SAPlus-graphic.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\searchglass.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\selected_tab.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\siteadvisor.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\SliderA1.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\SliderA2.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\SliderA3.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\SliderA4.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\SliderD1.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\SliderD2.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\SliderD3.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\SliderD4.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\small-buttonC.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\small-buttonL.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\small-buttonR.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\unselected_tab.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\untested.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_banner_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_banner_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_banner_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_banner_sep.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_bottom_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_bottom_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_bottom_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_bottom_sep.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_footer_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_footer_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_footer_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_header_c.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_header_l.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_header_r.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_icon.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\w_upsell_border.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\whitebubble.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\whitedownarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\whiteuparrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\wleftarrow.gif
    c:\program files\McAfee\SiteAdvisor\Scripts\wrightarrow.gif