please can you help-some kind of virus

I can't get in to anything. I had go into safe mode to get to here. Got your name from a friend. Don't know where to start...

Hi

Please attempt to log in to Safe Mode with Networking.

Rooter Rootkit Detector - Download

Download Rooter.exe to your desktop

1. Double click it to start the tool.
   
2. A Notepad file containing the report will open, also found at
   %systemdrive%(usually C:)\Rooter.txt. Post that log in your next reply.
   

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 23 Stepping 6, GenuineIntel
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:298 Go - Free:289 Go )
D:\ [CD_Rom]
F:\ [Removable]
.
Scan : 15:08.59
Path : C:\Documents and Settings\Nadine\Local Settings\Temporary Internet Files\Content.IE5\GUQ3SIP0\Rooter[1].exe
User : Nadine ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (536)
______ \??\C:\WINDOWS\system32\csrss.exe (596)
______ \??\C:\WINDOWS\system32\winlogon.exe (620)
______ C:\WINDOWS\system32\services.exe (664)
______ C:\WINDOWS\system32\lsass.exe (676)
______ C:\WINDOWS\system32\svchost.exe (864)
______ C:\WINDOWS\system32\svchost.exe (948)
______ C:\WINDOWS\system32\svchost.exe (1120)
______ C:\WINDOWS\system32\svchost.exe (1208)
______ C:\WINDOWS\system32\svchost.exe (1308)
______ C:\WINDOWS\Explorer.EXE (1592)
______ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (1688)
______ C:\Program Files\McAfee\MPF\MPFSrv.exe (1760)
______ c:\PROGRA~1\mcafee.com\agent\mcagent.exe (152)
______ C:\Program Files\Internet Explorer\iexplore.exe (580)
______ C:\Program Files\Internet Explorer\iexplore.exe (908)
______ C:\WINDOWS\system32\ctfmon.exe (1040)
______ c:\PROGRA~1\mcafee\msc\mcuimgr.exe (256)
______ C:\Program Files\Internet Explorer\iexplore.exe (1656)
______ C:\Documents and Settings\Nadine\Local Settings\Temporary Internet Files\Content.IE5\GUQ3SIP0\Rooter[1].exe (1012)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:41094144)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:41943040 | Length:320029941760)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\McDefragTask.job
C:\WINDOWS\Tasks\McQcTask.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 15:09.23
.
C:\Rooter$\Rooter_1.txt - (08/09/2009 | 15:09.23)

Hi

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Malwarebytes' Anti-Malware 1.40
Database version: 2759
Windows 5.1.2600 Service Pack 3 (Safe Mode)

9/8/2009 5:11:47 PM
mbam-log-2009-09-08 (17-11-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178453
Time elapsed: 12 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c60d42-9881-11de-b7c5-cd5255d89593} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c60d42-9881-11de-b7c5-cd5255d89593} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bca9b86c-91bc-11de-b1cd-35c755d89593} (Rogue.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8c60d42-9881-11de-b7c5-cd5255d89593} (Rogue.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{bca9b86c-91bc-11de-b1cd-35c755d89593} (Rogue.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{bca9b86c-91bc-11de-b1cd-35c755d89593} (Rogue.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{bca9b86c-91bc-11de-b1cd-35c755d89593} (Rogue.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{bca9b86c-91bc-11de-b1cd-35c755d89593} (Rogue.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19437504 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tsc (Rogue.Total.Security) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\19437504 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TSC (Rogue.Total.Security) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Nadine\Local Settings\Temp\~131.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\19437504\19437504.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\19437504\19437504.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehelpmod.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Application Data\Sun\Java\Deployment\cache\6.0\32\43fbc220-67534d5e (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Local Settings\Temp\par.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Local Settings\Temp\protect.exe (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Local Settings\Temporary Internet Files\Content.IE5\03P5SO20\1251214205[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\protector.exe (Rogue.SafetyCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hjgruiulndjglk.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\main.ico (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\sound.wav (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Start Menu\Programs\System Security\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TSC\Computer Scan.lnk (Rogue.Total.Security) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TSC\Help.lnk (Rogue.Total.Security) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TSC\Registration.lnk (Rogue.Total.Security) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TSC\Security Center.lnk (Rogue.Total.Security) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TSC\Settings.lnk (Rogue.Total.Security) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TSC\Total Security.lnk (Rogue.Total.Security) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TSC\Update.lnk (Rogue.Total.Security) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Desktop\Total Security.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Program Files\TSC\tsc.exe (Rogue.Total.Security) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nadine\Application Data\Microsoft\Internet Explorer\Quick Launch\TSC.lnk (Rogue.Total.Security) -> Quarantined and deleted successfully.

Hi

It appears your system has been quite compromised. Please be patient. From this point on, the advisers, administrators, and moderators; should be the only members that you take advice from, until they have verified your log as clean. Please do not ask for help anywhere else.


Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective
  programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

ComboFix 09-09-09.01 - Nadine 09/09/2009 16:52.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2609 [GMT -4:00]
Running from: c:\documents and settings\Nadine\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Christine\Application Data\alot
c:\documents and settings\Christine\Application Data\none
c:\documents and settings\Nadine\Application Data\alot
c:\documents and settings\Nadine\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Nadine\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\Nadine\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\Nadine\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\Nadine\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\Nadine\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\Nadine\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\Nadine\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\Nadine\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\Nadine\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\Nadine\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\Nadine\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\Nadine\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Nadine\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Nadine\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\Nadine\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\Nadine\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\Nadine\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\Nadine\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\Nadine\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\Nadine\Application Data\alot\preferencesLayout\preferencesLayout.xml
c:\documents and settings\Nadine\Application Data\alot\preferencesLayout\preferencesLayout.xml.backup
c:\documents and settings\Nadine\Application Data\alot\products\products.xml
c:\documents and settings\Nadine\Application Data\alot\products\products.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\Nadine\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_image_search.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_news_search.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_shop_search.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_videos_search.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_1\images\alot_web_search.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_2\images\default_1030_alot_cel_search.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_2\images\default_1030_alot_cel_search.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_3\images\default_2334_default_2301_hulu.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_3\images\default_2334_default_2301_hulu.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_4\images\default_1153_alot_cel_entcenter.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_4\images\default_1153_alot_cel_entcenter.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_5\images\default_1154_alot_cel_photos.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_5\images\default_1154_alot_cel_photos.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_6\images\default_1151_alot_mrkt_starpulse.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_6\images\default_1151_alot_mrkt_starpulse.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_7\images\2428_icon.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_8\images\2554_icon.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_9\images\default_1795_default_1795_alot_configure.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Button_9\images\default_1795_default_1795_alot_configure.png
c:\documents and settings\Nadine\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\Nadine\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Shared\images\alot_configure.bmp
c:\documents and settings\Nadine\Application Data\alot\Resources\Shared\images\alot_configure.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\Nadine\Application Data\alot\Resources\Shared\images\intro_popup.png
c:\documents and settings\Nadine\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Nadine\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Nadine\Application Data\alot\toolbar.xml
c:\documents and settings\Nadine\Application Data\alot\toolbar.xml.backup
c:\documents and settings\Nadine\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\Nadine\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\Nadine\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Nadine\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup
c:\documents and settings\Nadine\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Nadine\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\Nadine\Application Data\none
c:\program files\alot
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\program files\alot\bin\BHO\alotBHO.dll
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\drivers\hjgruiwswlpuny.sys
c:\windows\system32\drivers\kbiwkmxtxoxyed.sys
c:\windows\system32\hjgruidsvnthvo.dll
c:\windows\system32\hjgruieohfogbr.dat
c:\windows\system32\hjgruilpwcoppt.dat
c:\windows\system32\hjgruiulndjglk.dll
c:\windows\system32\kbiwkmdaevqstp.dll
c:\windows\system32\kbiwkmdkwwhhxk.dat
c:\windows\system32\kbiwkmehkvaaxr.dat
c:\windows\system32\kbiwkmjvynswvk.dll
c:\windows\system32\kbiwkmkyxexmej.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiddkjejwy
-------\Legacy_hjgruiddkjejwy
-------\Service_kbiwkmmwxqirfm
-------\Legacy_kbiwkmmwxqirfm


((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\documents and settings\Nadine\Application Data\Malwarebytes
2009-09-08 20:49 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 20:49 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 19:09 . 2009-09-08 19:09 -------- d-----w- C:\Rooter$
2009-09-07 00:05 . 2009-09-07 00:05 2198 ----a-w- C:\a3VSw.bat
2009-09-06 20:46 . 2009-09-06 20:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-04 20:16 . 2009-09-04 20:16 -------- d-sh--w- c:\documents and settings\Christine\PrivacIE
2009-09-04 20:15 . 2009-09-04 20:15 -------- d-sh--w- c:\documents and settings\Christine\IETldCache
2009-09-04 15:37 . 2009-09-04 15:37 -------- d-sh--w- c:\documents and settings\Nadine\PrivacIE
2009-09-04 15:36 . 2009-09-04 15:36 -------- d-sh--w- c:\documents and settings\Nadine\IETldCache
2009-09-04 15:33 . 2009-09-04 15:33 -------- d-sh--w- c:\documents and settings\Melissa\IETldCache
2009-09-04 15:32 . 2009-09-04 15:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-04 15:28 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-04 15:28 . 2009-09-04 15:28 -------- d-----w- c:\windows\ie8updates
2009-09-04 15:28 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-04 15:28 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-04 15:28 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-04 15:28 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-04 15:28 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-04 15:28 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-04 15:27 . 2009-09-04 15:27 -------- dc-h--w- c:\windows\ie8
2009-09-04 04:10 . 2009-09-04 04:10 -------- d-----w- c:\program files\Common Files\TSCUninstall
2009-09-04 04:09 . 2009-09-08 21:11 -------- d-----w- c:\program files\TSC
2009-08-31 15:11 . 2009-08-31 15:11 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-31 15:10 . 2009-08-31 15:10 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-27 05:58 . 2009-08-27 05:58 -------- d-----w- c:\documents and settings\Nadine\Application Data\MSNInstaller
2009-08-26 08:41 . 2009-08-26 08:41 -------- d-----w- c:\windows\Cache
2009-08-26 08:41 . 2009-08-26 08:41 -------- d-----w- c:\program files\Coupons
2009-08-12 18:23 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 04:17 . 2009-06-20 20:53 2338 ----a-w- c:\documents and settings\Nadine\Application Data\wklnhst.dat
2009-08-09 20:09 . 2009-02-13 11:11 34776 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 21:18 . 2009-02-13 11:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 16:58 . 2009-02-13 11:10 -------- d-----w- c:\program files\Dell DataSafe Online
2009-07-28 17:01 . 2009-07-28 17:01 154 ----a-w- c:\documents and settings\Christine\Application Data\wklnhst.dat
2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----w- c:\documents and settings\Christine\Application Data\Template
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-04-25 16:16 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-25 16:16 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-25 16:16 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-25 16:16 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-25 16:16 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-18 07:09 . 2009-06-18 07:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2008-04-25 16:16 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2008-04-25 16:16 76288 ----a-w- c:\windows\system32\telnet.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-06-24 668912]
"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-06-24 16624]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-17 16132608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-13 11:10 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dldtcoms.exe"=
"c:\\Program Files\\Dell V305\\dldtmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2/25/2008 12:38 PM 99568]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 19:32]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
.
- - - - ORPHANS REMOVED - - - -

AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe
AddRemove-TSC - c:\program files\TSC\tsc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 16:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-09-09 16:59
ComboFix-quarantined-files.txt 2009-09-09 20:59

Pre-Run: 307,913,347,072 bytes free
Post-Run: 308,686,225,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

292 --- E O F --- 2009-09-08 21:18

Hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
c:\program files\alot
Folder::
c:\program files\TSC
c:\program files\Common Files\TSCUninstall

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

ComboFix 09-09-10.03 - Nadine 09/11/2009 10:55.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2281 [GMT -4:00]
Running from: c:\documents and settings\Nadine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nadine\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\TSCUninstall
c:\program files\Common Files\TSCUninstall\Uninstall.lnk
c:\program files\TSC

.
((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 14:47 . 2009-09-11 14:47 -------- d-----w- c:\windows\LastGood
2009-09-10 18:23 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\documents and settings\Nadine\Application Data\Malwarebytes
2009-09-08 20:49 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 20:49 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 19:09 . 2009-09-08 19:09 -------- d-----w- C:\Rooter$
2009-09-07 00:05 . 2009-09-07 00:05 2198 ----a-w- C:\a3VSw.bat
2009-09-06 20:46 . 2009-09-06 20:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-04 20:16 . 2009-09-04 20:16 -------- d-sh--w- c:\documents and settings\Christine\PrivacIE
2009-09-04 20:15 . 2009-09-04 20:15 -------- d-sh--w- c:\documents and settings\Christine\IETldCache
2009-09-04 15:37 . 2009-09-04 15:37 -------- d-sh--w- c:\documents and settings\Nadine\PrivacIE
2009-09-04 15:36 . 2009-09-04 15:36 -------- d-sh--w- c:\documents and settings\Nadine\IETldCache
2009-09-04 15:33 . 2009-09-04 15:33 -------- d-sh--w- c:\documents and settings\Melissa\IETldCache
2009-09-04 15:32 . 2009-09-04 15:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-04 15:28 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-04 15:28 . 2009-09-11 14:47 -------- d-----w- c:\windows\ie8updates
2009-09-04 15:28 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-04 15:28 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-04 15:28 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-04 15:28 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-04 15:28 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-04 15:28 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-04 15:27 . 2009-09-04 15:27 -------- dc-h--w- c:\windows\ie8
2009-08-31 15:11 . 2009-08-31 15:11 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-31 15:10 . 2009-08-31 15:10 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-27 05:58 . 2009-08-27 05:58 -------- d-----w- c:\documents and settings\Nadine\Application Data\MSNInstaller
2009-08-26 08:41 . 2009-08-26 08:41 -------- d-----w- c:\windows\Cache
2009-08-26 08:41 . 2009-08-26 08:41 -------- d-----w- c:\program files\Coupons
2009-08-12 18:23 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 14:47 . 2009-02-13 11:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 04:17 . 2009-06-20 20:53 2338 ----a-w- c:\documents and settings\Nadine\Application Data\wklnhst.dat
2009-08-09 20:09 . 2009-02-13 11:11 34776 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 16:58 . 2009-02-13 11:10 -------- d-----w- c:\program files\Dell DataSafe Online
2009-07-28 17:01 . 2009-07-28 17:01 154 ----a-w- c:\documents and settings\Christine\Application Data\wklnhst.dat
2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----w- c:\documents and settings\Christine\Application Data\Template
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-04-25 16:16 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-25 16:16 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-25 16:16 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-25 16:16 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-25 16:16 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 06:44 . 2009-09-10 18:23 726528 ----a-w- c:\windows\system32\SETE5.tmp
2009-06-18 07:09 . 2009-06-18 07:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\alot ----



((((((((((((((((((((((((((((( SnapShot@2009-09-09_20.59.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-16 17:00 . 2009-09-11 14:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-16 17:00 . 2009-09-09 17:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-16 17:00 . 2009-09-09 17:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-09 21:52 . 2009-09-11 14:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-13 11:05 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-02-13 11:05 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-09-11 14:47 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-11 14:47 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-11 14:47 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2008-04-25 16:16 . 2009-05-20 08:56 2458112 c:\windows\system32\WMVCore.dll
- 2008-04-25 16:16 . 2008-06-18 09:03 2458112 c:\windows\system32\WMVCore.dll
+ 2008-11-07 20:45 . 2009-05-20 08:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 2008-11-07 20:45 . 2008-06-18 09:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-09-04 15:24 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-11 14:47 . 2009-09-11 14:47 15709696 c:\windows\Installer\462643c.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-06-24 668912]
"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-06-24 16624]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-17 16132608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-13 11:10 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dldtcoms.exe"=
"c:\\Program Files\\Dell V305\\dldtmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2/25/2008 12:38 PM 99568]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 19:32]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 10:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(4088)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-09-11 11:00
ComboFix-quarantined-files.txt 2009-09-11 15:00
ComboFix2.txt 2009-09-09 20:59

Pre-Run: 308,534,038,528 bytes free
Post-Run: 308,561,076,224 bytes free

175 --- E O F --- 2009-09-11 14:48

Hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Suspect::
C:\a3VSw.bat
c:\windows\system32\d3d9caps.dat

File::
c:\windows\system32\SETE5.tmp
c:\windows\Installer\462643c.msp

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

==

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan.

==

Please post the following logs in your next reply:

-ComboFix log
-Malwarebytes log

Also, please tell me how your computer is running.

ComboFix 09-09-13.04 - Nadine 09/13/2009 16:10.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2403 [GMT -4:00]
Running from: c:\documents and settings\Nadine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nadine\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Installer\462643c.msp"
"c:\windows\system32\SETE5.tmp"

file zipped: C:\a3VSw.bat
file zipped: c:\windows\system32\d3d9caps.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\462643c.msp

.
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-10 18:23 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\documents and settings\Nadine\Application Data\Malwarebytes
2009-09-08 20:49 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 20:49 . 2009-09-08 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 20:49 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 19:09 . 2009-09-08 19:09 -------- d-----w- C:\Rooter$
2009-09-07 00:05 . 2009-09-07 00:05 2198 ----a-w- C:\a3VSw.bat
2009-09-06 20:46 . 2009-09-06 20:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-04 20:16 . 2009-09-04 20:16 -------- d-sh--w- c:\documents and settings\Christine\PrivacIE
2009-09-04 20:15 . 2009-09-04 20:15 -------- d-sh--w- c:\documents and settings\Christine\IETldCache
2009-09-04 15:37 . 2009-09-04 15:37 -------- d-sh--w- c:\documents and settings\Nadine\PrivacIE
2009-09-04 15:36 . 2009-09-04 15:36 -------- d-sh--w- c:\documents and settings\Nadine\IETldCache
2009-09-04 15:33 . 2009-09-04 15:33 -------- d-sh--w- c:\documents and settings\Melissa\IETldCache
2009-09-04 15:32 . 2009-09-04 15:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-04 15:28 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-04 15:28 . 2009-09-11 14:47 -------- d-----w- c:\windows\ie8updates
2009-09-04 15:28 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-04 15:28 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-04 15:28 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-04 15:28 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-04 15:28 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-04 15:28 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-04 15:27 . 2009-09-04 15:27 -------- dc-h--w- c:\windows\ie8
2009-08-31 15:11 . 2009-08-31 15:11 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-31 15:10 . 2009-08-31 15:10 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-27 05:58 . 2009-08-27 05:58 -------- d-----w- c:\documents and settings\Nadine\Application Data\MSNInstaller
2009-08-26 08:41 . 2009-08-26 08:41 -------- d-----w- c:\windows\Cache
2009-08-26 08:41 . 2009-08-26 08:41 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 02:43 . 2009-06-20 20:53 2338 ----a-w- c:\documents and settings\Nadine\Application Data\wklnhst.dat
2009-09-11 15:16 . 2009-02-13 11:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-09 20:09 . 2009-02-13 11:11 34776 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 16:58 . 2009-02-13 11:10 -------- d-----w- c:\program files\Dell DataSafe Online
2009-07-28 17:01 . 2009-07-28 17:01 154 ----a-w- c:\documents and settings\Christine\Application Data\wklnhst.dat
2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----w- c:\documents and settings\Christine\Application Data\Template
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-04-25 16:16 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-25 16:16 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-25 16:16 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-25 16:16 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-25 16:16 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-18 07:09 . 2009-06-18 07:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_20.59.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-16 17:00 . 2009-09-13 20:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-16 17:00 . 2009-09-09 17:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-16 17:00 . 2009-09-09 17:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-11 19:38 . 2009-09-13 20:09 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-25 16:16 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2008-04-25 16:16 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2009-02-13 11:05 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2009-02-13 11:05 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-09-11 14:47 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-11 14:47 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-11 14:47 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2008-04-25 16:16 . 2009-05-20 08:56 2458112 c:\windows\system32\WMVCore.dll
- 2008-04-25 16:16 . 2008-06-18 09:03 2458112 c:\windows\system32\WMVCore.dll
+ 2008-11-07 20:45 . 2009-05-20 08:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 2008-11-07 20:45 . 2008-06-18 09:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-09-04 15:24 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-06-24 668912]
"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-06-24 16624]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-17 16132608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-13 11:10 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dldtcoms.exe"=
"c:\\Program Files\\Dell V305\\dldtmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2/25/2008 12:38 PM 99568]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 19:32]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 16:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(844)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-09-13 16:16
ComboFix-quarantined-files.txt 2009-09-13 20:16
ComboFix2.txt 2009-09-11 15:00
ComboFix3.txt 2009-09-09 20:59

Pre-Run: 308,534,255,616 bytes free
Post-Run: 308,570,230,784 bytes free

174 --- E O F --- 2009-09-13 20:04
Upload was successful

Malwarebytes' Anti-Malware 1.41
Database version: 2792
Windows 5.1.2600 Service Pack 3

9/13/2009 4:35:21 PM
mbam-log-2009-09-13 (16-35-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150219
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmdaevqstp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmjvynswvk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP62\A0006598.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A

I think it is running okay now, I can sign on and navigate, but I haven't done much until we are finished to make sure. Do you have a suggestion as to what should I be running for prevention or defense? Thanks.

Hi. I will give you prevention tips after your computer is declared clean.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

Please post a FULL log in your next reply.

Malwarebytes' Anti-Malware 1.41
Database version: 2804
Windows 5.1.2600 Service Pack 3

9/15/2009 2:09:16 PM
mbam-log-2009-09-15 (14-09-16).txt

Scan type: Quick Scan
Objects scanned: 119190
Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi

Your computer is clean.

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!


Antivirus out of date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe

``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Hi

I saw that you may have McAfee installed. Would you like this removed?

Here are better, free alternatives to McAfee:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial user.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

==

Java is out of date.

Download the newest version from here http://www.java.com/en/download/manual.jsp.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to Start > Control Panel > Software and open Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment).
They will have this icon next to them:
Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions? Do you want to know how to remove the McAfee?

yes I would like to remove Mcafee please, thank you.

Hi

Please download and run MCPR.exe

1. Download the removal tool from: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
   
2. Click Save and save the file to a folder on your computer.
   
3. Navigate to the folder where the file was saved.
   
4. Make sure all McAfee windows are closed.
   
5. Double-click MCPR.exe to run the removal tool.
   
   NOTE: Windows Vista users must right-click MCPR.exe and select Run as Administrator.
   
6. Restart your computer after receiving the message CleanUp Successful.
   Your McAfee product will not be fully removed until the system is restarted.