WiredWX Hobby Weather Tools

Total Security has taken over

I have used this site before with great success, so I downloaded HijackThis onto a memory stick, but when I start up the infected computer it immediately starts running a Total Security scan and it seems to have disabled everything else: McAfee, userinit.exe, so I can't even run HijackThis to see what is going on.

Please please help!
Thank you

Re: Total Security has taken over
Hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
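As an added example (not SystemLook's own code), the following Python script mirrors what the :filefind directive above does from a defender's seat: it locates every copy of the listed system files under the given roots and compares their SHA-256 digests, so a patched copy in system32 stands out against the dllcache copy. It runs against a constructed temporary tree standing in for C:\Windows; pass real roots to `report()` to use it on a mounted drive.

```python
"""Added example (not SystemLook's own code): mirror the ':filefind'
check by finding every copy of the listed system files and comparing
their SHA-256 digests, so a patched copy stands out."""
import hashlib
import os
import tempfile
from collections import defaultdict

# File names copied from the SystemLook codebox in the post above.
FILEFIND = [
    "scecli.dll", "netlogon.dll", "eventlog.dll", "winlogon.exe",
    "comres.dll", "crypt32.dll", "gpedit.dll", "rundll32.exe",
    "sfc.dll", "svchost.exe",
]

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def filefind(roots, names=FILEFIND):
    """Return {name: [(path, size, sha256), ...]} for every copy under roots."""
    wanted = {n.lower() for n in names}
    hits = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() in wanted:
                    p = os.path.join(dirpath, fn)
                    hits[fn.lower()].append((p, os.path.getsize(p), sha256_of(p)))
    return dict(hits)

def mismatched(hits):
    """Names whose copies do not all share one digest. On a clean XP install
    the system32 and dllcache copies should match; a lone differing copy is
    the pattern file-patching malware leaves. A hotfixed file can legitimately
    differ from its ServicePackFiles copy, so treat a hit as a lead, not a verdict."""
    return sorted(n for n, copies in hits.items() if len({c[2] for c in copies}) > 1)

def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def build_sample_tree():
    """Constructed stand-in for C:\\Windows so the example runs anywhere."""
    base = tempfile.mkdtemp(prefix="filefind_")
    sys32 = os.path.join(base, "system32")
    cache = os.path.join(sys32, "dllcache")
    os.makedirs(cache)
    for name in ("scecli.dll", "svchost.exe"):  # identical, untouched copies
        _write(os.path.join(sys32, name), b"MZ genuine " + name.encode())
        _write(os.path.join(cache, name), b"MZ genuine " + name.encode())
    # Simulated patched copy: same name, different bytes in system32 only.
    _write(os.path.join(sys32, "netlogon.dll"), b"MZ patched")
    _write(os.path.join(cache, "netlogon.dll"), b"MZ genuine netlogon.dll")
    return base

def report(roots=None):
    """Return (sorted names found, names whose copies differ)."""
    hits = filefind(roots or [build_sample_tree()])
    return sorted(hits), mismatched(hits)

if __name__ == "__main__":
    found, bad = report()
    print("found:", ", ".join(found))
    for name in bad:
        print("copies differ:", name)
```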

Re: Total Security has taken over
When I turned on the computer last night to try and run HijackThis, the Total Security scan started almost immediately and then seemed to lock me out from doing anything. I then tried to start it in safe mode and it wouldn't let me, and then I started from the last successful startup and again Total started running the scan and seemed to not let me do anything. Task Manager says it was disabled. I will try again, but are there any first steps that might prevent this, to increase my chances of it letting me run the SystemLook scan?

Thanks for your help

Re: Total Security has taken over
Hi

Please download this from another computer and then transfer it to the infected computer.

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:

[screenshot: Cf110]
[screenshot: Cf210]

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:

[screenshot: Cf410]
[screenshot: Cf510]

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time rename
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Re: Total Security has taken over
OK

Got the files copied on a stick drive. Went to the computer and started it in safe mode - it says there is a problem with Windows and shut Windows down to protect the computer - it says run virus software, disable new stuff, and it is on a blue screen. Can I run the program on the USB drive from here? Or what else can I try?

Re: Total Security has taken over
Hi

Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore.
  • Download The Avira AntiVir Rescue System from here.
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your computer.
You'll get a boot option to either boot from hard drive or AntiVir Rescue System.
[screenshot: 2i8vzwo]

Press the number 2 on your keyboard to boot into AntiVir Rescue System.

Please wait until drivers are loaded and Main menu shows. Then please select the second option “Scan your system with AntiVir” and hit Enter.
[screenshot: 33dxve1]

Under Configuration, please select "Scan all files", "Try to repair infected files" and "Rename files if they cannot be removed".
[screenshot: 2aaby46]

Then please start the scan.

The Avira AntiVir Rescue System will now

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.

Re: Total Security has taken over
Burned the CD and put it in the drive. Do I do a regular startup, safe mode? How do I get the computer to know to read the CD?

Re: Total Security has taken over
How do I get the computer to run the Avira Rescue program on the CD?????

Re: Total Security has taken over
Hi

When the computer boots, hit F12 quickly, then select CD/DVD drive as the option.

If this does not work, then enter the BIOS by either pressing F2 or Delete, immediately when the computer boots. Go to the section where the boot order is done, and select the CD/DVD drive as the first device that boots. Most utilities have a help section on the left or right, to guide you on how to do this. Most of these configuration screens are different.

Then, it should boot from the CD.

Re: Total Security has taken over
ComboFix 09-09-22.02 - Ryan 09/22/2009 22:36.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1702 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\13773904
c:\documents and settings\All Users\Application Data\13773904\13773904
c:\documents and settings\All Users\Application Data\13773904\13773904.exe
c:\documents and settings\All Users\Application Data\13773904\pc13773904ins
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\fujegifu.dll
c:\windows\system32\hetibesi.dll
c:\windows\system32\hoguyovu.dll.tmp
c:\windows\system32\kutozali.exe
c:\windows\system32\logon.exe
c:\windows\system32\mefibena.dll
c:\windows\system32\merilaro.dll
c:\windows\system32\puvelepu.dll
c:\windows\system32\rafesumu.dll.tmp
c:\windows\system32\rapirapi.dll
c:\windows\system32\siweviji.dll
c:\windows\system32\wavemile.dll
c:\windows\system32\wegafuhu.dll.tmp
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wuyojogi.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-13 12:17 . 2009-09-13 12:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\scripting
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\en
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\l2schemas
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\bits
2009-09-13 09:07 . 2009-09-13 09:07 -------- d-----w- c:\windows\EHome
2009-09-12 14:55 . 2009-09-12 14:55 -------- d-----w- c:\windows\Sun
2009-09-09 23:10 . 2009-09-09 23:10 127488 ----a-w- c:\windows\system32\T4 Quote Saver.scr
2009-09-09 23:10 . 2009-09-09 23:10 25600 ----a-w- c:\windows\system32\T4SIC.dll
2009-09-08 23:21 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 15:02 . 2009-09-07 15:04 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Google
2009-09-07 15:00 . 2009-09-07 15:02 -------- d-----w- c:\program files\Google
2009-09-07 14:54 . 2009-09-07 14:54 -------- d-----w- c:\documents and settings\Ryan\Application Data\Template
2009-09-07 11:20 . 2009-09-07 11:20 -------- d-sh--w- c:\documents and settings\Ryan\PrivacIE
2009-09-07 11:12 . 2009-09-07 11:12 -------- d-sh--w- c:\documents and settings\Ryan\IETldCache
2009-09-07 10:59 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-07 10:58 . 2009-09-07 10:58 -------- d-----w- c:\windows\ie8updates
2009-09-07 10:58 . 2009-07-19 23:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-07 10:58 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-07 10:58 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-07 10:58 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-07 10:58 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-07 10:58 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-07 10:58 . 2009-09-07 10:58 -------- dc-h--w- c:\windows\ie8
2009-09-05 03:21 . 2009-09-05 03:21 -------- d-sh--w- c:\documents and settings\Ryan\UserData
2009-09-04 03:26 . 2009-09-04 03:26 -------- d-----w- c:\documents and settings\Ryan\Application Data\AdobeUM
2009-09-04 01:25 . 2009-09-04 03:25 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Adobe
2009-08-30 11:40 . 2009-09-13 09:11 -------- d-----w- c:\windows\ServicePackFiles
2009-08-30 11:39 . 2009-08-30 11:39 -------- d-----w- c:\program files\MSXML 4.0
2009-08-29 15:01 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-08-29 15:01 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-08-29 15:01 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-08-29 15:01 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-08-29 15:01 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-08-29 15:01 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-29 15:01 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-08-29 15:01 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-08-29 15:01 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-08-29 15:01 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-29 15:01 . 2009-02-06 11:08 2189056 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-29 15:01 . 2009-02-06 11:06 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-29 15:01 . 2009-02-06 10:32 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-29 14:59 . 2009-08-29 14:59 127 ----a-w- c:\documents and settings\Ryan\Local Settings\Application Data\fusioncache.dat
2009-08-29 14:58 . 2009-08-29 14:58 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\CTS
2009-08-29 14:58 . 2009-08-29 14:58 -------- d-----w- c:\program files\CTS
2009-08-29 14:57 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-29 14:57 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-29 14:57 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-29 14:57 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-08-29 14:57 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-08-29 14:57 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-08-29 14:57 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-29 14:57 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-08-29 14:57 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-08-29 14:57 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-08-29 14:57 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-29 14:52 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 03:42 . 2009-03-07 19:23 -------- d-----w- c:\program files\Steam
2009-09-22 01:27 . 2009-06-22 01:27 49152 --sha-w- c:\windows\system32\fiwevoga.dll
2009-09-13 21:26 . 2008-06-23 18:55 37344 ----a-w- c:\documents and settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 14:54 . 2009-09-07 14:54 0 ----a-w- c:\documents and settings\Ryan\Application Data\wklnhst.dat
2009-09-07 08:01 . 2009-09-07 08:01 -------- d-----w- c:\program files\MSBuild
2009-09-07 08:01 . 2009-09-07 08:01 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 05:02 . 2009-08-14 00:57 -------- d-----w- c:\program files\Warcraft III
2009-08-14 01:04 . 2009-08-14 00:59 55618 ----a-w- c:\windows\War3Unin.dat
2009-08-14 01:04 . 2009-08-14 00:59 2829 ----a-w- c:\windows\War3Unin.pif
2009-08-14 01:04 . 2009-08-14 00:59 139264 ----a-w- c:\windows\War3Unin.exe
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 18:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-22 01:31 . 2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fde32ef9-7e44-452e-8f14-322f0cbf900b}]
2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"Steam"="c:\program files\Steam\Steam.exe" [2009-08-29 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-08 7630848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-13 110592]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-07 122368]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2008-2-6 921704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-23 02:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2/6/2008 2:09 PM 61526]
S3 jswmidin;jswmidin;\??\c:\docume~1\Ryan\LOCALS~1\Temp\jswmidin.sys --> c:\docume~1\Ryan\LOCALS~1\Temp\jswmidin.sys [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\progra~1\SMC\POWERL~1\PLCNDIS5.SYS [9/10/2002 6:44 PM 17018]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (COMP-Ryan).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2008-02-06 00:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-13773904 - c:\documents and settings\All Users\Application Data\13773904\13773904.exe
HKLM-Run-tarosejowa - fujegifu.dll
SharedTaskScheduler-{242aa567-f336-4a40-a31f-d36e11ae69c7} - c:\windows\system32\kuribuja.dll
SSODL-nagevekog-{242aa567-f336-4a40-a31f-d36e11ae69c7} - c:\windows\system32\kuribuja.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 22:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\PRISMAPI.DLL

- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PRISMSVR.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2009-09-23 22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-23 03:46

Pre-Run: 173,117,886,464 bytes free
Post-Run: 173,811,388,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

255 --- E O F --- 2009-09-14 08:00
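As an added example, not ComboFix's own code, this Python parser reads file lines in the format of the log above (modified date, created date, size or dashes for a directory, eight attribute flags, path) and flags files that are both hidden and system inside system32, or that carry the eight-letter lowercase names this log shows. The sample lines are copied from the log above; the naming heuristic is an assumption for triage, not a ComboFix rule.

```python
"""Added example (not ComboFix's own code): parse the file lines of a
ComboFix log and flag the entries a reviewer would look at first."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# modified . created size attrs path   (size is eight dashes for a directory)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) "
    r"([a-z-]{8}) "
    r"(.+)$"
)
# Eight lowercase letters plus dll/exe, like fujegifu.dll or sapawoma.dll
# in the log above. Assumed triage heuristic, not a ComboFix rule.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)(\.tmp)?$")

@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]   # None for a directory
    flags: Set[str]       # letters present in the attribute field (d, s, h, a, w, c, ...)
    path: str

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mod, cre, size, attrs, path = m.groups()
    return Entry(mod, cre, None if size.startswith("-") else int(size),
                 set(attrs.replace("-", "")), path)

def parse_log(text: str) -> List[Entry]:
    """Keep only lines that match the file-entry format; headers are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]

def suspicious(e: Entry) -> List[str]:
    reasons = []
    name = e.path.rsplit("\\", 1)[-1].lower()
    in_sys32 = "\\windows\\system32\\" in e.path.lower()
    # A hidden+system *file* dropped in system32 is unusual; hidden+system
    # directories such as IETldCache are normal and are not flagged.
    if in_sys32 and "d" not in e.flags and {"s", "h"} <= e.flags:
        reasons.append("hidden+system file in system32")
    if in_sys32 and RANDOM_NAME.match(name):
        reasons.append("pseudo-random 8-letter name")
    return reasons

def flagged(text: str):
    """Return [(file name, [reasons]), ...] for entries worth a second look."""
    out = []
    for e in parse_log(text):
        why = suspicious(e)
        if why:
            out.append((e.path.rsplit("\\", 1)[-1], why))
    return out

# Sample lines copied from the "Files Created" and "Find3M" sections above.
SAMPLE_LOG = r"""
2009-09-22 01:27 . 2009-06-22 01:27 49152 --sha-w- c:\windows\system32\fiwevoga.dll
2009-09-13 12:17 . 2009-09-13 12:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-09 23:10 . 2009-09-09 23:10 127488 ----a-w- c:\windows\system32\T4 Quote Saver.scr
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-06-22 01:31 . 2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll
"""

if __name__ == "__main__":
    for name, why in flagged(SAMPLE_LOG):
        print(f"{name}: {'; '.join(why)}")
```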

Re: Total Security has taken over
Hi

Unfortunately, your log shows a dangerous trojan is residing on your computer which has a backdoor functionality. It is possible that a remote attacker has already breached your computer. If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Please let me know if you would like to continue with trying to clean your computer.

Instead, if you decide to format and reinstall, please disconnect your computer from the Internet immediately.

Re: Total Security has taken over
My husband is using this computer. He had problems with his old computer in April with Win32/Nugel and Geek Police got it back up and running. He again started having problems with that computer (security popups again) and so grabbed this computer from my son who is away at college (you can see all the games on it) to replace that old computer.
I spent all last evening running McAfee (found only 1 PUP) and the malware program you guys recommended, doing quick scans and then full scans and removing all the infections, starting and restarting each time.

He goes on the internet, his work (commodity trading order entry system - supposedly on a T4 line?????), reads lots of newspapers and political blogs; that is what he uses it for. I took your advice and unplugged it from the Comcast router.

What trojan is it this time? Is it a keylogger? He is going to change his banking codes, but how can I tell if my computer is safe to do that on? I just ran a full scan with the malware program and McAfee again myself yesterday because I am always nervous.

Should I run ComboFix or HijackThis on mine to verify it is clean???

Sounds like we should reformat it. What do I need to get together to do that? The computer is from Dell and still under warranty. Do I go through them to reformat it? Or post another thread?

Re: Total Security has taken over
Hi

Here is a tutorial on reformatting and reinstalling: http://forums.whatthetech.com/How_Reformat_Reinstall_your_Operating_System_t91962.html

Only the computer mentioned in this topic should be reformatted and reinstalled. For the other computer you mention, please post a new topic and copy & paste the address of this thread to it, along with a HijackThis log. Do not run ComboFix or any other special tools.

Re: Total Security has taken over
Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read this over and click here to open a new topic.

Re: Total Security has taken over
Sorry - I have been out of town for the weekend. Actually at UD for parents weekend.

Is Total Security the big threat that I should be worried about? What is the name of this Trojan the computer has with backdoor functionality??? Where do you get it, and if I reformat the computer how do I not get this particular trojan again? What software / strategies will prevent it in the future? You see, my husband only goes on very specific sites (newspapers, political blogs, Rivals (ND blog)) and these habits will not change. So after I reformat, how do I be sure the computer is protected so I don't have to keep doing this?

What is the name of this TROJAN and what specifically will block this TROJAN and others????????


And who is this Megmeg posting on this thread? Could you please review my combofix results post and be sure there is not some confusion on what MY computer has and what needs to be done. Reformatting is a lot of work!


Thanks !
