Win 7 System Guard Trojan

Like many, I caught a trojan or trojans. It implanted links to porn sites on my computer and kept asking me to install this Win 7 System Guard to protect against supposedly 29 viruses/trojans/etc that I had on my computer.

My lavasoft and mcafee and firefox were disabled. When I got mcafee to run a scan, it didn't find anything.

So, I ran Combofix.exe and it deleted many files. Then I ran Malwarebytes' Anti-Malware fast scan and it deleted one trojan. Then I ran it again in full mode and it deleted one more trojan. Next was trendmicro's HouseCall which found nothing, then their rootkitbuster.exe, and finally combofix.exe and malwarebyte again in safe mode (which found nothing).

Unfortunately, that second combofix run deleted the log of the first, but I have the malwarebyte logs. My question is, after looking at the logs below, can I reasonably be sure my computer is disinfected, or is there more I need to do?

thanks in advance.

Here is the first MWB log:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/29/2010 1:22:04 AM
mbam-log-2010-04-29 (01-22-04).txt

Scan type: Quick scan
Objects scanned: 112689
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Le Minh Triet\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The second MWB log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/29/2010 2:33:01 AM
mbam-log-2010-04-29 (02-33-01).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 253461
Time elapsed: 58 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Users\Le Minh Triet\AppData\Local\Temp\csoqq.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.


The third MWB log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

4/29/2010 3:48:45 AM
mbam-log-2010-04-29 (03-48-45).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 250354
Time elapsed: 27 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The Combofix log:

ComboFix 10-04-28.04 - Le Minh Triet 04/29/2010 3:11.2.2 - x86 MINIMAL
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2304 [GMT -5:00]
Running from: c:\users\Le Minh Triet\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 08:17 . 2010-04-29 08:17 -------- dc----w- c:\users\Owner\AppData\Local\temp
2010-04-29 08:17 . 2010-04-29 08:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-29 08:17 . 2010-04-29 08:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-29 08:07 . 2010-04-29 08:10 -------- d-----w- C:\32788R22FWJFW
2010-04-29 07:47 . 2010-04-29 07:47 -------- d-----w- c:\windows\system32\Wat
2010-04-29 06:13 . 2010-04-29 06:13 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Malwarebytes
2010-04-29 06:12 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 06:12 . 2010-04-29 06:12 -------- d-----w- c:\programdata\Malwarebytes
2010-04-29 06:12 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 06:12 . 2010-04-29 06:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 05:13 . 2010-04-29 05:13 260608 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{F3870710-5316-174B-94C6-7A3730C468E7}-sysmon64x.exe
2010-04-29 02:40 . 2010-04-29 02:40 260608 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{3F49E783-43EC-1B57-8F65-C78B5357E7A7}-sysmon64x.exe
2010-04-29 01:42 . 2010-04-29 05:21 -------- d-----w- c:\programdata\salizuya
2010-04-29 01:42 . 2010-04-29 01:42 -------- d-----w- c:\programdata\rojolutu
2010-04-29 01:42 . 2010-04-29 01:42 -------- d-----w- c:\programdata\jiwirido
2010-04-29 00:20 . 2010-04-29 00:20 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Flickr
2010-04-29 00:20 . 2010-04-29 00:20 -------- d-----w- c:\users\Le Minh Triet\AppData\Local\Flickr
2010-04-28 23:57 . 2010-04-28 23:57 -------- d-----w- c:\program files\SyncToy 2.1
2010-04-28 21:53 . 2010-03-26 02:49 66048 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
2010-04-28 21:53 . 2009-11-26 03:03 61952 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
2010-04-28 21:53 . 2010-04-07 20:28 253952 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
2010-04-28 21:46 . 2010-04-28 21:46 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 21:46 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 21:42 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 21:42 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 21:42 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 21:42 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-28 21:42 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-28 21:42 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-28 21:42 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-28 21:42 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-28 21:42 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-28 21:41 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-28 21:41 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-19 19:59 . 2010-04-19 19:59 255472 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-04-02 16:31 . 2010-04-02 16:32 20846064 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\rp\RealPlayerSPGold.exe
2010-04-02 16:31 . 2010-04-02 16:31 79368 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\vista.exe
2010-04-02 16:31 . 2010-04-02 16:31 64000 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gcapi_dll.dll
2010-04-02 16:31 . 2010-04-02 16:31 52288 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gtapi.dll
2010-04-02 16:31 . 2010-04-02 16:31 50688 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\fftbapi.dll
2010-04-02 16:31 . 2010-04-02 16:31 49152 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\CarboniteCompatibility.dll
2010-04-02 16:31 . 2010-04-02 16:31 118784 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\compat.dll
2010-04-02 03:52 . 2010-04-28 21:38 439816 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\setup.exe
2010-03-31 04:11 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 08:05 . 2010-01-02 17:16 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Skype
2010-04-29 07:48 . 2010-01-02 07:49 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2010-04-29 07:48 . 2010-01-02 07:12 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-04-29 05:24 . 2010-01-02 07:49 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2010-04-28 21:46 . 2010-01-02 17:27 -------- d-----w- c:\program files\Java
2010-04-28 21:39 . 2010-01-02 07:12 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-04-28 21:39 . 2010-01-02 07:12 57752 ------w- c:\windows\system32\rpcnet.exe
2010-03-26 19:03 . 2010-01-02 14:20 -------- d-----w- c:\program files\PC-Doctor
2010-03-26 17:30 . 2010-03-26 17:30 -------- d-----w- c:\program files\Utimaco
2010-03-25 20:26 . 2010-03-25 20:14 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\RipIt4Me
2010-03-25 20:25 . 2010-03-25 20:25 -------- d-----w- c:\program files\DVD Decrypter
2010-03-25 20:17 . 2010-03-25 20:17 643072 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\RipIt4Me\updater\ri4mupdater.exe
2010-03-25 20:16 . 2010-03-25 20:16 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Vso
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:15 -------- d-----w- c:\program files\DVDFab 7
2010-03-25 20:09 . 2010-03-25 20:09 -------- d-----w- c:\programdata\DVD Shrink
2010-03-25 20:09 . 2010-03-25 20:09 -------- d-----w- c:\program files\DVD Shrink
2010-03-25 03:28 . 2010-01-02 13:54 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\HandBrake
2010-03-25 01:48 . 2010-03-25 01:44 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\InfraRecorder
2010-03-25 01:43 . 2010-03-25 01:43 -------- d-----w- c:\program files\InfraRecorder
2010-03-19 14:24 . 2010-03-19 14:24 -------- d-----w- c:\program files\Lavasoft
2010-03-19 14:24 . 2010-03-19 14:24 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-19 14:24 . 2010-01-02 08:07 -------- d-----w- c:\programdata\Lavasoft
2010-03-19 12:07 . 2010-03-19 12:07 -------- d-----w- c:\programdata\FLEXnet
2010-03-19 10:16 . 2010-01-02 07:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-19 10:16 . 2010-03-19 10:16 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-03-19 10:15 . 2010-01-02 06:53 114560 ----a-w- c:\users\Le Minh Triet\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-17 00:33 . 2010-03-17 00:33 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\AdobeUM
2010-03-15 00:52 . 2010-03-15 00:52 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\inkscape
2010-03-15 00:51 . 2010-03-15 00:51 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Notepad++
2010-03-15 00:51 . 2010-03-15 00:51 -------- d-----w- c:\program files\Notepad++
2010-03-13 20:23 . 2010-01-23 13:43 -------- d-----w- c:\program files\uTorrent
2010-03-13 13:28 . 2010-01-23 13:42 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\uTorrent
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-10 15:14 . 2010-03-10 15:14 300616 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-10 15:14 . 2010-03-10 15:14 329312 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-10 15:14 . 2010-01-02 16:56 -------- d-----w- c:\program files\Common Files\Real
2010-03-10 15:13 . 2010-01-02 16:56 -------- d-----w- c:\program files\Real
2010-03-10 15:13 . 2010-03-10 15:13 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-09 21:46 . 2010-03-09 21:46 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-03-09 21:46 . 2010-03-09 21:46 -------- d-----w- c:\program files\Hewlett-Packard
2010-03-09 21:44 . 2010-03-09 21:44 -------- d-----w- c:\programdata\Hewlett-Packard
2010-03-09 00:46 . 2010-03-09 00:46 -------- d-----w- c:\program files\Morphyre
2010-03-09 00:44 . 2010-01-02 16:34 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Winamp
2010-03-09 00:42 . 2010-01-02 16:34 -------- d-----w- c:\program files\Winamp
2010-03-09 00:40 . 2010-03-09 00:40 -------- d-----w- c:\program files\R4
2010-03-08 06:47 . 2010-01-02 16:34 -------- d-----w- c:\program files\Winamp Detect
2010-03-07 13:50 . 2010-03-07 13:50 79368 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.10\RUP\vista.exe
2010-03-07 05:07 . 2010-03-07 05:07 439816 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-05 15:16 . 2010-03-05 15:16 -------- d-----w- c:\program files\Microsoft
2010-02-24 15:16 . 2010-01-02 06:54 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-18 08:06 . 2010-02-18 08:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-18 03:59 . 2010-01-02 07:20 38784 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-18 03:59 . 2010-01-02 07:20 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 14:13 . 2010-02-15 14:13 64099864 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Nokia\Ovi Suite\Software Updater\NokiaOviSuite2Installer.exe
2010-02-08 01:12 . 2010-02-08 01:12 12212040 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-02-08 01:12 . 2010-02-08 01:12 13930312 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-02-08 01:12 . 2010-02-08 01:12 77824 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-02-08 01:12 . 2010-02-08 01:12 61440 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-02-08 01:12 . 2010-02-08 01:12 58880 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-02-08 01:12 . 2010-02-08 01:12 50000 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\pcswpc.exe
2010-02-08 00:33 . 2010-02-08 01:12 98360888 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Nokia_Ovi_Suite_2_1_0_82_ALL.exe
2010-02-04 15:53 . 2010-03-19 14:24 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2010-03-19 14:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-02 07:45 . 2010-02-24 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2008-09-29 14:07 . 2010-01-02 09:20 22576 ----a-w- c:\program files\mozilla firefox\components\scriptff.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-11-04 03:12 556432 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Google Update"="c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-02 135664]
"googletalk"="c:\users\Le Minh Triet\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-09 714016]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-13 36864]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-11-17 69568]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-10-19 3093816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2009-09-27 83312]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-10 202256]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2007-09-07 53248]
"Launch Backup Service Once"="c:\program files\Lenovo\Rescue and Recovery\rrstrigger.exe" [2009-09-25 21304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-08-17 20:27 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\startupfolder\C:^Users^Le Minh Triet^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\Le Minh Triet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-13 13480]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 135664]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\LENOVO\HOTKEY\CAMMUTE.exe [2009-11-09 54632]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-11-18 44984]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
R2 PrivateDisk;PrivateDisk;c:\program files\Utimaco\SafeGuard PrivateDisk\PrivateDiskM.sys [2007-09-07 57856]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-11-17 62904]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-19 1263728]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
R3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2009-11-20 20848]
R3 PCDSRVC{C4B36920-79E24793-06000000}_0;PCDSRVC{C4B36920-79E24793-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\pcdsrvc.pkms [2009-11-20 20848]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-09 75040]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-07-02 38336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-29 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:07]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:07]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1209684377-1073439955-1070647248-1000Core.job
- c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-04 08:07]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1209684377-1073439955-1070647248-1000UA.job
- c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-04 08:07]

2010-01-19 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdlauncher.exe [2009-11-20 10:12]

2010-04-06 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2010-02-18 00:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://med.uth.tmc.edu/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = ;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: tmc.edu\vpn.uth
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\
FF - prefs.js: browser.startup.homepage - hxxp://med.uth.tmc.edu/
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
FF - component: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce- - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{C4B36920-79E24793-06000000}_0]
"ImagePath"="\??\c:\progra~1\pc-doc~1\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-29 03:18:42
ComboFix-quarantined-files.txt 2010-04-29 08:18
ComboFix2.txt 2010-04-29 05:30

Pre-Run: 12,342,243,328 bytes free
Post-Run: 12,292,853,760 bytes free

- - End Of File - - 9DDEBEB98A43FE90C536BC8E5BA75493

Hi


GMER

Note about this tool:

• This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  
• This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  
• No matter what is in the log, please post all the information/contents of the log.

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
  
• Click OK.
  
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Thanks for your prompt help. Below is my gmer log. it did cause a BSOD - first time I saw that on Windows 7. I didn't see any warning of a rootkit or infection.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 23:25:58
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\LEMINH~1\AppData\Local\Temp\kxriyaoc.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A36AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A36104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A363F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1F2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A361DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A36958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A366F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A36F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A371A8

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8B596FF8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8B59700C]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8B597022]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8B59705E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0x8B597086]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x8B597072]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8B59704A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8B597036]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8B596FE4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A96599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 82C4CD23 5 Bytes JMP 8B597062 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82CA0449 5 Bytes JMP 8B59703A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 82CA8E20 5 Bytes JMP 8B597026 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82CB4B7D 5 Bytes JMP 8B596FE8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 82CE8F95 5 Bytes JMP 8B597076 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 82CF0102 5 Bytes JMP 8B59708A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 82D2DE5F 5 Bytes JMP 8B596FFC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D2DEAA 7 Bytes JMP 8B597010 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 82D2ED6B 5 Bytes JMP 8B59704E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91A19000, 0x23097E, 0xE8000020]
.text peauth.sys 9A83CC9D 28 Bytes [4F, 3A, 12, 3A, 7F, FC, 5D, ...]
.text peauth.sys 9A83CCC1 28 Bytes [4F, 3A, 12, 3A, 7F, FC, 5D, ...]
PAGE peauth.sys 9A842E20 101 Bytes CALL 03CBD368
PAGE peauth.sys 9A84302C 102 Bytes [07, ED, 79, AB, 57, F3, 1A, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Lenovo\System Update\SUService.exe[1064] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2720] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2720] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2720] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2720] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rpcnet.exe[2764] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [752B5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5376] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000061 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000086 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000088 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0016cfef1fca
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0016cfef1fca (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.

• Right-click on mbr.exe and click Run as Administrator to start the program.
  
• When done scanning, it will save a log on the Desktop called mbr.log.
  
• Please post the contents of that log in your next reply.

Here is the mbr.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 8 !

Please download HAMeb_check.exe and save it to your desktop.

• Double-click on HAMeb_check.exe to run the utility and it will create a log.
• Copy and paste the contents of that log in your next reply.

It says "this tool is not compatible with your system. Press any key to continue..."

No log written.

Please download Profiles by noahdfear.

• Save it to your desktop.
• Double-click profiles.exe and post its log when you reply

Here it is:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1209684377-1073439955-1070647248-1000
ProfileImagePath REG_EXPAND_SZ C:\Users\Le Minh Triet

SystemRoot REG_SZ C:\Windows

This seems rather odd.

Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and press enter])
Enter the following in to the black box, pressing enter after each line:



Post a log (MBR.log).

it says:

C:\Users\Le Minh Triet>cd\

C:\>mbr.exe -f
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: error reading MBR

C:\>exit

Sorry. When you go to open Command Prompt, right-click on it first, and click Run as Administrator.

Then do the commands as stated above in the codebox.

here it is when run as an administrator:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 8 !

File Name : termsrv.dll
File Size : 543232 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : a01e50a04d7b1960b33e92b9080e6a94
SHA1 : efd82448fe8c8beb48f40f88bd84ab15ea8510b4

Scanner results
Scanner results : Scanners did not find malware!
Time : 2010/04/30 22:17:49 (CDT)

VirSCAN.org Scanned Report :
Scanned time : 2010/04/30 22:17:49 (CDT)
Scanner results: Scanners did not find malware!
File Name : termsrv.dll
File Size : 543232 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : a01e50a04d7b1960b33e92b9080e6a94
SHA1 : efd82448fe8c8beb48f40f88bd84ab15ea8510b4
Online report : http://virscan.org/report/6fd94a002fc319febe734a12f9715a86.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100501070118 2010-05-01 40.13 -
AhnLab V3 2010.04.30.02 2010.04.30 2010-04-30 13.13 -
AntiVir 8.2.1.224 7.10.7.16 2010-04-30 0.26 -
Antiy 2.0.18 20100429.4301541 2010-04-29 0.12 -
Arcavir 2009 201004291451 2010-04-29 0.08 -
Authentium 5.1.1 201004302217 2010-04-30 4.79 -
AVAST! 4.7.4 100430-1 2010-04-30 0.04 -
AVG 8.5.793 271.1.1/2846 2010-05-01 2.29 -
BitDefender 7.81008.5692627 7.31453 2010-05-01 5.62 -
ClamAV 0.95.3 10884 2010-05-01 0.12 -
Comodo 3.13.579 4723 2010-04-30 40.14 -
CP Secure 1.3.0.5 2010.04.30 2010-04-30 0.10 -
Dr.Web 5.0.2.3300 2010.05.01 2010-05-01 7.61 -
F-Prot 4.4.4.56 20100430 2010-04-30 8.32 -
F-Secure 7.02.73807 2010.04.30.12 2010-04-30 8.96 -
Fortinet 4.0.14 11.761 2010-04-30 1.21 -
GData 21.61/21.22 20100501 2010-05-01 40.32 -
ViRobot 20100430 2010.04.30 2010-04-30 21.00 -
Ikarus T3.1.01.80 2010.04.30.75753 2010-04-30 5.86 -
JiangMin 13.0.900 2010.04.29 2010-04-29 40.12 -
Kaspersky 5.5.10 2010.04.30 2010-04-30 0.08 -
KingSoft 2009.2.5.15 2010.4.30.22 2010-04-30 40.13 -
McAfee 5400.1158 5968 2010-04-30 0.02 -
Microsoft 1.5703 2010.05.01 2010-05-01 40.12 -
Norman 6.04.12 6.04.00 2010-04-30 4.01 -
Panda 9.05.01 2010.04.30 2010-04-30 40.12 -
Trend Micro 9.120-1004 7.138.15 2010-04-30 0.03 -
Quick Heal 10.00 2010.04.29 2010-04-29 40.12 -
Rising 20.0 22.45.04.03 2010-04-30 40.12 -
Sophos 3.06.0 4.52 2010-05-01 3.62 -
Sunbelt 3.9.2418.2 6242 2010-04-30 40.12 -
Symantec 1.3.0.24 20100430.003 2010-04-30 18.23 -
nProtect 20100429.01 8053525 2010-04-29 40.12 -
The Hacker 6.5.2.0 v00274 2010-04-29 40.12 -
VBA32 3.12.12.4 20100429.2024 2010-04-29 2.65 -
VirusBuster 4.5.11.10 10.126.9/2000197 2010-04-30 2.66 -

Please download this file:

Dr. Web CureIt!

and run a scan with it. Post the log it generates.

It will be a *.cvs file, so double-click on it, and open it in Notepad.

the express scan found this:

vietnameseface.js;C:\Users\Le Minh Triet\Documents\THI Files\Recipes\hu tieu xao_files;Probably SCRIPT.Virus;;

i tried to run a full scan, but after 15 hrs it was only about 30% done and then it caused BSOD. don't know why. The only things it had found different than above was a trojan in the quarantine of windows defender.

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.

• Save it to your desktop.
• Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
• Double click the setup file to run it.
• Click Next to continue.
• Accept the License agreement and click on next.
• It will, by default, install it to your desktop folder. Click Next.
• It will then open a box There will be a tab that says Automatic scan.
• Under Automatic scan make sure these are checked.

• Hidden Startup Objects
• System Memory
• Disk Boot Sectors.
• My Computer.
• Also any other drives (Removable that you may have)

Leave the rest of the settings as they appear as default.

• Then click on Scan at the to right hand Corner.
• It will automatically Neutralize any objects found.
• If some objects are left un-neutralized then click the button that says Neutralize all
• If it says it cannot be neutralized then choose the delete option when prompted.
• After that is done click on the reports button at the bottom and save it to file name it Kas.
• Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.
  
  Note: This tool will self uninstall when you close it so please save the log before closing it.

Here's the report from kaspersky:

Autoscan: completed 6 minutes ago (events: 8, objects: 651627, time: 01:11:15)
5/1/2010 10:37:53 PM Task started
5/1/2010 11:17:44 PM Detected: Packed.Win32.Katusha.j C:\Qoobox\Quarantine\C\ProgramData\salizuya\salizuya.dll.vir
5/1/2010 11:17:44 PM Detected: Packed.Win32.Katusha.j C:\Qoobox\Quarantine\C\Users\Le Minh Triet\AppData\Local\ave.exe.vir
5/1/2010 11:17:44 PM Detected: Trojan.Win32.FraudPack.aujv C:\Qoobox\Quarantine\C\Users\Le Minh Triet\AppData\Local\lpodrixqo\txweamqtssd.exe.vir
5/1/2010 11:19:04 PM Deleted: Packed.Win32.Katusha.j C:\Qoobox\Quarantine\C\ProgramData\salizuya\salizuya.dll.vir
5/1/2010 11:19:08 PM Deleted: Packed.Win32.Katusha.j C:\Qoobox\Quarantine\C\Users\Le Minh Triet\AppData\Local\ave.exe.vir
5/1/2010 11:19:09 PM Deleted: Trojan.Win32.FraudPack.aujv C:\Qoobox\Quarantine\C\Users\Le Minh Triet\AppData\Local\lpodrixqo\txweamqtssd.exe.vir
5/1/2010 11:49:08 PM Task completed

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

I ran the program and it said 'no threats found.'

To manually create a new Restore Point

• Go to Control Panel and select System and Maintenance
  
• Select System
  
• On the left select Advance System Settings and accept the warning if you get one
  
• Select System Protection Tab
  
• Select Create at the bottom
  
• Type in a name i.e. Clean
  
• Select Create

Now we can purge the infected ones

• Go back to the System and Maintenance page
  
• Select Performance Information and Tools
  
• On the left select Open Disk Cleanup
  
• Select Files from all users and accept the warning if you get one
  
• In the drop down box select your main drive i.e. C
  
• For a few moments the system will make some calculations
  
• Select the More Options tab
  
• In the System Restore and Shadow Backups select Clean up
  
• Select Delete on the pop up
  
• Select OK
  
• Select Delete

You are now done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.
  

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Results of screen317's Security Check version 0.99.4
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 16
Java(TM) 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 9.3.1
Mozilla Thunderbird (3.0.) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

• Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  
• AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

No more questions. Thank you for all your help!

You're welcome.