-
April 15th, 2011, 08:41 AM
#1
[Inactive] E-mail compromised
Gmail alerted me about unknown activity on my mail account. A few days earlier my internet banking service had been phished and an amount was transferred out of the account. Fortunately the culprit was arrested when he attempted to collect at the bank.
I have since changed my passwords. I have installed KeyScrambler and scanned my system with MBAM and SUPERAntispyware.
What else must I do to be safer? Thank you in advance.
-
April 15th, 2011, 09:03 AM
#2
-
April 15th, 2011, 09:40 AM
#3
I've moved this thread to our intensive care forum. You may still be infected with a trojan or keylogger etc. Malwarebytes and superantispyware are good but there are a lot of malicious programs that they cannot find.
Follow these instructions and let us have a look at the results.
http://discussions.virtualdr.com/sho...d.php?t=167915
Also, never respond to emails or requests for your username or passwords. Reputable websites will not send you an email asking for them. A password should be at least 12 characters in length with upper and lower case letters, numbers and, even better, other symbols such as ? # @ etc.
More info on safe computer use: http://www.bleepingcomputer.com/forums/topic2520.html
(Spybot - Search and Destroy and Ad-Aware Personal aren't really that effective any longer so ignore that outdated recommendation)
-
April 16th, 2011, 08:10 AM
#4
E-mail compromised.
This is the result of the MBAM scan:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6373
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
4/16/2011 12:06:20 PM
mbam-log-2011-04-16 (12-06-20).txt
Scan type: Quick scan
Objects scanned: 204477
Time elapsed: 4 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
April 16th, 2011, 09:44 AM
#5
E-mail compromised.
This is the GMER Log:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-16 13:40:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAJS-60M0A0 rev.02.03E02
Running: ycstwz5g.exe; Driver: C:\DOCUME~1\intel\LOCALS~1\Temp\kwlcapod.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwAdjustPrivilegesToken [0xA8683AF0]
SSDT 8A4DAE08 ZwAlertResumeThread
SSDT 8A4DAE40 ZwAlertThread
SSDT 89C2EAD8 ZwAllocateVirtualMemory
SSDT 8A589C88 ZwConnectPort
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateFile [0xA8684970]
SSDT BA6D80AE ZwCreateKey
SSDT 8A4D5F10 ZwCreateMutant
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreatePort [0xA86856C0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateProcessEx [0xA86861B0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateSection [0xA8685920]
SSDT BA6D80A4 ZwCreateThread
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDebugActiveProcess [0xA8683240]
SSDT BA6D80B3 ZwDeleteKey
SSDT BA6D80BD ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDuplicateObject [0xA8683350]
SSDT 89C2EA58 ZwFreeVirtualMemory
SSDT 8A4D5FD0 ZwImpersonateAnonymousToken
SSDT 89BE3750 ZwImpersonateThread
SSDT BA6D80C2 ZwLoadKey
SSDT 8A498E08 ZwMapViewOfSection
SSDT 8A4D5E50 ZwOpenEvent
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenFile [0xA8684BE0]
SSDT BA6D8090 ZwOpenProcess
SSDT 8A4D6C80 ZwOpenProcessToken
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenSection [0xA8682DC0]
SSDT BA6D8095 ZwOpenThread
SSDT 89C640B0 ZwOpenThreadToken
SSDT 89C0CF80 ZwQueryValueKey
SSDT BA6D80CC ZwReplaceKey
SSDT BA6D80C7 ZwRestoreKey
SSDT 8A5531C0 ZwResumeThread
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSecureConnectPort [0xA8685530]
SSDT 89C21978 ZwSetContextThread
SSDT 89C54068 ZwSetInformationProcess
SSDT 89C218B8 ZwSetInformationThread
SSDT BA6D80B8 ZwSetValueKey
SSDT 89C0CEC0 ZwSuspendProcess
SSDT 8A4DAF48 ZwSuspendThread
SSDT 8A498FD0 ZwTerminateProcess
SSDT 89C217F8 ZwTerminateThread
SSDT 89BA68A8 ZwUnmapViewOfSection
SSDT 89BA6928 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C10 805044AC 12 Bytes [F0, 3A, 68, A8, 08, AE, 4D, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 805044C4 4 Bytes JMP 05CA89C2
.text ntkrnlpa.exe!ZwCallbackReturn + 2D30 805045CC 4 Bytes JMP 92A289C2
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[2264] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[3396] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device InCDFs.sys (InCD File System Driver/Nero AG)
---- EOF - GMER 1.0.15 ----
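The GMER log above is the kind of output where the triage question is not "are there hooks?" (there are dozens) but "which product owns each hook?". GMER names the owning driver where it can map the hook address to a loaded image, as with pwipf6.sys, and prints only a bare address when it cannot; those unattributed hooks have to be matched against the loaded-driver list by hand. The Python below is an added example, not code from the thread or from GMER: it parses both line shapes plus the kernel code-section entries and groups the result. SAMPLE is a constructed excerpt of the log, and the 64 KiB clustering of unattributed addresses is a heuristic of this example, not a GMER rule.

```python
"""Group the SSDT hooks in a GMER log by the driver that owns them.

Added example for this thread; it is not code from GMER or from the forum.
SAMPLE is a constructed excerpt of the log posted above.
"""
import re
from collections import defaultdict

# GMER prints an SSDT hook in one of two shapes: with the owning image
# (path, vendor string, hooked service, hook address) or, when it cannot map
# the hook address to a loaded image, as a bare address and service name.
ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
UNATTRIBUTED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")
# Kernel code-section entries: ".text image!symbol + offset address N Bytes <what>"
KERNEL_PATCH = re.compile(
    r"^\.text\s+(?P<image>[^!\s]+)!(?P<symbol>\S+)\s+\+\s+(?P<off>[0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<what>.*)$"
)


def parse_gmer(text):
    """Return (hooks_by_module, unattributed_hooks, kernel_patches)."""
    hooks = defaultdict(list)   # module path -> [(service, address)]
    unattributed = []           # [(service, address)] with no owning image
    patches = []                # (image, symbol, offset, byte_count, description)
    for line in text.splitlines():
        line = line.strip()
        m = ATTRIBUTED.match(line)
        if m:
            hooks[m["module"]].append((m["func"], int(m["addr"], 16)))
            continue
        m = UNATTRIBUTED.match(line)
        if m:
            unattributed.append((m["func"], int(m["addr"], 16)))
            continue
        m = KERNEL_PATCH.match(line)
        if m:
            patches.append((m["image"], m["symbol"], int(m["off"], 16),
                            int(m["n"]), m["what"]))
    return dict(hooks), unattributed, patches


def cluster_unattributed(unattributed, region_bits=16):
    """Heuristic (an assumption of this example): hook addresses in the same
    64 KiB region are treated as one origin, so the analyst knows how many
    unknown hookers to chase against the loaded-driver list rather than how
    many hooked services there are."""
    regions = defaultdict(list)
    for func, addr in unattributed:
        regions[addr >> region_bits].append(func)
    return {f"0x{(r << region_bits):08X}": sorted(funcs) for r, funcs in regions.items()}


# Constructed excerpt of the GMER log from this thread.
SAMPLE = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwAdjustPrivilegesToken [0xA8683AF0]
SSDT 8A4DAE08 ZwAlertResumeThread
SSDT 8A4DAE40 ZwAlertThread
SSDT 89C2EAD8 ZwAllocateVirtualMemory
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateFile [0xA8684970]
SSDT BA6D80AE ZwCreateKey
SSDT BA6D80A4 ZwCreateThread
SSDT 89C2EA58 ZwFreeVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C10 805044AC 12 Bytes [F0, 3A, 68, A8, 08, AE, 4D, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 805044C4 4 Bytes JMP 05CA89C2
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    hooks, unattributed, patches = parse_gmer(SAMPLE)
    for module, entries in hooks.items():
        print(f"{module}: {', '.join(f for f, _ in entries)}")
    for region, funcs in cluster_unattributed(unattributed).items():
        print(f"unattributed near {region}: {', '.join(funcs)}")
    for image, symbol, off, n, what in patches:
        print(f"{image}!{symbol}+{off:X}: {n} bytes patched ({what})")
```

Run over the full log, the pwipf6.sys entries collapse into a single line for Privatefirewall, and what is left to explain is a handful of address clusters that have to be matched against driver load addresses from a tool such as MBRCheck. The hook list alone says nothing about whether a keylogger is present: firewalls, anti-virus engines and anti-keylogging tools hook the same services, so ownership, not presence, is the finding.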
-
April 16th, 2011, 09:48 AM
#6
E-mail compromised.
This is the MBRCheck report:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c
Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xBA0F8000 PxHelp20.sys
0xB9ED4000 KSecDD.sys
0xB9E47000 Ntfs.sys
0xB9E1A000 NDIS.sys
0xB9E00000 Mup.sys
0xBA338000 hotcore3.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9247000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB9233000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB920B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB91D7000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB91B3000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3D8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB9198000 \SystemRoot\System32\drivers\keyscrambler.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA208000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA218000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA228000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9175000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA400000 \SystemRoot\system32\drivers\InCDPass.sys
0xBA238000 \SystemRoot\system32\drivers\InCDRm.sys
0xBA410000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA68E000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA248000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA590000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB915E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA258000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA268000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA430000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB914D000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA278000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA440000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA450000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB911D000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA288000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA460000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5D2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB90BF000 \SystemRoot\system32\DRIVERS\update.sys
0xB9DD0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA2A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA2C8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5E0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA8A00000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA89DC000 \SystemRoot\system32\drivers\portcls.sys
0xBA2D8000 \SystemRoot\system32\drivers\drmk.sys
0xA895C000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
0xA893A000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA8926000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
0xB9DD4000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA308000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA368000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB90BB000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA600000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA763000 \SystemRoot\System32\Drivers\Null.SYS
0xBA606000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA388000 \SystemRoot\System32\drivers\vga.sys
0xBA60C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA60E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB9097000 \SystemRoot\system32\drivers\InCDRec.sys
0xA875B000 \SystemRoot\system32\drivers\InCDFs.sys
0xBA390000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA398000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA89D0000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8748000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA86EF000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA86C9000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA8675000 \SystemRoot\system32\drivers\pwipf6.sys
0xBA128000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA863C000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xA8614000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA85F2000 \SystemRoot\System32\drivers\afd.sys
0xBA148000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xA858D000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0xA856B000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA408000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA8540000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA84D0000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA158000 \SystemRoot\System32\Drivers\Fips.SYS
0xA8472000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA8455000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA842F000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xBA632000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xBA178000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA83EF000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA64A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA87AF000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA448000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA799000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xA829A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xBF47A000 \SystemRoot\System32\ATMFD.DLL
0xA8357000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xA82B7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA7DE5000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA7B5D000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA3F8000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA79D2000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA7625000 \SystemRoot\system32\drivers\wdmaud.sys
0xA76FA000 \SystemRoot\system32\drivers\sysaudio.sys
0xA6FF5000 \SystemRoot\System32\Drivers\HTTP.sys
0xA6F55000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xA6711000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110415.002\navex15.sys
0xA66FD000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110415.002\naveng.sys
0xBA370000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xA6579000 \??\C:\DOCUME~1\intel\LOCALS~1\Temp\kwlcapod.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 60):
0 System Idle Process
4 System
680 C:\WINDOWS\system32\smss.exe
732 csrss.exe
756 C:\WINDOWS\system32\winlogon.exe
800 C:\WINDOWS\system32\services.exe
812 C:\WINDOWS\system32\lsass.exe
1000 C:\WINDOWS\system32\svchost.exe
1068 svchost.exe
1164 C:\WINDOWS\system32\svchost.exe
1260 svchost.exe
1360 svchost.exe
1372 C:\Program Files\Privacyware\Privatefirewall 7.0\pfsvc.exe
1456 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1496 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1608 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
1720 C:\WINDOWS\system32\spoolsv.exe
1772 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1836 svchost.exe
548 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
564 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
672 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
724 C:\Program Files\Bonjour\mDNSResponder.exe
880 C:\Program Files\Symantec AntiVirus\DefWatch.exe
1132 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
1392 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
1420 C:\Program Files\Java\jre6\bin\jqs.exe
1884 C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
1984 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
176 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
488 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
600 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
2152 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2264 C:\WINDOWS\system32\searchindexer.exe
2388 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2656 alg.exe
3296 C:\WINDOWS\explorer.exe
1276 C:\WINDOWS\system32\hkcmd.exe
2472 C:\WINDOWS\system32\igfxpers.exe
2580 C:\WINDOWS\system32\igfxsrvc.exe
2576 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2632 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2872 C:\Program Files\USB Disk Security\USBGuard.exe
3392 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3396 C:\Program Files\Real\RealPlayer\Update\realsched.exe
4028 C:\Program Files\iTunes\iTunesHelper.exe
816 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
384 C:\Program Files\Blue Onion Software\Desk Drive\DeskDrive.exe
2076 C:\WINDOWS\system32\ctfmon.exe
1868 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
628 C:\Program Files\iPod\bin\iPodService.exe
3984 C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
1904 C:\Program Files\Mozilla Firefox\firefox.exe
3284 C:\Program Files\Mozilla Firefox\plugin-container.exe
1432 C:\Program Files\Privacyware\Privatefirewall 7.0\PFGUI.exe
4272 C:\Program Files\Orbitdownloader\orbitdm.exe
4300 C:\Program Files\Orbitdownloader\orbitnet.exe
5220 C:\Documents and Settings\intel\Desktop\MBRCheck.exe
5288 C:\WINDOWS\system32\searchprotocolhost.exe
5332 searchfilterhost.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000019`d689e000 (NTFS)
PhysicalDrive0 Model Number: WDCWD3200AAJS-60M0A0, Rev: 02.03E02
Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
Done!
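MBRCheck's verdict above, "Windows XP MBR code detected" together with a SHA1, comes from reading sector 0 of the disk and comparing its boot code against known-good hashes, and the two volume lines come from the partition table in that same sector. As an added example that is not MBRCheck's own code, the Python below decodes a 512-byte MBR (boot signature, the four partition entries, a hash of the code area) and turns each partition's start LBA into the byte offset MBRCheck prints. The sample image is constructed so that its two NTFS partitions land at 0x7e00 and 0x19d689e000 as in the report; the boot-code bytes, the CHS fields, the drive's total sector count, the known-good hash set and the choice to hash the 440-byte code area are all assumptions of this example, since the page does not state what MBRCheck hashes.

```python
"""Decode a 512-byte MBR: boot signature, partition table, hash of the code area.

Added example for this thread, not MBRCheck's own code. build_sample_mbr()
is constructed so that its two NTFS partitions land at the byte offsets
MBRCheck printed above (C: at 0x7e00, D: at 0x19d689e000); the boot-code
bytes, CHS fields and 320 GB sector count are placeholders. Hashing the
440-byte code area is this example's assumption.
"""
import hashlib
import struct

SECTOR = 512
CODE_AREA = 440         # 0..439 boot code, 440..443 disk signature, 444..445 pad
TABLE_OFFSET = 446      # four 16-byte partition entries, then 0x55AA at 510
ENTRY = "<B3BB3BII"     # status, CHS start, type, CHS end, start LBA, sector count
NTFS = 0x07


def parse_mbr(mbr):
    """Return the disk signature, SHA1 of the code area and the used partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            ENTRY, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,     # what MBRCheck prints per volume
            "size_bytes": count * SECTOR,
        })
    return {
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "code_sha1": hashlib.sha1(mbr[:CODE_AREA]).hexdigest().upper(),
        "partitions": parts,
    }


def classify_mbr(info, known_good):
    """Compare the code-area hash against an analyst-supplied set of hashes
    taken from clean installs (that set is an assumption of this example)."""
    if info["code_sha1"] in known_good:
        return "known boot code"
    return "unknown boot code: compare against a clean system before trusting it"


def build_sample_mbr():
    """Constructed sample MBR reproducing the two partitions in the report."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(CODE_AREA, b"\x90")  # placeholder bytes
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    total_sectors = 625142448                  # assumed sector count of a 320 GB drive
    c_start, d_start = 63, 216745200           # 0x7e00 / 512 and 0x19d689e000 / 512
    entries = (
        struct.pack(ENTRY, 0x80, 1, 1, 0, NTFS, 0xFE, 0xFF, 0xFF, c_start, d_start - c_start)
        + struct.pack(ENTRY, 0x00, 0xFE, 0xFF, 0xFF, NTFS, 0xFE, 0xFF, 0xFF, d_start,
                      total_sectors - d_start)
        + bytes(32)                             # two empty slots
    )
    return code + disk_sig + entries + b"\x55\xAA"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at offset "
              f"0x{p['byte_offset']:016x} ({p['size_bytes'] // 2**30} GiB)")
    print("code SHA1:", info["code_sha1"], "->", classify_mbr(info, set()))
```

One caveat worth keeping in mind when reading the MBRCheck result: it read sector 0 through the running Windows installation's disk stack, and the GMER post shows filter drivers attached to the volume devices (hotcore3.sys on both HarddiskVolume1 and HarddiskVolume2). That is normal for backup and security software, but it is also the layer a bootkit would use to return a clean sector, so a hash taken from a boot CD is worth more than one taken from inside the installation.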
-
April 16th, 2011, 09:58 AM
#7
Email compromised
DDS is unable to download. What else shall I do?
-
April 16th, 2011, 01:00 PM
#8
Please observe the following rules:
- Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
- If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
- Please refrain from running tools or applying updates other than those I suggest.
- Never run more than one scan at a time.
- Keep updating me regarding your computer's behavior, good or bad.
- The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
- If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
- I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
=====================================================
DDS is unable to download
Download, or run?
-
April 18th, 2011, 03:07 AM
#9
Thanks, Broni. I will make another attempt to download DDS and inform you about the result.
-
April 18th, 2011, 03:23 AM
#10
In my attempts to download DDS, Mirror 1 never seems to open. Mirror 2 opens a page with unreadable garbled text. What shall I do next?
This forum has been of great help in the past and I cannot afford to lose this assistance.
-
April 18th, 2011, 11:29 AM
#11
-
April 18th, 2011, 12:46 PM
#12
I downloaded DDS and scanned as directed. The two logs are as follows:
1) DDS.txt
DDS (Ver_09-06-26.01) - NTFSx86
Run by george at 16:39:01.46 on Mon 04/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2037.1240 [GMT 0:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Privatefirewall *disabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF4F}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Privacyware\Privatefirewall 7.0\pfsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Say the Time\SayTime.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Zamaan's Software\Pepsi Volume Controller 4.0\pvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Blue Onion Software\Desk Drive\DeskDrive.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Connection Keeper\conkeepm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\intel\Desktop\dds.scr
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\progra~1\idm\quickf~1\plugins\IEHelp.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DeskDriveStartup] c:\program files\blue onion software\desk drive\DeskDrive.exe
uRun: [Google Update] "c:\documents and settings\intel\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [F.lux] "c:\documents and settings\intel\local settings\apps\f.lux\flux.exe" /noshow
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Say the Time] c:\program files\say the time\SayTime.exe
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [Privatefirewall] c:\program files\privacyware\privatefirewall 7.0\PFGUI.exe
mRun: [Pepis Volume Controller] "c:\program files\zamaan's software\pepsi volume controller 4.0\pvc.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\docume~1\intel\startm~1\programs\startup\connec~1.lnk - c:\program files\connection keeper\conkeepm.exe
StartupFolder: c:\docume~1\intel\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272634956265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\intel\applic~1\mozilla\firefox\profiles\iz9slcc3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\intel\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-5-4 40560]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-29 11608]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2010-4-19 117584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-29 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-29 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-29 61960]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-5-1 54752]
R2 PFNet;Privacyware network service;c:\program files\privacyware\privatefirewall 7.0\pfsvc.exe [2010-6-24 357000]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-8-18 1529728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-10 102448]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2011-4-12 114952]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110417.004\naveng.sys [2011-4-18 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110417.004\navex15.sys [2011-4-18 1393144]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-6-15 11520]
=============== Created Last 30 ================
2011-04-14 07:13 <DIR> --d----- c:\program files\NET Bible
2011-04-13 11:56 <DIR> --d-h--- c:\windows\$hf_mig$
2011-04-12 09:42 114,952 a------- c:\windows\system32\drivers\keyscrambler.sys
2011-04-12 09:42 <DIR> --d----- c:\program files\KeyScrambler
2011-04-06 05:46 <DIR> --d----- c:\windows\system32\wbem\Logs
2011-04-05 10:52 <DIR> --d----- c:\program files\Temp File Cleaner
2011-03-28 08:09 <DIR> --d----- c:\program files\OfficeCM
2011-03-23 06:10 1,422,168 a------- c:\windows\system32\OfficeTabFunction.dll
2011-03-23 06:10 45,056 a------- c:\windows\system32\OTB_Loader.dll
2011-03-23 06:10 1,869,744 a------- c:\windows\system32\Officetab_Detong.ocx
2011-03-22 14:46 <DIR> --d----- c:\program files\2010 Verse-by-Verse Computer Bible Study Library
==================== Find3M ====================
2011-03-17 07:04 78,492 a---h--- c:\windows\system32\mlfcache.dat
2011-03-16 06:13 2,560 a------- c:\windows\_MSRSTRT.EXE
2011-03-10 17:55 249,856 -------- c:\windows\Setup1.exe
2011-03-10 17:55 73,216 a------- c:\windows\ST6UNST.EXE
2011-03-07 05:33 692,736 a------- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 420,864 a------- c:\windows\system32\vbscript.dll
2011-03-03 13:21 1,857,920 a------- c:\windows\system32\win32k.sys
2011-02-22 23:06 916,480 a------- c:\windows\system32\wininet.dll
2011-02-22 23:06 43,520 a------- c:\windows\system32\licmgr10.dll
2011-02-17 12:32 5,120 a------- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 290,432 a------- c:\windows\system32\atmfd.dll
2011-02-14 15:26 348,160 a------- c:\windows\system32\msvcr71.dll
2011-02-14 15:00 413,696 a------- c:\windows\system32\wrap_oal.dll
2011-02-14 15:00 110,592 a------- c:\windows\system32\OpenAL32.dll
2011-02-09 13:53 270,848 a------- c:\windows\system32\sbe.dll
2011-02-09 13:53 186,880 a------- c:\windows\system32\encdec.dll
2011-02-08 13:33 978,944 a------- c:\windows\system32\mfc42.dll
2011-02-08 13:33 974,848 a------- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 2,067,456 a------- c:\windows\system32\mstscax.dll
2011-01-27 17:15 307,200 a------- c:\windows\system32\TubeFinder.exe
2011-01-27 11:57 677,888 a------- c:\windows\system32\mstsc.exe
2011-01-21 14:44 439,296 a------- c:\windows\system32\shimgvw.dll
2010-04-29 17:24 8 ---shr-- c:\windows\system32\2D02A7C8ED.sys
2010-04-29 17:26 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2010-10-27 06:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010102720101028\index.dat
============= FINISH: 16:39:23.60 ===============
2) Attach.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-06-26.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/27/2010 12:57:16 AM
System Uptime: 4/18/2011 5:33:11 AM (11 hours ago)
Motherboard: MSI | | 2A78h
Processor: Intel Pentium III Xeon processor | Socket 775 | 2593/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 103 GiB total, 84.232 GiB free.
D: is FIXED (NTFS) - 195 GiB total, 181.422 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
2010 Verse-by-Verse Computer Bible Study Library
Adobe Flash Player 10 Plugin
AIMP2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
µTorrent
Avira AntiVir Personal - Free Antivirus
BerBible
BibleMax English Standard Version Bible
BitTorrent
Bonjour
calibre
CCleaner
Classic Menu 3.x for Office 2007
Connection Keeper
CorelDRAW Graphics Suite X3
CorePLS_Full_QFolder
CorePLS_Min_QFolder
COWON Media Center - jetAudio Plus VX
CustomerResearchQFolder
Desk Drive
DFX for Winamp
Diskeeper Professional Premier Edition
e-Sword
eBook Organizer
eLibrary
EN
ERUNT 1.1j
F.lux
FinePrint
Folderico 3.7.2
FontNav
Foxit PDF Editor
Free FLV Converter V 6.94.0
Free Launch Bar
Google Chrome
HotFile AutoDownloader
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Extended Capabilities 6.0
HP LaserJet P2015 Series 1.0
HP LaserJet P2030 Series
HP Software Update
hppFonts
hppIOFiles
hppLJP2015
hppManualsP2015
hppMSRedist
hppTLBXFXP2015
hppusgP2015
hppusgP2030
hppWebRegMM
HPSSupply
hpzTLBXFX
iDailyDiary 3.61
Intel(R) Graphics Media Accelerator Driver
iolo technologies' System Mechanic
iTunes
Java Auto Updater
Java(TM) 6 Update 22
JDownloader
Juice 2.2
Junk Mail filter update
KeyScrambler
Lingoes 2.7.1
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server 2008 Native Client
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobysaurus Thesaurus
Mozilla Firefox 4.0 (x86 en-US)
Mozilla Thunderbird (3.1.7)
MP3 Ringtone Extractor 1.1
MrvlUsgTracking
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MTN F@stLink
MyCar-Monitor 4.2.0.7
MyMicroBalance
Nero 7 Essentials
neroxml
NET Bible First Edition 2009
OfficeTab 1.20
OpenAL
Orbit Downloader
Oxford Collocations Dictionary
Paragon Partition Manager™ 10.0 Personal
PDF-Viewer
Pepsi Volume Controller 4.0
PhoneSuite
Privatefirewall 7.0
Product_SF_Full_QFolder
Product_SF_Min_QFolder
QUICKfind server v1.1
QuickTime
RadioSure
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RegCure
Revo Uninstaller 1.91
Say the Time
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB923789)
Segoe UI
SQL Server System CLR Types
STDU Viewer version 1.5.562.0
Super Internet TV v8.1 (Free Edition)
SUPERAntiSpyware
Symantec AntiVirus
Temp File Cleaner
Text To PDF Converter v1.5
The KMPlayer (remove only)
TheSage
THOMSON mp3PRO Audio Player
Tweak UI
Unlocker 1.8.8
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2522999)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows Internet Explorer 8 (KB982632)
Update Manager
USB Disk Security 5.0.0.80
VBA
Visual Studio Tools for the Office system 3.0 Runtime
WD SmartWare
WebFldrs XP
Winamp
Winamp 5.56
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Winrar 3.93
WinRAR archiver
WordWeb Pro
Xion v1.0 (build 125)
YouTube Downloader 2.6.5
==== Event Viewer Messages From Past Week ========
4/16/2011 12:17:17 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
4/15/2011 7:59:40 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ITLAB-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{FFEAC820-EE03-431A-. The master browser is stopping or an election is being forced.
4/14/2011 4:26:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
4/14/2011 4:26:56 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/14/2011 4:26:56 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
4/13/2011 5:59:41 AM, error: Service Control Manager [7000] - The Nero Registry InCD Service service failed to start due to the following error: The system cannot find the file specified.
4/12/2011 4:16:00 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.
==== End Of File ===========================
Thank you very much for your patience. I shall look forward to hearing from you.
-
April 18th, 2011, 12:49 PM
#13
You're running two AV programs, Symantec AntiVirus Corporate Edition and Avira.
One of them has to go.
Your choice.
So far, I don't see much....
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
Make sure, you re-enable your security programs, when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
Rkill.com
Rkill.scr
Rkill.exe
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
If normal mode still doesn't work, run BOTH tools from safe mode.
In case #2, please post BOTH logs, rKill and Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
April 20th, 2011, 03:01 AM
#14
Hi, Broni
I downloaded Combofix, got it through to scan. It scanned for some time and stopped. I waited for one hour and shut down the computer. I restarted with no problem.
What next?
-
April 20th, 2011, 06:45 PM
#15
Try to re-run.
If it still fails, try the steps I mentioned in my previous reply on what to do if it doesn't want to run.