JS/Redirector.j trojan - assistance among other things and

XP System - Running McAfee Security Center and the real-time scanner popped up with JS/Redirector.j trojan. The log says it was "repaired" but now the system is running very slowly and I have been getting various issues. Please advise. Thank You.

Also getting this error:

AppName: iexplore.exe AppVer: 8.0.6001.18702 ModName: mshtml.dll
ModVer: 8.0.6001.18702 Offset: 00232ede

Prior to all of the above, the McAfee software was up-to-date earlier that day, but after these events the McAfee software pop-up told me I was not updated for at least 8 days and to run an update.

I was also getting various errors when using IE8, including on this site last night. It also gave me issues trying to log into my account here to post. At least I am able to slowly type this message to you all today. Please advise. THANK YOU.

Comments
- Collapse -
additional information and clarification

I was also getting various errors when using IE8 including...
"Errors on this webpage might cause it to work incorrectly"

AND

Mcafee error:

AppName: mcshell.exe AppVer: 9.15.160.0 ModName: jscript.dll
ModVer: 5.8.6001.18702 Offset: 00032e86

Thank You.

- Collapse -
Try to re-scan the computer but using...

any of these tools:

Malwarebytes' Anti-Malware
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

SUPERAntiSpyware Portable Scanner (no install is needed)
http://www.superantispyware.com/portablescanner.html

EmsiSoft MalAware (no install is needed)
http://www.emsisoft.com/en/software/malaware/

Or using the online scanners:
http://www.eset.com/online-scanner
http://www.emsisoft.com/en/software/ax/

See if any of the above will detect and remove any malware that is causing problems in Windows, IE and McAfee.

Note: If you can, please temporarily disable McAfee's protection when any of the above scanners finds a threat and tries to remove it. This is needed to prevent McAfee from interfering with the cleaning procedure of the other scanner.

- Collapse -
re: update from your response.

Thank You for responding. I want to provide you with additional information. I will try to run Malwarebytes, as it is updating right now (and is already installed on my system from a couple of weeks ago).
As I am writing this, I got another MWB error.

szAppName : mbam.exe szAppVer : 1.46.0.1 szModName : hungapp
szModVer : 0.0.0.0 offset : 00000000

BUT I relaunched the program and is now at 80% downloading the latest update.

HERE IS SOME INFO TO GIVE YOU A BETTER IDEA OF THE LAST COUPLE DAYS.

Here is an overview.

Two days ago McAfee real-time scanner popped up with JS/Redirector.j trojan. The window showed that it was "repaired." But now the system is running very slowly and I have been getting various issues.

Prior to all of the above, the McAfee software was up-to-date earlier yesterday, but after these events the McAfee software pop-up told me I was not updated for at least 8 days and to run an update. The update was run again, for only a short amount of time, then restarted.

Here are two of the McAfee errors, which happened at different times:

AppName: mcshell.exe AppVer: 9.15.160.0 ModName: jscript.dll
ModVer: 5.8.6001.18702 Offset: 00032e86

szAppName : mcsysmon.exe szAppVer : 13.15.102.0 szModName : mccoreps.dll
szModVer : 3.15.101.0 offset : 0000a9b6

The computer system and internet access were both running very slow.

After that, I ran the Malwarebytes software (already downloaded on my system for the last couple of weeks) in quick mode, and it took longer than usual, but came back with nothing. While it was running I did notice some files which I don't think I downloaded (even a while back), such as some type of anti-virus software and other names which I don't know.

From there, I was getting various errors when using IE8 including "Errors on this webpage might cause it to work incorrectly" and if I want a copy of them to click the yellow triangle in the lower left hand corner (the one that comes up with errors).

That is when I tried to launch the Malwarebytes software and got the error: Malwarebytes' Anti-Malware Error - "MBAM_ERROR_CHECK_INFECTED (1816, 7)"

Since then I was able to slowly get to the internet today, and when I went to run a McAfee scan, an error came up "Scanning has encountered a problem from which it cannot recover. Here are the problem details: Scan failed to start; result=-2147467259" ---

Since then, I was able to download the McAfee Virtual Technician and launch it. It came back with the following 3 errors.

VirusScan - McAfee VirusScan Plus
Problem: Registry entry problem(s) detected (1)
Problem: Service startup type incorrect (1)
Problem: DAT out of date

ERROR ONE
---------------
Registry 1 Registry key(s) incorrect

Expected Registry Value not Present
Expected : 1
Existing : 0
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\MCShield\Configuration ScanCookies

ERROR TWO
----------------
Service 1 service(s) incorrect
Expected Service Startup type Incorrect
Expected : manual
Existing : automatic
Service : mcods C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe


ERROR THREE
------------------
DAT and Engine 1 DAT / Engine update
DAT not Up-to-date
Expected : 6139
Existing: 6138
Engine Up-to-date
Expected : 5200
Existing: 5400


AFTER following the prompts it "auto fixed" them, but then it provided a prompt to re-check and came up with one error - ERROR Three again - DAT not Up-to-date - so I clicked the update link it prompted and the fix button and it took a while to update the DAT. It seemed to be updated, but when I checked the DAT file #, it still shows the Existing: 6138 and NOT the new one 6139.

I HOPE THIS PROVIDES YOU A BETTER IDEA OF MY CURRENT SITUATION. I THANK YOU FOR YOUR ASSISTANCE.

If you seek any additional information I will do my best to provide this to you. Thank you.

- Collapse -
Hi TRV7290, the information is quite helpful

There is definitely an infection on your computer that needs to be dealt with before dealing with errors in McAfee.

The auto-fix by McAfee VT will not help if the computer is still infected. The symptoms of infection are there, which I hope you can try to scan using another scanner or run a scan using Malwarebytes Anti-Malware in Safe Mode with Networking.

We should try to fix program or system errors only if we are positive that the system is clean of any types of viruses, worms, trojans or rogue software. Often, rogue programs will display fake warnings or will prevent the correct status of the antivirus program.

Kindly try the following:

1. Boot to safe mode with networking.
2. Open the Malwarebytes (MBAM) program and try to update the database.
3. Run a quick scan using MBAM. If MBAM finds an infection, let it remove it. Proceed to restart the computer, if prompted. Try to re-scan the computer after restarting the computer to normal mode. If it finds no infection or continues to show the error message MBAM_ERROR_CHECK_INFECTED, proceed to scan the computer using the other tools I mentioned e.g. EmsiSoft MalAware (install is not required) in normal mode. You can also try using Hitman Pro, which remains freeware if no infection is detected but will activate to a 30 days trial version if it finds an infection. The program will be able to remove the infected files:
http://www.hitmanpro.nl/
4. Scan using TDSSKiller - It's worth trying to scan the computer using TDSSKiller by Kaspersky because of the other symptom you mentioned.

If none of the above gets rid of the fake antivirus program (rogue program or scareware), please post back providing the name of the unknown antivirus program or files that you are seeing. It will help us determine what family of rogue or Trojan your PC has at the moment.

- Collapse -
re: update before I read your latest post...

I ran MBAM quick scan (before I saw your newest post) with the latest update and it did not find anything. HOWEVER, I will follow your new directions and run in safe mode. I will keep you updated. Thank you.

Just for reference, and even though it does not show much, here is the log file from the MBAM before I read your latest post.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4873

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/18/2010 1:00:56 PM
mbam-log-2010-10-18 (13-00-56).txt

Scan type: Quick scan
Objects scanned: 171681
Time elapsed: 30 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

- Collapse -
Thanks!

Kindly try the next steps, if MBAM scan in safe mode continues to show no infection.

I'm glad to see your MBAM log because it shows that you are using XP with Service Pack 2 only.
Please note that support for Windows XP Service Pack 2 ended on July 13, 2010. One of the Service Pack Lifecycle Support Policies by Microsoft:

When support for a service pack ends, Microsoft will no longer provide new security updates, hotfixes or other updates for that service pack.

Note: You must not install Service Pack 3 for XP until the system is positively clean of any type of malware. Only install Service Pack 3 by visiting the Windows Update website, after cleaning the computer of the rogue program or malware.

- Collapse -
we're getting somewhere..

Here's an update...you will have a better idea of the progress once you have read through the posting. THANKS for your assistance.

I attempted to run the programs with McAfee disabled; I am pretty sure the McAfee products were "disabled" for most of the scans. What is the proper way to close the security suite, because it runs at startup, which includes McAfee VirusScan, McAfee Firewall, McAfee Security Center, McAfee Spyware protection and McAfee Systemguard.

THE FOLLOWING WERE RUN IN 'NORMAL MODE' - explanation below...
While in 'normal mode' I ran MBAM - nothing found as posted log above.
Then ran EmsiSoft MalAware - Version 1.0.0.5 - (it downloads a small file to computer) - nothing found - posted log below.
I also downloaded on computer SUPERAntiSpyware Portable Scanner to run later in 'safe mode.' You mentioned that it needs no install, but I see that it did need to be installed? But I did not install it until I was in 'safe mode'.

THE FOLLOWING RUN IN SAFE MODE....

I then booted into 'safe mode' with networking - this computer system uses dial-up, so could not connect to the internet within safe mode, but ran MBAM again (the file shows that it was updated today, but not sure if it is 100% accurate since we established the possibility of a virus on the system). Anyhow, the MBAM did not show anything.

I then ran the SUPERAntiSpyware Portable Scanner in QUICK SCAN, which DID find infected items. I have included the log below. I did follow the prompts for removal. Although the items listed did not show the JS/Redirector.j trojan, which McAfee showed had been "fixed" in my original posting. Should I run in 'normal mode' or another type of scan?

McAfee launched when started in 'normal mode.'
The system took a bit of time to settle in and sign onto the Internet.

What should I run next? Should I run the EmsiSoft MalAware in 'normal mode?'
Should I run another scanner, if so, which one do you prefer?
Should I run the TDSSKiller?

If you are seeking additional information or if I am missing a log please let me know.

I don't want to forget to thank you for your assistance.

A note about Adware, I thought I had deleted that program a while ago? You will see in the logs below.

HERE ARE THE LOGS....
==========================================
==========================================

MalAware - Version 1.0.0.5
Last update: 10/17/2010 16:29:17 PM

Scan settings:

Scan type: Quick Scan
Objects: Memory, Traces
Cleaning: Off
Scan start: 10/18/2010 13:58:18 PM

Scanned

Files: 446
Traces: 53787
Cookies: 0
Processes: 46

Found

Files: 0
Traces: 0
Cookies: 0
Processes: 0

Scan end: 10/18/2010 14:02:29 PM
Scan time: 0:04:11

==========================================
==========================================

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4873

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702

10/18/2010 2:33:16 PM
mbam-log-2010-10-18 (14-33-16).txt

Scan type: Quick scan
Objects scanned: 168822
Time elapsed: 14 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

================================
================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/18/2010 at 03:22 PM

Application Version : 4.44.1000

Core Rules Database Version : 5610
Trace Rules Database Version: 3422

Scan type : Quick Scan
Total Scan Time : 00:32:22

Memory items scanned : 309
Memory threats detected : 0
Registry items scanned : 1412
Registry threats detected : 2
File items scanned : 17895
File threats detected : 21

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

Trojan.Agent/Gen-Krpytik
C:\WINDOWS\CPQDIAG\DFW_TH32.DLL

Trojan.Dropper/Win-NV
C:\WINDOWS\HELLO.EXE

Adware.Tracking Cookie
stats.manticoretechnology.com [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.harpo.122.2o7.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.hitbox.com [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.e-2dj6wfligjajsfp.stats.esomniture.com [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
sales.liveperson.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]
sales.liveperson.net [ C:\Documents and Settings\S\Application Data\Mozilla\Firefox\Profiles\9ulkdoo8.default\cookies.txt ]

==========================================
==========================================

END OF POSTING

LOOK FORWARD TO HEARING BACK FROM YOU. THANK YOU.
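The SUPERAntiSpyware log above mixes two findings that matter for cleanup (the Security Center notification switches turned off, and two trojan files) with a long tail of tracking cookies. The following is an added example, not part of the thread or of SUPERAntiSpyware itself: a small Python parser for that log format that groups detections by category, checks the parsed items against the "threats detected" totals in the header, and ranks categories for triage. The severity numbers are this example's own assumption (tampering with Security Center and trojans ranked high, tracking cookies low); the sample log embedded below is constructed to mirror the posted format and is shorter than the real one.

```python
"""Triage a SUPERAntiSpyware scan log: group detections, verify totals, rank them."""
import re
from collections import OrderedDict

# Constructed sample in the posted log format (not the poster's full log).
# Item counts are chosen so the header totals agree with the listed items.
SAMPLE_LOG = """\
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/18/2010 at 03:22 PM

Application Version : 4.44.1000

Scan type : Quick Scan
Total Scan Time : 00:32:22

Memory threats detected : 0
Registry threats detected : 2
File threats detected : 4

Disabled.SecurityCenterOption
HKLM\\SOFTWARE\\MICROSOFT\\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\\SOFTWARE\\MICROSOFT\\SECURITY CENTER#FIREWALLDISABLENOTIFY

Trojan.Agent/Gen-Krpytik
C:\\WINDOWS\\CPQDIAG\\DFW_TH32.DLL

Trojan.Dropper/Win-NV
C:\\WINDOWS\\HELLO.EXE

Adware.Tracking Cookie
.doubleclick.net [ C:\\Documents and Settings\\S\\Application Data\\Mozilla\\Firefox\\Profiles\\9ulkdoo8.default\\cookies.txt ]
.adbrite.com [ C:\\Documents and Settings\\S\\Application Data\\Mozilla\\Firefox\\Profiles\\9ulkdoo8.default\\cookies.txt ]
"""

# A detection block starts with "Family.Name" (e.g. "Adware.Tracking Cookie").
CATEGORY_RE = re.compile(r"^[A-Za-z]+\.[\w/ .-]+$")
SUMMARY_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")

# Assumed triage ranking by category family (3 = act first, 1 = cosmetic).
# "Disabled" entries mean Security Center AV/firewall warnings were silenced.
SEVERITY = {"Trojan": 3, "Disabled": 3, "Adware": 1}


def parse_sas_log(text):
    """Return OrderedDict {category: [items]} for every detection block."""
    detections = OrderedDict()
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or not CATEGORY_RE.match(lines[0]):
            continue  # header/summary block, not a detection
        detections.setdefault(lines[0], []).extend(lines[1:])
    return detections


def reported_counts(text):
    """Read the 'X threats detected : N' lines from the log header."""
    counts = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            counts[m.group(1).lower()] = int(m.group(2))
    return counts


def item_kind(item):
    """Registry hits start with a hive name; everything else (incl. cookies) is a file."""
    return "registry" if item.upper().startswith("HK") else "file"


def counts_match(text):
    """True if parsed registry/file items equal the totals the scanner reported."""
    seen = {"registry": 0, "file": 0}
    for items in parse_sas_log(text).values():
        for item in items:
            seen[item_kind(item)] += 1
    reported = reported_counts(text)
    return all(seen[k] == reported.get(k, 0) for k in seen)


def triage(detections):
    """Rank categories: highest severity first, then most items, then name."""
    rows = []
    for category, items in detections.items():
        family = category.split(".", 1)[0]
        rows.append((SEVERITY.get(family, 2), category, len(items)))
    rows.sort(key=lambda r: (-r[0], -r[2], r[1]))
    return rows


if __name__ == "__main__":
    found = parse_sas_log(SAMPLE_LOG)
    for sev, cat, n in triage(found):
        print(f"severity={sev} {cat}: {n} item(s)")
    print("parsed items agree with header totals:", counts_match(SAMPLE_LOG))
```

Run against a saved SUPERAntiSpyware log, the header check is the useful part: if the listed items do not add up to the reported totals, the log was truncated or edited when pasted, which is worth knowing before anyone reasons about what was and was not removed.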

- Collapse -
TDSSKiller Log - run in 'normal' computer mode

Here is the TDSSKiller Log - run in 'normal' computer mode

2010/10/18 16:54:49.0149 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/18 16:54:49.0149 =============================================================================
2010/10/18 16:54:49.0149 SystemInfo:
2010/10/18 16:54:49.0149
2010/10/18 16:54:49.0149 OS Version: 5.1.2600 ServicePack: 2.0
2010/10/18 16:54:49.0149 Product type: Workstation
2010/10/18 16:54:49.0149 ComputerName: X
2010/10/18 16:54:49.0149 UserName: X
2010/10/18 16:54:49.0149 Windows directory: C:\WINDOWS
2010/10/18 16:54:49.0149 System windows directory: C:\WINDOWS
2010/10/18 16:54:49.0149 Processor architecture: Intel x86
2010/10/18 16:54:49.0149 Number of processors: 1
2010/10/18 16:54:49.0149 Page size: 0x1000
2010/10/18 16:54:49.0149 Boot type: Normal boot
2010/10/18 16:54:49.0149 ==============================================================================
2010/10/18 16:54:52.0624 Initialize success
2010/10/18 16:56:06.0741 ==============================================================================
2010/10/18 16:56:06.0741 Scan started
2010/10/18 16:56:06.0741 Mode: Manual;
2010/10/18 16:56:06.0741 ==============================================================================
2010/10/18 16:56:09.0735 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/18 16:56:10.0486 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/18 16:56:11.0528 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/10/18 16:56:12.0539 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/10/18 16:56:16.0645 allegro (82b81982d68ff0d2a9d233e6c7b5dfb4) C:\WINDOWS\system32\drivers\es198x.sys
2010/10/18 16:56:21.0172 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2010/10/18 16:56:21.0743 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/18 16:56:22.0243 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/18 16:56:23.0946 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/18 16:56:24.0737 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/18 16:56:25.0358 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/18 16:56:26.0079 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/18 16:56:26.0590 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/18 16:56:28.0202 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/18 16:56:28.0703 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/18 16:56:29.0704 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/18 16:56:30.0025 CDRPDACC (f4dd5641576334e4eeabfe50b065e572) C:\Program Files\321Studios\Shared\CDRPDACC.SYS
2010/10/18 16:56:32.0558 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/10/18 16:56:34.0321 CpqDtct (dcec63bc500c1ea4eed6d608cc12112f) C:\WINDOWS\System32\Drivers\Cpqdtct.sys
2010/10/18 16:56:37.0095 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/18 16:56:37.0676 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/18 16:56:38.0196 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/18 16:56:38.0847 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/18 16:56:39.0298 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/18 16:56:41.0471 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/18 16:56:41.0992 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/18 16:56:42.0482 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/18 16:56:43.0113 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/18 16:56:43.0544 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/18 16:56:44.0035 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/18 16:56:44.0585 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/18 16:56:45.0126 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/18 16:56:45.0547 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/10/18 16:56:45.0917 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/18 16:56:47.0400 HidBatt (13c0d55da4b7148ef980e130b85d9f2c) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2010/10/18 16:56:48.0191 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/18 16:56:50.0224 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/18 16:56:52.0757 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/18 16:56:53.0558 i81x (59dca2783ab1de1acd1408a383f37c37) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2010/10/18 16:56:54.0430 iAimFP0 (5e340d20afc5b6a5f10481e9494303e5) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2010/10/18 16:56:55.0221 iAimFP1 (85f1bbae67bb4c647926704bf28a342f) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2010/10/18 16:56:56.0072 iAimFP2 (54a2bd921c96237b1843cd5c04296ace) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2010/10/18 16:56:56.0873 iAimFP3 (fcc162523f20bc86e9af537a52d9b1de) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2010/10/18 16:56:58.0465 iAimFP4 (eac7bd7aefc8759cf275251783cfee05) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2010/10/18 16:56:59.0207 iAimFP5 (c755fd20900a45afa92c029887847501) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2010/10/18 16:57:00.0008 iAimFP6 (2227113717016944a977b8eaf3d9283e) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2010/10/18 16:57:00.0719 iAimFP7 (f16747328d80faae0dd65c1eca44bfa4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2010/10/18 16:57:01.0450 iAimTV0 (52eeef81663638472879849067c69736) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2010/10/18 16:57:02.0171 iAimTV1 (a721f75afb8a64ebd2a21179aa8a6b66) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2010/10/18 16:57:04.0214 iAimTV3 (3558f4e2dafd55e67144bee8562bf475) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2010/10/18 16:57:04.0955 iAimTV4 (7ddf50166d0e6f97b2011de9a431e527) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2010/10/18 16:57:05.0656 iAimTV5 (53d5491b5f67d78a29cbad68da0f6593) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2010/10/18 16:57:06.0407 iAimTV6 (7abd62623d333dd6f32e0d4be58cbf59) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2010/10/18 16:57:07.0148 ICAM3NT5 (7e9dce459be666ab54f67e77cb7d1297) C:\WINDOWS\system32\Drivers\Icam3.sys
2010/10/18 16:57:07.0518 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\drivers\Imapi.sys
2010/10/18 16:57:09.0672 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/18 16:57:10.0182 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/18 16:57:11.0134 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/18 16:57:11.0554 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/18 16:57:11.0945 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/18 16:57:12.0345 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/18 16:57:12.0706 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/18 16:57:13.0757 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/18 16:57:14.0769 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/18 16:57:15.0179 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/18 16:57:15.0540 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/18 16:57:15.0971 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/18 16:57:17.0753 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/10/18 16:57:18.0494 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/10/18 16:57:18.0885 mfehidk (32f7298664874715ce469a79078853c4) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/10/18 16:57:20.0107 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
2010/10/18 16:57:20.0828 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
2010/10/18 16:57:21.0559 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/18 16:57:21.0949 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/18 16:57:22.0620 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/18 16:57:23.0311 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/18 16:57:24.0092 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/18 16:57:24.0493 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/18 16:57:25.0875 MPFP (bc2a92cff784555ed622f861cb34f2e6) C:\WINDOWS\system32\Drivers\Mpfp.sys
2010/10/18 16:57:27.0197 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/18 16:57:27.0557 MRxSmb (6f2d483b97b395544e59749c47963c6a) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/18 16:57:28.0038 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/18 16:57:28.0499 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/18 16:57:28.0869 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/18 16:57:29.0240 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/18 16:57:29.0780 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/18 16:57:30.0161 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/18 16:57:31.0633 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
2010/10/18 16:57:31.0944 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/18 16:57:32.0294 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/18 16:57:32.0645 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/18 16:57:32.0975 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/18 16:57:33.0486 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/18 16:57:33.0816 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/18 16:57:34.0157 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/18 16:57:34.0808 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/18 16:57:35.0218 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/18 16:57:35.0539 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/18 16:57:35.0869 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/18 16:57:36.0811 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/18 16:57:37.0592 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/18 16:57:38.0623 NUVision (ab777a70c67ba2596d25ba21bad7d4c2) C:\WINDOWS\system32\DRIVERS\NUVision.sys
2010/10/18 16:57:39.0414 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/18 16:57:39.0995 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/18 16:57:40.0276 P3 (3e16eff2a6fed2d8d7f5a66dfe65d183) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/10/18 16:57:40.0596 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/18 16:57:41.0107 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/18 16:57:41.0658 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/18 16:57:42.0649 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/18 16:57:45.0783 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/18 16:57:53.0314 Point32 (08b11f5c60edca255b18cedef8efba2a) C:\WINDOWS\system32\DRIVERS\point32.sys
2010/10/18 16:57:54.0085 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/18 16:57:54.0696 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/18 16:57:55.0558 Ptserial (20ad6a2c2cf291d295c0ae5da1630366) C:\WINDOWS\system32\DRIVERS\ptserial.sys
2010/10/18 16:58:03.0739 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/18 16:58:04.0030 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/18 16:58:04.0330 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/18 16:58:05.0362 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/18 16:58:05.0692 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/18 16:58:06.0253 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/18 16:58:06.0553 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/18 16:58:06.0834 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/18 16:58:07.0164 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/18 16:58:07.0825 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/10/18 16:58:08.0106 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/10/18 16:58:08.0466 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\DOCUME~1\Scott\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS
2010/10/18 16:58:08.0787 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\DOCUME~1\Scott\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS
2010/10/18 16:58:09.0117 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/18 16:58:10.0970 Sentinel (3e7ff2405bcc1384d946dc45edc7ed61) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2010/10/18 16:58:11.0250 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/18 16:58:11.0520 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/18 16:58:11.0791 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/18 16:58:12.0762 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/18 16:58:13.0483 SMC1211 (a5c6fec0a50d81715a2df0e119d635ce) C:\WINDOWS\system32\DRIVERS\SMC1211.SYS
2010/10/18 16:58:14.0264 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/10/18 16:58:15.0166 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/18 16:58:15.0396 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/18 16:58:16.0428 Srv (ab9c79ed12d65e800aaad3d72a04792f) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/18 16:58:16.0848 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/18 16:58:17.0139 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/18 16:58:17.0830 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/18 16:58:20.0924 sysaudio (650ad082d46bac0e64c9c0e0928492fd)

C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/18 16:58:22.0006 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9)

C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/18 16:58:22.0416 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f)

C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/18 16:58:22.0646 TDTCP (ed0580af02502d00ad8c4c066b156be9)

C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/18 16:58:22.0907 TermDD (a540a99c281d933f3d69d55e48727f47)

C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/18 16:58:24.0119 tunmp (87a0e9e18c10a9e454238e3330e2a26d)

C:\WINDOWS\system32\DRIVERS\tunmp.sys
2010/10/18 16:58:24.0409 Udfs (12f70256f140cd7d52c58c7048fde657)

C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/18 16:58:25.0441 Update (ced744117e91bdc0beb810f7d8608183)

C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/18 16:58:25.0711 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79)

C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/18 16:58:25.0961 usbhub (c72f40947f92cea56a8fb532edf025f1)

C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/18 16:58:26.0222 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75)

C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/18 16:58:26.0482 usbuhci (f8fd1400092e23c8f2f31406ef06167b)

C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/18 16:58:27.0714 V7 (ea8def76a1be5c770fb12d0382be632c)

C:\WINDOWS\system32\drivers\V7.sys
2010/10/18 16:58:27.0924 VgaSave (8a60edd72b4ea5aea8202daf0e427925)

C:\WINDOWS\System32\drivers\vga.sys
2010/10/18 16:58:29.0336 Vmodem (2cd2e58bc1052f424ace9921d6f2e60Cool

C:\WINDOWS\system32\DRIVERS\vmodem.sys
2010/10/18 16:58:29.0607 VolSnap (ee4660083deba849ff6c485d944b379b)

C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/18 16:58:30.0187 Vpctcom (874d91d0bed4b7852a38f84d42142375)

C:\WINDOWS\system32\DRIVERS\vpctcom.sys
2010/10/18 16:58:30.0468 vsdatant (d9feffbc7b0d553600eb726631e3efc0)

C:\WINDOWS\system32\vsdatant.sys
2010/10/18 16:58:31.0059 Vvoice (566b85083c204c6cb4099f9b5906e7e4)

C:\WINDOWS\system32\DRIVERS\vvoice.sys
2010/10/18 16:58:31.0720 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd)

C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2010/10/18 16:58:32.0370 wacomvhid (73e6f16a1f187d71fb26af308551e54a)

C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2010/10/18 16:58:33.0542 WacomVKHid (889459833432b161cb99cfdf84a1a9bb)

C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
2010/10/18 16:58:33.0752 Wanarp (984ef0b9788abf89974cfed4bfbaacbc)

C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/18 16:58:34.0003 wanatw (0a716c08cb13c3a8f4f51e882dbf7416)

C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/10/18 16:58:35.0144 wdmaud (efd235ca22b57c81118c1aeb4798f1c1)

C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/18 16:58:35.0445 WSTCODEC (d5842484f05e12121c511aa93f6439ec)

C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/18 16:58:35.0555

================================================================================
2010/10/18 16:58:35.0555 Scan finished
2010/10/18 16:58:35.0555

================================================================================
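A TDSSKiller log like the one above is mostly useful for two things per loaded driver: the MD5 and the image path. The Python below is an added example (not part of this thread, and not TDSSKiller's own code) that parses a few constructed lines in that layout, lists drivers whose image is not under the Windows directory, and compares each hash with a reference map. The reference map here is built from values in the posted log purely to show the mechanics (one entry is deliberately wrong so a mismatch appears); it is not a verified set of known-good hashes.

```python
import re

# Constructed sample in the line format TDSSKiller prints for each loaded driver:
# "<date> <time> <service name> (<md5>) <path>". Hashes and paths are copied from the
# log posted in this thread; the one-entry-per-line layout is assumed.
SAMPLE_LOG = """\
2010/10/18 16:57:41.0107 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\\WINDOWS\\system32\\drivers\\PartMgr.sys
2010/10/18 16:58:08.0466 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\\DOCUME~1\\Scott\\LOCALS~1\\Temp\\SAS_SelfExtract\\SASDIFSV.SYS
2010/10/18 16:58:22.0006 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys
2010/10/18 16:58:35.0555 Scan finished
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) "
    r"(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$"
)


def parse_tdss_log(text):
    """Return one dict per driver entry; status lines such as 'Scan finished' are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["md5"] = d["md5"].lower()
            entries.append(d)
    return entries


def drivers_outside_system(entries, system_root="C:\\WINDOWS"):
    """Names of drivers whose image is not under the Windows directory.

    A driver loaded from a user's Temp folder is not necessarily malicious (here it is
    SUPERAntiSpyware's own portable driver), but it is the kind of entry a reviewer
    should look at first.
    """
    root = system_root.lower()
    return [e["name"] for e in entries if not e["path"].lower().startswith(root)]


def check_known_hashes(entries, known):
    """Compare each entry's MD5 against a reference map keyed by lower-case file name.

    Returns name -> 'match', 'MISMATCH' or 'unknown'.
    """
    result = {}
    for e in entries:
        fname = e["path"].rsplit("\\", 1)[-1].lower()
        expected = known.get(fname)
        if expected is None:
            result[e["name"]] = "unknown"
        elif expected.lower() == e["md5"]:
            result[e["name"]] = "match"
        else:
            result[e["name"]] = "MISMATCH"
    return result


# Reference values constructed for this example from the thread's own log. A real check
# uses hashes from a trusted source (a clean install of the same service pack, the
# vendor's catalogue), never from the machine under investigation.
KNOWN_GOOD = {
    "tcpip.sys": "2a5554fc5b1e04e131230e3ce035c3f9",
    "partmgr.sys": "ffffffffffffffffffffffffffffffff",  # deliberately wrong, to show a mismatch
}

if __name__ == "__main__":
    entries = parse_tdss_log(SAMPLE_LOG)
    print("drivers parsed:", [e["name"] for e in entries])
    print("outside the Windows directory:", drivers_outside_system(entries))
    print("hash check:", check_known_hashes(entries, KNOWN_GOOD))
```

Comparing a machine against hashes read from that same machine proves nothing, which is why the advice later in this thread to submit the questionable DLL to VirusTotal is the right next step: the comparison has to be against something the suspect system could not have altered.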

- Collapse -
Is your PC a Compaq?

Hi,

Good work in doing all of the above and below (TDSSKiller scan)!

I need to know, though, if your computer is from Compaq.

This finding below by Superantispyware (SAS) seems to me a false positive, but I can't confirm until you confirm that your PC is from Compaq.
Trojan.Agent/Gen-Krpytik
C:\WINDOWS\CPQDIAG\DFW_TH32.DLL


Now, I hope you let SAS remove this obvious malware:
Trojan.Dropper/Win-NV
C:\WINDOWS\HELLO.EXE


SAS Portable should not install but if it did, I need to try that out again. Anyway, it did help in finding some stuff in your computer.

Did you let SAS quarantine/remove the above items? SAS should keep those in quarantine. If so, I need you to restore the DFW_TH32.DLL file from the SAS quarantine section, if you indeed have a Compaq machine. If not, leave it quarantined.

Is there any improvement after SAS has removed any files it detected as Trojan?

Can you scan now with McAfee without getting any errors?
Does IE8 continue to give an error on a dll file?

You mentioned in your earlier post that there is an unknown antivirus program and files; can you still see them? If so, please provide in your next post the name of the unknown antivirus program, which I suspect is a rogue program.

Also, please tell us the version number of Java Runtime you have in your computer. Please go to the link below and post back the Java Version it detects:
http://www.javatester.org/version.html

- Collapse -
yes...it is...

Hi Donna...thanks again for your assistance. Before you read through my responses, I wanted to see what is the best way to know when I have new responses. I currently have this forum tracked.

I also wanted to just verify, when running the programs you mention, should they run in "safe mode" or normal? Also something that I think you should know is that I have the system running in "selective start up" for the last couple of months.

Yes, the computer IS a Compaq system. It was originally running Windows ME, but upgraded to Windows XP when it came out.

I did let SAS remove both of the items. I am not sure if they were just quarantined or deleted from the system. I followed the prompts.

Trojan.Agent/Gen-Krpytik
C:\WINDOWS\CPQDIAG\DFW_TH32.DLL

AND

Trojan.Dropper/Win-NV
C:\WINDOWS\HELLO.EXE

So I guess I need your assistance with restoring the DFW_TH32.DLL file because it IS a Compaq.

Should I re-run any of the other programs?

On the TDSSKiller site it also showed a program called GMER, should I have also run that and post the log?

Not quite sure at the moment, if there is improvement after SAS has removed the detections, because I have also been disabling and enabling the mcafee security suite throughout the process to run the SAS and the other programs manually.

Should I try to run the Mcafee Virtual Technician to see if properly updates the DAT file which I referred to in an earlier post above?

IE8 launched in order for me to log into this forum, so thus far no errors have popped up, but I still see the yellow triangle in the lower left hand corner when using IE with various errors listed depending on the site I go to.

I will try to double check the "unknown" antivirus program that I saw when MAB was scanning the files, but I am not sure if I can replicate finding the file as they scan through very fast.

I ran the http://www.javatester.org/version.html
here is what was posted in the "pink box"
Java Version 1.6.0_20 from Sun Microsystems Inc.

I know you didn't ask, but I also looked into Add/Remove Programs and found the following 3 items listed for Java. I would guess not to take anything in Add/Remove Programs at face value because programs/software could be installed and not show up in that window.

Java DB 10.2.2.0 - 57.53MB
Java 6 Update 20 - 97.35 MB
Java 6 Update 3 - 168.00 MB

Any additional information, I will do my best to follow your steps and provide to you. Looking forward to hearing back from you. Thank You.

- Collapse -
Here is more Java Info..plus additional information I forgot

I neglected to tell you that the computer system was having some ActiveX issues, but don't remember where or how to find a log on that.

Also wanted to let you know that I also have the Firefox on the system too, I have run Firefox in the past - maybe 6+ months ago, but I have not used it since.

I also remember downloading Java Console (I think that's the name), but not sure where that would be.

A couple weeks ago I remember seeing a JAVA icon in the lower right hand corner on the task bar...not sure what it installed etc.

Here is the command prompt from the java tester website and came up with the following:

FROM command prompt "java -fullversion"
java full version "1.6.0_20-b02

---
FROM command prompt "java -version"
java version "1.06.0_20
Java<TM> SE Runtime Environment <build 1.6.0_20-b02.
Java HotSpot<TM> Client VM <build 16.3-b01, mixed mode, sharing>
--

I will look to hear from you from my last two posts. Thanks Donna.

- Collapse -
BTW, the tracking feature on replies has a bug at the moment

There is a known issue in the forum software here and they will fix it. There's a delay in receiving the notification but it will arrive.

If you are viewing a website that requires Java, the icon will appear, or if Java is updating itself. But you have plenty of Java versions that need to be removed and replaced with the new version.

Make sure you keep things up-to-date, even if you are not using it but want to keep.
Example: You have Firefox, update it. If you don't want to keep Firefox, remove it from your computer. If you want to keep it, maintain it by keeping it up-to-date.

You mentioned that you're on dial-up, which means the connection is not that fast. I suggest scheduling when to update so you can enjoy your internet connection when you want and then let the program update itself on schedule (e.g. while you are eating, taking a shower, walking the dog etc).

- Collapse -
No, you don't need to run GMER

The Kaspersky website is only showing some examples of how other tools will detect the rootkit that TDSSKiller will also find and remove.

Only try to scan now using Hitman Pro please (in normal mode). I just want to make sure that there is no more malware. Only disable McAfee's real-time protection if Hitman Pro finds any infection that requires removal.

As to the dll file that SAS has removed, it is in the quarantine section of the scanner.
Open SAS, click "Manage Quarantine". Expand the list of items in the quarantine, then locate and also expand --> Trojan.Agent/Gen-Krpytik
Select to highlight "Trojan.Agent/Gen-Krpytik" then click "Restore" button at the right.
Click "yes" on prompts to restore it, and then click "No" when it asks to delete the item in the quarantine.

Next, we need to confirm that the DFW_TH32.DLL is clean (not injected or infected). Browse for DFW_TH32.DLL in C:\WINDOWS\CPQDIAG folder.
Go to VirusTotal website. Upload the DFW_TH32.DLL file and let it scan it using several antivirus scanners. Let us know of the result.

Try only to auto-fix using McAfee VT if there are still error codes or messages showing for McAfee.
If the product continues to display out-dated virus definitions with no other error, try this:
http://www.mcafee.com/apps/downloads/security_updates/dat.asp
Download and install the new dat file for McAfee for manual installation.
Observe if Mcafee will continue to report out-dated defs.
If it will, I suggest trying the Super DAT file from the same link, but click on the Super Dat tab to download.

Glad IE is not showing the error you had previously. I need to know any error that IE displays as a problem on a page. Double-click the triangle item and then copy and paste the error. Often the error is not at your end but in the website content only.

I suggest removing all of the Java entries in Add/Remove Programs (Thanks for taking the initiative to check that stuff).
Keeping old versions can pose a security risk, especially if malware is programmed to launch the component of an older version. Old components may still be vulnerable.

Remove all Java in Add/Remove Programs. Download the new version
Java Runtime Environment (JRE) 6 Update 22

After updating java, try to visit any website again and see, if IE will display error on pages again (java script issues, for example).

BTW, I forgot to ask you earlier. Please check McAfee's quarantine section or log and tell us the path of the file that it detected/removed as JS/Redirector.j trojan.

OK, you seem to be seeing only the files that MBAM is scanning, but there is no actual detection by MBAM of a rogue or unknown antivirus program. If so, that is good news.

- Collapse -
Mcafee DAT

Thanks for responding - I will run the directions you posted above.

After I posted the last response I ran McAfee Virtual Technician, it found two items not working properly...

1. DAT file out of date
2. Expected Service Startup type Incorrect

I let the Virtual Agent "fix" this item, by downloading a new version of DAT file, but at 30% the download had a problem, so I relaunched the Virtual Agent to restart and came back with one issue - the DAT file and let it "fix" again. It started to download then jumped to 35%, now is no longer in the task bar...I don't think it installed. Here is the log:

MVT Information
MVT Version : 5.5.2.0
System Information
Operating System : Microsoft Windows XP Professional (Build 2600)
Service Pack : Service Pack 2.0
Language : 0409
Internet Explorer Version : 8.0
Internet Explorer Language : en-us
System Drive Type : FAT32
Physical Memory Available : 96048
Physical Memory Total : 522800
Virtual Memory Available : 2056616
Virtual Memory Total : 2097024
System Architecture : x86 Family 6 Model 8 Stepping 3
Date Time : 10/19/2010 10:32:23
Time Zone : GMT -05:00
Product Details
Product Name : VirusScan - McAfee VirusScan Plus
Product Version : 13.15.117
Language : en-us
Health Check Details
Registry OK
File OK
Process OK
Service 1 service(s) incorrect
Expected Service Startup type Incorrect
Expected : manual
Existing : automatic
Service: mcods C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe


COM OK
DAT and Engine 1 DAT / Engine update
DAT not Up-to-date
DAT: Expected : 6140
Existing : 6138

Top Issues OK
SYSTEM OK

--------------------------------------------------------------------------------


Product Name : SecurityCenter
Product Version : 9.15.179
Language : en-us
Health Check Details
Registry OK
File OK
Process OK
Service OK
COM OK
Top Issues OK
SYSTEM OK

--------------------------------------------------------------------------------


Product Name : Personal Firewall - McAfee VirusScan Plus
Product Version : 10.15.106
Language : en-us
Health Check Details
Registry OK
File OK
Process OK
Service OK
COM OK
Patches OK
Top Issues OK
SYSTEM OK

------------------------------------------------------------------------

- Collapse -
re: IE Error from CNET site
- Collapse -
re: when to run...

Should I restore the Trojan.Agent/Gen-Krpytik before or after I download Hitman Pro? Thanks.

- Collapse -
Ignore that :)

I am seeing 3 errors on this website, whether I'm logged in or not. It's server-side and not your PC or IE.

Please restore the dll file from SAS quarantine before running Hitman Pro scan. Let's see also if Hitman will detect it or not at all.

- Collapse -
no files in quarantine

The last post in the forum told me to post here, because it reached the "limit"

There are no files in the quarantine section of the SAS scanner?

- Collapse -
Strange. There should be, but if it's not there...

you can try to check if the said dll file is still in C:\WINDOWS\CPQDIAG (just check it out).
If you can't find it, try to show hidden files and folders in Windows.

Open Windows Explorer > Tools > Folder Options.
Click View tab. Under Hidden files and folders, click the box before "Show hidden files and folders"
Click OK.

Scan using Hitman Pro if you can't find the said dll file.

- Collapse -
re: answers to your questions (from 10-20-2010)

The following was written on 10-20-2010, but could not post it, since the forum server was updating...

Hi Donna,

I see they are updating the forums server, just my luck.

Does the SAS not showing the file in quarantine (as the system is running in "normal mode") have anything to do with the fact that it found the "trojans" when I ran the computer setup in "safemode with networking?"

Anyhow, I did a search for the "C:\WINDOWS\CPQDIAG" as you requested and the search results came back with 6 items listed. Some are folders and others look like various files, not sure if any of them are the one we are looking for. Is there a way for me to copy/paste the search results and post or send them to you (similar to a log file)?

I am presently running the Hitman3.5 and it's "classifying" now at around 99% (not sure what it means, but it does look like it's at least "working." At the time of this email, it's at about 43 minutes into it --- spending the last 15 or so at 99% uploading to "cloud."

By the way, when I first launched the Hitman3.5 program, it mentioned that one of my Microsoft security items was out of date and to click on the link for an update. I did not do this because I also had disabled my McAfee anti-virus program (as you instructed) to run the Hitman program. BTW, the Hitman3.5 program told me that I had no anti-virus software program (hence the disabling.) I guess that's a sign that the Hitman program is working?

I will keep my email account logged in, if you wish to respond to me this way e-mail) and I will keep on checking the forums to see when they are back up and running.

Thanks Donna, I appreciate your assistance.

- Collapse -
Completed Log from Hitman3.5 on 10-19-2010

Here is the log from Hitman3.5 that was run on 10-19-2010.

The program did find "riskware" according to the log. On the previous posting I typed in the 10-20, but it was really run the 19th.

Thanks again for your assistance. I hope the forum downtime allowed you to work on other projects.

<Log computer="A" scan="Normal" version="3.5.7.116" date="2010-10-19T13:33:55" timeSpentInSecs="8207" filesProcessed="51001">
<Item type="Malware" malwareName="Riskware" score="116.0" status="Quarantiend">
<Scanners>
<Scanner id="a-Squared" name="Adware.Win32.Aureate!A2" />
</Scanners>
<File path="C:\Documents and Settings\default\My Documents\Home Downloads\surfsect.exe" hash="F65B28DCD813BE8B6DC9B86AE1E8013313A1F43043657E4027209311ACCA0AB1" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@ad.wsod[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@ads.pointroll[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@apmebf[1].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@ar.atwola[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@ar.atwola[5].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@at.atwola[1].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@atdmt[2].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@atwola[1].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@bs.serving-sys[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@cdn.at.atwola[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@collective-media[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@doubleclick[2].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@invitemedia[1].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@mediaplex[2].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@microsoftsto.112.2o7[2].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@pointroll[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@questionmarket[2].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@revsci[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@serving-sys[3].txt" />
</Item>
<Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\S\Cookies\S@tribalfusion[3].txt" />
</Item>

=================================================
END

Thanks again.
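The Hitman Pro log above is XML, so it can be summarised without reading it entry by entry. The Python below is an added example (not from this thread, and not Hitman Pro's own code) that parses a constructed document in the same shape as the posted one, separates the real malware detection from the tracking-cookie "Repair" entries, and reports any item logged without a File element, as one entry in the posted log was. The closing </Log> tag and the indentation are supplied here because the posted log ends without them; the attribute names, hash and paths are those on the page.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of the Hitman Pro 3.5 log posted in this thread.
# The third Item deliberately has no <File> child, mirroring one entry in the real log.
SAMPLE_XML = r"""<Log computer="A" scan="Normal" version="3.5.7.116" date="2010-10-19T13:33:55" timeSpentInSecs="8207" filesProcessed="51001">
  <Item type="Malware" malwareName="Riskware" score="116.0" status="Quarantiend">
    <Scanners>
      <Scanner id="a-Squared" name="Adware.Win32.Aureate!A2" />
    </Scanners>
    <File path="C:\Documents and Settings\default\My Documents\Home Downloads\surfsect.exe" hash="F65B28DCD813BE8B6DC9B86AE1E8013313A1F43043657E4027209311ACCA0AB1" />
  </Item>
  <Item type="Repair" score="0.0" status="Deleted">
    <File path="C:\Documents and Settings\S\Cookies\S@ad.wsod[3].txt" />
  </Item>
  <Item type="Repair" score="0.0" status="Deleted">
  </Item>
</Log>"""


def summarize_hitman_log(xml_text):
    """Parse the log into plain dicts: scan metadata, counts per item type, and every item."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.findall("Item"):
        f = item.find("File")  # may be absent, as in the posted log
        items.append({
            "type": item.get("type"),
            "status": item.get("status"),
            "score": float(item.get("score", "0")),
            "path": f.get("path") if f is not None else None,
            "hash": f.get("hash") if f is not None else None,
            "scanners": [s.get("name") for s in item.findall("Scanners/Scanner")],
        })
    return {
        "scan_date": root.get("date"),
        "files_processed": int(root.get("filesProcessed", "0")),
        "counts": dict(Counter(i["type"] for i in items)),
        "items": items,
    }


def malware_findings(summary):
    """Only the entries worth following up: detections that carry a file path.

    Tracking cookies ('Repair' items) are noise for an incident review, and the hash on
    a Malware item is what you would look up on VirusTotal or in a vendor database.
    """
    return [i for i in summary["items"] if i["type"] == "Malware" and i["path"]]


def incomplete_items(summary):
    """Items the log recorded without a File element, so the action cannot be verified."""
    return [i for i in summary["items"] if i["path"] is None]


if __name__ == "__main__":
    s = summarize_hitman_log(SAMPLE_XML)
    print("scanned", s["files_processed"], "files on", s["scan_date"], "->", s["counts"])
    for m in malware_findings(s):
        print(m["status"], m["path"], m["hash"], m["scanners"])
    print("items without a file path:", len(incomplete_items(s)))
```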

- Collapse -
I'm not sure yet if that's the reason...

why SAS did not quarantine.

Is the DFW_TH32.DLL file in the said folder?

Good that Hitman has detected/removed an adware using EmsiSoft database/engine:
http://www.emsisoft.com/en/malware/?Adware.Win32.Aureate.a

Yes, Hitman only detected that there's no installed AV because you have it disabled.

Did you try installing the DATs or SUPER DATs manually? I need you to try, if you haven't. Just want to make sure if it'll fix the database of McAfee.

Is the system still running slow? Can you try to use normal startup, instead of selective startup?

- Collapse -
re: DAT etc.

The system is running a bit faster, but I still don't think it's running how it should be.

The McAfee Virtual Technician was finally able to download the DAT file using the "fix" option. Since then, 2 days ago, I have not run it again to see if there are any new updates. I have bookmarked the site to locate the manual DAT and SuperDAT if needed in the future.

Glad, at least, that Hitman3.5 was running properly.

I did a "search" using "DFW_TH32.DLL" on the computer and nothing came up with "DFW_TH32.DLL"

Referring back to the JAVA items, should I do that now, or wait until we have solved the virus issues?

I will reboot the system into 'normal startup' from 'selective start-up' right after I post this message. For reference, there are 32 items listed in System Configuration Utility (msconfig) - Startup Tab.

Presently - in 'selective start' I have 7 items checked off to run at start up. They are as follows:
point32
mcagent
pctspk
SysTray
qttask
RunDLL deskcp16
mcupdate_1279641976

Is there a way I can send you a txt file of the items listed for verification?

Here is the search results I did using the 'cpqdiag' search name from the other day. I don't know how to copy/paste from the search function so I manually typed them here for your reference.

Cpqdiag - C:\WINDOWS Configuration Setting - File Size 1.03 KB Size on Disk 32.0 KB

cpqdiag - C:\WINDOWS - File Folder Size 8.38MB Size on Disk 9.34

cpqdiag.cpl.disabled - C:\WINDOWS\SYSTEM32 - DISABLED File - Size 64.0 KB Size on Disk 64.0 KB

cpqdiag - C:\WINDOWS\cpqdiag - Compaq Diagnostic Application Size 1.06 MB Size on Disk 1.09 MB

cpqdiag - C:\WINDOWS\cpqdiag - Winamp Media File - Size 1.68 KB - Size on Disk 32.0 KB

Cpqdiaga - C:\WINDOWS\cpqdiag - Compaq Diagnostics Application - Size 340 KB Size on Disk 352 KB


Look forward to hearing back from you. Thanks again.

- Collapse -
I think you should just re-install the program.

You can go to:
http://www.compaq.com/support/files/armada/us/download/19228.html to download the Compaq program that should put back the dll file that SUPERAntiSpyware has removed. It is not a critical system file but you might need it when you run the diagnostic tool for your machine.

Please check your Mcafee program, if up-to-date. Mcafee should automatically update it without using VT.

Yes, proceed with removing all Java programs using Add/Remove Programs. Then install the newest version.

No need to send the list of startup items to me. You can go to:
http://www.systemlookup.com/
http://www.sysinfo.org/
Enter the name of programs in your startup items to find out if it's safe, required or not required to load during Windows logon.

I think there's no more malware or virus to attend to because you've run several tools already. SAS and Hitman Pro already took care of it. The error in IE is not at your end.
And you have not seen error on McAfee program again.

When you're done updating Java, review your startup items. Next, verify that Mcafee is up-to-date and there's nothing in Mcafee security center to fix.

Download and install CCleaner to get rid of unneeded temporary files. Get the slim, no toolbar installer from:
http://www.piriform.com/ccleaner/builds

Reboot the computer.

Go to:
http://windowsupdate.microsoft.com/
Install Windows XP Service Pack 3
After installation, visit Windows Update website again to install other security updates it will offer.

Visit Secunia Online Inspector:
http://secunia.com/vulnerability_scanning/online/
Run a scan to check what else you need to update. Follow the instruction in the scan result on how you can update the programs requiring an update.

- Collapse -
couple questions to tidy up.

Is there a way to make certain that the original virus - JS/Redirector.j is no longer on the system? What programs do you recommend keeping on the system or running to provide the added security? Lastly, how do I remove the Hitman3.5 since it has the 30 day subscription. Thanks.

- Collapse -
Re-scan :)

You can verify that the system is now clean by running another scan using Mcafee or other scanners mentioned in this topic.

Try running another scan using Hitman Pro before removing the trial version.
Remove it using Add or Remove Programs utility in Windows.

For extra layer of protection, consider using the following:
1. Hosts file - Download hosts.zip. Extract the content to a temporary folder. Copy the hosts file from the temporary folder and paste it in the C:\Windows\system32\drivers\etc folder. This hosts file will prevent your browser or computer from visiting websites that are known to serve viruses or other types of malicious software (malware).
2. Web of Trust for Internet Explorer or Firefox
3. Regularly scan Windows using an on-demand scanner e.g. MBAM, SAS, EmsiSoft, Windows Defender, because not all types of infection are detected by an antivirus program. Or run an online scanner, if you prefer not to maintain another program. Example: Eset Online Scanner

To prevent re-infection, always keep Windows and other programs up-to-date.
Also, ensure that your antivirus program is also up-to-date.
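A blocking hosts file works because the resolver consults the file before DNS, so a name mapped to 0.0.0.0 or 127.0.0.1 never reaches the real server. The Python below is an added example (not from this thread, and not the hosts.zip the post refers to) using a constructed hosts file with reserved example and test domains: it resolves names the way the file would, lists the blocked names, and flags entries that point at a routable address, which is how a hosts file that has been tampered with to redirect update or security sites can be spotted during a cleanup like this one.

```python
import ipaddress

# Constructed hosts file content. Blocked names use reserved example/test domains and
# 192.0.2.10 is from the TEST-NET-1 documentation range; this is not a real blocklist.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

# Entries from a blocking hosts file: the name resolves to a sinkhole address,
# so the browser never reaches the real server.
0.0.0.0   ads.example   tracker.example
127.0.0.1 malware-download.test

# Suspicious entry: a vendor-looking name pointed at a routable address. Malware
# sometimes edits hosts this way to keep security or update sites from loading.
192.0.2.10  update.example
"""

# Addresses a blocking hosts file is allowed to map names to.
SINKHOLES = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """hostname (lower case) -> ip_address. Comments and blank lines are ignored.

    The first line naming a host wins, matching first-match resolver behaviour, so a
    later duplicate cannot silently override an earlier entry.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: first field is not an address
        for name in parts[1:]:
            table.setdefault(name.lower(), ip)
    return table


def resolve(table, hostname):
    """Address the hosts file would answer with, or None if DNS would be consulted."""
    ip = table.get(hostname.strip().lower().rstrip("."))
    return str(ip) if ip is not None else None


def blocked_names(table):
    """Names the file sinkholes (localhost is excluded: it legitimately maps to loopback)."""
    return sorted(n for n, ip in table.items() if ip in SINKHOLES and n != "localhost")


def suspicious_entries(table):
    """Names mapped to anything other than a sinkhole.

    A blocking hosts file should never do this, so any such entry deserves a look:
    it redirects traffic for that name to a real host somewhere.
    """
    return sorted(n for n, ip in table.items() if ip not in SINKHOLES)


if __name__ == "__main__":
    t = parse_hosts(SAMPLE_HOSTS)
    print("ads.example ->", resolve(t, "ads.example"))
    print("blocked:", blocked_names(t))
    print("suspicious:", suspicious_entries(t))
```

The same parser can be pointed at the live file (C:\Windows\system32\drivers\etc\hosts on the machine in this thread) after the download is installed, to confirm that every entry is a sinkhole and that nothing unexpected was appended to it.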

- Collapse -
ESET

Hi Donna,

Working my way through the list...

I was finally able to run ESET Online Scan (from earlier posting) there seemed to be a problem with the ActiveX control and had to reset IE options to default, I hope it does not misdirect any other items.

ESET found the following:

ESET Scan - Onlinescan

C:\Documents and Settings\S\My Documents\My Completed Downloads\ms2200fr.exe
probably a variant of Win32/Adware.BPSSpywareRemover.AA application deleted - quarantined

C:\Documents and Settings\S\My Documents\My Completed Downloads\ms2200fr_1.exe probably a variant of Win32/Adware.BPSSpywareRemover.AA application deleted - quarantined

I am still getting to work on the updates you listed.

Thank you for your assistance.

- Collapse -
Glad you tried ESET Online Scanner

With several tools you tried and using resident protection by McAfee, ESET found some more things to remove!

Glad you got this adware removed. Good work! I hope you'll get the important updates for Windows and other programs soon.
