Hello. Thanks in advance for your help. I first noticed a change in my microsoft office outlook ...then later in all of the office suite products. The physical appearance changed to one that appeared something more like "safe mode". After running the scan on my pc with Lightspeed Total Traffic Control, the virus w32.fakealert.gen-p was detected. I quarantined this and deleted it. After doing so, I uninstalled office, re-ran the scan, and then reinstalled office. The new install has the same issues. I read your recommendations and now am going to paste all of the log files to see if you can possibly help me. Thanks so much-


Malwarebytes' Anti-Malware 1.50

Database version: 5261

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/9/2010 9:29:32 AM
mbam-log-2010-12-09 (09-29-32).txt

Scan type: Full scan (C:\|)
Objects scanned: 298565
Time elapsed: 1 hour(s), 8 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER - http://www.gmer.net
Rootkit quick scan 2010-12-08 14:31:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST980813AS rev.3.ADB
Running: qurh2chb.exe; Driver: C:\DOCUME~1\acryder\LOCALS~1\Temp\awliikog.sys

---- System - GMER 1.0.15 ----

SSDT 893BE5D3 ZwEnumerateKey
SSDT 893BE5FD ZwEnumerateValueKey
SSDT 893BEBE5 ZwQueryDirectoryFile
SSDT 893BEE31 ZwQuerySystemInformation

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip IpmSecurityAgent1.sys (TDI Filter Driver/Lightspeed Systems)
AttachedDevice \Driver\Tcpip \Device\Tcp IpmSecurityAgent1.sys (TDI Filter Driver/Lightspeed Systems)
AttachedDevice \Driver\Tcpip \Device\Udp IpmSecurityAgent1.sys (TDI Filter Driver/Lightspeed Systems)
AttachedDevice \Driver\Tcpip \Device\RawIp IpmSecurityAgent1.sys (TDI Filter Driver/Lightspeed Systems)

---- EOF - GMER 1.0.15 ----

GMER two

GMER - http://www.gmer.net
Rootkit scan 2010-12-09 08:17:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST980813AS rev.3.ADB
Running: qurh2chb.exe; Driver: C:\DOCUME~1\acryder\LOCALS~1\Temp\awliikog.sys

---- System - GMER 1.0.15 ----

SSDT 893BE000 ZwAcceptConnectPort
SSDT 893BE015 ZwAccessCheck
SSDT 893BE02A ZwAccessCheckAndAuditAlarm
SSDT 893BE03F ZwAccessCheckByType
SSDT 893BE054 ZwAccessCheckByTypeAndAuditAlarm
SSDT 893BE069 ZwAccessCheckByTypeResultList
SSDT 893BE07E ZwAccessCheckByTypeResultListAndAuditAlarm
SSDT 893BE093 ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
SSDT 893BE0A8 ZwAddAtom
SSDT 893BE0BD ZwAddBootEntry
SSDT 893BE0D2 ZwAdjustGroupsToken
SSDT 893BE0E7 ZwAdjustPrivilegesToken
SSDT 893BE0FC ZwAlertResumeThread
SSDT 893BE111 ZwAlertThread
SSDT 893BE126 ZwAllocateLocallyUniqueId
SSDT 893BE13B ZwAllocateUserPhysicalPages
SSDT 893BE150 ZwAllocateUuids
SSDT 893BE165 ZwAllocateVirtualMemory
SSDT 893BE17A ZwAreMappedFilesTheSame
SSDT 893BE18F ZwAssignProcessToJobObject
SSDT 893BE1A4 ZwCallbackReturn
SSDT 893BE1B9 ZwCancelDeviceWakeupRequest
SSDT 893BE1CE ZwCancelIoFile
SSDT 893BE1E3 ZwCancelTimer
SSDT 893BE1F8 ZwClearEvent
SSDT 893BE20D ZwClose
SSDT 893BE222 ZwCloseObjectAuditAlarm
SSDT 893BE237 ZwCompactKeys
SSDT 893BE24C ZwCompareTokens
SSDT 893BE261 ZwCompleteConnectPort
SSDT 893BE276 ZwCompressKey
SSDT 893BE28B ZwConnectPort
SSDT 893BE2A0 ZwContinue
SSDT 893BE2B5 ZwCreateDebugObject
SSDT 893BE2CA ZwCreateDirectoryObject
SSDT 893BE2DF ZwCreateEvent
SSDT 893BE2F4 ZwCreateEventPair
SSDT 893BE309 ZwCreateFile
SSDT 893BE31E ZwCreateIoCompletion
SSDT 893BE333 ZwCreateJobObject
SSDT 893BE348 ZwCreateJobSet
SSDT 893BE35D ZwCreateKey
SSDT 893BE372 ZwCreateMailslotFile
SSDT 893BE387 ZwCreateMutant
SSDT 893BE39C ZwCreateNamedPipeFile
SSDT 893BE3B1 ZwCreatePagingFile
SSDT 893BE3C6 ZwCreatePort
SSDT 893BE3DB ZwCreateProcess
SSDT 893BE3F0 ZwCreateProcessEx
SSDT 893BE405 ZwCreateProfile
SSDT 893BE41A ZwCreateSection
SSDT 893BE42F ZwCreateSemaphore
SSDT 893BE444 ZwCreateSymbolicLinkObject
SSDT 893BE459 ZwCreateThread
SSDT 893BE46E ZwCreateTimer
SSDT 893BE483 ZwCreateToken
SSDT 893BE498 ZwCreateWaitablePort
SSDT 893BE4AD ZwDebugActiveProcess
SSDT 893BE4C2 ZwDebugContinue
SSDT 893BE4D7 ZwDelayExecution
SSDT 893BE4EC ZwDeleteAtom
SSDT 893BE501 ZwDeleteBootEntry
SSDT 893BE516 ZwDeleteFile
SSDT 893BE52B ZwDeleteKey
SSDT 893BE540 ZwDeleteObjectAuditAlarm
SSDT 893BE555 ZwDeleteValueKey
SSDT 893BE56A ZwDeviceIoControlFile
SSDT 893BE57F ZwDisplayString
SSDT 893BE594 ZwDuplicateObject
SSDT 893BE5A9 ZwDuplicateToken
SSDT 893BE5BE ZwEnumerateBootEntries
SSDT 893BE5D3 ZwEnumerateKey
SSDT 893BE5E8 ZwEnumerateSystemEnvironmentValuesEx
SSDT 893BE5FD ZwEnumerateValueKey
SSDT 893BE612 ZwExtendSection
SSDT 893BE627 ZwFilterToken
SSDT 893BE63C ZwFindAtom
SSDT 893BE651 ZwFlushBuffersFile
SSDT 893BE666 ZwFlushInstructionCache
SSDT 893BE67B ZwFlushKey
SSDT 893BE690 ZwFlushVirtualMemory
SSDT 893BE6A5 ZwFlushWriteBuffer
SSDT 893BE6BA ZwFreeUserPhysicalPages
SSDT 893BE6CF ZwFreeVirtualMemory
SSDT 893BE6E4 ZwFsControlFile
SSDT 893BE6F9 ZwGetContextThread
SSDT 893BE70E ZwGetDevicePowerState
SSDT 893BE723 ZwGetPlugPlayEvent
SSDT 893BE738 ZwGetWriteWatch
SSDT 893BE74D ZwImpersonateAnonymousToken
SSDT 893BE762 ZwImpersonateClientOfPort
SSDT 893BE777 ZwImpersonateThread
SSDT 893BE78C ZwInitializeRegistry
SSDT 893BE7A1 ZwInitiatePowerAction
SSDT 893BE7B6 ZwIsProcessInJob
SSDT 893BE7CB ZwIsSystemResumeAutomatic
SSDT 893BE7E0 ZwListenPort
SSDT 893BE7F5 ZwLoadDriver
SSDT 893BE80A ZwLoadKey
SSDT 893BE81F ZwLoadKey2
SSDT 893BE834 ZwLockFile
SSDT 893BE849 ZwLockProductActivationKeys
SSDT 893BE85E ZwLockRegistryKey
SSDT 893BE873 ZwLockVirtualMemory
SSDT 893BE888 ZwMakePermanentObject
SSDT 893BE89D ZwMakeTemporaryObject
SSDT 893BE8B2 ZwMapUserPhysicalPages
SSDT 893BE8C7 ZwMapUserPhysicalPagesScatter
SSDT 893BE8DC ZwMapViewOfSection
SSDT 893BE8F1 ZwModifyBootEntry
SSDT 893BE906 ZwNotifyChangeDirectoryFile
SSDT 893BE91B ZwNotifyChangeKey
SSDT 893BE930 ZwNotifyChangeMultipleKeys
SSDT 893BE945 ZwOpenDirectoryObject
SSDT 893BE95A ZwOpenEvent
SSDT 893BE96F ZwOpenEventPair
SSDT 893BE984 ZwOpenFile
SSDT 893BE999 ZwOpenIoCompletion
SSDT 893BE9AE ZwOpenJobObject
SSDT 893BE9C3 ZwOpenKey
SSDT 893BE9D8 ZwOpenMutant
SSDT 893BE9ED ZwOpenObjectAuditAlarm
SSDT 893BEA02 ZwOpenProcess
SSDT 893BEA17 ZwOpenProcessToken
SSDT 893BEA2C ZwOpenProcessTokenEx
SSDT 893BEA41 ZwOpenSection
SSDT 893BEA56 ZwOpenSemaphore
SSDT 893BEA6B ZwOpenSymbolicLinkObject
SSDT 893BEA80 ZwOpenThread
SSDT 893BEA95 ZwOpenThreadToken
SSDT 893BEAAA ZwOpenThreadTokenEx
SSDT 893BEABF ZwOpenTimer
SSDT 893BEAD4 ZwPlugPlayControl
SSDT 893BEAE9 ZwPowerInformation
SSDT 893BEAFE ZwPrivilegeCheck
SSDT 893BEB13 ZwPrivilegeObjectAuditAlarm
SSDT 893BEB28 ZwPrivilegedServiceAuditAlarm
SSDT 893BEB3D ZwProtectVirtualMemory
SSDT 893BEB52 ZwPulseEvent
SSDT 893BEB67 ZwQueryAttributesFile
SSDT 893BEB7C ZwQueryBootEntryOrder
SSDT 893BEB91 ZwQueryBootOptions
SSDT 893BEBA6 ZwQueryDebugFilterState
SSDT 893BEBBB ZwQueryDefaultLocale
SSDT 893BEBD0 ZwQueryDefaultUILanguage
SSDT 893BEBE5 ZwQueryDirectoryFile
SSDT 893BEBFA ZwQueryDirectoryObject
SSDT 893BEC0F ZwQueryEaFile
SSDT 893BEC24 ZwQueryEvent
SSDT 893BEC39 ZwQueryFullAttributesFile
SSDT 893BEC4E ZwQueryInformationAtom
SSDT 893BEC63 ZwQueryInformationFile
SSDT 893BEC78 ZwQueryInformationJobObject
SSDT 893BEC8D ZwQueryInformationPort
SSDT 893BECA2 ZwQueryInformationProcess
SSDT 893BECB7 ZwQueryInformationThread
SSDT 893BECCC ZwQueryInformationToken
SSDT 893BECE1 ZwQueryInstallUILanguage
SSDT 893BECF6 ZwQueryIntervalProfile
SSDT 893BED0B ZwQueryIoCompletion
SSDT 893BED20 ZwQueryKey
SSDT 893BED35 ZwQueryMultipleValueKey
SSDT 893BED4A ZwQueryMutant
SSDT 893BED5F ZwQueryObject
SSDT 893BED74 ZwQueryOpenSubKeys
SSDT 893BED89 ZwQueryPerformanceCounter
SSDT 893BED9E ZwQueryQuotaInformationFile
SSDT 893BEDB3 ZwQuerySection
SSDT 893BEDC8 ZwQuerySecurityObject
SSDT 893BEDDD ZwQuerySemaphore
SSDT 893BEDF2 ZwQuerySymbolicLinkObject
SSDT 893BEE07 ZwQuerySystemEnvironmentValue
SSDT 893BEE1C ZwQuerySystemEnvironmentValueEx
SSDT 893BEE31 ZwQuerySystemInformation
SSDT 893BEE46 ZwQuerySystemTime
SSDT 893BEE5B ZwQueryTimer
SSDT 893BEE70 ZwQueryTimerResolution
SSDT 893BEE85 ZwQueryValueKey
SSDT 893BEE9A ZwQueryVirtualMemory
SSDT 893BEEAF ZwQueryVolumeInformationFile
SSDT 893BEEC4 ZwQueueApcThread
SSDT 893BEED9 ZwRaiseException
SSDT 893BEEEE ZwRaiseHardError
SSDT 893BEF03 ZwReadFile
SSDT 893BEF18 ZwReadFileScatter
SSDT 893BEF2D ZwReadRequestData
SSDT 893BEF42 ZwReadVirtualMemory
SSDT 893BEF57 ZwRegisterThreadTerminatePort
SSDT 893BEF6C ZwReleaseMutant
SSDT 893BEF81 ZwReleaseSemaphore
SSDT 893BEF96 ZwRemoveIoCompletion
SSDT 893BEFAB ZwRemoveProcessDebug
SSDT 893BEFC0 ZwRenameKey
SSDT 893BEFD5 ZwReplaceKey
SSDT 893BEFEA ZwReplyPort
SSDT 893BEFFF ZwReplyWaitReceivePort
SSDT 893BF014 ZwReplyWaitReceivePortEx
SSDT 893BF029 ZwReplyWaitReplyPort
SSDT 893BF03E ZwRequestDeviceWakeup
SSDT 893BF053 ZwRequestPort
SSDT 893BF068 ZwRequestWaitReplyPort
SSDT 893BF07D ZwRequestWakeupLatency
SSDT 893BF092 ZwResetEvent
SSDT 893BF0A7 ZwResetWriteWatch
SSDT 893BF0BC ZwRestoreKey
SSDT 893BF0D1 ZwResumeProcess
SSDT 893BF0E6 ZwResumeThread
SSDT 893BF0FB ZwSaveKey
SSDT 893BF110 ZwSaveKeyEx
SSDT 893BF125 ZwSaveMergedKeys
SSDT 893BF13A ZwSecureConnectPort
SSDT 893BF14F ZwSetBootEntryOrder
SSDT 893BF164 ZwSetBootOptions
SSDT 893BF179 ZwSetContextThread
SSDT 893BF18E ZwSetDebugFilterState
SSDT 893BF1A3 ZwSetDefaultHardErrorPort
SSDT 893BF1B8 ZwSetDefaultLocale
SSDT 893BF1CD ZwSetDefaultUILanguage
SSDT 893BF1E2 ZwSetEaFile
SSDT 893BF1F7 ZwSetEvent
SSDT 893BF20C ZwSetEventBoostPriority
SSDT 893BF221 ZwSetHighEventPair
SSDT 893BF236 ZwSetHighWaitLowEventPair
SSDT 893BF24B ZwSetInformationDebugObject
SSDT 893BF260 ZwSetInformationFile
SSDT 893BF275 ZwSetInformationJobObject
SSDT 893BF28A ZwSetInformationKey
SSDT 893BF29F ZwSetInformationObject
SSDT 893BF2B4 ZwSetInformationProcess
SSDT 893BF2C9 ZwSetInformationThread
SSDT 893BF2DE ZwSetInformationToken
SSDT 893BF2F3 ZwSetIntervalProfile
SSDT 893BF308 ZwSetIoCompletion
SSDT 893BF31D ZwSetLdtEntries
SSDT 893BF332 ZwSetLowEventPair
SSDT 893BF347 ZwSetLowWaitHighEventPair
SSDT 893BF35C ZwSetQuotaInformationFile
SSDT 893BF371 ZwSetSecurityObject
SSDT 893BF386 ZwSetSystemEnvironmentValue
SSDT 893BF39B ZwSetSystemEnvironmentValueEx
SSDT 893BF3B0 ZwSetSystemInformation
SSDT 893BF3C5 ZwSetSystemPowerState
SSDT 893BF3DA ZwSetSystemTime
SSDT 893BF3EF ZwSetThreadExecutionState
SSDT 893BF404 ZwSetTimer
SSDT 893BF419 ZwSetTimerResolution
SSDT 893BF42E ZwSetUuidSeed
SSDT 893BF443 ZwSetValueKey
SSDT 893BF458 ZwSetVolumeInformationFile
SSDT 893BF46D ZwShutdownSystem
SSDT 893BF482 ZwSignalAndWaitForSingleObject
SSDT 893BF497 ZwStartProfile
SSDT 893BF4AC ZwStopProfile
SSDT 893BF4C1 ZwSuspendProcess
SSDT 893BF4D6 ZwSuspendThread
SSDT 893BF4EB ZwSystemDebugControl
SSDT 893BF500 ZwTerminateJobObject
SSDT 893BF515 ZwTerminateProcess
SSDT 893BF52A ZwTerminateThread
SSDT 893BF53F ZwTestAlert
SSDT 893BF554 ZwTraceEvent
SSDT 893BF569 ZwTranslateFilePath
SSDT 893BF57E ZwUnloadDriver
SSDT 893BF593 ZwUnloadKey
SSDT 893BF5A8 ZwUnloadKeyEx
SSDT 893BF5BD ZwUnlockFile
SSDT 893BF5D2 ZwUnlockVirtualMemory
SSDT 893BF5E7 ZwUnmapViewOfSection
SSDT 893BF5FC ZwVdmControl
SSDT 893BF611 ZwWaitForDebugEvent
SSDT 893BF626 ZwWaitForMultipleObjects
SSDT 893BF63B ZwWaitForSingleObject
SSDT 893BF650 ZwWaitHighEventPair
SSDT 893BF665 ZwWaitLowEventPair
SSDT 893BF67A ZwWriteFile
SSDT 893BF68F ZwWriteFileGather
SSDT 893BF6A4 ZwWriteRequestData
SSDT 893BF6B9 ZwWriteVirtualMemory
SSDT 893BF6CE ZwYieldExecution
SSDT 893BF6E3 ZwCreateKeyedEvent
SSDT 893BF6F8 ZwOpenKeyedEvent
SSDT 893BF70D ZwReleaseKeyedEvent
SSDT 893BF722 ZwWaitForKeyedEvent
SSDT 893BF737 ZwQueryPortInformationProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip IpmSecurityAgent1.sys (TDI Filter Driver/Lightspeed Systems)
AttachedDevice \Driver\Tcpip \Device\Tcp IpmSecurityAgent1.sys (TDI Filter Driver/Lightspeed Systems)
AttachedDevice \Driver\Tcpip \Device\Udp IpmSecurityAgent1.sys (TDI Filter Driver/Lightspeed Systems)
AttachedDevice \Driver\Tcpip \Device\RawIp IpmSecurityAgent1.sys (TDI Filter Driver/Lightspeed Systems)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a9412a942
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a9412a942 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download@LastSuccessTime 2010-12-08 19:31:37

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 0 bytes

---- EOF - GMER 1.0.15 ----


DDS (Ver_09-06-26.01) - NTFSx86
Run by acryder at 10:50:00.28 on Thu 12/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2266 [GMT -5:00]

AV: Lightspeed Systems Security Agent 7.02.05 *On-access scanning disabled* (Updated) {983E71A4-EDBC-4776-A28B-07BCBC8D6457}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SAAlert.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\satray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\eInstruction\Device Manager\Launch.exe
C:\Documents and Settings\acryder\Local Settings\Application Data\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LanSchool\lsproxy\lskproxy.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Documents and Settings\acryder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\acryder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\acryder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\acryder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\acryder\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;*.screven.k12.ga.us;<local>
uInternet Settings,ProxyServer = hxxp://
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: lsk_WebBlk Class: {1935e690-1ac1-4aa5-ba23-3d9d0ceb3a00} - c:\windows\system32\Lsk_iBlk.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Palringo] "c:\program files\palringo\Palringo.exe" /hidden
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\acryder\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SecurityAgentTray] c:\program files\lightspeed systems\securityagent\satray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Teacher] c:\program files\lanschool\teacher.exe
StartupFolder: c:\docume~1\acryder\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\acryder\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\einstr~1.lnk - c:\program files\einstruction\device manager\Launch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\Snagit32.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\lskproxy.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photobiz.com/controlpanel/uploader/22/ImageUploader5.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226521382248
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268409368787
DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://financeweb.doe.k12.ga.us/CAWEB/Reports/arview2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\acryder\applic~1\mozilla\firefox\profiles\ljf5wdln.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157|http://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\acryder\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\

Recommended Answers

All 3 Replies

Hello April and welcome to daniweb. Thank you for following the steps in our Read Me sticky. You have posted two copies of the same DDS scanner log. We need to see the other log which is the one that shows Disk Partitions, Disabled Device Manager Items, System Restore Points, Installed Programs and Event Viewer Messages From Past Week. We do need to see that log.
I am not familiar with your security program, Lightspeed Total Traffic Control, research tells me it is a program used on a school network.
Since I am not that familiar with the program I cannot say how good it is so I won't pass judgment on it's findings. However, the symptoms you describe are not the "normal" or usual symptoms of a Fake.Alert infection, which is a family of Trojans by the way, not a virus. Fakealert spyware belongs to a family of Trojans that aid rogue anti-spyware programs in infecting the user's system. They generate a fake warning message and show false alerts to the user that the system is infected with spyware and Trojans, it fools the user into buying the software.They usually show themselves by very large, sometimes full screen covering "official looking" alerts. They DO look very real, often times showing what is a false scanner running and finding multiple supposed infections on the system. It will generally show you a very large number of supposedly infected files that it "claims" can only be removed by purchasing their program. These trojans generally stop the users ability to even run their normal security programs and if they can run they find nothing. But usually the scanning ability is totally disabled. Many times this warning screen disables your ability to even see most of the desktop. Did you receive any of these types of warning screens? It is also unusual for a regular anti virus program to be able to remove or quarantine these, they may be found but you will be told they cannot be removed by your regular program. MBA-M IS the program of choice for removal of these.

When your computer is infected by Trojan.Fakealert, you may notice slower computer performance, frequent warning alerts that your system has been infected with a virus or Trojan, new icons on your desktop, a switched homepage in the browser or you might even have a different desktop wallpaper.
However all you have said is your Office programs all look odd, like safe mode. You said you uninstalled them, reinstalled them but the problem remains. How did you reinstall these? I see no evidence in your DDS log of these programs being installed. I see your MBA-M install or update, Microsoft Visual Studio 8 but nothing about Microsoft Office.It should show in the log and it does not, anywhere.

There is also another concern to me is, IF this truly is one of these in this Trojan family, is one of the actions they can take is to steal your personal info, name, contacts, AND more importantly any financial info you have on the computer, bank account numbers, credit card numbers, Social Security numbers, those very important, personal items. I mention this because one listing in your log says,financeweb.doe.k12.ga.us. If I am reading this correctly it has or could have something to do with Finance,Dept.of Education Kindergarten-12 state of Georgia, U.S. There is nothing wrong with the listing itself, it's a perfectly legal listing one finds in logs, or listings of this type. Generally they come from an activex program which is required for banking or webpage access for particular sites. Any number of these can be found on a computer, it is just the fact that this appears to have to do with banking and if there is one of these on the computer then these items could be at great risk of being stolen or compromised.

As I said above, research tells me Lightspeed Total Traffic Control is a Security Suite of programs used on a school network. While I am not familiar with the program itself, I am familiar with school networks. I have a daughter who is a teacher and a granddaughter who is a college student. Both of them are connected to the internet via their respective school networks and because of this both have immediate assistance from their schools IT depts and must also follow their directives in cases of possible infections on their computers. My daughter is required to use the "in school security suite" on her school computer, it may be the same one you have, I don't know. She does not nor is required to use it on her home computer even though she uses her home computer for school work but it is not connected to the school network. My granddaughter was required to take her laptop to the IT dept when she arrived at school and they installed the anti-virus program they require for use by computers on their network. I am not certain what program it is though it is a "regular" commercial program that any of us can purchase and install, the students get it for free from the school. The school also installed MBA-M on her computer. Anyway, in both cases, if either gets a serious infection on the computer they have to consult the IT dept for assistance in cleaning. Do you have this option? If you do I believe this would be your best option if is actually connected at all times to your school network. Now if this is your home computer and you have only installed the Lightspeed program because it was available, that is a different situation and it may be we can attempt to work through this problem. But if it is on a network with other school computers then I believe you should contact your school IT dept for assistance. You will need to show them all you have done thus far including the logs.
Let me know and if it is a home computer I will be happy to try to assist.

Thanks for your help. It is a school computer. I am the Technology Coach at the high school for our county. Since submitting this log to you, i started to look at other machines. It seems that our network administrator switched from SOPHOS antivirus to Lightspeed in September. He said that he pushed out the antivirus using a script. However on the machines that I checked, the virus definitions had not been updated in 76 days and the antivirus has NEVER done a complete system scan. I did this manually on 9 machines yesterday and and all 9 had 2-6 viruses...many trojans, worms, etc. I immediately contacted the NA and he said it is not anything to be that alarmed about ...that all machines have viruses...and that it is the job of the antivirus to catch them and remove them. It seems that i am the only one concerned here. This morning when people turned on their machines about 75% of the machines are hung on the applying settings screen. I called him and he is working on it. Doesn't know what happened. Anyway, thanks again for your assistance. At the time of submitting my log files, I was under the impression that mine was an isolated case. Aren't you glad that you aren't the Network Administrator here this morning???

Oh yeah, as for the install of office, I uninstalled the program, shut down, restarted, then pulled the install file from our network. That very well could be an infected installation ...If i need further assistance after he gets his part done, I will contact you. Thanks again for your research and suggestions. I REALLY REALLY appreciate it!

Hello April, Of course this is absolutely none of my business, but sounds to me that your network administrator simply isn't doing his job! It frankly sounds, to me anyway, he doesn't know HOW to do his job!
With this install of this Lightspeed Total Traffic Control it appears that your administrator did not even follow the industry standard steps listed in the install instructions on every security program available for sale or for free to the most average home computer user; Install the program, Update the program, Do a Full Scan with the program and configure the program to do both of these automatically, daily, weekly or however often you wish these two items to be done. I could be wrong but I would think that professional network protection would certainly have those basic instructions also. You said "he pushed out the antivirus using a script". I am an average home user, I know absolutely nothing about writing scripts but it sounds to me like he forgot some very key lines of his script or wrote it incorrectly, automatically update, automatically scan and remove infections.

As I said, I am not familiar with this Lightspeed Total Traffic Control and it may be excellent, it seems to receive fairly high reviews. Reading through their website it truly appears to me your network administrator is not doing his job to assist this security system to correctly do the job it is designed to do or possibly hasn't set it up correctly or fully. You said that "virus definitions had not been updated in 76 days and the antivirus has NEVER done a complete system scan". I don't know when this security system was put into use and I don't know when school began in your school system but just reading a calendar tells me this goes back to mid-September. According to the Lightspeed Total Traffic Control website it says the following:

When we create a new virus signature we make sure that it blocks all the variants of the virus that we have in our virus collection.... Each time we make any change to a signature, such as changing the category, the changes are automatically sent to all of our customers as part of our automatic database update process...There are very few days where new viruses or virus variants are not found. Some days over 1,000 new virus signatures are added to our database and distributed to our customers.
That statement makes it sound as if he hasn't done his job, seeing that your databases are updated with new definitions each time they are sent to your network and that sounds at least that this occurs daily. Your 9 computers can't possibly be the only ones on the network to have gone 76 days without updates.

You said you manually did this on your own yesterday on 9 machines and all 9 had infections on them. Your NA's response, "all machines have viruses". I have to disagree, and being a Technology Coach I would have to assume that you would also disagree. All machines don't and won't have viruses if their security programs are configured and used correctly. Of course even the most secure systems can have an infection get through, but a good and correctly configured security system certainly lessens this possibility. Since you found infections on all 9 of the machines you worked on yesterday I would say something is definitely wrong here, especially taking into consideration this sentence from the Lightspeed website, "we make sure that it blocks all the variants of the virus". 9 computers updated and scanned, 9 computers infected tells me something isn't set up correctly. He was correct in saying, it is the job of the antivirus to catch them and remove them BUT the anti-virus program didn't DO anything until you told it to do it's job.

It sounds to me like the system WAS fully up to date when it was installed, which it likely would have been. But that is as far as he went, install. No scans, no updating, nothing. If offered protection for awhile but now, 76 days later the system is losing it's protection ability, your 2 to 6 infections on all the machines you worked on tells me this. Don't know how many machines are in this entire network but I would be willing to bet that your 9, hopefully, would fall somewhere in the middle with the number of infections found. Some likely will have many more and some will have less but if all 9 of yours tested "positive" I think everyone would have the same results on their computers too.

75% of the machines are hung on the applying settings screen.
Almost sounds as if a major update has been attempted at least. Possibly he decided he had better update this security system and the updates were so large that it may be too much for all of the computers to handle all at the same time. I also think you are right about the Office install coming from one of those infected machines too.

For your reading "pleasure" here is the Lightspeed Total Traffic Control website;


It's not an easy site to navigate and parts of it are a bit too technical for me but with time and patience eventually you do get to where you want to go.

This entire episode will be very interesting to follow. If you don't mind can you post back here with updates?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.