
Solved WinXP-Hijack/Infected-No Control Panel-No Admin Rights

Discussion in 'Malware and Virus Removal Archive' started by Eamon030, 2009/04/15.

  1. 2009/04/15
    Eamon030

    Computer infected/hijacked. Updated and ran McAfee VS. Downloaded and ran NoAdware. Each removed some stuff but problems persist:
    (i) no Control Panel access (error message: not available due to restrictions);
    (ii) no admin rights (this is a one-user computer with full rights);
    (iii) start-up takes 5-10 minutes;
    (iv) persistent pop-ups;
    (v) if Google is used, searches are hijacked.

    DDS Reports posted below. Also, downloaded and ran HijackThis, which seems to have registered same results as DDS.

    Requesting assistance on steps to rid computer of issues. Help would be greatly appreciated. Thanks!

    DDS LOGS from 4/14/09 at 21:00 hours

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/2/2005 5:20:54 PM
    System Uptime: 4/15/2009 8:18:18 PM (1 hours ago)

    Motherboard: Dell Inc. | | 0YC523
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 144 GiB total, 99.084 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP38: 1/14/2009 10:52:54 PM - Software Distribution Service 3.0
    RP39: 1/19/2009 4:39:09 PM - System Checkpoint
    RP40: 1/20/2009 9:04:34 PM - System Checkpoint
    RP41: 1/25/2009 3:56:42 PM - System Checkpoint
    RP42: 1/31/2009 5:40:40 PM - Software Distribution Service 3.0
    RP43: 2/1/2009 6:21:28 PM - Software Distribution Service 3.0
    RP44: 2/4/2009 10:22:38 PM - System Checkpoint
    RP45: 2/7/2009 7:05:24 PM - System Checkpoint
    RP46: 2/9/2009 8:19:45 PM - System Checkpoint
    RP47: 2/12/2009 10:10:18 PM - Software Distribution Service 3.0
    RP48: 2/14/2009 9:40:25 AM - System Checkpoint
    RP49: 2/21/2009 6:55:37 PM - System Checkpoint
    RP50: 2/26/2009 9:07:10 PM - Software Distribution Service 3.0
    RP51: 3/1/2009 2:48:08 PM - System Checkpoint
    RP52: 3/11/2009 9:55:37 PM - Software Distribution Service 3.0
    RP53: 3/15/2009 7:34:57 PM - System Checkpoint
    RP54: 3/16/2009 12:53:31 PM - Software Distribution Service 3.0
    RP55: 3/21/2009 9:14:51 PM - System Checkpoint
    RP56: 3/29/2009 8:07:13 PM - System Checkpoint
    RP57: 4/1/2009 9:32:13 PM - System Checkpoint
    RP58: 4/4/2009 11:15:37 AM - System Checkpoint
    RP59: 4/5/2009 2:08:20 PM - System Checkpoint
    RP60: 4/10/2009 8:30:50 PM - Installed iTunes
    RP61: 4/11/2009 7:36:09 AM - Software Distribution Service 3.0
    RP62: 4/12/2009 5:02:44 PM - Removed iTunes
    RP63: 4/12/2009 5:16:45 PM - Installed iTunes

    ==== Installed Programs ======================

    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Reader 6.0.1
    AiO_Scan_CDA
    AiOSoftwareNPI
    Amazon MP3 Downloader 1.0.3
    AOLIcon
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    ATI Control Panel
    ATI Display Driver
    AutoUpdate
    BitTorrent 5.0.7
    BlackBerry Desktop Software 4.2
    Bonjour
    BufferChm
    C3100
    c3100_Help
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities PhotoStitch
    Comcast High-Speed Internet Install Wizard
    Comcast Toolbar
    Conexant D850 56K V.9x DFVc Modem
    D-Link DWA-556 Xtreme N PCIe Desktop Adapter
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Support Center
    Dell System Restore
    DellSupport
    Desktop Doctor
    Destinations
    DeviceManagementQFolder
    Digital Content Portal
    Digital Line Detect
    DivX
    DivX Player
    DocProc
    DocProcQFolder
    EarthLink setup files
    eSupportQFolder
    Fax_CDA
    Google Toolbar for Internet Explorer
    Hawking Technologies HWP54G Wireless-G PCI Card
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB952287)
    HP Imaging Device Functions 7.0
    HP Photosmart and Deskjet 7.0.A
    HP Photosmart Essential
    HP Software Update
    HP Solution Center 7.0
    HPPhotoSmartExpress
    HPProductAssistant
    InstantShareDevicesMFC
    Intel Matrix Storage Manager
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    iPod for Windows 2005-10-12
    iPod for Windows 2006-01-10
    iPod Updater 2004-11-15
    iTunes
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 11
    Java(TM) SE Runtime Environment 6 Update 1
    Macromedia Flash Player
    McAfee SecurityCenter
    McAfee Shredder
    MetaFrame Presentation Server Web Client for Win32
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Basic Edition 2003
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Modem Helper
    MP3 Rocket
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Musicmatch for Windows Media Player
    MyWay Search Assistant
    NetZeroInstallers
    NewCopy_CDA
    NoAdware v5.0
    OCR Software by I.R.I.S 7.0
    PanoStandAlone
    PowerDVD 5.5
    ProductContextNPI
    Pure Networks Network Magic
    Qualxserve Service Agreement
    QuickBooks Simple Start Special Edition
    Quicken 2006
    QuickTime
    Readme
    Scan
    ScannerCopy
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    SolutionCenter
    Sonic Encoders
    Status
    Toolbox
    TrayApp
    Unload
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
    Viewpoint Media Player
    WebCyberCoach 3.2 Dell
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Media Center Edition 2005 KB895198
    Windows XP Service Pack 3
    WinRAR archiver
    WinTouch
    ZyDAS IEEE 802.11 b+g Wireless LAN - USB

    ==== Event Viewer Messages From Past Week ========

    4/11/2009 7:20:50 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    4/11/2009 7:20:37 AM, error: Service Control Manager [7034] - The Pure Networks Network Magic Service service terminated unexpectedly. It has done this 1 time(s).
    4/11/2009 7:20:02 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
    4/11/2009 7:18:22 AM, error: Service Control Manager [7000] - The Windows Overlay Components service failed to start due to the following error: The system cannot find the file specified.
    4/11/2009 7:18:22 AM, error: Service Control Manager [7000] - The Net Agent service failed to start due to the following error: The system cannot find the file specified.
    4/11/2009 7:18:05 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'brastk.exe' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    4/10/2009 8:37:38 PM, error: Service Control Manager [7034] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s).
    4/10/2009 8:37:35 PM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
    4/10/2009 8:37:32 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    4/10/2009 8:37:29 PM, error: Service Control Manager [7034] - The Network Monitor service terminated unexpectedly. It has done this 1 time(s).
    4/10/2009 8:37:15 PM, error: Service Control Manager [7034] - The Atheros Configuration Service service terminated unexpectedly. It has done this 1 time(s).
    4/10/2009 8:37:06 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    4/10/2009 8:37:02 PM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
    4/10/2009 8:30:50 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error: An instance of the service is already running.
    4/10/2009 8:29:50 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/10/2009 8:29:09 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/10/2009 7:03:43 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
    4/10/2009 6:54:20 PM, error: PlugPlayManager [11] - The device Root\LEGACY_2ABB73739A307DB6899FC2C165FDF2C6\0000 disappeared from the system without first being prepared for removal.
    4/10/2009 6:50:41 PM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: Access is denied.
    4/11/2009 2:17:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Real-time Scanner service to connect.
    4/11/2009 2:17:40 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/11/2009 3:39:02 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McShield with arguments " " in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    4/12/2009 9:14:48 AM, error: Service Control Manager [7000] - The Network Monitor service failed to start due to the following error: The system cannot find the file specified.
    4/12/2009 9:16:22 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments " " in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}
    4/12/2009 9:16:22 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
    4/12/2009 9:16:22 AM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/12/2009 9:17:05 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    4/12/2009 9:17:05 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/12/2009 4:48:44 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    4/12/2009 4:48:44 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/12/2009 4:49:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
    4/12/2009 4:49:32 PM, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/12/2009 5:01:37 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    4/12/2009 5:09:42 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/13/2009 9:50:08 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McAfee SiteAdvisor Service with arguments " " in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    4/13/2009 9:50:08 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SiteAdvisor Service service to connect.
    4/13/2009 9:50:08 PM, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/11/2009 3:39:45 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file beep.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

    ==== End Of File ===========================

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Ted at 21:12:04.46 on Wed 04/15/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.463 [GMT -4:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    FW: McAfee Personal Firewall *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\acs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\DOCUME~1\Ted\LOCALS~1\Temp\Rar$EX00.718\SystemExplorer.exe
    C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\wirelesscm.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ted\Local Settings\Temporary Internet Files\Content.IE5\PQ74U38K\dds[1].scr

    ============== Pseudo HJT Report ===============

    uLocal Page = \blank.htm
    uStart Page = hxxp://www.comcast.net/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    mSearchAssistant = hxxp://www.google.com
    uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
    mURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
    mWinlogon: System=kddyl.exe
    mWinlogon: Userinit=userinit.exe
    uWinlogon: userinit=c:\windows\system32\userinit.exe
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
    TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
    TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [SystemExplorer] "c:\docume~1\ted\locals~1\temp\rar$ex00.718\SystemExplorer.exe" /TRAY
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe "
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe "
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe "
    mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [<NO NAME>]
    mRun: [sysrest32.exe] c:\windows\system32\sysrest32.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
    mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    dRun: [userinit] c:\windows\system32\twext.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link dwa-556 xtreme n pcie desktop adapter\wirelesscm.exe
    uPolicies-explorer: NoControlPanel = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    TCP: NameServer = 85.255.116.72 85.255.112.140
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: adfacbe - c:\windows\system32\adfacbe.dll
    Notify: defbbacebc - c:\windows\system32\defbbacebc.dll
    Notify: winnsy32 - winnsy32.dll
    AppInit_DLLs: iSecurity.cpl
    SSODL: zip - {00546aff-8d54-414f-976f-fe386ae5b110} - c:\windows\installer\{00546aff-8d54-414f-976f-fe386ae5b110}\zip.dll
    SSODL: CDSrv - {e0d21cb6-0860-4087-9148-8fef0b30cd14} - No File
    SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl
    SSODL: PreBootCheck - {0bbf9902-a0a7-4b36-8c81-25bbe5f04cff} - No File
    STS: compunctiously: {dec5caa7-8045-495c-8034-35aff489fedf} - c:\windows\system32\ecxwp.dll

    ============= SERVICES / DRIVERS ===============

    R1 core;core;c:\windows\system32\drivers\core.sys [2007-6-27 72832]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 213640]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-11 210216]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-11 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-11 144704]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-11 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-11 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-11 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-11 40552]
    R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2007-8-12 55840]
    S0 2abb73739a307db6899fc2c165fdf2c6;2abb73739a307db6899fc2c165fdf2c6;c:\windows\system32\2abb73739a307db6899fc2c165fdf2c6.sys --> c:\windows\system32\2abb73739a307db6899fc2c165fdf2c6.sys [?]
    S2 Net Agent;Net Agent;c:\windows\dls0523pmw.exe --> c:\windows\dls0523pmw.exe [?]
    S2 Windows IPSEC Monitor;Windows IPSEC Monitor; "c:\windows\system32\test12.exe" --> c:\windows\system32\test12.exe [?]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-11 34216]

    =============== Created Last 30 ================

    2009-04-15 20:43 <DIR> --d----- c:\program files\Trend Micro
    2009-04-13 21:15 <DIR> --d----- c:\program files\NoAdware
    2009-04-11 14:55 <DIR> --d----- c:\windows\pss
    2009-04-11 14:14 10,983 a------- c:\windows\system32\Config.MPF
    2009-04-11 13:56 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
    2009-04-11 13:56 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
    2009-04-11 13:56 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
    2009-04-11 13:56 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
    2009-04-11 13:55 <DIR> --d----- c:\program files\common files\McAfee
    2009-04-11 13:36 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
    2009-04-10 20:32 <DIR> --d----- c:\program files\iTunes
    2009-04-10 20:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-09 18:10 626 a------- c:\windows\system32\wini10821.exe

    ==================== Find3M ====================

    2009-04-13 21:50 108,563 a------- c:\windows\system32\defbbacebc.dll
    2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
    2009-01-31 18:57 88,699 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-01-31 18:41 410,984 a------- c:\windows\system32\deploytk.dll
    2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
    2008-08-04 21:13 126 a------- c:\documents and settings\ted\c200.bat
    2008-03-19 20:35 4,096 a------- c:\documents and settings\ted\DesktopFWebdEditor.exe
    2008-03-19 20:35 4,096 a------- c:\documents and settings\ted\Desktopfwebd.exe
    2008-03-19 20:35 4,096 a------- c:\documents and settings\ted\Desktopfkwp2.0.exe
    2008-03-19 20:35 4,096 a------- c:\documents and settings\ted\Desktopfkwp1.5.exe
    2008-03-19 20:35 4,096 a------- c:\documents and settings\ted\Desktopfilemanagerclient.exe
    2008-03-19 20:35 4,096 a------- c:\documents and settings\ted\DesktopEditorFKWP2.0.exe
    2008-03-19 20:35 4,096 a------- c:\documents and settings\ted\DesktopEditorFKWP1.5.exe
    2008-02-24 21:03 2,920 a------- c:\program files\xloader30029.exe
    2008-02-24 19:34 8,431 ac------ c:\program files\tmp25796953.exe
    2007-06-24 18:45 56 ---shr-- c:\windows\system32\BB562B75DE.sys
    2007-06-24 18:45 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 21:12:56.53 ===============
     
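Added example, not part of the thread and not a feature of DDS, HijackThis, SmitfraudFix or ComboFix: a small Python script that applies, to a pasted DDS log, the checks a removal helper does by eye on the Pseudo HJT and SERVICES / DRIVERS sections above. The sample input is a constructed subset of lines copied from the posted log. Every rule is a heuristic of mine, not an authoritative allow list: a non-empty Winlogon `System` value, a `Userinit` that is not the full system32 path, a per-user Winlogon value, autostarts with no name or named `userinit` or launched from a temp folder or via `rundll32 <file>.cpl`, any non-zero Explorer restriction policy, static resolvers in a known-rogue range or on any public address, any surviving Notify / AppInit_DLLs / SSODL / STS entry, and services whose binary DDS could not find or whose name is 32 random hex digits. The 85.255.112.0/20 range is one of the resolver ranges the DNSChanger malware used, which is why both nameservers in the log are flagged.

```python
"""Triage a pasted DDS log for the hijack/persistence indicators a removal
helper checks first.  Added example: not part of the thread and not a feature
of DDS, HijackThis, SmitfraudFix or ComboFix; every rule is a heuristic."""
import ipaddress
import re

# Sample input: a constructed subset of lines copied from the posted DDS log.
SAMPLE_LOG = r"""
mWinlogon: System=kddyl.exe
mWinlogon: Userinit=userinit.exe
uWinlogon: userinit=c:\windows\system32\userinit.exe
uRun: [SystemExplorer] "c:\docume~1\ted\locals~1\temp\rar$ex00.718\SystemExplorer.exe" /TRAY
mRun: [<NO NAME>]
mRun: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
dRun: [userinit] c:\windows\system32\twext.exe
uPolicies-explorer: NoControlPanel = 1 (0x1)
TCP: NameServer = 85.255.116.72 85.255.112.140
Notify: winnsy32 - winnsy32.dll
AppInit_DLLs: iSecurity.cpl
SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 213640]
S0 2abb73739a307db6899fc2c165fdf2c6;2abb73739a307db6899fc2c165fdf2c6;c:\windows\system32\2abb73739a307db6899fc2c165fdf2c6.sys --> c:\windows\system32\2abb73739a307db6899fc2c165fdf2c6.sys [?]
S2 Net Agent;Net Agent;c:\windows\dls0523pmw.exe --> c:\windows\dls0523pmw.exe [?]
"""

# 85.255.112.0/20 is one of the resolver ranges the DNSChanger malware used.
KNOWN_ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]
# On XP the only legitimate Userinit value is the full path to system32\userinit.exe;
# a bare file name is resolved through the search path, which is a hijack sign.
LEGIT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,?$", re.I)


def triage(log_text: str) -> list:
    """Return (rule, line) pairs, one per indicator that fired."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        # Winlogon: 'System' must be empty, 'Userinit' must be the real binary,
        # and a per-user (HKCU, prefix 'u') Winlogon value should not exist.
        m = re.match(r"^([um])winlogon:\s*(\w+)=(.*)$", line, re.I)
        if m:
            scope, value, target = m.group(1).lower(), m.group(2).lower(), m.group(3).strip()
            if value == "system" and target:
                hits.append(("winlogon-system-set", line))
            elif value == "userinit" and not LEGIT_USERINIT.match(target):
                hits.append(("winlogon-userinit-hijack", line))
            elif scope == "u":
                hits.append(("winlogon-per-user-value", line))
            continue
        # Run/RunOnce autostarts (u = HKCU, m = HKLM, d = Default User hive).
        m = re.match(r"^[umd]run(?:once)?:\s*\[(.*?)\]\s*(.*)$", line, re.I)
        if m:
            name, target = m.group(1).strip(), m.group(2).lower()
            if name in ("", "<NO NAME>") or name.lower() == "userinit":
                hits.append(("run-suspicious-name", line))
            elif "\\temp\\" in target:
                hits.append(("run-from-temp", line))
            elif re.search(r"rundll32\.exe\s+\S+\.cpl", target):
                hits.append(("run-rundll32-cpl", line))
            continue
        # Explorer restriction policies: NoControlPanel = 1 is exactly the
        # "not available due to restrictions" error from the first post.
        m = re.match(r"^[umd]?policies-\w+:\s*(\w+)\s*=\s*(\d+)", line, re.I)
        if m and m.group(2) != "0":
            hits.append(("policy-" + m.group(1).lower(), line))
            continue
        # Static (non-DHCP) resolvers: flag a known-rogue range, else any public
        # address, since a home box normally gets its resolvers from the router.
        m = re.match(r"^tcp:\s*(dhcp)?nameserver\s*=\s*(.*)$", line, re.I)
        if m:
            for token in m.group(2).split():
                ip = ipaddress.ip_address(token)
                if any(ip in net for net in KNOWN_ROGUE_DNS):
                    hits.append(("dns-known-rogue", token))
                elif not m.group(1) and ip.is_global:
                    hits.append(("dns-static-public", token))
            continue
        # Rarely used load points: DDS hides the stock Microsoft entries, so any
        # entry left here that still points at a file needs a look.
        m = re.match(r"^(notify|appinit_dlls|ssodl|sts):\s*(.*)$", line, re.I)
        if m and not m.group(2).lower().endswith("no file"):
            hits.append(("rare-autostart-" + m.group(1).lower(), line))
            continue
        # Services/drivers: "--> path [?]" means DDS could not find the binary;
        # a 32-hex-digit service name is random, not a vendor's.
        m = re.match(r"^[RS][0-4]\s+([^;]+);[^;]*;(.*)$", line)
        if m:
            if "-->" in m.group(2) or "[?]" in m.group(2):
                hits.append(("service-binary-missing", line))
            if re.fullmatch(r"[0-9a-f]{32}", m.group(1).strip(), re.I):
                hits.append(("service-random-name", line))
    return hits


if __name__ == "__main__":
    for rule, what in triage(SAMPLE_LOG):
        print(f"{rule:26} {what}")
```

The script only reads the log; it changes nothing on the machine. Its hits map onto the steps in the reply below it: the two `dns-known-rogue` entries are what SmitfraudFix option 5 ("Search and Clean DNS Hijack") is for, and the `policy-nocontrolpanel` hit is the registry restriction behind the "not available due to restrictions" error in the first post. The McAfee driver line produces no hit, which is the sanity check that the rules do not fire on ordinary vendor entries.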
  2. 2009/04/16
    Juliet

    Hi and welcome

    Severely infected here.
    Follow the below instructions as close as you can.

    If the need arises, download and transfer to the infected machine via Flash/USB drive or other removable media.

    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.



    Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.


    Double-click on SmitfraudFix.exe to start the tool.

    Select option #3 - Delete Trusted zone by typing 3 and pressing Enter.
    Answer Yes to the question "Restore Trusted Zone ?" by typing Yes and pressing Enter.

    Notes:

    1. If you use SpywareBlaster and/or IE-SPYAD it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
    2. As many of the variants of Smitfraud have begun invading the Hosts file, this tool will reset your Hosts file as a necessary precaution. You will also have to reset any specific modifications you may require such as Hosts MVPS.


    NEXT**
    Again Double-click on SmitfraudFix.exe to start the tool.

    Select option #5 - "Search and Clean DNS Hijack" by typing 5 and pressing "Enter" to delete the rogue settings.

    Follow the prompts and reboot if asked to do so.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double-click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    • At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.



    In your next reply post:
    Smitfraud rapport.txt
    ComboFix.txt
    new HJT log

    You may need several replies to post the requested logs, otherwise they might get cut off.
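On the hosts-file point in note 2 above: the reason a reset is needed is that a Smitfraud-family infection maps names to an address it controls, which looks superficially like the block entries a list such as Hosts MVPS adds. The following is an added example (not code from this thread and not part of SmitfraudFix) that audits a hosts file by where each entry points rather than whether it exists; the sample hosts content and the WATCHED_SUFFIXES list are constructed for the example.

```python
"""Audit a Windows hosts file for hijack-style entries.

Added example for the hosts-file note above; it is not code from the thread
or from SmitfraudFix. Sample content is constructed. A blocklist such as the
MVPS hosts file maps names to a sinkhole address (0.0.0.0 or 127.0.0.1),
while a hijack maps names to a live address, so the audit classifies each
mapping by its destination.
"""
import ipaddress

# Assumption (hypothetical list for this example): names whose redirection a
# defender treats as high value, since it blocks updates and security vendors.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "mcafee.com",
                    "symantec.com", "google.com")


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file.

    Comments ('#') and blank lines are skipped; one address line may carry
    several names, each of which is yielded separately."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing to map
        for name in parts[1:]:
            yield parts[0], name.lower(), line_no


def classify(address, name):
    """Return a finding label for one mapping, or None if it looks benign."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable address %r" % address
    if name in ("localhost", "localhost.localdomain"):
        # localhost must stay on loopback; anything else breaks local services
        return None if ip.is_loopback else "localhost moved off loopback to %s" % address
    if ip.is_loopback or ip.is_unspecified:
        return None  # sinkhole entry (0.0.0.0 / 127.0.0.1): traffic goes nowhere
    # Everything else sends the name to a host that answers: a redirection.
    if name.endswith(WATCHED_SUFFIXES):
        return "watched domain redirected to %s" % address
    return "name redirected to %s" % address


def audit_hosts(text):
    """Return [(line_no, hostname, finding)] for every suspicious mapping."""
    findings = []
    for address, name, line_no in parse_hosts(text):
        label = classify(address, name)
        if label:
            findings.append((line_no, name, label))
    return findings


# Constructed sample: stock XP header, two MVPS-style block lines and two
# hijack lines pointing at a TEST-NET-3 address standing in for a live host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adnetwork.test    # MVPS-style block entry
127.0.0.1       tracker.example.test          # older MVPS-style block entry
203.0.113.45    www.google.com                # search hijack
203.0.113.45    update.microsoft.com          # keeps patches from arriving
"""

if __name__ == "__main__":
    for line_no, name, label in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s: %s" % (line_no, name, label))
```

Only the two lines pointing at a routable address are reported; the block entries and the stock localhost line pass, which is the distinction a reset followed by re-applying Hosts MVPS relies on.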
     

  4. 2009/04/16
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    Thanks, Juliet, for the prompt response. I will work on these remedial steps as soon as I get a chance (perhaps as early as tonight but certainly no later than SAT morning) and will post back the logs from the fixes as instructed above. Thanks again and have a great day.
     
  5. 2009/04/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    That's fine, but I do want to mention that this computer should not be connected to the internet while you're waiting to run the scans.
     
  6. 2009/04/16
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    Understood. Will take down the Internet connection ASAP.
     
  7. 2009/04/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    :) good deal
     
  8. 2009/04/18
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    Post-1 - Smitfraud.Rapport.txt

    RAPPORT - NOTEPAD LOG FROM RUNNING SMITFRAUD.EXE and SELECTING "5" 4/18/09 at 11:25 hours

    SmitFraudFix v2.410

    Scan done at 11:22:33.62, Sat 04/18/2009
    Run from C:\Documents and Settings\Ted\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

    Description: D-Link DWA-556 Xtreme N PCIe Desktop Adapter - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.0.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{4BEF0A89-C086-4095-9A14-1E724A7BCC53}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{4BEF0A89-C086-4095-9A14-1E724A7BCC53}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{4BEF0A89-C086-4095-9A14-1E724A7BCC53}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.72 85.255.112.140
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.72 85.255.112.140
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.72 85.255.112.140

    »»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

    Description: D-Link DWA-556 Xtreme N PCIe Desktop Adapter - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.0.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{4BEF0A89-C086-4095-9A14-1E724A7BCC53}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{4BEF0A89-C086-4095-9A14-1E724A7BCC53}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{4BEF0A89-C086-4095-9A14-1E724A7BCC53}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.72 85.255.112.140
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.72 85.255.112.140
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.72 85.255.112.140
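For the "Search and Clean DNS Hijack" step (option 5) and the rapport.txt just posted, here is an added example (not code from this thread and not part of SmitfraudFix) that reads the "DNS Before Fix" / "DNS After Fix" blocks in the layout above, separates DHCP-assigned resolvers from static NameServer values, flags static resolvers that are neither DHCP-assigned nor on a private network, and reports whether the fix actually removed them. The sample excerpt is constructed from the values in the posted log; SAMPLE_CLEANED is a constructed variant showing what a successful fix would look like.

```python
"""Flag rogue resolvers in a SmitfraudFix rapport.txt DNS section.

Added example; not code from the thread or from SmitfraudFix. It parses the
'DNS Before Fix' / 'DNS After Fix' blocks, compares each static NameServer
value with the DHCP-assigned resolvers, and reports whether the static
entries survived the fix. Sample input is constructed from the posted log.
"""
import ipaddress
import re

SECTION_RE = re.compile(r"DNS (Before|After) Fix")
# Registry lines look like:  HKLM\SYSTEM\CCS\...\Parameters: NameServer=a.b.c.d e.f.g.h
SETTING_RE = re.compile(r"^(?P<key>HK\S+?):\s*(?P<name>\w*NameServer)=(?P<value>.*)$")


def empty_section():
    return {"dhcp": set(), "static": {}}


def parse_dns_sections(text):
    """Return {'Before': section, 'After': section}.

    A section maps 'dhcp' -> set of DHCP-assigned resolvers and
    'static' -> {registry key: [resolvers written into NameServer]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.search(line)
        if m:
            current = sections.setdefault(m.group(1), empty_section())
            continue
        m = SETTING_RE.match(line) if current is not None else None
        if not m:
            continue
        servers = m.group("value").split()
        if m.group("name") == "DhcpNameServer":
            current["dhcp"].update(servers)
        elif m.group("name") == "NameServer" and servers:
            current["static"][m.group("key")] = servers
    return sections


def rogue_resolvers(section):
    """Static resolvers that are neither DHCP-assigned nor on a private network.

    A static resolver on a private network is deliberately not flagged: it may
    be a legitimately configured internal DNS server."""
    rogue = set()
    for servers in section["static"].values():
        for server in servers:
            if server in section["dhcp"]:
                continue
            try:
                if not ipaddress.ip_address(server).is_private:
                    rogue.add(server)
            except ValueError:
                rogue.add(server)  # unparseable value is suspicious in itself
    return rogue


def assess(text):
    """Summarise the hijack state before and after the fix."""
    sections = parse_dns_sections(text)
    before = rogue_resolvers(sections.get("Before", empty_section()))
    after = rogue_resolvers(sections.get("After", empty_section()))
    return {"rogue_before": sorted(before),
            "rogue_after": sorted(after),
            "fix_effective": bool(before) and not after}


# Constructed excerpt in the posted layout, using the values from the log above.
SAMPLE_RAPPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: D-Link DWA-556 Xtreme N PCIe Desktop Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4BEF0A89-C086-4095-9A14-1E724A7BCC53}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.72 85.255.112.140

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.72 85.255.112.140
"""

# Constructed: the same log as it would read had the static entries been removed.
SAMPLE_CLEANED = SAMPLE_RAPPORT.split("DNS After Fix")[0] + r"""DNS After Fix

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
"""

if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_RAPPORT), ("cleaned", SAMPLE_CLEANED)):
        print(label, assess(sample))
```

Run against the posted values the check reports the two 85.255.x resolvers in both blocks and fix_effective False, which matches what the log itself shows: the NameServer lines are identical before and after, so the static entries are still in place and the follow-up tools in this thread still have work to do.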
     
  9. 2009/04/18
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    Post-2 - ComboFix.txt

    ComboFix 09-04-18.07 - Ted 04/18/2009 11:58.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.484 [GMT -4:00]
    Running from: c:\documents and settings\Ted\My Documents\EAM71765.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Rabio
    c:\documents and settings\LocalService\Application Data\SSTEM3~1
    c:\documents and settings\LocalService\Application Data\twain_32
    c:\documents and settings\LocalService\Application Data\twain_32\user.ds
    c:\documents and settings\NetworkService\Application Data\MANTEC~1
    c:\documents and settings\NetworkService\Application Data\twain_32
    c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
    c:\documents and settings\NetworkService\Local Settings\Application Data\n.ini
    c:\documents and settings\NetworkService\Start Menu\Programs\Outerinfo
    c:\documents and settings\NetworkService\Start Menu\Programs\Outerinfo\Terms.lnk
    c:\documents and settings\NetworkService\Start Menu\Programs\Outerinfo\Uninstall.lnk
    c:\documents and settings\Ted\Application Data\Anti-Virus-Pro.com
    c:\documents and settings\Ted\Application Data\MBOLS~1
    c:\documents and settings\Ted\Application Data\PPPATC~1
    c:\documents and settings\Ted\Application Data\STEM32~1
    c:\documents and settings\Ted\Application Data\WinTouch
    c:\documents and settings\Ted\Desktopblackbird.jpg
    c:\documents and settings\Ted\DesktopEditorFKWP1.5.exe
    c:\documents and settings\Ted\DesktopEditorFKWP2.0.exe
    c:\documents and settings\Ted\Desktopfilemanagerclient.exe
    c:\documents and settings\Ted\Desktopfkwp1.5.exe
    c:\documents and settings\Ted\Desktopfkwp2.0.exe
    c:\documents and settings\Ted\Desktopfwebd.exe
    c:\documents and settings\Ted\DesktopFWebdEditor.exe
    c:\documents and settings\Ted\Desktopvirii
    c:\documents and settings\Ted\Local Settings\Application Data\n.ini
    c:\documents and settings\Ted\My Documents\CROSOF~1.NET
    c:\documents and settings\Ted\My Documents\FNTS~1
    c:\documents and settings\Ted\My Documents\ICROSO~1
    C:\log.udt
    c:\program files\amsys
    c:\program files\amsys\guid.dat
    c:\program files\amsys\mfc42.dll
    c:\program files\amsys\msvcrt.dll
    c:\program files\amsys\unis000.exe
    c:\program files\amsys\winam.dat
    c:\program files\cjb
    c:\program files\Common Files\icroso~1.net
    c:\program files\Common Files\racle~1
    c:\program files\dobe~1
    c:\program files\E404 Helper
    c:\program files\fnts~1
    c:\program files\Helper
    c:\program files\icroso~1.net
    c:\program files\IE Extensions
    c:\program files\iSecurity
    c:\program files\iSecurity\iSecurity.dat
    c:\program files\iSecurity\iSecurity.html
    c:\program files\iSecurity\syscleaner.bmp
    c:\program files\iSecurity\syscleanerinstalled.bmp
    c:\program files\iSecurity\systemdefender.bmp
    c:\program files\iSecurity\systemdefenderinstalled.bmp
    c:\program files\iSecurity\ucleaner.bmp
    c:\program files\iSecurity\ucleaner.ico
    c:\program files\iSecurity\ucleaneri.bmp
    c:\program files\iSecurity\udefender.bmp
    c:\program files\iSecurity\udefender.ico
    c:\program files\iSecurity\udefenderi.bmp
    c:\program files\iSecurity\winifixer.bmp
    c:\program files\iSecurity\winifixer.ico
    c:\program files\iSecurity\winifixeri.bmp
    c:\program files\iSecurity\winifixerinstalled.bmp
    c:\program files\Microsoft Common
    c:\program files\p2pnetworks
    c:\program files\SecCenter
    c:\program files\sks~1
    c:\program files\SoftPortal
    c:\program files\SoftPortal\Soft\ATGE\ui.uim
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part01.rar
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part02.rar
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part03.rar
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part04.rar
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part05.rar
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part06.rar
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part07.rar
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part08.rar
    c:\program files\SoftPortal\Soft\ATHtBt\ATHtBt.part09.rar
    c:\program files\SoftPortal\Soft\ATHtBt\info.txt
    c:\program files\SoftPortal\Soft\Auswise\ui.uim
    c:\program files\SoftPortal\Soft\EAV\ui.uim
    c:\program files\SoftPortal\Soft\INF1\ui.uim
    c:\program files\SoftPortal\Soft\RTNKa\ui.uim
    c:\program files\SoftPortal\Soft\XBS\ui.uim
    c:\program files\SoftPortal\Soft\YellowB\ui.uim
    c:\program files\tmp25796953.exe
    c:\program files\wintouch
    c:\program files\wintouch\config.cfg.095956de770c605e0fea787b5c69ba19
    c:\program files\wintouch\config.cfg.0c1e1d68ffdc8b30566dfd5ca92f4b1d
    c:\program files\wintouch\config.cfg.1a00b74d1f50133ea63702c466c5abe6
    c:\program files\wintouch\config.cfg.9b849a26eb12d88928edc64cdbe914dc
    c:\program files\wintouch\config.cfg.ada014d3b117ec7340fa4c4cbd3f011b
    c:\program files\wintouch\config.cfg.d586c13734913031833b58b1b5e6626f
    c:\program files\wintouch\config.cfg.e08d11a194a4d38bbb182508de9b535e
    c:\program files\ymante~1
    c:\program files\ystem~1
    c:\temp\1cb
    c:\temp\1cb\syscheck.log
    c:\temp\fse
    c:\temp\fse\tmpZTF.log
    c:\temp\tn3
    c:\temp\xOe
    c:\windows\a.bat
    c:\windows\crosof~1
    c:\windows\fmark2.dat
    c:\windows\IE4 Error Log.txt
    c:\windows\Installer\{00546aff-8d54-414f-976f-fe386ae5b110}\zip.dll
    c:\windows\mslagent
    c:\windows\mslagent\2_mslagent.dll
    c:\windows\PerfInfo
    c:\windows\PerfInfo\fUuVD39U6R.exe.bak
    c:\windows\sembly~1
    c:\windows\sstem~1
    c:\windows\system32\172135
    c:\windows\system32\404Fix.exe
    c:\windows\system32\609856
    c:\windows\system32\AdCache
    c:\windows\system32\AdCache\B_329_1_0_449600.gif
    c:\windows\system32\AdCache\B_329_2_0_105300.htm
    c:\windows\system32\AdCache\B_329_4_0_111600.htm
    c:\windows\system32\AdCache\B_329_4_0_152400.htm
    c:\windows\system32\AdCache\B_329_4_0_155300.htm
    c:\windows\system32\AdCache\B_329_4_0_164100.htm
    c:\windows\system32\Agent.OMZ.Fix.exe
    c:\windows\system32\alog.txt
    c:\windows\system32\asks~1
    c:\windows\system32\bszip.dll
    c:\windows\system32\cache329
    c:\windows\system32\cache329\B_329_1_0_449600.gif
    c:\windows\system32\cache329\B_329_2_0_105300.htm
    c:\windows\system32\cache329\B_329_4_0_111600.htm
    c:\windows\system32\cache329\B_329_4_0_152400.htm
    c:\windows\system32\cache329\B_329_4_0_155300.htm
    c:\windows\system32\cache329\B_329_4_0_164100.htm
    c:\windows\system32\cache329\t_B_329_2_0_105300.htm
    c:\windows\system32\cache329\t_B_329_4_0_111600.htm
    c:\windows\system32\cache329\t_B_329_4_0_152400.htm
    c:\windows\system32\cache329\t_B_329_4_0_155300.htm
    c:\windows\system32\cache329\t_B_329_4_0_164100.htm
    c:\windows\system32\cmds.txt
    c:\windows\system32\cookie1.dat
    c:\windows\system32\cs.dat
    c:\windows\system32\din.ip
    c:\windows\system32\drivers\4_stars.gif
    c:\windows\system32\drivers\5_stars.gif
    c:\windows\system32\drivers\alert_icon.gif
    c:\windows\system32\drivers\arrow.gif
    c:\windows\system32\drivers\buy_btn.gif
    c:\windows\system32\drivers\cell_bg.gif
    c:\windows\system32\drivers\cell_footer.gif
    c:\windows\system32\drivers\cell_header_block.gif
    c:\windows\system32\drivers\cell_header_remove.gif
    c:\windows\system32\drivers\cell_header_scan.gif
    c:\windows\system32\drivers\close_icon.gif
    c:\windows\system32\drivers\core.cache.dsk
    c:\windows\system32\drivers\core.sys
    c:\windows\system32\drivers\detect.htm
    c:\windows\system32\drivers\download_btn.gif
    c:\windows\system32\drivers\download_btn.jpg
    c:\windows\system32\drivers\download_now_btn.gif
    c:\windows\system32\drivers\features.gif
    c:\windows\system32\drivers\header_bg.gif
    c:\windows\system32\drivers\header_red_bg.gif
    c:\windows\system32\drivers\header_red_free_scan.gif
    c:\windows\system32\drivers\header_red_free_scan_bg.gif
    c:\windows\system32\drivers\header_red_protect_your_pc.gif
    c:\windows\system32\drivers\icon_warning.gif
    c:\windows\system32\drivers\logo_bg.gif
    c:\windows\system32\drivers\perfect_cleaner_box.jpg
    c:\windows\system32\drivers\perfect_cleaner_box_small.jpg
    c:\windows\system32\drivers\perfect_cleaner_header.gif
    c:\windows\system32\drivers\perfect_cleaner_header_small.gif
    c:\windows\system32\drivers\protect.gif
    c:\windows\system32\drivers\pt.htm
    c:\windows\system32\drivers\rating.gif
    c:\windows\system32\drivers\s_detect.htm
    c:\windows\system32\drivers\screenshot.jpg
    c:\windows\system32\drivers\secuity_center_logo.gif
    c:\windows\system32\drivers\shadow.jpg
    c:\windows\system32\drivers\spy_away_box.jpg
    c:\windows\system32\drivers\spy_away_box_small.jpg
    c:\windows\system32\drivers\spy_away_header.gif
    c:\windows\system32\drivers\spy_away_header_small.gif
    c:\windows\system32\drivers\users_rating.gif
    c:\windows\system32\drivers\v.gif
    c:\windows\system32\drivers\x.gif
    c:\windows\system32\dumphive.exe
    c:\windows\system32\f06WtR
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\k.dat
    c:\windows\system32\ksvcl.dll
    c:\windows\system32\ldinfo.ldr
    c:\windows\system32\n.ini
    c:\windows\system32\n2.ini
    c:\windows\system32\o4Patch.exe
    c:\windows\system32\pac.txt
    c:\windows\system32\Process.exe
    c:\windows\system32\ps1.dat
    c:\windows\system32\rc.dat
    c:\windows\system32\rtnka.dll
    c:\windows\system32\setup155.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\stem~1
    c:\windows\system32\stfv.bin
    c:\windows\system32\sznf.ascii
    c:\windows\system32\tb.dr
    c:\windows\system32\tsks~1
    c:\windows\system32\twain_32
    c:\windows\system32\twain_32\local.ds
    c:\windows\system32\twain_32\user.ds
    c:\windows\system32\twain_32\user.ds.cla
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\vMW06a
    c:\windows\system32\wini10821.exe
    c:\windows\system32\winnsy32.dll
    c:\windows\system32\WS2Fix.exe
    c:\windows\system32akttzn.exe
    c:\windows\system32anticipator.dll
    c:\windows\system32awtoolb.dll
    c:\windows\system32bdn.com
    c:\windows\system32bsva-egihsg52.exe
    c:\windows\system32dpcproxy.exe
    c:\windows\system32emesx.dll
    c:\windows\system32h@tkeysh@@k.dll
    c:\windows\system32hoproxy.dll
    c:\windows\system32hxiwlgpm.dat
    c:\windows\system32hxiwlgpm.exe
    c:\windows\system32medup012.dll
    c:\windows\system32medup020.dll
    c:\windows\system32msgp.exe
    c:\windows\system32msnbho.dll
    c:\windows\system32mssecu.exe
    c:\windows\system32msvchost.exe
    c:\windows\system32mtr2.exe
    c:\windows\system32mwin32.exe
    c:\windows\system32netode.exe
    c:\windows\system32newsd32.exe
    c:\windows\system32ps1.exe
    c:\windows\system32psof1.exe
    c:\windows\system32psoft1.exe
    c:\windows\system32regc64.dll
    c:\windows\system32regm64.dll
    c:\windows\system32Rundl1.exe
    c:\windows\system32smp
    c:\windows\system32smp\msrc.exe
    c:\windows\system32sncntr.exe
    c:\windows\system32ssurf022.dll
    c:\windows\system32ssvchost.com
    c:\windows\system32ssvchost.exe
    c:\windows\system32sysreq.exe
    c:\windows\system32taack.dat
    c:\windows\system32taack.exe
    c:\windows\system32temp#01.exe
    c:\windows\system32thun.dll
    c:\windows\system32thun32.dll
    c:\windows\system32VBIEWER.OCX
    c:\windows\system32vbsys2.dll
    c:\windows\system32vcatchpi.dll
    c:\windows\system32winlogonpc.exe
    c:\windows\system32winsystem.exe
    c:\windows\system32WINWGPX.EXE
    c:\windows\uninst2.htm
    c:\windows\unist1.htm
    c:\windows\userconfig9x.dll
    c:\windows\Web\def.htm

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Legacy_CORE
    -------\Legacy_LANMANDRV
    -------\Legacy_NETWORK_MONITOR
    -------\Legacy_NET_AGENT
    -------\Legacy_PACKET
    -------\Legacy_SYSREST.SYS
    -------\Legacy_WINDOWS_OVERLAY_COMPONENTS
    -------\Service_core
    -------\Service_Net Agent


    ((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
    .

    2009-04-16 00:43 . 2009-04-16 00:43 -------- d-----w c:\program files\Trend Micro
    2009-04-16 00:29 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-16 00:29 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-16 00:27 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-16 00:27 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-16 00:27 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-16 00:27 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-16 00:27 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-16 00:27 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-16 00:27 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-16 00:27 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-16 00:27 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-16 00:27 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-14 01:53 . 2009-04-14 01:53 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
    2009-04-14 01:15 . 2009-04-14 01:15 -------- d-----w c:\program files\NoAdware
    2009-04-12 13:21 . 2009-04-12 13:21 -------- d-----w c:\documents and settings\Ted\Local Settings\Application Data\Dell
    2009-04-11 18:14 . 2009-04-14 01:07 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2009-04-11 18:14 . 2009-04-18 16:05 11725 ----a-w c:\windows\system32\Config.MPF
    2009-04-11 18:08 . 2009-04-11 18:08 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
    2009-04-11 17:56 . 2009-03-25 15:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
    2009-04-11 17:56 . 2009-03-25 15:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
    2009-04-11 17:56 . 2009-03-25 15:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
    2009-04-11 17:56 . 2008-10-23 17:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
    2009-04-11 17:55 . 2009-04-11 17:56 -------- d-----w c:\program files\Common Files\McAfee
    2009-04-11 17:36 . 2009-03-25 15:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
    2009-04-11 00:32 . 2009-04-12 21:17 -------- d-----w c:\program files\iTunes
    2009-04-11 00:32 . 2009-04-11 00:32 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-18 15:22 . 2009-04-18 15:22 2124 ----a-w C:\rapport.txt
    2009-04-18 14:21 . 2005-11-03 19:48 -------- d-----w c:\program files\McAfee
    2009-04-14 01:35 . 2007-09-22 14:57 -------- d-----w c:\program files\Rabio
    2009-04-12 21:16 . 2005-11-12 15:07 -------- d-----w c:\program files\iPod
    2009-04-12 21:16 . 2008-06-28 14:49 -------- d-----w c:\program files\Common Files\Apple
    2009-04-11 21:18 . 2007-06-27 10:26 -------- d-----w c:\program files\Common Files\qmoz
    2009-04-11 20:49 . 2008-02-16 20:34 -------- d-----w c:\program files\Mwtlzfpw2
    2009-04-11 20:46 . 2007-08-16 11:21 -------- d-----w c:\program files\Lzhmqfzd
    2009-04-11 19:54 . 2006-02-20 22:20 -------- d-----w c:\documents and settings\Ted\Application Data\MP3Rocket
    2009-04-11 19:53 . 2007-01-19 16:54 -------- d-----w c:\program files\MP3 Rocket
    2009-04-11 18:52 . 2005-10-26 21:02 -------- d-----w c:\program files\Common Files\Real
    2009-04-11 18:17 . 2005-10-26 21:05 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
    2009-04-11 18:17 . 2005-10-26 21:04 -------- d-----w c:\program files\McAfee.com
    2009-04-11 18:17 . 2005-11-03 19:48 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-04-05 17:30 . 2005-11-12 22:11 -------- d-----w c:\documents and settings\Ted\Application Data\AdobeUM
    2009-03-25 15:06 . 2009-01-17 00:04 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
    2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-14 15:19 . 2009-03-14 15:19 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    2009-03-14 15:17 . 2009-03-14 15:17 -------- d-----w c:\program files\Bonjour
    2009-03-06 14:22 . 2004-08-19 20:49 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-04 01:50 . 2008-02-09 17:10 -------- d-----w c:\documents and settings\Ted\Application Data\Printer Info Cache
    2009-03-04 01:50 . 2007-02-27 21:21 -------- d-----w c:\documents and settings\Ted\Application Data\Image Zone Express
    2009-03-03 00:18 . 2006-05-10 05:23 826368 ------w c:\windows\system32\dllcache\wininet.dll
    2009-03-03 00:18 . 2004-08-19 20:49 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-28 04:54 . 2007-08-13 23:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe
    2009-02-20 10:20 . 2007-12-01 14:54 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
    2009-02-20 10:20 . 2007-08-13 23:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
    2009-02-20 05:14 . 2007-08-13 22:56 161792 ------w c:\windows\system32\dllcache\ieakui.dll
    2009-02-15 15:11 . 2005-11-12 18:28 26880 ----a-w c:\documents and settings\Ted\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-02-09 12:10 . 2004-08-19 20:49 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-08-19 20:49 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2004-08-19 20:49 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2004-08-19 20:49 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2008-10-14 22:59 1846784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-02-09 11:13 . 2004-08-19 20:49 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-07 23:02 . 2008-10-14 22:59 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-02-06 11:11 . 2004-08-19 20:49 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:08 . 2008-10-14 22:59 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
    2009-02-06 11:06 . 2008-10-14 22:59 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-02-06 11:06 . 2004-08-19 20:49 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2004-08-19 20:49 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2008-10-14 22:59 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
    2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
    2009-02-03 19:59 . 2004-08-19 20:49 56832 ----a-w c:\windows\system32\secur32.dll
    2009-01-31 22:57 . 2004-08-19 21:05 88699 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-01-31 22:47 . 2004-08-19 20:50 250048 --sha-r C:\ntldr
    2009-01-31 22:41 . 2009-01-31 22:42 410984 ----a-w c:\windows\system32\deploytk.dll
    2008-08-05 01:13 . 2008-07-06 14:52 126 ----a-w c:\documents and settings\Ted\c200.bat
    2008-02-25 01:03 . 2008-02-25 00:06 2920 ----a-w c:\program files\xloader30029.exe
    2005-11-02 23:11 . 2005-11-02 21:21 126 ----a-w c:\documents and settings\Ted\Local Settings\Application Data\fusioncache.dat
    2004-08-19 21:16 . 2004-08-19 21:16 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
    2007-06-24 22:45 . 2006-02-07 01:05 56 --sh--r c:\windows\system32\BB562B75DE.sys
    2007-06-24 22:45 . 2006-02-07 01:05 3766 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "DellSupport "= "c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-13 68856]
    "BitTorrent "= "c:\program files\BitTorrent\bittorrent.exe" [2007-03-01 43008]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
    "IAAnotif "= "c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
    "ATIPTA "= "c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
    "DVDLauncher "= "c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "dscactivate "= "c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "ddoctorv2 "= "c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
    "nmapp "= "c:\program files\Pure Networks\Network Magic\nmapp.exe" [2006-04-18 1042000]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
    "SigmatelSysTrayApp "= "stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-13 68856]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\wirelesscm.exe [2007-8-12 13357056]

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "wave "= serwvdrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\MP3 Rocket\\MP3Rocket.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=
    "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP "= 67:UDP:DHCP Discovery Service

    R0 2abb73739a307db6899fc2c165fdf2c6;2abb73739a307db6899fc2c165fdf2c6; [x]
    R2 Windows IPSEC Monitor;Windows IPSEC Monitor; [x]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
    S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2006-10-31 55840]

    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-11 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-11 14:53]

    2009-04-11 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-11 14:53]
    .
    - - - - ORPHANS REMOVED - - - -

    ShellIconOverlayIdentifiers-{7957843C-9908-7587-D4C5-750804188388} - c:\windows\system32\SoUI.dll
    ShellIconOverlayIdentifiers-{9149C363-87C9-A85C-A4C2-31CA0980349D} - c:\windows\system32\\rtnka.dll
    HKLM-Run-sysrest32.exe - c:\windows\system32\sysrest32.exe
    SharedTaskScheduler-{dec5caa7-8045-495c-8034-35aff489fedf} - c:\windows\system32\ecxwp.dll
    SSODL-CDSrv-{e0d21cb6-0860-4087-9148-8fef0b30cd14} - (no file)
    SSODL-PreBootCheck-{0bbf9902-a0a7-4b36-8c81-25bbe5f04cff} - (no file)
    Notify-adfacbe - c:\windows\system32\adfacbe.dll
    Notify-winnsy32 - winnsy32.dll


    .
    ------- Supplementary Scan -------
    .
    uLocal Page = \blank.htm
    uStart Page = hxxp://www.comcast.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-18 12:09
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\core]
    "ImagePath "= "system32\drivers\core.sys "
    --

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
    "ImagePath "= "\??\c:\docume~1\Ted\LOCALS~1\Temp\mc2265.tmp "
    --

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Net Agent]
    "ImagePath "= "c:\windows\dls0523pmw.exe "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
    "ImagePath "= "\??\c:\docume~1\Ted\LOCALS~1\Temp\mc2265.tmp "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4700)
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\program files\Pure Networks\Network Magic\nmrsrc.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\acs.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\ehome\ehRecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\program files\McAfee\MSK\msksrver.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\program files\Pure Networks\Network Magic\nmsrvc.exe
    c:\progra~1\McAfee.com\Agent\mcagent.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\dllhost.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-18 12:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-18 16:14

    Pre-Run: 105,993,789,440 bytes free
    Post-Run: 107,001,147,392 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    545 --- E O F --- 2009-04-16 01:57
     
  10. 2009/04/18
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    Post 3 (Final) - HijackThis.txt (4-18-09)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:17:12 PM, on 4/18/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\wirelesscm.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\wirelesscm.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\acs.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Windows IPSEC Monitor - Unknown owner - C:\WINDOWS\system32\test12.exe (file missing)

    --
    End of file - 10841 bytes
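An added example in Python, not code from the thread or from HijackThis/ComboFix: a small triage pass over a HijackThis log that flags the entry types the helper acts on in this thread (references to files that no longer exist, O23 services with no publisher, O4 autostarts launched from a temp folder). The sample lines are copied from the log above; the temp-folder check is a general heuristic that none of those lines trips.

```python
import re

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted in this thread, kept verbatim so the checks run against real entries.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Windows IPSEC Monitor - Unknown owner - C:\WINDOWS\system32\test12.exe (file missing)
"""

# One HJT entry: a section code (R0-R3, O1-O24) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# A path under a user's temp folder, in short (8.3) or long form, like the
# LOCALS~1\Temp path in the ComboFix output above. Executables launched from
# there at logon deserve a look.
TEMP_PATH_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp)\\", re.IGNORECASE)


def triage_hjt(log_text):
    """Return a list of findings, one {"code", "line", "reasons"} dict per entry
    that trips at least one heuristic. Entries with no hits are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, running-process list, blank line
        code, body = match.group("code"), match.group("body")
        reasons = []
        # HJT marks references whose target is gone from disk. These are the
        # same kind of dangling entries ComboFix reports under ORPHANS REMOVED.
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("target file missing: orphaned registry reference")
        # O23 lines normally carry the vendor from the binary's version info;
        # "Unknown owner" means there was none, so the binary needs verifying.
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service binary has no publisher information")
        # Autostart entries that run from a temp directory are a common
        # persistence location for droppers.
        if code == "O4" and TEMP_PATH_RE.search(body):
            reasons.append("autostart runs from a temp directory")
        if reasons:
            findings.append({"code": code, "line": line, "reasons": reasons})
    return findings


def main():
    for finding in triage_hjt(SAMPLE_HJT_LOG):
        print(finding["code"], "|", "; ".join(finding["reasons"]))
        print("   ", finding["line"])


if __name__ == "__main__":
    main()
```

The McAfee SiteAdvisor hit shows these are prompts for review, not verdicts: a legitimate service can also ship without version information.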
     
  11. 2009/04/18
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Print this topic or save it to Notepad; it will make it easier for you to follow the instructions and complete all of the necessary steps, as we will need to close all windows that are open later in the fix.




    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do not use WordPad!* or any other text editor than Notepad, or the script will fail) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    Save this as "CFScript.txt" including quotes, change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    RegLockDel::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\core]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Net Agent]
    File:: 
    C:\WINDOWS\system32\test12.exe
    c:\program files\xloader30029.exe
    c:\windows\dls0523pmw.exe
    Folder:: 
    c:\program files\Rabio
    c:\program files\Common Files\qmoz
    c:\program files\Mwtlzfpw2
    c:\program files\Lzhmqfzd
    Driver::
    2abb73739a307db6899fc2c165fdf2c6
    Windows IPSEC Monitor
    [IMG]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.




    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      Click on: Save Report As
      Next, in the Save as prompt, Save in area, select: Desktop
      In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
      Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.



    How's the computer now?
     
  12. 2009/04/19
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    Instructions for Further Cleaning

    Thanks. I will proceed with the further cleaning instructions noted above but likely not until later this afternoon due to other appointments.

    Right now computer is much better. I have my user account and full admin. rights back. I have AV and FW updated and running, except as noted above when I am performing the further steps.
     
  13. 2009/04/19
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    If at all possible, run the CFScript I posted, to at least remove those infected files.

    Then, when you have the time, run Kaspersky later.
     
  14. 2009/04/20
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    I followed the CFScript instructions above and it opened a new window and said it was running, but when I came back 30 minutes later (it was running really slowly, so I figured it needed time to complete its run) there was no CFScript log produced. Therefore, I am not sure it ran correctly, although I can confirm that it did take down the internet connection, which I had to re-establish manually. Should I run this again? I did not proceed with the ATFCleaner or Kaspersky as the CFScript step had not been completed.
     
  15. 2009/04/20
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Yes, please try the CFScript once more; if it should follow the same path as before, then cancel it and reboot.

    Then continue with the rest of the fix.
     
  16. 2009/04/20
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    Will do. Will work on it tonight after work.
     
  17. 2009/04/20
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    That will work.
     
  18. 2009/04/20
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    ComboFix - Run 2

    I reviewed what I did yesterday and noted that when I cut & pasted the text from your post into the box for CFScript.txt, I left out the last line "Windows IPSEC Monitor".

    I added that to Notepad, dragged it into ComboFix and the program ran fine, including deleting 9-12 files, through Stage 49, and then Windows crashed and a blue screen warning came up re: Windows shut down to avoid damage to the system.

    Error msg noted:

    STOP: 0x0000008E (0xC0000005, 0xF72B1AD4, 0xB663B964, 0x00000000)

    sr.sys Address I72B1AD4 base at F72AE000

    Date Stamp 480252c2

    When the computer re-booted, the system came back up and noted an Error Msg as follows:

    Error Signature:

    BCCode: 1000008e, BCP1: C0000005, BCP2: F72B1AD4, BCP3: 663B964, BCP4: 00000000, OSVER: 5_1_2600, SP: 3_0, Product: 256-1

    Error Files:

    C:\DOCUME~1\TED\LOCALS~1\Temp|WER2671.dir00\MIN1042009_01.dmp
    C:\DOCUME~1\TED\LOCALS~1\Temp|WER2671.sysdata.xml

    In addition, when the system came up and I looked at Task Manager, a program called dumprep.exe was running initially but went away after a while. From a review of Task Manager, everything else that was open looked normal.

    I downloaded and ran the ATFCleaner so that's done but did not proceed to Kaspersky due to the error above and ComboFix not finishing and not producing a log.

    JIC this will help you, here is a HijackThis log I ran after the aborted ComboFix run:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:50:17 PM, on 4/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\wirelesscm.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\McAfee\MSC\mcshell.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\wirelesscm.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-556 Xtreme N PCIe Desktop Adapter\acs.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

    --
    End of file - 10624 bytes
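A small triage helper, added here as an example and not part of any post in this thread, that reads lines in HijackThis format and flags the kinds of entries a helper would ask the poster about: orphaned "(no file)" items, services with no publisher, a leftover PsExec service, and autoruns registered under the SYSTEM account. The sample lines are constructed from entries in the log above and are not a full log.

```python
import re

# Constructed sample in HijackThis format, modelled on entries posted
# in this thread (not the complete log).
SAMPLE_LOG = """\
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe (User 'SYSTEM')
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\\WINDOWS\\PSEXESVC.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section tag (O2, O4, O23, ...)
# followed by " - " and the entry body.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a second look.

    This is a review aid only: it points a human at entries to verify,
    it does not decide what is malicious.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if body.endswith("(no file)"):
            findings.append((line, "registered object whose file is missing from disk"))
        elif section == "O23" and "- Unknown owner -" in body:
            findings.append((line, "service with no publisher information"))
        elif section == "O23" and "PSEXESVC" in body.upper():
            findings.append((line, "PsExec service present; confirm an admin installed it"))
        elif section == "O4" and "(User 'SYSTEM')" in body:
            findings.append((line, "autorun registered under the SYSTEM account"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```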
     
  19. 2009/04/20
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    !~~~~~~~~~~~~~~~~~~~~~~~~~~~~`



    Next go Here to run Panda's ActiveScan.
    Once you are on the Panda site click the Scan your PC button
    A new window will open...click the Check Now button.
    Enter your State/Province
    Enter your E-mail address and click send.
    Select either Home user or Company.
    Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a few minutes)
    When the download is complete, click on My Computer to start the scan.

    When the scan completes, if anything malicious is detected, click the See Report button, then Save report and save it to a convenient location (activescan.txt to desktop).
    Post the contents of the ActiveScan report



    In your next reply post:

    MBAM log
    Panda log


    How's your computer now?
     
  20. 2009/04/21
    Eamon030

    Eamon030 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    18
    Likes Received:
    0
    Thanks. The computer is running normally with normal user account and admin rts but very, very slowly. It takes 5 min plus to start up, and the Internet is particularly slow, although it does not evidence prior hijack issues - malicious pop ups, re-direction from Google searches, re-setting home page, etc.

    In addition, I have recently purchased an iPod Touch, but both Windows and iTunes are failing to recognize it or permit it to load MyMusic from iTunes. During the hijack/infection, I had iTunes 8.1 on the system and it had no problem recognizing my iPod 5 Gen. This weekend I took the iPod Touch to an Apple store and the tech was able to have it interface with his computer running WinXP, including loading iPod software and loading music and vid from iTunes, so it's likely some part of the hijack/infection program may be blocking the interface with the iPod Touch (e.g., unlike the iPod 5 Gen, the new device has a WiFi connect using Safari software).

    I will run the scans from your last post tonight post-work. Thanks again for all your prompt assistance.
     
  21. 2009/04/21
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal.

    Which drive on your computer is set for the iPod?

    When you plug in for your iPod, if you go to the drive it uses and double click nothing happens?
     