Unable to access the internet, except for in safe mode

Hi guys,
Me again. This is my sisters PC, which seems to be badly infected. I am unable to get on the internet in normal mode, only in safe mode. I've downloaded Spybot, Adware se & Avast & they all found a lot of Trojans, viruses etc.
After running these I am still unable to access the internet. By the way, when I access the internet in safe mode I get a load of pop-ups constantly.
HJT log below:-

Logfile of HijackThis v1.99.1
Scan saved at 17:57:17, on 25/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\New Folder\music\iTunesHelper.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [BearShare] "D:\rubbish\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\rubbish\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\rubbish\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/s.../pages/scanner/ErrorSafeNewReleaseInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\gpl8l33u1.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\rubbish\BTNtService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\New Folder\music\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

Hey timeoutgang.

Delux Communications is a variant of SurfSidekick infection. Little annoying, but we can remove it fairly easy.

Also, be very cautious about being in safe mode and connecting to the Net, it's not likely the firewall loads, so you could get hammered and never know it. This infection usually carries a backdoor trojan too,


You should know this already.
Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANANT FOLDER. It also needs to be removed from the desktop.

You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. (C:\HJT\HijackThis.exe)Move HijackThis.exe into this folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

Please go to Add/Remove, and if found, uninstall the following:
Bearshare


Then:
Download combofix.exe

• Double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Run HJT again and post both logs back here. Let me kow if you have Net access in normal mode too.

 

Bearshare not found.
Still unable to access internet in normal mode. Logs below.
Logfile of HijackThis v1.99.1
Scan saved at 18:22:32, on 30/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\adirss.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
D:\rubbish\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\New Folder\music\iTunesHelper.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [BearShare] "D:\rubbish\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] D:\rubbish\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [_mzu_stonedrv8] c:\windows\system32\_mzu_stonedrv8.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\rubbish\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\rubbish\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/s.../pages/scanner/ErrorSafeNewReleaseInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Administrator - 06-11-30 18:13:08.68 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Administrator\Desktop "

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{5DAD5DAF-32F6-4116-8D77-02E0F32F6056}]
@=" "

[HKEY_CLASSES_ROOT\clsid\{5DAD5DAF-32F6-4116-8D77-02E0F32F6056}\Implemented Categories]
@=" "

[HKEY_CLASSES_ROOT\clsid\{5DAD5DAF-32F6-4116-8D77-02E0F32F6056}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=" "

[HKEY_CLASSES_ROOT\clsid\{5DAD5DAF-32F6-4116-8D77-02E0F32F6056}\InprocServer32]
@= "C:\\WINDOWS\\system32\\nptui2.dll "
"ThreadingModel "= "Apartment "

[HKEY_CLASSES_ROOT\clsid\{B0BBC81E-09D6-4038-BD15-E3E3BD992FC0}]
@=" "

[HKEY_CLASSES_ROOT\clsid\{B0BBC81E-09D6-4038-BD15-E3E3BD992FC0}\Implemented Categories]
@=" "

[HKEY_CLASSES_ROOT\clsid\{B0BBC81E-09D6-4038-BD15-E3E3BD992FC0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=" "

[HKEY_CLASSES_ROOT\clsid\{B0BBC81E-09D6-4038-BD15-E3E3BD992FC0}\InprocServer32]
@= "C:\\WINDOWS\\system32\\guard.tmp "
"ThreadingModel "= "Apartment "

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Application Data\Dxccwrd.dll
C:\Documents and Settings\Administrator\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Administrator\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Nick\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Tasha\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Tasha\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Ipwins
C:\Program Files\Common Files\{3C27D632-0A33-2057-0103-05030908002c}
C:\Program Files\Common Files\{BC27D632-0A33-2057-0103-05030908002c}
C:\Program Files\Common Files\{BC27D632-0A34-2057-0103-05030908002c}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2030-10-06 to 2030/11/2006 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required



(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\ctfmon.exe "
"PcSync "= "D:\\rubbish\\Nokia PC Suite 6\\PcSync2.exe /NoDialog "
"msnmsgr "= "\ "C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background "
"_mzu_stonedrv8 "= "c:\\windows\\system32\\_mzu_stonedrv8.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
"iTunesHelper "= "\ "D:\\New Folder\\music\\iTunesHelper.exe\" "
"QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
"SpeedTouch USB Diagnostics "= "\ "C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon "
"Cmaudio "= "RunDll32 cmicnfg.cpl,CMICtrlWnd "
"ATIModeChange "= "Ati2mdxx.exe "
"ATIPTA "= "C:\\ATI-CPanel\\atiptaxx.exe "
"BearShare "= "\ "D:\\rubbish\\BearShare\\BearShare.exe\" /pause "
"SoundMan "= "SOUNDMAN.EXE "
"ACTX1 "= "C:\\WINDOWS\\v1201.exe "
"adir "= "C:\\WINDOWS\\System32\\adirss.exe "
"MskAgentexe "= "C:\\Program Files\\McAfee\\MSK\\MskAgent.exe "
"avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange "= "1 "
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=" "

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion "=dword:00000110
"DeskHtmlMinorVersion "=dword:00000005
"Settings "=dword:00000001
"GeneralFlags "=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source "= "About:Home "
"SubscribedURL "= "About:Home "
"FriendlyName "= "My Current Home Page "
"Flags "=dword:00000002
"Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState "=hex:04,00,00,40
"OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
"{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{BC27D632-0A33-2057-0103-05030908002c} "= "\ "C:\\Program Files\\Common Files\\{BC27D632-0A33-2057-0103-05030908002c}\\Update.exe\" mc-110-12-0001232 "
"{BC27D632-0A34-2057-0103-05030908002c} "= "\ "C:\\Program Files\\Common Files\\{BC27D632-0A34-2057-0103-05030908002c}\\Update.exe\" mc-110-12-0001232 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername "=dword:00000000
"legalnoticecaption "=" "
"legalnoticetext "=" "
"shutdownwithoutlogon "=dword:00000001
"undockwithoutlogon "=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
"CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
"WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
"SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

Completion time: 30/11/2006 18:18:17.85
C:\ComboFix.txt ... 30/11/2006 18:18

 

Rootkit! GAH!

New tool, please do as instructed below. As it is new, please, if at all possible, write down or try to recall any errors you get with it. It may help eliminate any bugs.

Download RustbFix from here. Save it to your desktop.

• Double click on rustbfix.exe to run the tool.
• If a Rustock.b-infection is found, you will shortly thereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
• After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).

Post the content of these logfiles along with a new ComboFix and HijackThis los.

 

Will do as instructed TeMerc. Is this stopping me accessing the internet?

 

Possible, yes. Btw, I forgot to ask, what exactly did you remove with the other apps, perhaps something shuold not have been removed. Check the logs for them, post em here, lets see what was removed.

 

TeMerc, can't remember what was removed with the other apps, or, how to check!
Logs for all scans below:-
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rcyauhjc

*******************

Script file located at: \??\C:\lxydpxqu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

************************* Rustock.b-fix -- By ejvindh *************************
06-12-07 22:55:37.35


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70724
Total size: 70724 bytes.
Attempting to remove ADS...
system32: deleted 70724 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************
Logfile of HijackThis v1.99.1
Scan saved at 23:10:28, on 07/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\New Folder\music\iTunesHelper.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [BearShare] "D:\rubbish\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] D:\rubbish\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [_mzu_stonedrv8] c:\windows\system32\_mzu_stonedrv8.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\rubbish\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\rubbish\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/s.../pages/scanner/ErrorSafeNewReleaseInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\New Folder\music\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Nick - 06-12-07 23:11:24.35 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Administrator\Desktop "

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-11-07 to 2006-12-07 ))))))))))))))))))))))))))))))))))


2006-12-07 23:00 <DIR> d-------- C:\avenger
2006-12-07 22:55 <DIR> d-------- C:\Rustbfix
2006-11-30 17:50 <DIR> d-------- C:\HJT
2006-11-25 17:53 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-11-25 17:53 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-11-25 17:53 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-11-25 17:53 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-11-25 17:53 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-11-25 17:53 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-11-25 17:53 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-11-25 17:53 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2006-11-25 17:52 <DIR> d-------- C:\Program Files\Alwil Software
2006-11-24 18:53 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Lavasoft
2006-11-24 18:21 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-24 18:17 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-11-24 18:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-24 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-09 21:26 77,312 --a------ C:\WINDOWS\system32\TWAIN_32.DLL
2006-11-09 21:26 <DIR> d-------- C:\My Documents
2006-11-09 21:25 <DIR> d-------- C:\Program Files\ArcSoft
2006-11-09 21:23 <DIR> d-------- C:\Documents and Settings\Nick\WINDOWS
2006-11-09 21:21 <DIR> d-------- C:\Program Files\EPSON
2006-11-09 21:10 96,768 --a------ C:\WINDOWS\SlantAdj.dll
2006-11-09 21:10 73,216 --a------ C:\WINDOWS\Ade.dll
2006-11-09 21:08 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-11-08 16:05 <DIR> d-------- C:\WINDOWS\LastGood


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-06 23:42 -------- d-------- C:\Program Files\McAfee
2006-12-06 22:24 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-30 18:13 -------- d-------- C:\Program Files\Common Files
2006-11-09 21:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-08 20:04 81920 --a--c--- C:\WINDOWS\system32\W32N50.dll
2006-11-08 20:04 17134 --a--c--- C:\WINDOWS\system32\PCANDIS5.sys
2006-11-03 22:05 -------- d-------- C:\Program Files\MSN Messenger
2006-11-02 20:47 -------- d-------- C:\Documents and Settings\Nick\Application Data\SiteAdvisor
2006-11-02 17:40 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-02 17:37 -------- d-------- C:\Program Files\Online Services
2006-11-02 17:37 -------- d-------- C:\Program Files\ComPlus Applications
2006-11-02 17:33 -------- d-------- C:\Program Files\SiteAdvisor
2006-11-02 17:32 -------- d-------- C:\Program Files\Common Files\McAfee
2006-11-02 17:30 -------- d-------- C:\Program Files\McAfee.com
2006-11-02 17:28 1259 --a------ C:\WINDOWS\system32\rgk41b0d.sys
2006-11-02 17:18 73728 --a------ C:\WINDOWS\system32\next.exe
2006-11-01 18:25 50763 --a------ C:\WINDOWS\system32\adirss.exe
2006-11-01 18:13 2 --a------ C:\WINDOWS\system32\wnststr.exe
2006-10-30 12:04 100952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2006-10-26 09:56 71496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2006-10-26 09:56 35048 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2006-10-26 09:56 34120 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2006-10-26 09:56 31944 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2006-10-26 09:56 168392 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2006-10-24 19:11 69500 --a------ C:\WINDOWS\system32\lzx32.sys
2006-09-13 05:09 1110528 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\ctfmon.exe "
"PcSync "= "D:\\rubbish\\Nokia PC Suite 6\\PcSync2.exe /NoDialog "
"msnmsgr "= "\ "C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background "
"_mzu_stonedrv8 "= "c:\\windows\\system32\\_mzu_stonedrv8.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
"iTunesHelper "= "\ "D:\\New Folder\\music\\iTunesHelper.exe\" "
"QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
"SpeedTouch USB Diagnostics "= "\ "C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon "
"Cmaudio "= "RunDll32 cmicnfg.cpl,CMICtrlWnd "
"ATIModeChange "= "Ati2mdxx.exe "
"ATIPTA "= "C:\\ATI-CPanel\\atiptaxx.exe "
"BearShare "= "\ "D:\\rubbish\\BearShare\\BearShare.exe\" /pause "
"SoundMan "= "SOUNDMAN.EXE "
"ACTX1 "= "C:\\WINDOWS\\v1201.exe "
"adir "= "C:\\WINDOWS\\System32\\adirss.exe "
"MskAgentexe "= "C:\\Program Files\\McAfee\\MSK\\MskAgent.exe "
"avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange "= "1 "
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=" "

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion "=dword:00000110
"DeskHtmlMinorVersion "=dword:00000005
"Settings "=dword:00000001
"GeneralFlags "=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source "= "About:Home "
"SubscribedURL "= "About:Home "
"FriendlyName "= "My Current Home Page "
"Flags "=dword:00000002
"Position "=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState "=hex:04,00,00,40
"OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
"{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername "=dword:00000000
"legalnoticecaption "=" "
"legalnoticetext "=" "
"shutdownwithoutlogon "=dword:00000001
"undockwithoutlogon "=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
"CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
"WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
"SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

Completion time: 06-12-07 23:12:08.92
C:\ComboFix.txt ... 06-12-07 23:12
C:\ComboFix2.txt ... 06-11-30 18:18

 

Boy this is weird, I'd have sworn I already posted to this thread.

Deja vu I tell ya......I must need a break from all these logs, the lines are all running into eachother.

Download the Killbox from here and save it to the desktop.

• Double-click the KillBox icon on your desktop to open it
• Select "Delete on Reboot "
• Then select "All files ".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\rgk41b0d.sys
C:\WINDOWS\system32\next.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\wnststr.exe
C:\WINDOWS\system32\lzx32.sys
c:\windows\system32\_mzu_ston edrv8.exe
C:\WINDOWS\SlantAdj.dll
C:\WINDOWS\v1201.exe


Return to Killbox

• Go to the File menu, and choose "Paste from Clipboard ".
• Click the red-and-white [Delete File] button.
• Click "Yes" at the Delete on Reboot prompt. Click "No" at the Delete next Reboot prompt.

Hit your [Start ]button, select Control Panel and click on 'Add or Remove Programs'. Then find the following programs and click the [Change|Remove ]button for each, if they are listed
BearShare <<<<---By using ANY form of P2P file sharing, you will be continuously open to infections EVERY time you DL something. I strongly recommend you remove all instances of it from your machine.



Open Hijackthis, select the 'Do a system scan only' button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =


O4 - HKLM\..\Run: [BearShare] "D:\rubbish\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe

O4 - HKLM\..\Run: [adir] C:\WINDOWS\System32\adirss.exe

O4 - HKCU\..\Run: [_mzu_stonedrv8] c:\windows\system32\_mzu_stonedrv8.exe

Reboot and run ComboFix first, then HJT and post both logs back into this thread.

 

TeMerc,
When running Killbox The following 2 files were not copied for some reason, c:\windows\system32\_mzu_ston edrv8.exe
C:\WINDOWS\v1201.exe

Administrator - 06-12-08 18:58:59.03 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Administrator\Desktop "

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 ))))))))))))))))))))))))))))))))))


2006-12-08 18:21 <DIR> d-------- C:\!KillBox
2006-12-07 23:00 <DIR> d-------- C:\avenger
2006-12-07 22:55 <DIR> d-------- C:\Rustbfix
2006-11-30 17:50 <DIR> d-------- C:\HJT
2006-11-26 19:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2006-11-25 22:00 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2006-11-25 17:53 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-11-25 17:53 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-11-25 17:53 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-11-25 17:53 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-11-25 17:53 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-11-25 17:53 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-11-25 17:53 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-11-25 17:53 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2006-11-25 17:52 <DIR> d-------- C:\Program Files\Alwil Software
2006-11-24 18:21 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-24 18:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-11-24 18:17 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-11-24 18:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-24 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-24 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-11-24 17:48 <DIR> dr-h----- C:\Documents and Settings\Administrator\SendTo
2006-11-24 17:48 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\.
2006-11-24 17:48 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data
2006-11-24 17:48 <DIR> dr------- C:\Documents and Settings\Administrator\Start Menu
2006-11-24 17:48 <DIR> d--h----- C:\Documents and Settings\Administrator\Templates
2006-11-24 17:48 <DIR> d--h----- C:\Documents and Settings\Administrator\Recent
2006-11-24 17:48 <DIR> d--h----- C:\Documents and Settings\Administrator\PrintHood
2006-11-24 17:48 <DIR> d--h----- C:\Documents and Settings\Administrator\NetHood
2006-11-24 17:48 <DIR> d--h----- C:\Documents and Settings\Administrator\Local Settings
2006-11-24 17:48 <DIR> d---s---- C:\Documents and Settings\Administrator\Cookies
2006-11-24 17:48 <DIR> d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-24 17:48 <DIR> d-------- C:\Documents and Settings\Administrator\My Documents
2006-11-24 17:48 <DIR> d-------- C:\Documents and Settings\Administrator\Favorites
2006-11-24 17:48 <DIR> d-------- C:\Documents and Settings\Administrator\Desktop
2006-11-24 17:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\..
2006-11-24 17:48 <DIR> d-------- C:\Documents and Settings\Administrator\..
2006-11-24 17:48 <DIR> d-------- C:\Documents and Settings\Administrator\.
2006-11-09 21:26 77,312 --a------ C:\WINDOWS\system32\TWAIN_32.DLL
2006-11-09 21:26 <DIR> d-------- C:\My Documents
2006-11-09 21:25 <DIR> d-------- C:\Program Files\ArcSoft
2006-11-09 21:21 <DIR> d-------- C:\Program Files\EPSON
2006-11-09 21:10 73,216 --a------ C:\WINDOWS\Ade.dll
2006-11-09 21:08 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-11-08 16:05 <DIR> d-------- C:\WINDOWS\LastGood


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-08 18:37 -------- d-------- C:\Program Files\Messenger
2006-12-06 23:42 -------- d-------- C:\Program Files\McAfee
2006-12-06 22:24 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-30 18:13 -------- d-------- C:\Program Files\Common Files
2006-11-09 21:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-08 20:04 81920 --a--c--- C:\WINDOWS\system32\W32N50.dll
2006-11-08 20:04 17134 --a--c--- C:\WINDOWS\system32\PCANDIS5.sys
2006-11-03 22:05 -------- d-------- C:\Program Files\MSN Messenger
2006-11-02 17:40 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-02 17:37 -------- d-------- C:\Program Files\Online Services
2006-11-02 17:37 -------- d-------- C:\Program Files\ComPlus Applications
2006-11-02 17:33 -------- d-------- C:\Program Files\SiteAdvisor
2006-11-02 17:32 -------- d-------- C:\Program Files\Common Files\McAfee
2006-11-02 17:30 -------- d-------- C:\Program Files\McAfee.com
2006-10-30 12:04 100952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2006-10-26 09:56 71496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2006-10-26 09:56 35048 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2006-10-26 09:56 34120 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2006-10-26 09:56 31944 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2006-10-26 09:56 168392 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2006-09-13 05:09 1110528 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "
"msnmsgr "= "\ "C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
"iTunesHelper "= "\ "D:\\New Folder\\music\\iTunesHelper.exe\" "
"QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
"SpeedTouch USB Diagnostics "= "\ "C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon "
"Cmaudio "= "RunDll32 cmicnfg.cpl,CMICtrlWnd "
"ATIModeChange "= "Ati2mdxx.exe "
"ATIPTA "= "C:\\ATI-CPanel\\atiptaxx.exe "
"SoundMan "= "SOUNDMAN.EXE "
"MskAgentexe "= "C:\\Program Files\\McAfee\\MSK\\MskAgent.exe "
"avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange "= "1 "
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=" "

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
"{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername "=dword:00000000
"legalnoticecaption "=" "
"legalnoticetext "=" "
"shutdownwithoutlogon "=dword:00000001
"undockwithoutlogon "=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
"CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
"WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
"SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

Completion time: 06-12-08 18:59:27.89
C:\ComboFix.txt ... 06-12-08 18:59
C:\ComboFix2.txt ... 06-12-07 23:12
C:\ComboFix3.txt ... 06-11-30 18:18

Logfile of HijackThis v1.99.1
Scan saved at 19:02:24, on 08/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\New Folder\music\iTunesHelper.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\rubbish\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\rubbish\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/s.../pages/scanner/ErrorSafeNewReleaseInstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\New Folder\music\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

That's ok, I don't see them any more in the logs, they must be gone.


Net connection in normal mode? Yes? No?

Logs all appear clear, any unusual activities or unwanted symptoms remnaining we need to address? Let me know.

 

Still unable to access internet in normal mode.

 

Try this:
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

 

No luck, I'm afraid. Did as requested, still can't get online in normal mode. When trying to the page states "Page can not be displayed "

 

It was pointed out to me that you're running two avs, you'll need to dump one in favor for the other.

Also be sure and check all your firewall settings to be sure that all the proper programs are allowed to access the Net. Most firewalls these days have settings for that.

 

OK, will get rid of McAfee later on & check firewall settings. Is there anything else I should do?