
Solved Virus blocking system restore and Redirecting Websites

Discussion in 'Malware and Virus Removal Archive' started by skiggidy, 2010/01/24.

  1. 2010/01/25, crunchie:
    Shouldn't take too long. Just give it another 5-10 minutes to see if it will finish.
    So, you have no CD drive?
     
  2. 2010/01/25, skiggidy (thread starter):
    Ok, no luck on the whole safe mode try! It still just resets once you try to boot into safe mode. And no, I do not have a CD/DVD drive on the laptop. I can purchase one, but then I still have to come up with the darn CD somewhere. I have my key, just can't find the darn disk.
     


  4. 2010/01/25, crunchie:
    Ok. Do an online scan for the following file for me. Should only take a couple of minutes.

    Please go to Jotti's or VirusTotal and have this file scanned. Post the results back here.

    c:\windows\system32\ntsystem.exe
     
  5. 2010/01/25, skiggidy (thread starter):
    It says that I have no files named that. No files are hidden, and I even ran a search. I'm on XP Pro.
     
  6. 2010/01/25, crunchie:
    Ok. I want you to try and run Combofix next. Hopefully it will run through.

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  7. 2010/01/25, skiggidy (thread starter):
    I tried to save it to the desktop, then it disappeared when I tried to run it. I saved it to an old flash drive next and changed the name, plugged it into the infected PC, and it disappeared as well.
     
  8. 2010/01/25, crunchie:
    Looks like we are running out of options, especially if we cannot get anything to run on this.

    • Download Avenger by Swandog and unzip it to your Desktop.

      Note: This program must be run from an account with Administrator privileges.

    • Open the Avenger folder and double click Avenger.exe to launch the programme.
    • Copy the text in the code box below and Paste it into the Input script here: box.
    Code:
    Files to delete:
    c:\windows\system32\ntsystem.exe
    Folders to delete:
    c:\windows\ecurit~1
    c:\windows\system32\??crosoft.net
    
    • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    • Ensure the following:
      • Scan for Rootkits is checked.
      • Automatically disable any rootkits found is Unchecked.
    • Press the Execute key.
    • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
    • Post the log back here please. (it can also be found at C:\avenger.txt)
     
  9. 2010/01/25, skiggidy (thread starter):
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP
    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: file "c:\windows\system32\ntsystem.exe" not found!
    Deletion of file "c:\windows\system32\ntsystem.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Folder "c:\windows\ecurit~1" deleted successfully.

    Error: could not open folder "c:\windows\system32\??crosoft.net "
    Deletion of folder "c:\windows\system32\??crosoft.net" failed!
    Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
    --> an object cannot have this name


    Completed script processing.

    *******************

    Finished! Terminate.
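    The Avenger script in post 8 and the log above show why the folder survived: its real name contains characters outside the system code page, the log rendered them as "?", and "?" is not a legal character in a Windows file name, so the delete of "c:\windows\system32\??crosoft.net" was refused with STATUS_OBJECT_NAME_INVALID (the trailing space on the name in the log is a second reason the literal path cannot be opened). The following is an added example, not Avenger or ComboFix code, that checks a path for exactly these problems and for look-alike spellings of system names; the confusables table is a small hand-picked subset (an assumption, not the full Unicode confusables data), and the third sample path is a constructed Unicode version of such a folder name, not the one from this machine.

```python
"""Added example (not Avenger or ComboFix code): vet a Windows path before
pasting it into a deletion script.  Flags characters the Win32 namespace
refuses, trailing spaces/dots, non-ASCII characters, and path components
that merely look like system names (e.g. Cyrillic letters standing in for
Latin ones).  The confusables table is a small hand-picked subset."""
import re
import unicodedata

# Characters the Win32 namespace refuses inside a name component.
INVALID_CHARS = set('<>:"|?*')

# Cyrillic letters that render like Latin ones (subset, for this example).
CONFUSABLES = {
    '\u0410': 'A', '\u0412': 'B', '\u0415': 'E', '\u041a': 'K', '\u041c': 'M',
    '\u041d': 'H', '\u041e': 'O', '\u0420': 'P', '\u0421': 'C', '\u0422': 'T',
    '\u0425': 'X', '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p',
    '\u0441': 'c', '\u0443': 'y', '\u0445': 'x', '\u0455': 's', '\u0456': 'i',
    '\u0458': 'j',
}

# System names the autorun entry in this thread was imitating.
PROTECTED_NAMES = {'microsoft.net', 'lsass.exe'}

DRIVE_RE = re.compile(r'[A-Za-z]:')


def skeleton(name):
    """ASCII look-alike form: NFKC-normalise, fold confusables, lower-case."""
    folded = (CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize('NFKC', name))
    return ''.join(folded).lower()


def check_component(name):
    """Findings for one path component (empty list means nothing odd)."""
    findings = []
    bad = INVALID_CHARS & set(name)
    if bad:
        findings.append('contains illegal name characters %s; this path cannot be '
                        'opened as written' % ''.join(sorted(bad)))
    if name != name.rstrip(' .'):
        findings.append('trailing space/dot; Win32 strips it, so the literal name is unreachable')
    non_ascii = ['U+%04X' % ord(ch) for ch in name if ord(ch) > 0x7f]
    if non_ascii:
        findings.append('non-ASCII characters: ' + ', '.join(non_ascii))
    sk = skeleton(name)
    if sk in PROTECTED_NAMES and name.lower() != sk:
        findings.append('look-alike of system name %r' % sk)
    return findings


def check_path(path):
    """Map each suspicious component of a Windows path to its findings."""
    result = {}
    for comp in path.replace('/', '\\').split('\\'):
        if not comp or DRIVE_RE.fullmatch(comp):
            continue
        findings = check_component(comp)
        if findings:
            result[comp] = findings
    return result


if __name__ == '__main__':
    # First two paths are copied from the logs in this thread; the third is a
    # constructed Unicode folder name (Cyrillic M, i, s) of the same shape.
    for p in (r'c:\windows\system32\??crosoft.net ',
              r'c:\windows\system32\??crosoft.NET\l?ass.exe',
              'c:\\windows\\system32\\\u041c\u0456crosoft.NET\\l\u0455ass.exe'):
        print(p, check_path(p))
```

    A script built from the "?" rendering will always fail; the folder has to be addressed by its real Unicode name or, as ComboFix later did, by its 8.3 short name.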
     
  10. 2010/01/25, skiggidy (thread starter):
    I also received an error when Windows first started up stating that Windows could not locate cleaner.exe.
     
  11. 2010/01/26, crunchie:
    Please download Rkill by Grinler from one of these links:

    Rkill.exe
    Rkill.com
    Rkill.scr
    Rkill.pif

    Save Rkill to your Desktop.
    Double-click on Rkill to run it.

    Note: If the first one does not run successfully, download and try the other copies (with different file extensions) and see if one of them will run.

    Once Rkill has successfully run:

    Download and run exehelper and then try downloading and running Combofix as per my previous direction.
     
  12. 2010/01/26, skiggidy (thread starter):
    Well, here we go! Starting day three of this! Haha, I was able to get both exeHelper.exe and Avenger to run. I was able to get ComboFix installed, and it is now having its way with the computer. I will provide you with a log in a few minutes! Again, I just wanted to tell you how appreciative I am of you and everyone else on WindowsBBS.com! You guys (and girls) are great and I thank you so much!
     
  13. 2010/01/26, skiggidy (thread starter):
    ComboFix 10-01-26.02 - nathaniel 01/26/2010 18:14:53.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.614 [GMT -6:00]
    Running from: c:\documents and settings\nathaniel\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-343818398-1326574676-725345543-500
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\system32\crosof~1.net
    C:\xcrashdump.dat

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
    .

    2010-01-26 05:09 . 2010-01-26 05:09 574 -c--a-w- C:\cleanup.bat
    2010-01-26 05:09 . 2010-01-26 05:09 135168 -c--a-w- C:\zip.exe
    2010-01-26 01:55 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-01-26 01:54 . 2010-01-26 01:54 -------- d-----w- c:\program files\Panda Security
    2010-01-26 01:09 . 2010-01-26 01:09 52224 ----a-w- c:\documents and settings\nathaniel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-26 01:09 . 2010-01-26 01:09 117760 ----a-w- c:\documents and settings\nathaniel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-26 01:08 . 2010-01-26 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-01-26 01:08 . 2010-01-26 01:08 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-26 01:08 . 2010-01-26 01:08 -------- d-----w- c:\documents and settings\nathaniel\Application Data\SUPERAntiSpyware.com
    2010-01-26 01:07 . 2010-01-26 01:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-26 01:00 . 2010-01-26 01:00 -------- d--h--r- c:\documents and settings\Scott\Application Data\yahoo!
    2010-01-25 02:57 . 2010-01-25 02:57 388096 ----a-r- c:\documents and settings\nathaniel\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-25 02:57 . 2010-01-25 02:57 -------- d-----w- c:\program files\TrendMicro
    2010-01-25 01:26 . 2010-01-25 01:26 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-01-25 01:23 . 2010-01-25 01:23 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\Apple Computer
    2010-01-25 01:23 . 2010-01-25 01:23 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\Itiva
    2010-01-25 01:17 . 2010-01-25 01:17 -------- d--h--r- c:\documents and settings\Scott M\Application Data\yahoo!
    2010-01-24 23:49 . 2010-01-24 23:49 -------- d-----w- c:\documents and settings\Scott M\Local Settings\Application Data\Apple Computer
    2010-01-24 23:49 . 2010-01-24 23:49 -------- d-----w- c:\documents and settings\Scott M\Local Settings\Application Data\Itiva
    2010-01-20 05:00 . 2010-01-26 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-01-20 02:20 . 2010-01-20 02:20 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Malwarebytes
    2010-01-20 02:20 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-20 02:20 . 2010-01-20 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-20 02:20 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-20 02:20 . 2010-01-25 01:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-20 01:47 . 2010-01-20 01:47 -------- d-----w- c:\documents and settings\nathaniel\Local Settings\Application Data\Apple
    2010-01-13 03:29 . 2009-08-29 01:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2010-01-13 03:29 . 2009-08-29 01:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-01-13 03:28 . 2010-01-13 03:35 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-13 03:27 . 2010-01-13 03:54 -------- d-----w- c:\documents and settings\nathaniel\Local Settings\Application Data\Apple Computer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-20 01:48 . 2010-01-13 03:33 -------- d-----w- c:\program files\Bonjour
    2010-01-20 01:47 . 2010-01-20 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-01-20 01:47 . 2010-01-13 03:30 -------- d-----w- c:\program files\Apple Software Update
    2010-01-20 01:47 . 2010-01-13 03:31 -------- d-----w- c:\program files\QuickTime
    2010-01-20 01:47 . 2010-01-13 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-01-20 01:47 . 2010-01-13 03:35 -------- d-----w- c:\program files\iTunes
    2010-01-20 01:46 . 2010-01-13 03:37 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Apple Computer
    2010-01-13 03:37 . 2010-01-13 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2010-01-13 03:35 . 2010-01-13 03:35 -------- d-----w- c:\program files\iPod
    2010-01-05 10:00 . 2005-07-14 15:12 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2005-07-14 15:10 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2005-07-14 15:10 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-12-22 20:29 . 2009-12-22 20:29 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Unity
    2009-12-06 01:30 . 2006-11-11 19:55 -------- d-----w- c:\program files\Yahoo!
    2009-12-06 01:28 . 2009-02-05 23:49 -------- d-----w- c:\program files\Yahoo! Games
    2009-12-06 01:28 . 2009-11-24 01:26 -------- d-----w- c:\program files\Amazon
    2009-11-21 15:51 . 2005-07-14 15:09 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-05 17:08 . 2009-11-05 17:08 152576 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Osenew "= "c:\windows\system32\??crosoft.NET\l?ass.exe" [?]
    "Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 4662776]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-03-10 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-03-10 126976]
    "HPlsKey "= "c:\program files\Panasonic\HPLSMAN\hplskey.exe" [2005-06-01 61440]
    "PRunOnce "= "c:\util\prunonce\PRunOnce.exe" [2004-08-06 110592]
    "PCinfo "= "c:\program files\Panasonic\PCINFO\SetDiag.exe" [2005-06-15 45056]
    "Panasonic HotKey Manager "= "c:\program files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-06-14 974848]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-12-20 88358]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
    "Motive SmartBridge "= "c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 438359]
    "Itiva Media Accelerator "= "c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "scroller "= "fpapli.exe" [2005-04-18 81920]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Display Rotation Tool.lnk - c:\program files\Panasonic\DispRot\IDRot.exe [2005-7-14 86016]
    Panasonic Hand Writing.lnk - c:\program files\Panasonic\WRITING\Writing.exe [2005-7-14 278528]
    Software Keyboard.lnk - c:\program files\Panasonic\MEISKB\meiskb.exe [2005-7-14 135168]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HPLSNTF]
    2005-06-01 20:02 53248 ----a-w- c:\windows\system32\HPLSNTF.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-10-15 18:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/25/2010 7:55 PM 28552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R2 brecal;Panasonic Battery Recalibration Driver;c:\program files\Panasonic\BRECAL\Brecal.sys [7/14/2005 5:10 PM 7168]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/1/2008 10:09 AM 206096]
    R2 pcinfo;Panasonic PC Info. Viewer Driver;c:\program files\Panasonic\PCINFO\PCINFO.sys [7/14/2005 5:20 PM 7168]
    R2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\Panasonic\SDKEY\SDKEY.sys [7/14/2005 5:21 PM 8192]
    R3 FIDMOU;Fujitsu touchpad;c:\windows\system32\drivers\Fidmou.sys [7/14/2005 9:18 AM 23463]
    R3 HTKPLUS;Panasonic Hotkey PLUS Driver;c:\windows\system32\drivers\HTKPLUS.SYS [7/14/2005 9:18 AM 8448]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
    S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/26/2004 4:15 PM 31375]
    S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\drivers\rsmartc.sys [7/14/2005 9:18 AM 69460]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2009-11-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-01 17:22]

    2009-11-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-01 17:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Winstr - C:\3611010322532273703.exe
    HKCU-Run-Winstp - C:\3611010322532273703.exe
    HKCU-Run-Winsto - C:\3611010322532273703.exe
    HKCU-Run-Winstt - C:\3611010322532273703.exe
    HKCU-Run-Winsty - C:\3611010322532273703.exe
    HKCU-Run-Winstj - C:\3611010322532273703.exe
    HKCU-Run-Winstd - C:\3611010322532273703.exe
    HKCU-Run-Winstn - C:\3611010322532273703.exe
    HKCU-Run-Winsti - C:\3611010322532273703.exe
    HKCU-Run-Winsts - C:\3611010322532273703.exe
    HKCU-Run-Winstq - C:\3611010322532273703.exe
    HKCU-Run-Winstf - C:\3611010322532273703.exe
    HKCU-Run-Winstv - C:\3611010322532273703.exe
    HKCU-Run-Winstl - C:\3611010322532273703.exe
    HKCU-Run-Winstu - C:\3611010322532273703.exe
    HKCU-Run-Winstk - C:\3611010322532273703.exe
    HKCU-Run-Winsta - C:\3611010322532273703.exe
    HKCU-Run-Winstg - C:\3611010322532273703.exe
    HKCU-Run-Winstb - C:\3611010322532273703.exe
    HKCU-Run-Winstw - C:\3611010322532273703.exe
    HKCU-Run-Winsth - C:\3611010322532273703.exe
    HKCU-Run-Winstx - C:\3611010322532273703.exe
    HKCU-Run-Winste - C:\3611010322532273703.exe
    HKCU-Run-Winstz - C:\3611010322532273703.exe
    HKCU-Run-Winstm - C:\3611010322532273703.exe
    HKCU-Run-Winstc - C:\3611010322532273703.exe
    HKCU-Run-Betw - c:\windows\ECURIT~1\regsvr32.exe
    SafeBoot-Lavasoft Ad-Aware Service
    AddRemove-Imation Disk Manager II Service - c:\docume~1\NATHAN~1\LOCALS~1\Temp\Imation Disk Manager II.exe
    AddRemove-{D050D7362D214723AD585B541FFB6C11} - c:\program files\DivX\DivXContentUploaderUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-26 18:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Winstr = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstp = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winsto = C:\3611010322532273703.exe? ???F???k???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstt = C:\3611010322532273703.exe? ???F???R???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winsty = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstj = C:\3611010322532273703.exe? ???F???[???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstd = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstn = C:\3611010322532273703.exe? ???F???^???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winsti = C:\3611010322532273703.exe? ???F???x???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winsts = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstq = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstf = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstv = C:\3611010322532273703.exe? ???F???D???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstl = C:\3611010322532273703.exe? ???F???2???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstu = C:\3611010322532273703.exe? ???F???>???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstk = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winsta = C:\3611010322532273703.exe? ???F???S???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstg = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstb = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstw = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winsth = C:\3611010322532273703.exe? ???F???A???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstx = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winste = C:\3611010322532273703.exe? ???F???U???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstz = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstm = C:\3611010322532273703.exe? ???F???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Winstc = C:\3611010322532273703.exe? ???F???k???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(728)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\HPLSNtf.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll

    - - - - - - - > 'explorer.exe'(3500)
    c:\windows\system32\WININET.dll
    c:\progra~1\Verizon\SMARTB~1\SBHook.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\FPHOOK.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Panasonic\HPLSMAN\hplsman.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
    c:\program files\McAfee\MSK\MskSrver.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\system32\UStorSrv.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\system32\fpapli.exe
    c:\windows\system32\Tprbtn.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-26 18:31:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-27 00:31

    Pre-Run: 44,610,142,208 bytes free
    Post-Run: 44,727,042,048 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 23A0B01091E2CACF1B62B69871B7EBCB
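    The log above carries three signs that a reader can pick out without knowing the malware family: twenty-six HKCU Run values (Winsta through Winstz) that all launch one numeric .exe in the root of C:, a Run value whose target ComboFix could not date or size ("[?]"), and Security Center and firewall-policy values set so that Windows stops reporting that protection is off. The following is an added example, not ComboFix's own code, that parses these sections of a ComboFix log and flags those patterns; SAMPLE_LOG is a constructed excerpt in the same layout, with entries copied from the thread's log.

```python
"""Added example, not ComboFix's own code: triage the "Reg Loading Points"
and "ORPHANS REMOVED" sections of a ComboFix log.  Flags: many Run values
that launch one numeric .exe in the drive root, a Run target for which
ComboFix printed '[?]' instead of a date and size, and Security Center /
firewall values set to silence protection warnings.  SAMPLE_LOG is a
constructed excerpt in the same layout as the log in this thread."""
import re
from collections import defaultdict

SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Osenew "= "c:\windows\system32\??crosoft.NET\l?ass.exe" [?]
"MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001
"FirewallOverride "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Winstr - C:\3611010322532273703.exe
HKCU-Run-Winstp - C:\3611010322532273703.exe
HKCU-Run-Winsto - C:\3611010322532273703.exe
HKCU-Run-Winstt - C:\3611010322532273703.exe
HKCU-Run-Winsty - C:\3611010322532273703.exe
HKCU-Run-Betw - c:\windows\ECURIT~1\regsvr32.exe
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>.*?)\s*"\s*=\s*"(?P<target>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?')
DWORD_RE = re.compile(r'^"(?P<name>.*?)\s*"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x)')
ORPHAN_RE = re.compile(r'^HKCU-Run-(?P<name>\S+) - (?P<target>.+)$')
ROOT_NUMERIC_RE = re.compile(r'^[a-z]:\\\d+\.exe$', re.IGNORECASE)

# Value name (lower-case) -> the setting that silences protection warnings.
WEAKENING = {
    'antivirusoverride': 1,   # Security Center stops nagging about the AV
    'firewalloverride': 1,    # ... and about the firewall
    'disablemonitoring': 1,   # Security Center stops watching this product
    'enablefirewall': 0,      # Windows Firewall off for this profile
}


def triage(log_text):
    """Return [(severity, message)] for one ComboFix log excerpt."""
    findings = []
    by_target = defaultdict(set)          # target (lower-cased) -> Run value names
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ORPHAN_RE.match(line)
        if m:                             # Run entries ComboFix already removed
            by_target[m.group('target').lower()].add(m.group('name'))
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith('\\run'):
            name, target = m.group('name'), m.group('target')
            by_target[target.lower()].add(name)
            if m.group('meta') == '?':
                findings.append(('high', 'Run value %r launches %r, for which ComboFix '
                                         'printed [?] instead of a date and size' % (name, target)))
            continue
        m = DWORD_RE.match(line)
        if m and key:
            value = int(m.group('hex'), 16) if m.group('hex') else int(m.group('dec'))
            if WEAKENING.get(m.group('name').lower()) == value:
                findings.append(('medium', '%s\\%s = %d silences protection reporting'
                                           % (key, m.group('name'), value)))
    for target, names in sorted(by_target.items()):
        if ROOT_NUMERIC_RE.match(target):
            findings.append(('high', 'Run target %r is a numeric .exe in the drive root' % target))
        if len(names) >= 3:               # one payload, many differently named triggers
            findings.append(('high', '%d Run values (%s) all launch %r'
                                     % (len(names), ', '.join(sorted(names)), target)))
    return findings


if __name__ == '__main__':
    for severity, message in triage(SAMPLE_LOG):
        print(severity.upper(), message)
```

    The override and DisableMonitoring values are worth re-checking after cleanup: they are plain registry settings that nothing in the log above resets, so Security Center will keep quiet about a disabled AV or firewall until they are cleared.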
     
  14. 2010/01/26
    skiggidy

    skiggidy Inactive Thread Starter

    Joined:
    2010/01/24
    Messages:
    32
    Likes Received:
    0
    Here's the HJT log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 6:42:31 PM, on 1/26/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Panasonic\HPLSMAN\hplsman.exe
    C:\Program Files\Panasonic\Disprot\IDRot.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\UStorSrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Panasonic\HPLSMAN\hplskey.exe
    C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
    C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\fpapli.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\Tprbtn.exe
    C:\Program Files\Panasonic\DispRot\IDRot.exe
    C:\Program Files\Panasonic\WRITING\Writing.exe
    C:\Program Files\Panasonic\MEISKB\meiskb.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPlsKey] C:\Program Files\Panasonic\HPLSMAN\hplskey.exe
    O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
    O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
    O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [scroller] fpapli.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Osenew] C:\WINDOWS\system32\??crosoft.NET\l?ass.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Display Rotation Tool.lnk = ?
    O4 - Global Startup: Panasonic Hand Writing.lnk = ?
    O4 - Global Startup: Software Keyboard.lnk = ?
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: HPLSNTF - HPLSNtf.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

    --
    End of file - 9677 bytes
     
  15. 2010/01/26
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    Folder::
    c:\windows\system32\??crosoft.NET
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Osenew"=-
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.



    7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    • A new HijackThis log.
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ==

    Let me know how the pc is.
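The value crunchie's script removes is the Osenew Run entry, whose path imitates Microsoft.NET\lsass.exe using characters HijackThis could not render. As an added example (not code from this thread, HijackThis or ComboFix), here is a small Python scanner that flags such lookalike O4 entries in an HJT log and lays the findings out in the same CFScript form used above; the SAMPLE_HJT lines, the SYSTEM_NAMES list and the invented Updater entry are constructed for the demonstration.

```python
"""Flag HijackThis O4 autostart entries whose path components imitate
Windows system names, then lay the results out in the CFScript form used
in this thread. Added example; not code from the thread, HJT or ComboFix."""
import re

# Names a lookalike path usually imitates (assumption: our own short list).
SYSTEM_NAMES = ["Microsoft.NET", "lsass.exe", "csrss.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "explorer.exe"]

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RUN_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
O4_RE = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\Run: "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Constructed sample modelled on the HJT log above. The Osenew line is the
# one crunchie's script removes; the Updater line is invented and uses a
# Cyrillic 'o' (U+043E) in place of the Latin 'o' in svchost.exe.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [PCinfo] C:\\Program Files\\Panasonic\\PCINFO\\SetDiag.exe /FirstLogin
O4 - HKCU\\..\\Run: [Osenew] C:\\WINDOWS\\system32\\??crosoft.NET\\l?ass.exe
O4 - HKCU\\..\\Run: [Updater] "C:\\WINDOWS\\system32\\svch\u043est.exe" /background
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_path(cmd):
    """Strip the command-line switches HJT shows after the image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].strip()
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0].strip()


def check_component(comp):
    """Reasons why one path element (directory or file name) looks forged."""
    reasons = []
    # '?' is not legal in a Windows file name; HJT prints it for characters
    # outside the console code page, so either way the name is not ASCII.
    bad = "".join(c for c in comp if ord(c) > 126 or c in '?*<>|"')
    if bad:
        reasons.append(f"non-ASCII or illegal characters: {bad!r}")
    for ref in SYSTEM_NAMES:
        d = edit_distance(comp.lower(), ref.lower())
        if 0 < d <= 2:  # close to a system name, but not that name
            reasons.append(f"{d} edit(s) away from {ref}")
    return reasons


def scan_hjt(log_text):
    """Return one finding per O4 Run entry that has a suspicious component."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_path(m["cmd"])
        segs = exe.split("\\")
        reasons, bad_dirs = [], []
        for idx, comp in enumerate(segs):
            if not comp or comp.endswith(":"):  # skip drive letter
                continue
            why = check_component(comp)
            if why:
                reasons.append(f"{comp}: " + "; ".join(why))
                if idx < len(segs) - 1:  # a forged directory, not the file
                    bad_dirs.append("\\".join(segs[: idx + 1]))
        if reasons:
            findings.append({"hive": m["hive"], "name": m["name"], "exe": exe,
                             "reasons": reasons, "bad_dirs": bad_dirs})
    return findings


def render_cfscript(findings):
    """Lay the findings out as crunchie did: KillAll::, Folder::, Registry::."""
    lines = ["KillAll::", ""]
    dirs = [d for f in findings for d in f["bad_dirs"]]
    if dirs:
        lines += ["Folder::"] + dirs + [""]
    lines.append("Registry::")
    by_key = {}
    for f in findings:
        by_key.setdefault(HIVES[f["hive"]] + RUN_KEY, []).append(f["name"])
    for key, names in by_key.items():
        lines += [f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_HJT):
        print(f"[{f['hive']}] {f['name']} -> {f['exe']}")
        for r in f["reasons"]:
            print("   ", r)
    print()
    print(render_cfscript(scan_hjt(SAMPLE_HJT)))
```

Directory removals are only proposed for a forged directory component, as in the thread's script; a forged file inside a real system directory gets its Run value removed and is left for manual review.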
     
  16. 2010/01/26
    skiggidy

    skiggidy Inactive Thread Starter

    Joined:
    2010/01/24
    Messages:
    32
    Likes Received:
    0
    ComboFix 10-01-26.02 - nathaniel 01/26/2010 19:33:53.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.634 [GMT -6:00]
    Running from: c:\documents and settings\nathaniel\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\nathaniel\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
    .

    2010-01-27 01:18 . 2010-01-27 01:18 503808 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-590bfc1a-n\msvcp71.dll
    2010-01-27 01:18 . 2010-01-27 01:18 348160 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-590bfc1a-n\msvcr71.dll
    2010-01-27 01:18 . 2010-01-27 01:18 499712 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-590bfc1a-n\jmc.dll
    2010-01-27 01:18 . 2010-01-27 01:18 61440 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19841297-n\decora-sse.dll
    2010-01-27 01:18 . 2010-01-27 01:18 12800 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19841297-n\decora-d3d.dll
    2010-01-27 00:59 . 2010-01-27 00:59 -------- dc----w- C:\util2
    2010-01-26 05:09 . 2010-01-26 05:09 574 -c--a-w- C:\cleanup.bat
    2010-01-26 05:09 . 2010-01-26 05:09 135168 -c--a-w- C:\zip.exe
    2010-01-26 01:54 . 2010-01-27 00:46 -------- d-----w- c:\program files\Panda Security
    2010-01-26 01:08 . 2010-01-26 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-01-26 01:08 . 2010-01-27 00:47 -------- d-----w- c:\documents and settings\nathaniel\Application Data\SUPERAntiSpyware.com
    2010-01-26 01:08 . 2010-01-27 00:46 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-25 01:17 . 2010-01-25 01:17 -------- d--h--r- c:\documents and settings\Scott M\Application Data\yahoo!
    2010-01-24 23:49 . 2010-01-24 23:49 -------- d-----w- c:\documents and settings\Scott M\Local Settings\Application Data\Apple Computer
    2010-01-24 23:49 . 2010-01-24 23:49 -------- d-----w- c:\documents and settings\Scott M\Local Settings\Application Data\Itiva
    2010-01-20 05:00 . 2010-01-26 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-01-20 02:20 . 2010-01-20 02:20 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Malwarebytes
    2010-01-20 02:20 . 2010-01-20 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-20 01:47 . 2010-01-20 01:47 -------- d-----w- c:\documents and settings\nathaniel\Local Settings\Application Data\Apple
    2010-01-13 03:29 . 2009-08-29 01:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2010-01-13 03:29 . 2009-08-29 01:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-01-13 03:28 . 2010-01-13 03:35 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-13 03:27 . 2010-01-13 03:54 -------- d-----w- c:\documents and settings\nathaniel\Local Settings\Application Data\Apple Computer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-27 01:18 . 2006-04-07 10:45 -------- d-----w- c:\program files\Java
    2010-01-26 01:00 . 2010-01-26 01:00 -------- d--h--r- c:\documents and settings\Scott\Application Data\yahoo!
    2010-01-25 02:57 . 2010-01-25 02:57 388096 ----a-r- c:\documents and settings\nathaniel\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-25 02:57 . 2010-01-25 02:57 -------- d-----w- c:\program files\TrendMicro
    2010-01-20 01:48 . 2010-01-13 03:33 -------- d-----w- c:\program files\Bonjour
    2010-01-20 01:47 . 2010-01-20 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-01-20 01:47 . 2010-01-13 03:30 -------- d-----w- c:\program files\Apple Software Update
    2010-01-20 01:47 . 2010-01-13 03:31 -------- d-----w- c:\program files\QuickTime
    2010-01-20 01:47 . 2010-01-13 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-01-20 01:47 . 2010-01-13 03:35 -------- d-----w- c:\program files\iTunes
    2010-01-20 01:46 . 2010-01-13 03:37 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Apple Computer
    2010-01-13 03:37 . 2010-01-13 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2010-01-13 03:35 . 2010-01-13 03:35 -------- d-----w- c:\program files\iPod
    2010-01-05 10:00 . 2005-07-14 15:12 832512 ------w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2005-07-14 15:10 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2005-07-14 15:10 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-12-22 20:29 . 2009-12-22 20:29 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Unity
    2009-12-17 23:14 . 2009-09-20 21:14 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-06 01:30 . 2006-11-11 19:55 -------- d-----w- c:\program files\Yahoo!
    2009-12-06 01:28 . 2009-02-05 23:49 -------- d-----w- c:\program files\Yahoo! Games
    2009-12-06 01:28 . 2009-11-24 01:26 -------- d-----w- c:\program files\Amazon
    2009-11-21 15:51 . 2005-07-14 15:09 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-05 17:08 . 2009-11-05 17:08 152576 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 4662776]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-03-10 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-03-10 126976]
    "HPlsKey "= "c:\program files\Panasonic\HPLSMAN\hplskey.exe" [2005-06-01 61440]
    "PRunOnce "= "c:\util\prunonce\PRunOnce.exe" [2004-08-06 110592]
    "PCinfo "= "c:\program files\Panasonic\PCINFO\SetDiag.exe" [2005-06-15 45056]
    "Panasonic HotKey Manager "= "c:\program files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-06-14 974848]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-12-20 88358]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
    "Motive SmartBridge "= "c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 438359]
    "Itiva Media Accelerator "= "c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "McAfee Backup "= "c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
    "scroller "= "fpapli.exe" [2005-04-18 81920]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Display Rotation Tool.lnk - c:\program files\Panasonic\DispRot\IDRot.exe [2005-7-14 86016]
    Panasonic Hand Writing.lnk - c:\program files\Panasonic\WRITING\Writing.exe [2005-7-14 278528]
    Software Keyboard.lnk - c:\program files\Panasonic\MEISKB\meiskb.exe [2005-7-14 135168]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HPLSNTF]
    2005-06-01 20:02 53248 ----a-w- c:\windows\system32\HPLSNTF.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-10-15 18:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    R2 brecal;Panasonic Battery Recalibration Driver;c:\program files\Panasonic\BRECAL\Brecal.sys [7/14/2005 5:10 PM 7168]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/1/2008 10:09 AM 206096]
    R2 pcinfo;Panasonic PC Info. Viewer Driver;c:\program files\Panasonic\PCINFO\PCINFO.sys [7/14/2005 5:20 PM 7168]
    R2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\Panasonic\SDKEY\SDKEY.sys [7/14/2005 5:21 PM 8192]
    R3 FIDMOU;Fujitsu touchpad;c:\windows\system32\drivers\Fidmou.sys [7/14/2005 9:18 AM 23463]
    R3 HTKPLUS;Panasonic Hotkey PLUS Driver;c:\windows\system32\drivers\HTKPLUS.SYS [7/14/2005 9:18 AM 8448]
    S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/26/2004 4:15 PM 31375]
    S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\drivers\rsmartc.sys [7/14/2005 9:18 AM 69460]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2009-11-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-01 17:22]

    2009-11-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-01 17:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-26 19:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(564)
    c:\windows\system32\HPLSNtf.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll

    - - - - - - - > 'explorer.exe'(3064)
    c:\windows\system32\WININET.dll
    c:\progra~1\Verizon\SMARTB~1\SBHook.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\FPHOOK.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Panasonic\HPLSMAN\hplsman.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\McAfee\MSK\MskSrver.exe
    c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\system32\UStorSrv.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\system32\fpapli.exe
    c:\windows\system32\Tprbtn.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-26 19:48:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-27 01:48
    ComboFix2.txt 2010-01-27 00:31

    Pre-Run: 44,719,927,296 bytes free
    Post-Run: 44,786,749,440 bytes free

    - - End Of File - - 330CBD1CC2459CB4897E5A0F7A323C9B

    hjt log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 7:53:07 PM, on 1/26/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Panasonic\HPLSMAN\hplsman.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Panasonic\Disprot\IDRot.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\UStorSrv.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Panasonic\HPLSMAN\hplskey.exe
    C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
    C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\WINDOWS\system32\fpapli.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\Tprbtn.exe
    C:\Program Files\Panasonic\DispRot\IDRot.exe
    C:\Program Files\Panasonic\WRITING\Writing.exe
    C:\Program Files\Panasonic\MEISKB\meiskb.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPlsKey] C:\Program Files\Panasonic\HPLSMAN\hplskey.exe
    O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
    O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
    O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe "
    O4 - HKLM\..\Run: [scroller] fpapli.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Display Rotation Tool.lnk = ?
    O4 - Global Startup: Panasonic Hand Writing.lnk = ?
    O4 - Global Startup: Software Keyboard.lnk = ?
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: HPLSNTF - HPLSNtf.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

    --
    End of file - 9052 bytes

    Computer seems to be running way better now! I have gone to probably close to 30 sites via google and no redirects. Seems to be running awesome!
     
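As an added example that is not part of the thread (and not a HijackThis feature), the script below shows how a helper would triage a log in the format posted above. It parses the O4 autorun, O4 Global Startup, O20 and O23 lines and flags the things a malware-removal volunteer looks for first: an autorun whose command is a bare file name with no path (so Windows resolves it through its search order and the name alone does not tell you which file runs), shortcuts the tool could not resolve (`= ?`), hooks whose file is missing, and services with an unknown owner. The line-format regexes are an assumption derived from the lines in this log, and the sample input is a constructed excerpt of it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: a short excerpt in the HijackThis log format, taken
# from the log posted above so the script runs offline. Not the complete log.
SAMPLE_LOG = r"""
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Display Rotation Tool.lnk = ?
O20 - Winlogon Notify: HPLSNTF - HPLSNtf.dll (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip()

# Line shapes assumed from the log above (HijackThis itself documents no grammar).
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<target>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    line_no: int
    section: str
    name: str
    reason: str


def _executable(cmd: str) -> str:
    """Return the program part of an autorun command, dropping arguments and quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split(" ", 1)[0]


def _has_path(exe: str) -> bool:
    """True if the command names a directory; a bare name is resolved by search order."""
    return "\\" in exe or "/" in exe


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis-format log and return the entries worth a second look."""
    findings: List[Finding] = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]

        # Any hook whose target file is gone: leftover from a removal, or a
        # broken hijack. Either way it should be cleaned up.
        if "(file missing)" in line:
            name = line.split(": ", 1)[1].split(" - ")[0]
            findings.append(Finding(no, section, name, "target file is missing (orphaned entry)"))
            continue

        m = RUN_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            if not _has_path(exe):
                findings.append(Finding(no, section, m.group("name"),
                                        f"autorun command {exe!r} has no path; verify which file actually runs"))
            continue

        m = STARTUP_RE.match(line)
        if m and m.group("target").strip() == "?":
            findings.append(Finding(no, section, m.group("name"), "startup shortcut target could not be resolved"))
            continue

        m = SERVICE_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(Finding(no, section, m.group("name"), "service has no recognised owner; check the file's signature"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3} {f.section:<4} {f.name}: {f.reason}")
```

A flag from this script is a prompt to verify, not a verdict: `AGRSMMSG.exe` is a common modem tray utility that is normally registered without a path, while `fpapli.exe` in the same position is the entry that deserves a file lookup and an online scan, exactly the kind of check crunchie asked for earlier in the thread.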
  17. 2010/01/26
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Ok. Sounds good. We need you to try the Kaspersky online scan again now as per post #12.

    Post up the results.
     
  18. 2010/01/26
    skiggidy

    skiggidy Inactive Thread Starter

    Joined:
    2010/01/24
    Messages:
    32
    Likes Received:
    0
    report:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, January 26, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, January 27, 2010 01:55:06
    Records in database: 3375042
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\

    Scan statistics:
    Objects scanned: 57584
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 02:12:41


    File name / Threat / Threats count
    C:\System Volume Information\_restore{BE959B95-A66F-4CF2-9CDC-422171C38F5C}\RP538\A0070028.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

    Selected area has been scanned.
     
  19. 2010/01/26
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Ok. We will get rid of that by disabling system restore, but first I want to make sure all is well with your machine.
    Put it through its paces and let me know if you have any problems. Do not do the system restore until then.
     
  20. 2010/01/27
    skiggidy

    skiggidy Inactive Thread Starter

    Joined:
    2010/01/24
    Messages:
    32
    Likes Received:
    0
    Ok, well it seems like the computer is running almost perfect! Everything seems to be running great, and no more redirects. So again thank you! I think it is fixed! Do you have any recommendations on a good VS or malware program that I should purchase? I made sure all P2P software is deleted, and going to make sure the wife doesn't click on any attachments! Also, I highly doubt that it would have anything to do with malware, but I can not keep my touchscreen calibrated. I have uninstalled the drivers, restarted the computer (no longer had touchscreen), reloaded the current driver from Panasonic's website, and it's doing the same thing. I can calibrate it, it will work great for about a minute, then it's almost a half inch off on the touchscreen.
     
  21. 2010/01/27
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    MBA-M would be a good program to have full-time. As for an AV, free ones I would suggest would be Comodo, Avast and Avira.

    For system restore;

    ==

    Let's get rid of Combofix now that we are finished with it.
    • Click START then RUN
    • Now copy/paste the following bolded text into the Run box and click OK:

      ComboFix /Uninstall

      Note the space between the X and the /, it needs to be there.


    ==

    Happy surfing :)
     
