
Solved: Google redirect, pop-ups and fake scans.

Discussion in 'Malware and Virus Removal Archive' started by KRE09, 2009/12/17.

  1. 2009/12/17 KRE09 (Thread Starter)
    [Resolved] Google redirect, pop-ups and fake scans.

    I'm having the same problem as many other people here. Google redirects me when I click a link while web surfing, and pop-ups come in new tabs, sometimes leading to fake virus scans and alerts. Both IE8 and Firefox.

    Since switching to McAfee today the redirects have been happening a little less, due to McAfee's SiteAdvisor. But it still does happen.

    I've tried SUPERAntiSpyware, Malwarebytes and McAfee several times; some scans have picked up and removed some things, but the issue still remains. I also have SpywareBlaster and SpywareGuard to help prevent spyware and such.




    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Owner at 10:09:09.08 on Fri 12/18/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.34 [GMT -8:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\zHotkey.exe
    svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page =
    BHO: {01e9bc75-8b09-4101-9368-15b50ab093db} - mizojuna.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [CHotkey] zHotkey.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
    mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    SSODL: nonokivav - {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll
    STS: jugezatag: {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll
    SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\sd3cnal8.default\
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-17 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-17 35272]
    R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-17 34248]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-17 40552]

    =============== Created Last 30 ================

    2009-12-17 20:50:46 12753 ----a-w- c:\windows\system32\Config.MPF
    2009-12-17 20:41:43 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-12-17 20:41:43 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-12-17 20:41:43 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-12-17 20:41:33 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-12-17 20:40:13 0 d-----w- c:\program files\common files\McAfee
    2009-12-17 20:40:10 0 d-----w- c:\program files\McAfee.com
    2009-12-17 20:31:59 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-12-17 02:17:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-12-17 02:16:59 0 d-----w- c:\program files\SUPERAntiSpyware
    2009-12-17 02:16:59 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
    2009-12-17 02:11:05 0 d-----w- c:\program files\SpywareGuard
    2009-12-17 01:52:28 0 d-----w- c:\program files\SpywareBlaster
    2009-12-17 00:57:41 0 d-----w- c:\program files\Enigma Software Group
    2009-12-16 20:11:44 2910 ----a-w- c:\documents and settings\owner\.recently-used.xbel
    2009-12-15 23:37:25 0 ----a-w- c:\windows\system32\18467.exe
    2009-12-15 23:36:57 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2009-12-15 23:36:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-15 23:36:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-15 23:36:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-12-15 23:36:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-02 23:30:46 202072 ----a-r- c:\windows\cpnprt2.cid
    2009-12-02 23:30:41 202072 ------w- c:\windows\system32\cpnprt2.cid
    2009-12-02 23:30:35 0 d-----w- c:\windows\Cache
    2009-12-02 23:30:33 0 d-----w- c:\program files\Coupons
    2009-11-21 17:59:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak

    ==================== Find3M ====================

    2009-12-17 08:38:56 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-11-05 00:54:12 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-11-02 21:47:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-01 23:42:48 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
    2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-09-25 05:48:59 81920 ------w- c:\windows\system32\ieencode.dll

    ============= FINISH: 10:14:43.89 ===============
     
    Last edited: 2009/12/18
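Added triage example (an editor's illustration, not code from this thread and not part of DDS or ComboFix): a small Python script that applies a few of the checks a malware analyst makes by eye on the "Pseudo HJT Report" and file-listing sections of a DDS log like the one above: hook entries (BHO, SSODL, STS, SEH) that have no display name or load a DLL by bare filename, pronounceable random names loaded from system32, numeric-named or zero-byte executables in system32, and a boot-critical driver whose modification time falls inside the incident window. The sample lines are a constructed subset copied from the posted log; the SYSTEM32 path, the CORE_DRIVERS list and the seven-day window are assumptions, and a hit is a reason to look closer, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample: a subset of lines copied from the DDS log in the post above,
# kept in DDS's own line format so the checks can be exercised offline.
SAMPLE_LOG = r"""
BHO: {01e9bc75-8b09-4101-9368-15b50ab093db} - mizojuna.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
SSODL: nonokivav - {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll
STS: jugezatag: {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
2009-12-15 23:37:25 0 ----a-w- c:\windows\system32\18467.exe
2009-12-15 23:36:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-17 08:38:56 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
"""

SYSTEM32 = r"c:\windows\system32"      # assumption: default XP layout
DRIVERS = SYSTEM32 + r"\drivers"
# Assumed short list of boot-critical drivers whose mtime normally only moves with a service pack.
CORE_DRIVERS = {"atapi.sys", "disk.sys", "ntfs.sys", "ndis.sys"}

# "KIND: [display name :|-] {GUID} - path"  (display name is optional in DDS output)
HOOK_RE = re.compile(
    r"^(?P<kind>BHO|TB|SSODL|STS|SEH|Handler):\s*"
    r"(?:(?P<name>[^{]+?)\s*[:-]\s*)?"
    r"(?P<guid>\{[0-9a-f-]{36}\})\s*-\s*(?P<path>.+?)\s*$",
    re.IGNORECASE,
)
# "YYYY-MM-DD HH:MM:SS size attrs path"  (Created Last 30 / Find3M sections)
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<size>\d+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
# Consonant-vowel syllable strings ("popavifu", "mizojuna") with no digits or separators.
CV_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,}[bcdfghjklmnpqrstvwxyz]?$")


@dataclass(frozen=True)
class Finding:
    line: str
    path: str
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic: pronounceable machine-generated name, as seen on the hook entries above."""
    return bool(CV_NAME_RE.match(name.lower()))


def _check_hook(line, m):
    path = m["path"]
    stem = ntpath.splitext(ntpath.basename(path))[0]
    folder = ntpath.dirname(path).lower()
    out = []
    if not m["name"]:
        out.append(Finding(line, path, "hook entry has no display name"))
    if not folder:
        out.append(Finding(line, path, "DLL given by bare filename, resolved through the search path"))
    if folder in ("", SYSTEM32) and (looks_random(stem) or looks_random(m["name"] or "")):
        out.append(Finding(line, path, "random-looking name loaded from system32"))
    return out


def _check_file(line, m, log_date, recent_days):
    path = m["path"]
    name = ntpath.basename(path).lower()
    stem, ext = ntpath.splitext(name)
    folder = ntpath.dirname(path).lower()
    out = []
    if folder in (SYSTEM32, DRIVERS) and ext in (".exe", ".dll", ".sys") and stem.isdigit():
        out.append(Finding(line, path, "numeric filename in a system directory"))
    if ext == ".exe" and int(m["size"]) == 0:
        out.append(Finding(line, path, "zero-byte executable"))
    mtime = date.fromisoformat(m["date"])
    if folder == DRIVERS and name in CORE_DRIVERS and (log_date - mtime).days <= recent_days:
        out.append(Finding(line, path, "core OS driver modified recently; compare its hash with a known-good copy"))
    return out


def triage(log_text: str, log_date: date, recent_days: int = 7) -> list:
    """Run every heuristic over the hook and file-listing lines of a DDS log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            findings += _check_hook(line, m)
            continue
        m = FILE_RE.match(line)
        if m:
            findings += _check_file(line, m, log_date, recent_days)
    return findings


def triage_sample() -> list:
    """The constructed sample, dated to the day the log above was taken."""
    return triage(SAMPLE_LOG, date(2009, 12, 18))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.reason:<70} {f.path}")
```

Running it on the sample prints one line per hit; the Adobe, Google, SpywareGuard and Malwarebytes entries produce nothing, which is the point of keying on where the DLL lives and how it is named rather than on the hook type alone. The random-name pattern is deliberately narrow (it would also match a short legitimate name such as "sacore"), so it is only applied to files in system32 or loaded without a path.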
  2. 2009/12/17 KRE09 (Thread Starter)
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/1/2009 5:18:23 PM
    System Uptime: 12/17/2009 1:07:09 PM (21 hours ago)

    Motherboard: To be filled by O.E.M. | | MS-7207
    Processor: AMD Athlon(tm) 64 Processor 3700+ | CPU 1 | 2210/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 144 GiB total, 115.244 GiB free.
    D: is FIXED (FAT32) - 5 GiB total, 2.233 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    AOL Spyware Protection
    Canon iP1600
    Canon Utilities Easy-PhotoPrint
    Coupon Printer for Windows
    Digital Media Reader
    Easy-WebPrint
    GIMP 2.6.7
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Java(TM) 6 Update 16
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Digital Image Starter Edition 2006
    Microsoft Digital Image Starter Edition 2006 Editor
    Microsoft Digital Image Starter Edition 2006 Library
    Microsoft Money 2005
    Microsoft Office Standard Edition 2003
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works
    Mozilla Firefox (3.5.6)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Multimedia Keyboard Driver
    Napster
    Napster Burn Engine
    NVIDIA Drivers
    PowerDVD
    QuickTime
    RealPlayer Basic
    Realtek High Definition Audio Driver
    Recovery Software Suite eMachines
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    SoftV92 Data Fax Modem with SmartCP
    SpywareBlaster 4.2
    SpywareGuard v2.2
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    WebFldrs XP
    Windows Backup Utility
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3

    ==== End Of File ===========================
     
    Last edited: 2009/12/18


  4. 2009/12/18 broni (Moderator, Malware Analyst)
    Please download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  5. 2009/12/18 KRE09 (Thread Starter)
    Had to run ComboFix three times. The first time my computer shut down out of the blue. The second time it worked, found and removed a few things, but a log was not made. The third time worked and the log is below. All three times ComboFix said McAfee VirusScan was running, but I had it turned off in the control center. Windows Task Manager didn't show it as running either. This is my first time using HijackThis, hope this is right.


    ComboFix 09-12-18.02 - Owner 12/18/2009 23:11:23.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.115 [GMT -8:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\KittyFix.exe
    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\windows\COUPON~1.OCX
    c:\windows\CouponPrinter.ocx
    c:\windows\system32\18467.exe
    c:\windows\system32\BSTIEPrintCtl1.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
    .

    2009-12-19 06:08 . 2009-12-19 06:08 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
    2009-12-18 17:55 . 2009-12-18 17:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
    2009-12-17 21:21 . 2009-12-17 21:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2009-12-17 20:49 . 2009-12-17 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2009-12-17 20:41 . 2009-11-05 00:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-12-17 20:41 . 2009-11-05 00:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-12-17 20:41 . 2009-11-05 00:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-12-17 20:41 . 2009-07-16 20:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-12-17 20:40 . 2009-12-17 20:41 -------- d-----w- c:\program files\Common Files\McAfee
    2009-12-17 20:40 . 2009-12-17 20:40 -------- d-----w- c:\program files\McAfee.com
    2009-12-17 20:31 . 2009-11-05 00:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-12-17 20:23 . 2009-12-19 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-12-17 02:17 . 2009-12-17 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-17 02:16 . 2009-12-17 20:58 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2009-12-17 02:16 . 2009-12-17 20:58 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-12-17 02:11 . 2009-12-17 20:42 -------- d-----w- c:\program files\SpywareGuard
    2009-12-17 01:53 . 2009-12-19 05:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-12-17 01:52 . 2009-12-17 01:52 -------- d-----w- c:\program files\SpywareBlaster
    2009-12-17 00:57 . 2009-12-17 00:57 -------- d-----w- c:\program files\Enigma Software Group
    2009-12-15 23:36 . 2009-12-15 23:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-12-15 23:36 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-15 23:36 . 2009-12-15 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-15 23:36 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-15 23:36 . 2009-12-17 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-04 02:21 . 2009-12-04 02:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
    2009-12-02 23:30 . 2009-12-02 23:30 -------- d-----w- c:\windows\Cache
    2009-12-02 23:30 . 2009-12-02 23:30 -------- d-----w- c:\program files\Coupons
    2009-11-29 19:32 . 2009-11-29 19:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-11-22 19:19 . 2009-11-22 19:19 -------- d-----w- c:\windows\Sun
    2009-11-21 17:59 . 2009-11-21 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-19 06:07 . 2009-11-01 23:48 -------- d-----w- c:\program files\McAfee
    2009-12-18 18:00 . 2009-11-01 23:26 -------- d-----w- c:\program files\Ahead
    2009-12-17 08:38 . 2007-11-29 16:43 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
    2009-12-17 08:38 . 2007-11-29 16:43 96512 ------w- c:\windows\system32\drivers\atapi.sys
    2009-12-17 00:09 . 2009-11-01 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
    2009-12-17 00:08 . 2009-11-07 07:32 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
    2009-11-29 18:42 . 2009-11-02 02:59 33120 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-21 17:59 . 2009-11-21 17:59 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.20.2.dll
    2009-11-17 23:30 . 2009-11-17 23:30 -------- d-----w- c:\documents and settings\Owner\Application Data\CyberLink
    2009-11-17 23:27 . 2009-11-17 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-11-15 11:10 . 2009-11-15 11:10 -------- d-----w- c:\program files\MSBuild
    2009-11-15 11:09 . 2009-11-15 11:09 -------- d-----w- c:\program files\Reference Assemblies
    2009-11-11 02:21 . 2009-11-11 00:15 -------- d-----w- c:\program files\Canon
    2009-11-11 00:17 . 2009-11-11 00:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
    2009-11-10 23:36 . 2009-11-01 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
    2009-11-10 23:28 . 2004-08-26 18:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-11-10 23:07 . 2009-11-10 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2009-11-10 23:03 . 2009-11-10 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
    2009-11-08 12:55 . 2009-11-08 12:55 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2009-11-06 02:48 . 2009-11-06 02:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
    2009-11-05 02:23 . 2009-11-05 02:23 1961720 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-11-05 00:54 . 2009-11-05 00:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-11-04 13:17 . 2009-11-02 02:30 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee.com Personal Firewall
    2009-11-02 21:47 . 2009-11-02 21:48 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-02 21:47 . 2009-11-01 23:35 -------- d-----w- c:\program files\Java
    2009-11-02 21:47 . 2009-11-02 21:47 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
    2009-11-02 21:43 . 2009-11-01 23:31 -------- d-----w- c:\program files\Google
    2009-11-02 02:31 . 2009-11-02 02:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
    2009-11-02 02:27 . 2009-11-01 23:42 -------- d-----w- c:\program files\Pure Networks
    2009-11-02 01:38 . 2009-11-02 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-11-02 01:19 . 2009-11-02 01:19 -------- d-----w- c:\program files\MSXML 4.0
    2009-11-02 00:53 . 2009-11-02 00:52 -------- d-----w- c:\program files\GIMP-2.0
    2009-11-02 00:18 . 2009-11-02 00:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
    2009-11-01 23:57 . 2004-08-26 18:04 -------- d-----w- c:\program files\microsoft frontpage
    2009-11-01 23:44 . 2009-11-02 00:18 49152 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
    2009-11-01 23:44 . 2009-11-02 00:18 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
    2009-11-01 23:44 . 2009-11-02 00:18 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
    2009-11-01 23:44 . 2009-11-02 00:18 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
    2009-11-01 23:44 . 2009-11-01 23:44 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
    2009-11-01 23:44 . 2009-11-01 23:44 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
    2009-11-01 23:44 . 2009-11-01 23:44 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
    2009-11-01 23:44 . 2009-11-01 23:44 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
    2009-11-01 23:43 . 2009-11-02 00:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
    2009-11-01 23:43 . 2009-11-01 23:43 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
    2009-11-01 23:43 . 2009-11-01 23:43 -------- d-----w- c:\program files\Common Files\Nullsoft
    2009-11-01 23:43 . 2009-11-01 23:42 -------- d-----w- c:\program files\QuickTime
    2009-11-01 23:42 . 2009-11-01 23:42 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\program files\Common Files\Real
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\program files\Real
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\program files\Viewpoint
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
    2009-11-01 23:41 . 2009-11-01 23:41 335 ----a-w- c:\windows\nsreg.dat
    2009-11-01 23:41 . 2009-11-01 23:41 -------- d-----w- c:\program files\Microsoft Money 2005
    2009-11-01 23:40 . 2009-11-01 23:40 -------- d-----w- c:\program files\MSN Encarta Plus
    2009-11-01 23:40 . 2009-11-01 23:40 -------- d-----w- c:\program files\Common Files\Adobe
    2009-11-01 23:39 . 2009-11-01 23:39 -------- d-----w- c:\program files\Realtek
    2009-11-01 23:39 . 2009-11-01 23:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-01 23:38 . 2009-11-01 23:37 -------- d-----w- c:\program files\Napster
    2009-11-01 23:38 . 2009-11-01 23:38 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2009-11-01 23:38 . 2009-11-01 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
    2009-11-01 23:37 . 2009-11-01 23:36 -------- d-----w- c:\program files\Microsoft Digital Image 2006
    2009-11-01 23:36 . 2009-11-01 23:36 4 ----a-w- c:\windows\Pix11.dat
    2009-11-01 23:35 . 2009-11-01 23:35 -------- d-----w- c:\program files\Common Files\Java
    2009-11-01 23:35 . 2009-11-01 23:35 -------- d-----w- c:\program files\CyberLink
    2009-11-01 23:35 . 2009-11-01 23:26 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-11-01 23:32 . 2009-11-01 23:32 -------- d-----w- c:\program files\Microsoft ActiveSync
    2009-11-01 23:31 . 2009-11-01 23:31 -------- d-----w- c:\program files\Microsoft.NET
    2009-11-01 23:30 . 2009-11-01 23:30 -------- d-----w- c:\program files\Digital Media Reader
    2009-11-01 23:30 . 2009-11-01 23:29 -------- d-----w- c:\program files\Microsoft Works
    2009-11-01 23:22 . 2009-11-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Prism Deploy
    2009-11-01 23:22 . 2009-11-01 23:22 -------- d-----w- c:\program files\Common Files\New Boundary
    2009-11-01 23:18 . 2009-11-01 23:18 -------- d-----w- c:\program files\CONEXANT
    2009-10-29 07:45 . 2007-11-29 16:46 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2007-11-29 16:46 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2007-11-29 16:44 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2007-11-29 16:44 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:30 . 2007-11-29 16:46 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2007-11-29 16:46 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2007-11-29 16:46 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-09-25 05:48 . 2009-09-25 05:48 81920 ------w- c:\windows\system32\ieencode.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01e9bc75-8b09-4101-9368-15b50ab093db}]
    mizojuna.dll [BU]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-02 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM "= "c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "RemoteControl "= "c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
    "nwiz "= "nwiz.exe" [2005-09-18 1519616]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
    "CHotkey "= "zHotkey.exe" [2004-12-09 550912]
    "High Definition Audio Property Page Shortcut "= "HDAShCut.exe" [2005-01-08 61952]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder "= "c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "RTHDCPL "= "RTHDCPL.EXE" [2005-09-14 14820864]
    "Google Quick Search Box "= "c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-02 122880]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-11-02 149280]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-11-01 98304]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
    "McAfee Backup "= "c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{9143b163-d5c6-483c-bde2-7c777e5240f5} "= "c:\windows\system32\popavifu.dll" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "nonokivav "= {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll [BU]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/17/2009 12:48 PM 203280]
    .
    ------- Supplementary Scan -------
    .
    uStart Page =
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sd3cnal8.default\
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-18 23:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1800)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\program files\Google\Quick Search Box\bin\1.2.1150.162\qsb.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2009-12-18 23:35:27
    ComboFix-quarantined-files.txt 2009-12-19 07:35

    Pre-Run: 123,731,349,504 bytes free
    Post-Run: 123,539,148,800 bytes free

    - - End Of File - - E3B8B0471552005D8F58D5E9B49A78E2
     
    Last edited: 2009/12/18
  6. 2009/12/18
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    HijackThis log

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 11:40:19 PM, on 12/18/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {01e9bc75-8b09-4101-9368-15b50ab093db} - mizojuna.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe "
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O21 - SSODL: nonokivav - {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: jugezatag - {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll (file missing)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 8035 bytes
     
  7. 2009/12/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Upload the following file to http://www.virustotal.com/ for a security check:
    - c:\windows\Pix11.dat
    Post scan results.


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\popavifu.dll
    
    
    Folder::
    
    Driver::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01e9bc75-8b09-4101-9368-15b50ab093db}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
     "{9143b163-d5c6-483c-bde2-7c777e5240f5} "=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
     "nonokivav "=-
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
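The entries the script above removes are the classic pattern of this thread: an O2 BHO with no name and a randomly named DLL marked "(file missing)", and one CLSID registered in both the SSODL (O21) and SharedTaskScheduler (O22) load points pointing at the same missing DLL, together with a ComboFix registry dump in which Security Center alerting is overridden and the standard-profile firewall is off. The following is an added triage helper, not part of this thread and not code from HijackThis, ComboFix or McAfee; the sample log lines are constructed, modelled on the logs posted above, and the function names are my own. It flags orphaned loaders, nameless BHOs, SSODL entries, and CLSIDs that appear in more than one load point, and separately reads a ComboFix-style registry fragment for Security Center and firewall overrides.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {01e9bc75-8b09-4101-9368-15b50ab093db} - mizojuna.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O21 - SSODL: nonokivav - {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: jugezatag - {9143b163-d5c6-483c-bde2-7c777e5240f5} - c:\windows\system32\popavifu.dll (file missing)
"""

# Constructed sample, modelled on the "Reg Loading Points" part of the ComboFix log.
# Forum pastes often put a stray space before the closing quote; the parser tolerates it.
SAMPLE_CF_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring "=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

@dataclass
class Finding:
    severity: str   # "high": almost always malicious; "review": needs context
    line: str
    reason: str

HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
REG_VALUE = re.compile(r'^"([^"]+?)\s*"\s*=\s*(.+)$')
OVERRIDE_VALUES = {"antivirusoverride", "firewalloverride",
                   "antivirusdisablenotify", "firewalldisablenotify"}

def triage_hjt(log_text):
    """Flag suspicious autostart entries in a HijackThis-style log."""
    findings, by_clsid = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if "(file missing)" in body:
            findings.append(Finding("high", line,
                "load point refers to a file that no longer exists (orphaned loader)"))
        if section == "O2" and "(no name)" in body:
            findings.append(Finding("high", line, "BHO registered without a name"))
        if section == "O21":
            findings.append(Finding("review", line,
                "ShellServiceObjectDelayLoad entry: rarely used by legitimate software"))
        c = CLSID.search(body)
        if c:
            by_clsid.setdefault(c.group(0).lower(), []).append(line)
    # One CLSID wired into several load points is a redundancy trick, not normal packaging.
    for clsid, lines in by_clsid.items():
        sections = sorted({HJT_LINE.match(l).group(1) for l in lines})
        if len(sections) > 1:
            findings.append(Finding("review", clsid,
                f"same CLSID registered in {len(sections)} load points ({', '.join(sections)})"))
    return findings

def triage_security_center(reg_text):
    """Flag Security Center and firewall overrides in a ComboFix-style registry dump."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line.strip("[]").lower()
            continue
        m = REG_VALUE.match(line)
        if not m or key is None:
            continue
        name, value = m.group(1).lower(), m.group(2)
        digits = re.search(r"[0-9a-fA-F]+", value.replace("dword:", ""))
        num = int(digits.group(0), 16) if digits else None
        if "security center" in key and name in OVERRIDE_VALUES and num == 1:
            findings.append(Finding("review", line,
                "Security Center alerting suppressed; set by third-party suites, but also by malware"))
        elif r"security center\monitoring" in key and name == "disablemonitoring" and num == 1:
            findings.append(Finding("review", line, "Security Center monitoring of this product disabled"))
        elif key.endswith(r"firewallpolicy\standardprofile") and name == "enablefirewall" and num == 0:
            findings.append(Finding("review", line,
                "Windows Firewall standard profile off; expected only if another firewall is active"))
    return findings

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG) + triage_security_center(SAMPLE_CF_REG):
        print(f"[{f.severity}] {f.reason}\n        {f.line}")
```

The "review" severity is deliberate for the Security Center and firewall values: the ComboFix log in this thread shows them alongside an installed McAfee suite, which legitimately takes over those settings, so they are context for the analyst rather than a verdict on their own.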
     
  8. 2009/12/20
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    VirusTotal log

    File Pix11.dat received on 2009.12.20 17:33:36 (UTC)

    Result: 0/41 (0%)

    Antivirus;Version;Last Update;Result
    a-squared;4.5.0.43;2009.12.20;-
    AhnLab-V3;5.0.0.2;2009.12.19;-
    AntiVir;7.9.1.114;2009.12.18;-
    Antiy-AVL;2.0.3.7;2009.12.18;-
    Authentium;5.2.0.5;2009.12.02;-
    Avast;4.8.1351.0;2009.12.20;-
    AVG;8.5.0.427;2009.12.20;-
    BitDefender;7.2;2009.12.20;-
    CAT-QuickHeal;10.00;2009.12.19;-
    ClamAV;0.94.1;2009.12.20;-
    Comodo;3310;2009.12.20;-
    DrWeb;5.0.0.12182;2009.12.20;-
    eSafe;7.0.17.0;2009.12.20;-
    eTrust-Vet;35.1.7185;2009.12.19;-
    F-Prot;4.5.1.85;2009.12.20;-
    F-Secure;9.0.15370.0;2009.12.20;-
    Fortinet;4.0.14.0;2009.12.20;-
    GData;19;2009.12.20;-
    Ikarus;T3.1.1.79.0;2009.12.20;-
    Jiangmin;13.0.900;2009.12.20;-
    K7AntiVirus;7.10.923;2009.12.17;-
    Kaspersky;7.0.0.125;2009.12.20;-
    McAfee;5838;2009.12.20;-
    McAfee+Artemis;5838;2009.12.20;-
    McAfee-GW-Edition;6.8.5;2009.12.20;-
    Microsoft;1.5302;2009.12.20;-
    NOD32;4703;2009.12.20;-
    Norman;6.04.03;2009.12.20;-
    nProtect;2009.1.8.0;2009.12.18;-
    Panda;10.0.2.2;2009.12.15;-
    PCTools;7.0.3.5;2009.12.20;-
    Prevx;3.0;2009.12.20;-
    Rising;22.26.06.04;2009.12.20;-
    Sophos;4.49.0;2009.12.20;-
    Sunbelt;3.2.1858.2;2009.12.20;-
    Symantec;1.4.4.12;2009.12.20;-
    TheHacker;6.5.0.3.100;2009.12.20;-
    TrendMicro;9.100.0.1001;2009.12.20;-
    VBA32;3.12.12.0;2009.12.19;-
    ViRobot;2009.12.18.2097;2009.12.18;-
    VirusBuster;5.0.21.0;2009.12.20;-

    Additional information
    File size: 4 bytes
    MD5...: 66832a1548dba116d9950132dcec1cab
    SHA1..: 60e0f91eea8a8a73cd94a37fc1894417e139093b
    SHA256: 9f5b7fba936a0c9e3bae88ca1a5dc3553eb44d6de3de6e34e93cea89bfb37c2c
    ssdeep: 3:jn:jn
    PEiD..: -
    PEInfo: -
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Unknown!
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
     
    Last edited: 2009/12/20
  9. 2009/12/20
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    Followed instructions, computer did not reboot. I have had no redirection or pop-ups since post #4. Thank you so much for helping me. :)
     
  10. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good, but we're not done here, yet :)

    I need the ComboFix log from after running my script, along with a fresh HJT log.
     
  11. 2009/12/20
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    ComboFix 09-12-18.02 - Owner 12/20/2009 11:58:46.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.171 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\KittyFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\windows\system32\popavifu.dll "
    .

    ((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
    .

    2009-12-19 07:39 . 2009-12-19 07:39 -------- d-----w- c:\program files\TrendMicro
    2009-12-19 07:08 . 2009-12-19 07:35 -------- d-----w- C:\KittyFix
    2009-12-19 06:08 . 2009-12-19 06:08 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
    2009-12-18 17:55 . 2009-12-18 17:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
    2009-12-17 21:21 . 2009-12-17 21:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2009-12-17 20:49 . 2009-12-17 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2009-12-17 20:41 . 2009-11-05 00:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-12-17 20:41 . 2009-11-05 00:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-12-17 20:41 . 2009-11-05 00:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-12-17 20:41 . 2009-07-16 20:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-12-17 20:40 . 2009-12-17 20:41 -------- d-----w- c:\program files\Common Files\McAfee
    2009-12-17 20:40 . 2009-12-17 20:40 -------- d-----w- c:\program files\McAfee.com
    2009-12-17 20:31 . 2009-11-05 00:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-12-17 20:23 . 2009-12-19 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-12-17 02:17 . 2009-12-17 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-17 02:16 . 2009-12-17 20:58 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2009-12-17 02:16 . 2009-12-17 20:58 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-12-17 02:11 . 2009-12-17 20:42 -------- d-----w- c:\program files\SpywareGuard
    2009-12-17 01:53 . 2009-12-19 08:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-12-17 01:52 . 2009-12-17 01:52 -------- d-----w- c:\program files\SpywareBlaster
    2009-12-17 00:57 . 2009-12-17 00:57 -------- d-----w- c:\program files\Enigma Software Group
    2009-12-15 23:36 . 2009-12-15 23:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-12-15 23:36 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-15 23:36 . 2009-12-15 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-15 23:36 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-15 23:36 . 2009-12-17 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-04 02:21 . 2009-12-04 02:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
    2009-12-02 23:30 . 2009-12-02 23:30 -------- d-----w- c:\windows\Cache
    2009-12-02 23:30 . 2009-12-02 23:30 -------- d-----w- c:\program files\Coupons
    2009-11-29 19:32 . 2009-11-29 19:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-11-22 19:19 . 2009-11-22 19:19 -------- d-----w- c:\windows\Sun
    2009-11-21 17:59 . 2009-11-21 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-19 07:39 . 2009-12-19 07:39 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2009-12-19 06:07 . 2009-11-01 23:48 -------- d-----w- c:\program files\McAfee
    2009-12-18 18:00 . 2009-11-01 23:26 -------- d-----w- c:\program files\Ahead
    2009-12-17 08:38 . 2007-11-29 16:43 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
    2009-12-17 08:38 . 2007-11-29 16:43 96512 ------w- c:\windows\system32\drivers\atapi.sys
    2009-12-17 00:09 . 2009-11-01 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
    2009-12-17 00:08 . 2009-11-07 07:32 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
    2009-11-29 18:42 . 2009-11-02 02:59 33120 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-21 17:59 . 2009-11-21 17:59 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.20.2.dll
    2009-11-17 23:30 . 2009-11-17 23:30 -------- d-----w- c:\documents and settings\Owner\Application Data\CyberLink
    2009-11-17 23:27 . 2009-11-17 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-11-15 11:10 . 2009-11-15 11:10 -------- d-----w- c:\program files\MSBuild
    2009-11-15 11:09 . 2009-11-15 11:09 -------- d-----w- c:\program files\Reference Assemblies
    2009-11-11 02:21 . 2009-11-11 00:15 -------- d-----w- c:\program files\Canon
    2009-11-11 00:17 . 2009-11-11 00:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
    2009-11-10 23:36 . 2009-11-01 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
    2009-11-10 23:28 . 2004-08-26 18:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-11-10 23:07 . 2009-11-10 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2009-11-10 23:03 . 2009-11-10 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
    2009-11-08 12:55 . 2009-11-08 12:55 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2009-11-06 02:48 . 2009-11-06 02:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
    2009-11-05 02:23 . 2009-11-05 02:23 1961720 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-11-05 00:54 . 2009-11-05 00:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-11-04 13:17 . 2009-11-02 02:30 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee.com Personal Firewall
    2009-11-02 21:47 . 2009-11-02 21:48 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-02 21:47 . 2009-11-01 23:35 -------- d-----w- c:\program files\Java
    2009-11-02 21:47 . 2009-11-02 21:47 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
    2009-11-02 21:43 . 2009-11-01 23:31 -------- d-----w- c:\program files\Google
    2009-11-02 02:31 . 2009-11-02 02:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
    2009-11-02 02:27 . 2009-11-01 23:42 -------- d-----w- c:\program files\Pure Networks
    2009-11-02 01:38 . 2009-11-02 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-11-02 01:19 . 2009-11-02 01:19 -------- d-----w- c:\program files\MSXML 4.0
    2009-11-02 00:53 . 2009-11-02 00:52 -------- d-----w- c:\program files\GIMP-2.0
    2009-11-02 00:18 . 2009-11-02 00:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
    2009-11-01 23:57 . 2004-08-26 18:04 -------- d-----w- c:\program files\microsoft frontpage
    2009-11-01 23:44 . 2009-11-02 00:18 49152 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
    2009-11-01 23:44 . 2009-11-02 00:18 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
    2009-11-01 23:44 . 2009-11-02 00:18 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
    2009-11-01 23:44 . 2009-11-02 00:18 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
    2009-11-01 23:44 . 2009-11-01 23:44 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
    2009-11-01 23:44 . 2009-11-01 23:44 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
    2009-11-01 23:44 . 2009-11-01 23:44 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
    2009-11-01 23:44 . 2009-11-01 23:44 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
    2009-11-01 23:43 . 2009-11-02 00:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
    2009-11-01 23:43 . 2009-11-01 23:43 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
    2009-11-01 23:43 . 2009-11-01 23:43 -------- d-----w- c:\program files\Common Files\Nullsoft
    2009-11-01 23:43 . 2009-11-01 23:42 -------- d-----w- c:\program files\QuickTime
    2009-11-01 23:42 . 2009-11-01 23:42 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\program files\Common Files\Real
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\program files\Real
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\program files\Viewpoint
    2009-11-01 23:42 . 2009-11-01 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
    2009-11-01 23:41 . 2009-11-01 23:41 335 ----a-w- c:\windows\nsreg.dat
    2009-11-01 23:41 . 2009-11-01 23:41 -------- d-----w- c:\program files\Microsoft Money 2005
    2009-11-01 23:40 . 2009-11-01 23:40 -------- d-----w- c:\program files\MSN Encarta Plus
    2009-11-01 23:40 . 2009-11-01 23:40 -------- d-----w- c:\program files\Common Files\Adobe
    2009-11-01 23:39 . 2009-11-01 23:39 -------- d-----w- c:\program files\Realtek
    2009-11-01 23:39 . 2009-11-01 23:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-01 23:38 . 2009-11-01 23:37 -------- d-----w- c:\program files\Napster
    2009-11-01 23:38 . 2009-11-01 23:38 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2009-11-01 23:38 . 2009-11-01 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
    2009-11-01 23:37 . 2009-11-01 23:36 -------- d-----w- c:\program files\Microsoft Digital Image 2006
    2009-11-01 23:36 . 2009-11-01 23:36 4 ----a-w- c:\windows\Pix11.dat
    2009-11-01 23:35 . 2009-11-01 23:35 -------- d-----w- c:\program files\Common Files\Java
    2009-11-01 23:35 . 2009-11-01 23:35 -------- d-----w- c:\program files\CyberLink
    2009-11-01 23:35 . 2009-11-01 23:26 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-11-01 23:32 . 2009-11-01 23:32 -------- d-----w- c:\program files\Microsoft ActiveSync
    2009-11-01 23:31 . 2009-11-01 23:31 -------- d-----w- c:\program files\Microsoft.NET
    2009-11-01 23:30 . 2009-11-01 23:30 -------- d-----w- c:\program files\Digital Media Reader
    2009-11-01 23:30 . 2009-11-01 23:29 -------- d-----w- c:\program files\Microsoft Works
    2009-11-01 23:22 . 2009-11-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Prism Deploy
    2009-11-01 23:22 . 2009-11-01 23:22 -------- d-----w- c:\program files\Common Files\New Boundary
    2009-11-01 23:18 . 2009-11-01 23:18 -------- d-----w- c:\program files\CONEXANT
    2009-10-29 07:45 . 2007-11-29 16:46 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2007-11-29 16:46 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2007-11-29 16:44 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2007-11-29 16:44 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:30 . 2007-11-29 16:46 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2007-11-29 16:46 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2007-11-29 16:46 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-09-25 05:48 . 2009-09-25 05:48 81920 ------w- c:\windows\system32\ieencode.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-12-19_06.39.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-26 18:07 . 2009-12-20 15:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2004-08-26 18:07 . 2009-12-19 06:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-12-19 11:11 . 2009-12-20 15:59 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-12-19 07:39 . 2009-12-19 07:39 1093632 c:\windows\Installer\2c3484.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-02 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
    "nwiz"="nwiz.exe" [2005-09-18 1519616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
    "CHotkey"="zHotkey.exe" [2004-12-09 550912]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
    "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-02 122880]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-02 149280]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-01 98304]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
    "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/17/2009 12:48 PM 203280]
    .
    ------- Supplementary Scan -------
    .
    uStart Page =
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sd3cnal8.default\
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-20 12:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2684)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\program files\Google\Quick Search Box\bin\1.2.1150.162\qsb.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2009-12-20 12:13:10
    ComboFix-quarantined-files.txt 2009-12-20 20:13
    ComboFix2.txt 2009-12-19 07:35

    Pre-Run: 123,526,299,648 bytes free
    Post-Run: 123,484,807,168 bytes free

    - - End Of File - - 3FFF2BFF3B3BCC35E55DEFBE4B460247
     
  12. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go to Start > Run [Vista users, go to Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Restart computer.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  13. 2009/12/20
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    HijackThis log #2

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 4:52:07 PM, on 12/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7779 bytes
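As an added example (not code from this thread, from HijackThis or from any of the tools named here), a small triage script over the log format above: it reads O4, O23 and O2/O3 lines like the ones just posted and flags bare file names, services with no vendor field, and executables outside Program Files or the Windows directory. Its sample input is constructed from lines in the log above plus one made-up HKCU entry pointing into a Temp folder to exercise the location check.

```python
"""Triage helper for HijackThis-style log lines (added example for this thread,
not a HijackThis feature): groups O4 autoruns, O23 services and O2/O3 browser
extensions from a pasted log and flags the entries a reviewer would look at first."""
import re
from collections import defaultdict

# Constructed input: lines copied from the HijackThis log above, plus one made-up
# HKCU entry pointing into a Temp folder to exercise the location check.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXT_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# Where vendor software is expected on this XP box; %WINDIR% is expanded to the default.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def executable_of(cmd):
    """Return the program (or RUNDLL32-loaded DLL) named by an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take what is inside the quotes
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if tokens and tokens[0].upper() == "RUNDLL32.EXE" and len(tokens) > 1:
        return tokens[1].split(",")[0]           # the DLL, without its entry point
    m = re.match(r"(.*?\.(?:exe|dll|sys|scr|bat|cmd))", cmd, re.IGNORECASE)
    return m.group(1) if m else (tokens[0] if tokens else "")


def is_bare_name(path):
    """True when the entry names only a file, so Windows resolves it via PATH."""
    return "\\" not in path and "/" not in path


def outside_trusted(path):
    """True for a full path that is not under Program Files or the Windows directory."""
    p = path.lower().replace("%windir%", "c:\\windows")
    return not is_bare_name(path) and not p.startswith(TRUSTED_DIRS)


def triage(log_text):
    """Return {log line: [reasons]} for the entries that deserve a closer look."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body, path = m.group("kind"), m.group("body"), None
        if kind == "O4" and (o4 := O4_RE.match(body)):
            path = executable_of(o4.group("cmd"))
            if is_bare_name(path):
                findings[line].append("bare file name: locate the file on disk and verify it")
        elif kind == "O23" and (svc := O23_RE.match(body)):
            path = svc.group("path")
            if svc.group("owner").lower() == "unknown owner":
                findings[line].append("service carries no vendor information")
        elif kind in ("O2", "O3") and (ext := EXT_RE.match(body)):
            path = ext.group("path")
        if path and outside_trusted(path):
            findings[line].append("executable outside Program Files / Windows")
    return dict(findings)
```

A flag means "check this entry by hand" (file location, publisher, hash), not "this is malware": the SiteAdvisor service above is a legitimate McAfee component that simply ships without a vendor string in this log.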
     
  14. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    ...and Dr.Web?
     
  15. 2009/12/20
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    Doing that now. HijackThis log #2 is what I got after following the instructions in post #6.
     
  16. 2009/12/20
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    Dr.Web does not seem to be working. I click Run and nothing happens. Do I need to turn off McAfee first?
     
  17. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download and install AVP Tool.
    After installation, leave all settings as they are, and simply click on the Scan button.
    When the scan is done, if any objects are found, click on the Neutralize all button.
    Next, click the Reports... button, then Save to file....
    Save the file to a known location as report.txt.
    Open report.txt in Notepad, copy all content, and post it in your next reply.

    Post fresh HijackThis log as well.
     
  18. 2009/12/20
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    Installing AVP, but now I can't remove Dr.Web from my desktop.

    Edit: Removed Dr.Web; it tried to start upon computer restart.
     
    Last edited: 2009/12/20
  19. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'll worry about it later.
    What exactly happens, when you try to delete it?
    Make sure Dr.Web process is not running.
     
  20. 2009/12/20
    KRE09

    KRE09 Inactive Thread Starter

    Joined:
    2009/10/30
    Messages:
    22
    Likes Received:
    0
    It said "Access denied. Make sure the disk is not full or write protected and that it's not running." Dr.Web was trying to run but not doing so.

    Removed Dr.Web; it tried to start upon computer restart but stopped.

    The AVP scan did not say whether it found anything or whether anything was deleted. This is all it says when I clicked Report.

    Autoscan: completed 29 minutes ago (events: 2, objects: 3231, time: 00:07:01)

    Save to file was not an option anywhere, not even when I right clicked.
     
  21. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. Let me review your final HJT log...
     