
Solved Google redirect/can't update virus signature

Discussion in 'Malware and Virus Removal Archive' started by jjabo7, 2009/04/14.

Thread Status:
Not open for further replies.
  1. 2009/04/14
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    [Resolved] Google redirect/can't update virus signature

    Hello,

    I am getting redirected to other sites when using Google. If I hit the back button I can usually get to the intended site. Also, my McAfee icon is missing in the system tray and I have not been able to update for more than a week, and when I try to go to mcafee.com I get nothing but "waiting for reply". I have run Malwarebytes, SUPERAntiSpyware, and ParetoLogic's Anti-Virus PLUS, with each finding something but none clearing up my problem.

    I have downloaded DDS but it does nothing when I try to run it, so I have nothing to post but will wait for your advice. Thank you.
     
  2. 2009/04/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome

    I'm going to go out on a limb here by not knowing which OP system you have.

    This because I am not trained/familiar with Vista.


    We can try this.


    Please download RegQuery by Noviciate to your desktop
    • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
      • [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    • Double click RegQuery.exe to run the program
    • Paste the text you have copied using CTRL and V, into the textbox
    • Click the Query button
    • A Notepad file will open. Please paste the contents in your next reply
    • You may now close the RegQuery program




    Also, I would like to see the first log when you ran MBAM

    Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.



    In your next reply post:
    RegQuery log
    MBAM log
     

  4. 2009/04/16
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet, thanks for your help, here are the logs you requested.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
    "msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.ctmp3"="C:\\WINDOWS\\System32\\ctmp3.acm"
    "MSVideo8"="VfWWDM32.dll"
    "vidc.XVID"="xvidvfw.dll"
    "msacm.lameacm"="lameACM.acm"
    "vidc.3iv2"="3ivxVfWCodec.dll"
    "VIDC.HFYU"="huffyuv.dll"
    "VIDC.wmv3"="wmv9vcm.dll"
    "VIDC.VP60"="vp6vfw.dll"
    "VIDC.VP61"="vp6vfw.dll"
    "VIDC.VP62"="vp6vfw.dll"
    "VIDC.VP31"="vp31vfw.dll"
    "vidc.MPG4"="Mpg4c32.dll"
    "vidc.MP42"="Mpg4c32.dll"
    "vidc.MP43"="Mpg4c32.dll"
    "msacm.ac3acm"="ac3acm.acm"
    "wave1"="wdmaud.drv"
    "midi1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "VIDC.YVU9"="tsbyuv.dll"
    "msacm.dvacm"="C:\\PROGRA~1\\COMMON~1\\ULEADS~1\\Vio\\Dvacm.acm"
    "msacm.MPEGacm"="C:\\PROGRA~1\\COMMON~1\\ULEADS~1\\MPEG\\MPEGacm.acm"
    "msacm.ulmp3acm"="C:\\PROGRA~1\\COMMON~1\\ULEADS~1\\MPEG\\ulmp3acm.acm"
    "VIDC.MJPX"="PICVideo MJPEG Codec"
    "vidc.DIVX"="DivX.dll"
    "vidc.yv12"="DivX.dll"
    "wave2"="wdmaud.drv"
    "mixer2"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "wave4"="wdmaud.drv"
    "mixer4"="wdmaud.drv"
    "wave5"="wdmaud.drv"
    "mixer5"="wdmaud.drv"
    "wave6"="wdmaud.drv"
    "mixer6"="wdmaud.drv"
    "wave7"="wdmaud.drv"
    "mixer7"="wdmaud.drv"
    "wave8"="wdmaud.drv"
    "mixer8"="wdmaud.drv"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "aux"="C:\\WINDOWS\\system32\\..\\uga.fhr"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"




    Malwarebytes' Anti-Malware 1.36
    Database version: 1945
    Windows 5.1.2600 Service Pack 3

    4/11/2009 6:07:05 PM
    mbam-log-2009-04-11 (18-07-05).txt

    Scan type: Full Scan (C:\|F:\|H:\|L:\|M:\|)
    Objects scanned: 345251
    Time elapsed: 3 hour(s), 30 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{386a771c-e96a-421f-8ba7-32f1b706892f} (Adware.ISTBar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Again thank you for helping.
     
  5. 2009/04/16
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,
    I noticed that while running RegQuery, Windows had updated and is requesting a restart. I selected "Restart Now" and an "End Program" box pops up for C:\WINDOWS\system32\Reg.exe. Should I select "End Now" and allow the restart, or cancel the restart?
     
  6. 2009/04/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I'm afraid if we allow it to restart right now it will mess up what we need to do next.

    If you can hold off for right now I think it best.


    NEXT**
    I want you to download this next tool to your desktop.

    Download Trend Micro HijackThis™ and save to desktop.
    It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.
    Doubleclick the HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

    It will look like this [​IMG]

    Accept the license agreement by clicking the "I Accept" button.


    Open HijackThis. Click on Open the Misc Tools Section.

    * On the screen, click on "Delete a file on reboot...".
    * Copy/paste the following path into the dialog box that popped up, and click 'Open':

    C:\WINDOWS\uga.fhr

    * HJT will ask you if you want to reboot now. Click "NO".




    NEXT**
    Next, launch Notepad (Start > Run, type in: notepad), then copy and paste just the text in blue below into it (don't forget to copy and paste REGEDIT4)

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux"=-


    Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: [​IMG]
    Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

    Now it is important to reboot your computer.


    In your next reply post:
    new DDS log
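
An added illustration, not part of the original thread and not how RegQuery or HijackThis work internally: the Python below reads a Drivers32 export like the RegQuery log above and flags string values whose data contains a `..` path component or an extension outside an assumed set, then resolves the path. The sample input is constructed from a few lines of that log; the function names and the extension list are assumptions made for this example.

```python
import ntpath
import re

# Constructed sample in .reg export format, modelled on (and shortened from)
# the Drivers32 log posted earlier in this thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"VIDC.MJPX"="PICVideo MJPEG Codec"
"aux"="C:\\WINDOWS\\system32\\..\\uga.fhr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''

# Assumption: the extensions carried by the ordinary codec and driver
# entries in that log. Anything else is only "worth a look", not a verdict.
EXPECTED_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with backslash escapes; dword and hex values do not match.
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # .reg escaping: a backslash followed by any character means that character.
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text):
    """Return (key, name, data) for every string value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = KEY_RE.match(line)
        if match:
            key = match.group(1)
            continue
        match = STRING_VALUE_RE.match(line)
        if match and key is not None:
            entries.append((key, _unescape(match.group(1)),
                            _unescape(match.group(2))))
    return entries


def audit_drivers32(text):
    """Flag Drivers32 string values that deserve manual review."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if "\\drivers32" not in key.lower():
            continue
        reasons = []
        # A ".." component hides the real location of the file on disk.
        if ".." in re.split(r"[\\/]", data):
            reasons.append("path-traversal")
        # Entries without any extension (friendly names) are left alone.
        ext = ntpath.splitext(data)[1].lower()
        if ext and ext not in EXPECTED_EXTENSIONS:
            reasons.append("unexpected-extension")
        if reasons:
            findings.append({
                "key": key,
                "name": name,
                "data": data,
                # ntpath resolves Windows paths on any platform.
                "resolved": ntpath.normpath(data),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_drivers32(SAMPLE_EXPORT):
        print("{name}: {data} -> {resolved} ({why})".format(
            why=", ".join(finding["reasons"]), **finding))
```

On the constructed sample the only flagged value is `aux`, and its data resolves to the same path that the file-deletion step in the post above targets.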
     
  7. 2009/04/16
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Did not restart. Followed as instructed and when I double clicked on fix.reg my screen went to the desktop picture with no icons. If I alt + Tab I can still see this website in IE but nothing else, no taskbar or clock. I can still access task manager; should I restart? Also, I could not download HJT from the link provided (white screen) so I used my laptop and a USB flash drive.
     
  8. 2009/04/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    OK
    File deletion was to go first....then the reg delete....then the reboot.

    See if you can get HJT onboard first.
    Then move to the file delete.


    Run RegQuery again and post the log it creates.
     
  9. 2009/04/16
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    I'm not sure I understand your last post. To review: I have downloaded and installed HJT and followed the instructions to create the reg.fix file. When I clicked on reg.fix, no prompt to merge files happened. At this point I'm still staring at my Desktop picture with no icons. It looks like explorer.exe has been stopped by double clicking on the fix.reg file. Obviously I have to reboot... what should I do after the restart?
     
  10. 2009/04/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6

    Please run RegQuery again.
     
  11. 2009/04/16
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,
    I did reboot and the previous procedures may have taken. I am able to run DDS and will post logs; also, for the first time in a week I see the McAfee icon in my system tray, although it still says that full protection is not enabled, and when I select the fix option I'm told that "one or more problems cannot be fixed because of an error." Here are the logs.

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Jon at 12:29:17.14 on Thu 04/16/2009
    Internet Explorer: 7.0.5700.6
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2005 [GMT -5:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    FW: McAfee Personal Firewall *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jon\Desktop\dds.pif
    \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.dellnet.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=cache.midco.net:3128
    uInternet Settings,ProxyOverride = <local>;*.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
    BHO: IEPlugin Class: {cf7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\advanced system optimizer\IEHelper.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [P2kAutostart] c:\documents and settings\jon\my documents\games\P2kAutostart.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
    mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [NWEReboot]
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
    StartupFolder: c:\docume~1\jon\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    mPolicies-explorer: <NO NAME> =
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: Send To &Bluetooth - c:\program files\iogear\bluetooth software\btsendto_ie_ctx.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\iogear\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partypoker.net\partypokernet.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    LSP: c:\windows\system32\INetHTTPFilter.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s.work4sure.com/c/ge/w4sgeen9.exe
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
    DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://remote.nisc.coop/XTSAC.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
    DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
    DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://remote.nisc.coop/msrdp.cab
    DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
    DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://www.cardbox.net/download/msxml4.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nisc.webex.com/client/T25L/support/ieatgpc.cab
    DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup144.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
    Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    AppInit_DLLs: pushow11.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\cyvl7iz7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

    ============= SERVICES / DRIVERS ===============

    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-11 186128]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-24 213640]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
    R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-24 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-24 144704]
    R2 ZeppelinService;plasservice;c:\program files\common files\paretologic\plas\plasservice.exe [2009-2-18 587216]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-24 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-24 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-24 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-24 40552]
    S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-24 34216]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-12-10 17920]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-8-12 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-8-12 42112]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-12-10 23680]
    S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2007-12-16 3768]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
    S3 W3ksrvmi;W3ksrvmi; [x]
    S3 Wmbplervicr;Wmbplervicr; [x]

    =============== Created Last 30 ================

    2009-04-16 08:20 2,560 -------- c:\windows\system32\xpsp4res.dll
    2009-04-16 08:20 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
    2009-04-16 08:20 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
    2009-04-13 13:28 <DIR> --d----- c:\docume~1\jon\applic~1\True Sword
    2009-04-13 13:28 <DIR> --d----- c:\program files\True Sword 5
    2009-04-13 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-04-13 10:50 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-04-13 10:50 <DIR> --d----- c:\docume~1\jon\applic~1\SUPERAntiSpyware.com
    2009-04-13 09:12 <DIR> --d----- c:\program files\Trend Micro
    2009-04-11 18:51 7,426,080 a--sh--- c:\windows\system32\drivers\fidbox.dat
    2009-04-11 18:51 187,424 a--sh--- c:\windows\system32\drivers\fidbox2.dat
    2009-04-11 18:51 104,456 a--sh--- c:\windows\system32\drivers\fidbox.idx
    2009-04-11 18:51 20,636 a--sh--- c:\windows\system32\drivers\fidbox2.idx
    2009-04-11 18:51 3,117 a------- C:\rollback.ini
    2009-04-11 18:42 <DIR> --d----- c:\program files\ParetoLogic
    2009-04-11 18:42 <DIR> --d----- c:\program files\common files\ParetoLogic
    2009-04-11 18:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
    2009-04-11 18:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
    2009-04-11 14:19 <DIR> --d----- c:\docume~1\jon\applic~1\Malwarebytes
    2009-04-11 14:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-04-11 14:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-11 14:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-04-11 14:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-03-23 22:40 <DIR> --d----- C:\NIKONCORPORATION
    2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

    ==================== Find3M ====================

    2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-03-06 09:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
    2009-02-18 14:43 243,024 a------- c:\windows\system32\LSPInstall.dll
    2009-02-18 14:43 111,960 a------- c:\windows\system32\INetHTTPFilter.dll
    2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 07:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
    2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
    2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
    2009-02-09 07:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
    2009-02-09 07:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
    2009-02-09 07:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
    2009-02-09 07:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
    2009-02-09 07:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
    2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
    2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
    2009-02-06 06:11 110,592 -------- c:\windows\system32\dllcache\services.exe
    2009-02-06 06:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-02-06 06:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
    2009-02-06 06:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
    2009-02-06 05:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
    2009-02-06 05:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
    2009-02-06 05:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-02-06 05:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
    2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
    2009-02-03 14:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
    2008-07-29 23:07 87,608 a------- c:\docume~1\jon\applic~1\inst.exe
    2008-07-29 23:07 47,360 a------- c:\docume~1\jon\applic~1\pcouffin.sys
    2008-04-28 22:55 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLbz.DAT
    2007-12-10 21:26 92,064 a------- c:\documents and settings\jon\mqdmmdm.sys
    2007-12-10 21:26 79,328 a------- c:\documents and settings\jon\mqdmserd.sys
    2007-12-10 21:26 66,656 a------- c:\documents and settings\jon\mqdmbus.sys
    2007-12-10 21:26 9,232 a------- c:\documents and settings\jon\mqdmmdfl.sys
    2007-12-10 21:26 6,208 a------- c:\documents and settings\jon\mqdmcmnt.sys
    2007-12-10 21:26 5,936 a------- c:\documents and settings\jon\mqdmwhnt.sys
    2007-12-10 21:26 4,048 a------- c:\documents and settings\jon\mqdmcr.sys
    2007-12-10 21:26 25,600 a------- c:\documents and settings\jon\usbsermptxp.sys
    2007-12-10 21:26 22,768 a------- c:\documents and settings\jon\usbsermpt.sys
    2007-11-30 11:55 0 a------- c:\documents and settings\jon\hayhayall.zip
    2004-10-01 10:32 13,824 a------- c:\documents and settings\jon\atwbxdet.dll
    2004-05-17 11:42 3,889,374 a------- c:\documents and settings\jon\ShowBiz.exe
    2003-02-21 05:42 348,160 a------- c:\program files\msvcr71.dll
    2008-03-17 16:41 1,056 a--sh--- c:\windows\system32\KGyGaAvL.sys
    2008-09-18 20:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat

    ============= FINISH: 12:31:11.60 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/9/2003 12:00:51 PM
    System Uptime: 4/16/2009 12:24:03 PM (0 hours ago)

    Motherboard: Dell Computer Corp. | | 0M2035
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 13.199 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is FIXED (NTFS) - 112 GiB total, 37.05 GiB free.
    G: is CDROM ()
    I: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP2017: 1/27/2009 11:38:42 PM - System Checkpoint
    RP2018: 1/29/2009 12:38:42 AM - System Checkpoint
    RP2019: 1/30/2009 1:39:00 AM - System Checkpoint
    RP2020: 1/31/2009 2:13:44 AM - System Checkpoint
    RP2021: 2/1/2009 4:33:45 PM - System Checkpoint
    RP2022: 2/2/2009 6:43:13 PM - System Checkpoint
    RP2023: 2/3/2009 6:56:41 PM - System Checkpoint
    RP2024: 2/4/2009 7:13:23 PM - System Checkpoint
    RP2025: 2/5/2009 9:38:20 PM - System Checkpoint
    RP2026: 2/7/2009 12:02:11 AM - System Checkpoint
    RP2027: 2/8/2009 12:07:50 AM - System Checkpoint
    RP2028: 2/8/2009 8:38:33 PM - Installed Noiseware Professional Edition
    RP2029: 2/8/2009 10:25:09 PM - Installed Noiseware Professional Plug-in
    RP2030: 2/10/2009 2:37:51 AM - System Checkpoint
    RP2031: 2/11/2009 11:54:16 AM - System Checkpoint
    RP2032: 2/12/2009 3:00:26 AM - Software Distribution Service 3.0
    RP2033: 2/13/2009 3:07:43 AM - System Checkpoint
    RP2034: 2/14/2009 4:06:53 AM - System Checkpoint
    RP2035: 2/15/2009 5:54:51 AM - System Checkpoint
    RP2036: 2/16/2009 11:09:32 AM - System Checkpoint
    RP2037: 2/17/2009 5:11:44 PM - System Checkpoint
    RP2038: 2/18/2009 5:41:36 PM - System Checkpoint
    RP2039: 2/19/2009 6:05:55 PM - System Checkpoint
    RP2040: 2/20/2009 6:13:35 PM - System Checkpoint
    RP2041: 2/21/2009 7:11:34 PM - System Checkpoint
    RP2042: 2/22/2009 11:31:29 PM - System Checkpoint
    RP2043: 2/24/2009 10:19:08 AM - System Checkpoint
    RP2044: 2/25/2009 3:00:20 AM - Software Distribution Service 3.0
    RP2045: 2/25/2009 9:27:28 AM - Removed Lightroom.
    RP2046: 2/25/2009 9:30:19 AM - Installed Lightroom.
    RP2047: 2/26/2009 12:17:11 PM - System Checkpoint
    RP2048: 2/27/2009 6:17:45 PM - System Checkpoint
    RP2049: 2/28/2009 11:53:39 PM - System Checkpoint
    RP2050: 3/2/2009 5:39:32 AM - System Checkpoint
    RP2051: 3/3/2009 6:05:46 AM - System Checkpoint
    RP2052: 3/4/2009 9:20:40 AM - System Checkpoint
    RP2053: 3/5/2009 12:31:06 PM - System Checkpoint
    RP2054: 3/6/2009 4:41:59 PM - System Checkpoint
    RP2055: 3/7/2009 3:29:34 PM - Installed RealGrain Plug-in
    RP2056: 3/8/2009 5:23:06 PM - System Checkpoint
    RP2057: 3/9/2009 6:28:01 PM - System Checkpoint
    RP2058: 3/10/2009 8:45:23 PM - System Checkpoint
    RP2059: 3/10/2009 10:33:32 PM - Software Distribution Service 3.0
    RP2060: 3/12/2009 8:50:04 AM - System Checkpoint
    RP2061: 3/13/2009 9:04:21 AM - System Checkpoint
    RP2062: 3/14/2009 7:31:40 PM - System Checkpoint
    RP2063: 3/15/2009 3:00:18 AM - Software Distribution Service 3.0
    RP2064: 3/16/2009 8:33:34 AM - System Checkpoint
    RP2065: 3/17/2009 9:47:08 AM - System Checkpoint
    RP2066: 3/18/2009 12:05:31 AM - Installed Adobe Photoshop Lightroom 2.
    RP2067: 3/18/2009 12:11:01 AM - Installed Adobe Photoshop Lightroom 2.3.
    RP2068: 3/18/2009 12:12:04 AM - Removed Adobe Photoshop Lightroom 2.
    RP2069: 3/19/2009 7:10:10 AM - System Checkpoint
    RP2070: 3/20/2009 10:11:53 AM - System Checkpoint
    RP2071: 3/21/2009 12:29:15 PM - System Checkpoint
    RP2072: 3/22/2009 4:21:01 PM - System Checkpoint
    RP2073: 3/23/2009 4:32:29 PM - System Checkpoint
    RP2074: 3/24/2009 5:13:21 PM - System Checkpoint
    RP2075: 3/25/2009 5:20:25 PM - System Checkpoint
    RP2076: 3/26/2009 5:58:42 PM - System Checkpoint
    RP2077: 3/27/2009 6:26:19 PM - System Checkpoint
    RP2078: 3/28/2009 7:08:23 PM - System Checkpoint
    RP2079: 3/29/2009 10:56:44 PM - System Checkpoint
    RP2080: 3/30/2009 11:42:08 PM - System Checkpoint
    RP2081: 4/1/2009 1:00:32 AM - System Checkpoint
    RP2082: 4/2/2009 1:01:53 AM - System Checkpoint
    RP2083: 4/3/2009 5:45:06 AM - System Checkpoint
    RP2084: 4/4/2009 10:08:13 AM - System Checkpoint
    RP2085: 4/5/2009 1:45:57 PM - System Checkpoint
    RP2086: 4/6/2009 2:42:02 PM - System Checkpoint
    RP2087: 4/7/2009 5:31:53 PM - System Checkpoint
    RP2088: 4/8/2009 7:14:54 PM - System Checkpoint
    RP2089: 4/9/2009 8:37:13 PM - System Checkpoint
    RP2090: 4/10/2009 9:54:29 PM - Installed Windows XP KB958644.
    RP2091: 4/11/2009 6:42:12 PM - Installed ParetoLogic Anti-Virus PLUS.
    RP2092: 4/12/2009 9:14:12 AM - Removed FinePixViewer
    RP2093: 4/12/2009 9:15:31 AM - Removed ImageMixer VCD2
    RP2094: 4/12/2009 9:32:37 AM - Removed Lightroom.
    RP2095: 4/13/2009 10:39:05 AM - System Checkpoint
    RP2096: 4/13/2009 10:50:34 AM - Installed SUPERAntiSpyware Free Edition
    RP2097: 4/14/2009 11:58:45 AM - System Checkpoint
    RP2098: 4/15/2009 2:08:41 PM - System Checkpoint
    RP2099: 4/16/2009 8:30:37 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================



    3D Groove Playback Engine
    Abacast Client
    ABBYY FineReader 5.0 Sprint
    Acoustica Effects Pack
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge 1.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Fonts All
    Adobe Help Center 2.1
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Photoshop Elements 6.0
    Adobe Photoshop Lightroom 2.3
    Adobe Premiere Elements 3.0
    Adobe Premiere Elements 3.0 Templates
    Adobe Premiere Pro 2.0
    Adobe Reader 7.0.8
    Adobe Setup
    Adobe Shockwave Player
    Adobe Stock Photos 1.0
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Advanced System Optimizer 2.01
    Alien Skin Image Doctor 2
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft MediaConverter 2
    ArcSoft ShowBiz DVD 2.0 (Shared Components)
    Audio Record Wizard v3.7
    AutoUpdate
    Avanquest update
    Banctec Service Agreement
    BCM V.92 56K Modem
    Boggle Supreme V1.0.0.0
    Business Contact Manager for Outlook 2003
    Critical Update for Windows Media Player 11 (KB959772)
    DAO
    Data Lifeguard
    Dell AIO Printer A940
    Dell Digital Jukebox Driver
    Dell Networking Guide
    Dell Solution Center
    Dell Support 5.0.0 (766)
    DesertCombat 0.6F
    Dexster V2.9
    DiscAPI (Studio 10)
    DiscWizard for Windows
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    Driver Cleaner 3
    Drivers Install For Linksys Easylink Advisor
    DS21Patch
    DVD-CLONER V2.32
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    DVD to VCD AVI DivX Converter v3.2 (build 062)
    DVD to VCD AVI DivX Converter v3.2 (build 069)
    DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.2
    DVDFab Decrypter 3.0.2.2 Beta
    DVDFab HD Decrypter 4.1.2.0
    DVDSentry
    El-Co Color ROES Retail
    EZ Photo Calendar Creator
    FreeAgent Pro Tools
    FUJIFILM USB Driver
    Help and Support Customization
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Imagenomic Portraiture 2.0 Plug-in (build 2006)
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    IOGEAR Bluetooth Software
    iTunes
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2
    K-Lite Codec Pack 2.36 Full
    LeechFTP
    Linksys EasyLink Advisor 1.6 (0032)
    Logitech Desktop Messenger
    Logitech Gaming Software
    Logitech MouseWare 9.79
    Logitech Resource Center
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    McAfee Shredder
    Medi@Show
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Small Business Edition 2003
    Microsoft Office XP Professional with FrontPage
    Microsoft SQL Server Desktop Engine (PINNACLESYS)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft XML Parser
    MicroStaff WINASPI
    Modem Helper
    Motorola Driver Installation
    Motorola Phone Tools
    Motorola Software Update
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (1.5)
    MP3 Splitter & Joiner
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6.0 Parser (KB933579)
    Nero PhotoShow Elite
    Nero Suite
    NeroMIX
    Noise Ninja 2 (Standalone Version)
    Noiseware Professional Edition
    Noiseware Professional Plug-in
    NVIDIA Drivers
    OpenMG AAC Add-on Module 1.0.00
    OpenMG Limited Patch 4.5-06-05-12-01
    OpenMG Secure Module 4.5.01
    ParetoLogic Anti-Virus PLUS
    PCLink
    PDF Settings
    PhotoNow! 1.0
    Picaboo 1.8.216
    Pinnacle Instant DVD Recorder
    Pinnacle MediaServer
    PowerDirector
    PowerDVD
    QPST
    QuickTime
    RAPID (Studio 10)
    RAW FILE CONVERTER LE
    RealGrain Plug-in
    RealPlayer
    Rhapsody Player Engine
    RM to MP3 Converter 1.21
    Samsung USB Driver (MCCI 3.40)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    SmartSound Quicktracks Plugin
    Sonic RecordNow!
    Sonic Update Manager
    SonicStage 2.3.00
    Sony USB Driver
    Sound Blaster Live!
    Studio 10
    SUPERAntiSpyware Free Edition
    TMPGEnc 3.0 XPress
    TMPGEnc DVD Author 1.6
    TMPGEnc Sound Player
    Ulead VideoStudio 10
    Uniblue Registry Booster
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    USB Driver Vers. 3.2
    Vertus Fluid Mask 3 3.0.10
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WD Backup
    WD Diagnostics
    WD Firewire HID Driver
    WebCyberCoach 3.2 Dell
    WebEx
    WebFldrs XP
    Winamp
    Windows Backup Utility
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 7
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    WinTasks Trial
    WinZip
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    4/14/2009 3:58:21 PM, error: Service Control Manager [7000] - The StarWind iSCSI Service service failed to start due to the following error: The system cannot find the file specified.
    4/14/2009 3:58:21 PM, error: Service Control Manager [7000] - The Wmbplervicr service failed to start due to the following error: The system cannot find the file specified.
    4/14/2009 3:12:13 PM, error: Service Control Manager [7034] - The plasservice service terminated unexpectedly. It has done this 1 time(s).
    4/13/2009 10:59:53 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
    4/13/2009 10:53:03 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    4/13/2009 8:54:39 PM, error: Cdrom [15] - The device, \Device\CdRom3, is not ready for access yet.
    4/13/2009 8:54:39 PM, error: Cdrom [15] - The device, \Device\CdRom2, is not ready for access yet.
    4/13/2009 7:43:19 PM, error: Service Control Manager [7034] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service terminated unexpectedly. It has done this 1 time(s).
    4/13/2009 7:09:07 PM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/13/2009 7:02:41 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================
     
  12. 2009/04/16
    jjabo7

    I apologize if I jumped the gun by not waiting for your response.
    Do you still want me to run RegQuery?
     
  13. 2009/04/16
    Juliet

    Yes please, with another set of instructions to do as well.


    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal




    • Click the Browse button and search for the following file: c:\documents and settings\jon\hayhayall.zip
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned -- click "reanalyze now"




    Your version of Java is outdated.

    Please download JavaRa to your desktop and unzip it to its own folder

    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.
    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report.
    To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    RegQuery log
    Kaspersky log
    New HJT log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  14. 2009/04/16
    jjabo7

    Juliet,

    I cannot run Kaspersky; when trying to download I get a message "Starting Java applet has failed! Please go online to use this program." Also, I cannot disable McAfee. While performing all the above tasks it finally was able to update and is now requesting a restart to finish the update. I cannot access the Security Center to disable virus scan without a restart. Should I restart, or skip that step and run HJT? Please advise.
     
  15. 2009/04/16
    jjabo7

    To clarify, the message is happening when Kaspersky is trying to download its updates.
     
  16. 2009/04/16
    Juliet

    Forget Kaspersky, we'll use a different one.
    Yes, to make sure McAfee is updated and working restart the computer when it's finished downloading the latest definitions.


    MCAFEE ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for a [​IMG] sign.
    • Right-click it -> choose "Exit."
    • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
    You successfully disabled the McAfee Guard.

    MCAFEE SECURITY CENTER 7.1
    Please navigate to the system tray and double-click the taskbar icon to open Security Center.
    • Click Advanced Menu (bottom mid-left).
    • Click Configure (left).
    • Click Computer & Files (top left).
    • VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.
    Do the same via Internet & Network for Firewall Plus.




    Perform an online scan with Panda ActiveScan
    * Click on Scan Your PC Now
    * A "pop up" window will appear, or a new tab will open.
    * Click on Register
    * Choose the option you like most, but we recommend the Free Registration.

    Click on Register
    # Enter your e-mail address, and create a password.
    # Select "I do not want to receive any type of information" (unless you want to receive such information).
    # Click on Send
    # Confirm registration, and continue by entering your user name and password, then click on Enter
    # Select Full Scan, then Click on Scan Now
    # Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.

    # Please ignore the offer to buy the program. Click on Export To

    * Export the log and save it to your desktop.
    * Please post the contents of that log in your next reply.
    * Turn off the real time scanner of any existing antivirus program while performing the online scan


    In your next reply post:
    RegQuery log
    Panda log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.


    How's your computer now?
     
  17. 2009/04/16
    jjabo7

    Juliet,

    Seems to be much better now.

    The VirusTotal scan turned up the following.
    0 bytes size received / Se ha recibido un archivo vacio

    Here are the logs from RegQuery, Panda, and HJT

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
    "msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.ctmp3"="C:\\WINDOWS\\System32\\ctmp3.acm"
    "MSVideo8"="VfWWDM32.dll"
    "vidc.XVID"="xvidvfw.dll"
    "msacm.lameacm"="lameACM.acm"
    "vidc.3iv2"="3ivxVfWCodec.dll"
    "VIDC.HFYU"="huffyuv.dll"
    "VIDC.wmv3"="wmv9vcm.dll"
    "VIDC.VP60"="vp6vfw.dll"
    "VIDC.VP61"="vp6vfw.dll"
    "VIDC.VP62"="vp6vfw.dll"
    "VIDC.VP31"="vp31vfw.dll"
    "vidc.MPG4"="Mpg4c32.dll"
    "vidc.MP42"="Mpg4c32.dll"
    "vidc.MP43"="Mpg4c32.dll"
    "msacm.ac3acm"="ac3acm.acm"
    "wave1"="wdmaud.drv"
    "midi1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "VIDC.YVU9"="tsbyuv.dll"
    "msacm.dvacm"="C:\\PROGRA~1\\COMMON~1\\ULEADS~1\\Vio\\Dvacm.acm"
    "msacm.MPEGacm"="C:\\PROGRA~1\\COMMON~1\\ULEADS~1\\MPEG\\MPEGacm.acm"
    "msacm.ulmp3acm"="C:\\PROGRA~1\\COMMON~1\\ULEADS~1\\MPEG\\ulmp3acm.acm"
    "VIDC.MJPX"="PICVideo MJPEG Codec"
    "vidc.DIVX"="DivX.dll"
    "vidc.yv12"="DivX.dll"
    "wave2"="wdmaud.drv"
    "mixer2"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "wave4"="wdmaud.drv"
    "mixer4"="wdmaud.drv"
    "wave5"="wdmaud.drv"
    "mixer5"="wdmaud.drv"
    "wave6"="wdmaud.drv"
    "mixer6"="wdmaud.drv"
    "wave7"="wdmaud.drv"
    "mixer7"="wdmaud.drv"
    "wave8"="wdmaud.drv"
    "mixer8"="wdmaud.drv"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "aux"="C:\\WINDOWS\\system32\\..\\uga.fhr"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"


    Panda

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-04-16 18:39:59
    PROTECTIONS: 1
    MALWARE: 24
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00005468 dialer.bb Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0191ABF4-9421-435E-9FFD-CD827A2A82D8}
    00018331 adware/gator Adware No 0 Yes No c:\documents and settings\all users\start menu\programs\gain
    00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}
    00029459 spyware/betterinet Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}
    00034463 adware/wupd Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
    00034463 adware/wupd Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
    00040415 adware/wintools Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
    00046490 adware/azesearch Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}
    00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E955-11D0-A707-000000521958}
    00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}
    00048485 spyware/bundleware Spyware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
    00048498 adware/topconvert Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C}
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@doubleclick[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@atdmt[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@tribalfusion[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@tribalfusion[2].txt
    00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.centrport.net/]
    00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\cyvl7iz7.default\cookies.txt[.7search.com/]
    00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\cyvl7iz7.default\cookies.txt[.7search.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.com.com/]
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.com.com/]
    00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.landing.domainsponsor.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@ad.yieldmanager[2].txt
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.go.com/]
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.go.com/]
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.target.com/]
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Jana\Application Data\Mozilla\Firefox\Profiles\zyr4x6e3.default\cookies.txt[.target.com/]
    01692698 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Jana\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
    01692698 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Jon\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
    02990320 Application/BoontyGames HackTools Yes 0 Yes No C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\WebEx\ieatgpc.dll
    03919041 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\SlySoft\Slysoft.exe
    03919041 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\SlySoft\AnyDVD\Slysoft.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location Ux
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description Ux
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:51:14 PM, on 4/16/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    c:\PROGRA~1\mcafee\msc\mcshell.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache.midco.net:3128
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Jon\My Documents\Games\P2kAutostart.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://remote.nisc.coop/XTSAC.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.nisc.coop/msrdp.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.cardbox.net/download/msxml4.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nisc.webex.com/client/T25L/support/ieatgpc.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
    O20 - AppInit_DLLs: pushow11.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: McAfee Application Installer Cleanup (0279701239904340) (0279701239904340mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027970~1.EXE (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Mqdfm2vc - McAfee, Inc. - (no file)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

    --
    End of file - 14613 bytes
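As an added example (not part of the original posts and not a tool used in this thread), the Python below parses HijackThis entry lines like those in the log above and surfaces the ones a helper would usually read first. The flag names and the `parse_entries`/`triage` helpers are this example's own, the sample lines are copied from the log above, and a flag means "look here first", not a verdict that the entry is malicious.

```python
import re
from collections import Counter

# Sample lines copied from the HijackThis log above (header and process
# lines included on purpose, to show that they are skipped).
SAMPLE_LOG = r"""
    Logfile of Trend Micro HijackThis v2.0.2
    Running processes:
    C:\WINDOWS\System32\smss.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache.midco.net:3128
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll (file missing)
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O20 - AppInit_DLLs: pushow11.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: McAfee Application Installer Cleanup (0279701239904340) (0279701239904340mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027970~1.EXE (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Mqdfm2vc - McAfee, Inc. - (no file)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
"""

# An entry line is "<section code> - <detail>", e.g. "O20 - AppInit_DLLs: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.+?)\s*$")


def parse_entries(log_text):
    """Return (section, detail) for every entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def flags_for(section, detail):
    """Return this example's review flags for one entry (may be empty)."""
    low = detail.lower()
    flags = []
    # HijackThis appends these when the referenced file is not on disk:
    # either a leftover entry or a file the scanner cannot see.
    if low.endswith("(file missing)") or low.endswith("(no file)"):
        flags.append("target-missing")
    # A Layered Service Provider sits in the Winsock stack and sees
    # network traffic; HijackThis marks the ones it does not recognise.
    if section == "O10" and "unknown file in winsock lsp" in low:
        flags.append("unknown-lsp")
    # AppInit_DLLs are loaded into every process that loads user32.dll.
    if section == "O20" and low.startswith("appinit_dlls:"):
        flags.append("appinit-dll")
    # HijackThis prints "Unknown owner" when it cannot name the publisher.
    if section == "O23" and " - unknown owner - " in low:
        flags.append("unknown-owner")
    return flags


def triage(log_text):
    """Return flagged entries, de-duplicated, in order of first appearance."""
    counts = Counter(parse_entries(log_text))  # keeps insertion order
    report = []
    for (section, detail), seen in counts.items():
        flags = flags_for(section, detail)
        if flags:
            report.append({"section": section, "detail": detail,
                           "count": seen, "flags": flags})
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f'{item["section"]:<4} x{item["count"]} '
              f'{",".join(item["flags"]):<30} {item["detail"]}')
```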
     
  18. 2009/04/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    OK, since things are working better let's try this again.


    Open HijackThis. Click on Open the Misc Tools Section.

    * On the screen, click on "Delete a file on reboot...".
    * Copy/paste the following path into the dialog box that popped up, and click 'Open':

    C:\WINDOWS\uga.fhr

    * HJT will ask you if you want to reboot now. Click "NO".





    Next, launch Notepad, (Start > Run, type in: notepad) copy and paste just the text in blue below in it (don't forget to copy and paste REGEDIT4)

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux"=-


    Save this as fix2.reg and change the "Save as type" to "All Files" and place it on your desktop.
    Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

    Now reboot the machine. <--Important.




    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  19. 2009/04/16
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    Juliet,

    When I clicked on Combofix I got an error saying "pv.cfexe encountered a problem and needs to close". I hit "Dismiss" and then was prompted to install the recovery console. After quite some time the install completed and I was asked to start the scan. I clicked "Yes" and the same error as above popped up again, and again I selected "Dismiss" and the scan continued to completion. Hopefully this ran successfully. Logs for ComboFix and HJT are included in the next post.
     
  20. 2009/04/16
    jjabo7

    jjabo7 Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    19
    Likes Received:
    0
    ComboFix

    ComboFix 09-04-17.01 - Jon 04/16/2009 20:28.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2045 [GMT -5:00]
    Running from: c:\documents and settings\Jon\Desktop\jon091969.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *disabled*
    * Created a new restore point
    .
    ADS - WINDOWS: deleted 24 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Jon\Application Data\inst.exe
    c:\documents and settings\Jon\Local Settings\Temporary Internet Files\temp.dmf
    c:\documents and settings\Jon\Local Settings\Temporary Internet Files\zap87.tmp
    c:\documents and settings\Jon\Local Settings\Temporary Internet Files\zapAE.tmp
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\lsprst7.dll
    c:\windows\system32\prsgrc.dll
    c:\windows\system32\ssprs.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
    .

    2009-04-16 20:47 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
    2009-04-16 20:46 . 2009-04-16 20:46 -------- d-----w c:\program files\Panda Security
    2009-04-16 18:28 . 2009-04-16 18:27 73728 ----a-w c:\windows\system32\javacpl.cpl
    2009-04-16 18:28 . 2009-04-16 18:27 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-04-16 18:22 . 2009-04-16 18:29 -------- d-----w c:\documents and settings\Jon\.SunDownloadManager
    2009-04-16 13:21 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-16 13:21 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-16 13:21 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-16 13:21 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-16 13:21 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-16 13:21 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-16 13:21 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-16 13:21 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-16 13:21 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-16 13:21 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-16 13:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-16 13:20 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
    2009-04-16 13:20 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-13 21:13 . 2009-04-13 21:13 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-04-13 18:28 . 2009-04-13 18:28 -------- d-----w c:\documents and settings\Jon\Application Data\True Sword
    2009-04-13 18:28 . 2009-04-13 19:11 -------- d-----w c:\program files\True Sword 5
    2009-04-13 15:50 . 2009-04-13 15:50 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-04-13 15:50 . 2009-04-13 15:50 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-04-13 15:50 . 2009-04-13 15:50 -------- d-----w c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com
    2009-04-13 14:12 . 2009-04-16 16:15 -------- d-----w c:\program files\Trend Micro
    2009-04-12 07:03 . 2009-04-12 07:03 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-04-11 23:51 . 2009-04-17 01:32 7728928 --sha-w c:\windows\system32\drivers\fidbox.dat
    2009-04-11 23:51 . 2009-04-17 01:32 205344 --sha-w c:\windows\system32\drivers\fidbox2.dat
    2009-04-11 23:51 . 2009-04-17 01:05 21908 --sha-w c:\windows\system32\drivers\fidbox2.idx
    2009-04-11 23:51 . 2009-04-17 01:05 108272 --sha-w c:\windows\system32\drivers\fidbox.idx
    2009-04-11 23:51 . 2009-04-13 20:31 3117 ----a-w C:\rollback.ini
    2009-04-11 23:42 . 2009-04-11 23:42 -------- d-----w c:\program files\Common Files\ParetoLogic
    2009-04-11 23:42 . 2009-04-11 23:42 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
    2009-04-11 23:42 . 2009-04-11 23:42 -------- d-----w c:\program files\ParetoLogic
    2009-04-11 23:42 . 2009-04-11 23:42 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
    2009-04-11 19:19 . 2009-04-11 19:19 -------- d-----w c:\documents and settings\Jon\Application Data\Malwarebytes
    2009-04-11 19:19 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-11 19:18 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-11 19:18 . 2009-04-11 19:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-11 19:18 . 2009-04-11 19:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-11 03:19 . 2009-04-12 06:04 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-02 04:24 . 2009-04-02 04:25 -------- d-----w c:\documents and settings\Jon\Application Data\Move Networks
    2009-03-24 03:40 . 2009-03-24 03:40 -------- d-----w C:\NIKONCORPORATION
    2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-16 18:27 . 2003-10-28 13:24 -------- d-----w c:\program files\Java
    2009-04-16 18:12 . 2009-04-16 18:12 10384 ----a-w C:\JavaRa.log
    2009-04-16 17:51 . 2004-10-30 14:40 -------- d-----w c:\program files\McAfee
    2009-04-15 17:00 . 2006-01-11 06:25 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-04-13 19:43 . 2006-01-02 18:29 -------- d-----w c:\program files\Advanced System Optimizer
    2009-04-13 18:42 . 2009-04-13 18:29 0 ----a-w C:\log2.txt
    2009-04-13 18:42 . 2009-04-13 18:29 0 ----a-w C:\log1.txt
    2009-04-13 17:33 . 2004-04-07 15:08 -------- d-----w c:\program files\Lavasoft
    2009-04-13 17:25 . 2005-03-13 00:38 -------- d-----w c:\documents and settings\Jon\Application Data\Shareaza
    2009-04-13 17:22 . 2003-12-11 05:47 -------- d-----w c:\program files\PokerRoom.com
    2009-04-13 15:49 . 2006-01-03 16:31 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-04-13 14:18 . 2006-03-22 17:10 -------- d-----w c:\program files\Dexster
    2009-04-13 14:18 . 2007-12-11 00:23 -------- d-----w c:\program files\Avanquest update
    2009-04-12 14:16 . 2004-02-12 21:09 -------- d-----w c:\program files\PIXELA
    2009-04-12 14:15 . 2003-10-28 13:33 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-12 14:14 . 2004-02-12 21:07 -------- d-----w c:\program files\FinePixViewer
    2009-04-12 06:39 . 2006-01-01 15:53 111544 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-11 14:37 . 2007-02-24 14:36 -------- d-----w c:\documents and settings\Jon\Application Data\SiteAdvisor
    2009-04-07 21:23 . 2007-07-07 01:04 -------- d-----w c:\documents and settings\Jon\Application Data\Vso
    2009-04-07 21:23 . 2008-05-28 12:05 -------- d-----w c:\program files\DVDFab 5
    2009-03-25 16:06 . 2007-02-24 14:33 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
    2009-03-25 16:06 . 2007-02-24 14:33 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
    2009-03-25 16:06 . 2007-02-24 14:33 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
    2009-03-25 16:06 . 2007-02-24 14:33 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
    2009-03-25 16:05 . 2007-02-24 14:33 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
    2009-03-07 21:31 . 2009-02-09 04:30 -------- d-----w c:\documents and settings\Jon\Application Data\Imagenomic
    2009-03-07 21:29 . 2009-02-09 02:38 -------- d-----w c:\program files\Imagenomic
    2009-03-07 20:44 . 2009-03-07 20:44 -------- d-----w c:\documents and settings\Jon\Application Data\Thinstall
    2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
    2009-02-26 02:55 . 2009-02-26 02:55 -------- d-----w c:\documents and settings\Jon\Application Data\Alien Skin
    2009-02-26 02:53 . 2009-02-26 02:53 -------- d-----w c:\program files\Alien Skin
    2009-02-18 19:43 . 2009-02-18 19:43 243024 ----a-w c:\windows\SYSTEM32\LSPInstall.dll
    2009-02-18 19:43 . 2009-02-18 19:43 111960 ----a-w c:\windows\SYSTEM32\INetHTTPFilter.dll
    2009-02-16 16:20 . 2009-02-16 16:20 -------- d-----w c:\program files\Vertus Fluid Mask 3
    2009-02-16 16:20 . 2009-02-16 16:20 -------- d-----w c:\documents and settings\All Users\Application Data\VertusTech
    2009-02-09 12:10 . 2002-08-29 11:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
    2009-02-09 12:10 . 2004-04-13 20:14 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
    2009-02-09 12:10 . 2002-08-29 11:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
    2009-02-09 12:10 . 2002-08-29 11:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
    2009-02-09 11:13 . 2008-10-15 19:41 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
    2009-02-09 11:13 . 2002-08-29 11:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
    2009-02-08 00:02 . 2008-10-15 19:41 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
    2009-02-06 11:11 . 2002-08-29 11:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
    2009-02-06 11:08 . 2008-10-15 19:41 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
    2009-02-06 11:06 . 2008-10-15 19:41 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
    2009-02-06 11:06 . 1980-01-01 06:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
    2009-02-06 10:39 . 2002-08-29 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
    2009-02-06 10:32 . 2008-10-15 19:41 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
    2009-02-06 10:32 . 1980-01-01 06:00 2023936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
    2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
    2009-02-03 19:59 . 2002-08-29 11:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
    2009-01-24 01:47 . 2006-03-03 05:17 92 ----a-w C:\ResumeOmgApDeliveryMgrCntrl_SonicStage_EmdDownloadObj.dmf
    2008-12-24 18:02 . 2003-11-09 19:37 111544 ----a-w c:\documents and settings\Jana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2008-12-21 23:06 . 2003-11-09 18:11 111544 ----a-w c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-30 04:07 . 2007-07-07 01:04 47360 ----a-w c:\documents and settings\Jon\Application Data\pcouffin.sys
    2008-04-29 03:55 . 2008-04-29 03:34 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
    2007-12-11 02:26 . 2007-01-23 22:08 9232 ----a-w c:\documents and settings\Jon\mqdmmdfl.sys
    2007-12-11 02:26 . 2007-01-23 22:08 92064 ----a-w c:\documents and settings\Jon\mqdmmdm.sys
    2007-12-11 02:26 . 2007-01-23 22:08 79328 ----a-w c:\documents and settings\Jon\mqdmserd.sys
    2007-12-11 02:26 . 2007-01-23 22:08 66656 ----a-w c:\documents and settings\Jon\mqdmbus.sys
    2007-12-11 02:26 . 2007-01-23 22:08 6208 ----a-w c:\documents and settings\Jon\mqdmcmnt.sys
    2007-12-11 02:26 . 2007-01-23 22:08 5936 ----a-w c:\documents and settings\Jon\mqdmwhnt.sys
    2007-12-11 02:26 . 2007-01-23 22:08 4048 ----a-w c:\documents and settings\Jon\mqdmcr.sys
    2007-12-11 02:26 . 2006-02-12 20:13 25600 ----a-w c:\documents and settings\Jon\usbsermptxp.sys
    2007-12-11 02:26 . 2006-02-12 20:13 22768 ----a-w c:\documents and settings\Jon\usbsermpt.sys
    2007-11-30 16:55 . 2007-11-30 16:55 0 ----a-w c:\documents and settings\Jon\hayhayall.zip
    2007-11-18 01:25 . 2006-08-14 02:20 284 ----a-w c:\documents and settings\Jana\Application Data\ViewerApp.dat
    2004-10-01 15:32 . 2004-10-01 15:32 13824 ----a-w c:\documents and settings\Jon\atwbxdet.dll
    2004-05-17 16:42 . 2006-10-14 03:29 3889374 ----a-w c:\documents and settings\Jon\ShowBiz.exe
    2003-11-29 23:57 . 2003-11-27 04:02 103871345 ------w c:\documents and settings\GameSpot DLX Secure Delivery\tiger2004demo.exe
    2003-11-29 23:18 . 2003-11-27 14:00 139727532 ------w c:\documents and settings\GameSpot DLX Secure Delivery\bf1942spdemo.zip
    2003-11-29 23:11 . 2003-11-27 14:00 136512494 ------w c:\documents and settings\GameSpot DLX Secure Delivery\bf1942_mp_demo.exe
    2003-11-09 19:41 . 2003-11-09 19:41 127 ----a-w c:\documents and settings\Jana\Local Settings\Application Data\fusioncache.dat
    2003-11-09 19:34 . 2003-11-09 19:34 126 ----a-w c:\documents and settings\Jon\Local Settings\Application Data\fusioncache.dat
    2003-10-28 13:33 . 2004-04-25 22:31 12328 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2003-02-21 10:42 . 2003-02-21 10:42 348160 ----a-w c:\program files\msvcr71.dll
    2007-02-16 14:2006-10-07 15:07 37:59 . c:\program files\mozilla firefox\components\jar50.dll
    2007-02-16 14:2006-10-07 15:07 37:59 . c:\program files\mozilla firefox\components\jsd3250.dll
    2007-02-16 14:2006-10-07 15:07 37:59 . c:\program files\mozilla firefox\components\xpinstal.dll
    2008-04-30 21:07 . 2008-04-30 20:48 72 --sh--w c:\windows\SC6E38F9E.tmp
    2008-03-17 21:41 . 2007-07-25 16:43 1056 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
    2008-09-19 01:55 . 2008-09-19 01:55 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008091820080919\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
    "PinnacleDriverCheck "= "c:\windows\system32\\PSDrvCheck.exe" [2004-03-10 406016]
    "SiteAdvisor "= "c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-09 36904]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
    "StxTrayMenu "= "c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 185896]
    "Adobe Photo Downloader "= "c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-04-16 148888]
    "WD Button Manager "= "WDBtnMgr.exe" - c:\windows\SYSTEM32\WDBtnMgr.exe [2006-08-14 339968]
    "Logitech Utility "= "Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

    c:\documents and settings\Jana\Start Menu\Programs\Startup\
    Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2007-6-22 577536]

    c:\documents and settings\Jon\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-14 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-9-5 169472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=pushow11.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ctmp3 "= c:\windows\System32\ctmp3.acm
    "vidc.3iv2 "= 3ivxVfWCodec.dll
    "VIDC.HFYU "= huffyuv.dll
    "VIDC.VP31 "= vp31vfw.dll
    "msacm.dvacm "= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
    "msacm.MPEGacm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
    "msacm.ulmp3acm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
    "VIDC.MJPX "= PICVideo MJPEG Codec

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
    backup=c:\windows\pss\BTTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Picaboo.lnk]
    path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Picaboo.lnk
    backup=c:\windows\pss\Picaboo.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-09-13 09:51 1450096 ------w c:\program files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-02-19 18:10 267048 ----a-w c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE "=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe "=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe "=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe "=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Motorola\\Software Update\\msu.exe "=
    "c:\\Program Files\\LeechFTP\\Leechftp.exe "=
    "c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Abacast\\Abaclient.exe "=
    "c:\\WINDOWS\\SYSTEM32\\ftp.exe "=
    "c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    R0 ntcdrdrv;ntcdrdrv; [x]
    R2 0279701239904340mcinstcleanup;McAfee Application Installer Cleanup (0279701239904340); [x]
    R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [2009-02-18 587216]
    R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-06-20 17920]
    R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-24 7680]
    R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-05-04 42112]
    R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-20 23680]
    R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2007-12-14 3768]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
    R3 W3ksrvmi;W3ksrvmi; [x]
    R3 Wmbplervicr;Wmbplervicr; [x]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
    S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PAVBOOT
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

    2009-03-15 c:\windows\Tasks\McDefragTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-02-24 15:53]

    2009-04-01 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-02-24 15:53]

    2009-04-13 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
    - c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

    2009-04-16 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
    - c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

    2009-04-16 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

    2009-04-13 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe
    HKCU-Run-P2kAutostart - c:\documents and settings\Jon\My Documents\Games\P2kAutostart.exe
    HKLM-Run-NWEReboot - (no file)
    MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=cache.midco.net:3128
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Send To &Bluetooth - c:\program files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
    LSP: c:\windows\system32\INetHTTPFilter.dll
    FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\cyvl7iz7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.cookie.p3plevel ", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.enablePad ", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.default ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.custom ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "signon.prefillForms ", true);
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-16 20:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    P2kAutostart = c:\documents and settings\Jon\My Documents\Games\P2kAutostart.exe?0???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.** "*%\OpenWithList]
    @Class= "Shell "

    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4*Y%€%]
    @Class= "Shell "
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4*Y%€%\OpenWithList]
    @Class= "Shell "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "cd042efbbd7f7af1647644e76e06692b "=hex:c8,28,51,af,b0,29,a3,98,f5,17,ae,e0,c8,
    02,6b,32,e2,63,26,f1,3f,c8,ff,68,7a,94,91,bf,2c,a5,f8,ca,e2,63,26,f1,3f,c8,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "bca643cdc5c2726b20d2ecedcc62c59b "=hex:71,3b,04,66,8b,46,0d,96,88,12,5d,c0,31,
    12,41,3b,6a,9c,d6,61,af,45,84,18,e3,5d,58,17,79,2d,8e,2c,6a,9c,d6,61,af,45,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "2c81e34222e8052573023a60d06dd016 "=hex:25,da,ec,7e,55,20,c9,26,8e,41,4a,d1,2f,
    34,36,ca,ff,7c,85,e0,43,d4,0e,fe,04,bd,66,05,b5,c5,a5,1e,ff,7c,85,e0,43,d4,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "2582ae41fb52324423be06337561aa48 "=hex:86,8c,21,01,be,91,eb,e7,ca,b9,88,ea,4a,
    06,b2,6e,86,8c,21,01,be,91,eb,e7,af,64,8e,d8,d1,e8,a7,ec,86,8c,21,01,be,91,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "caaeda5fd7a9ed7697d9686d4b818472 "=hex:f5,1d,4d,73,a8,13,5c,05,db,db,c8,38,8d,
    35,88,f0,f5,1d,4d,73,a8,13,5c,05,ad,c3,d6,46,8a,6e,64,61,f5,1d,4d,73,a8,13,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "a4a1bcf2cc2b8bc3716b74b2b4522f5d "=hex:df,20,58,62,78,6b,cf,c8,cf,5b,ca,28,e1,
    9b,d7,67,df,20,58,62,78,6b,cf,c8,ec,a8,c9,69,3b,18,b1,da,df,20,58,62,78,6b,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "4d370831d2c43cd13623e232fed27b7b "=hex:fb,a7,78,e6,12,2f,9a,ea,fd,20,bf,ae,ae,
    07,e9,b7,fb,a7,78,e6,12,2f,9a,ea,0f,6d,53,db,37,e3,a0,28,fb,a7,78,e6,12,2f,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    "Version "=hex:d5,13,3c,50,5e,a6,de,51,56,e1,d4,4c,4f,47,d4,f3,20,8e,51,9b,67,
    09,45,31,55,28,76,18,d2,bf,5a,76,a2,ae,d8,07,06,bd,7f,a3,2f,42,b4,d2,11,9c,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "1d68fe701cdea33e477eb204b76f993d "=hex:83,6c,56,8b,a0,85,96,ab,58,e5,27,bf,84,
    e2,bd,bf,01,3a,48,fc,e8,04,4a,f1,c5,a5,2c,9c,f6,64,c7,c9,01,3a,48,fc,e8,04,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "1fac81b91d8e3c5aa4b0a51804d844a3 "=hex:51,fa,6e,91,28,9e,14,cc,66,fc,04,e9,31,
    cc,29,ed,f6,0f,4e,58,98,5b,89,c9,11,4c,e8,73,7e,dd,2e,eb,f6,0f,4e,58,98,5b,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "f5f62a6129303efb32fbe080bb27835b "=hex:b1,cd,45,5a,a8,c4,f8,b9,5e,34,3d,1c,38,
    fe,53,a5,3d,ce,ea,26,2d,45,aa,78,2c,ef,9f,d8,08,3a,75,4c,3d,ce,ea,26,2d,45,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "fd4e2e1a3940b94dceb5a6a021f2e3c6 "=hex:e3,0e,66,d5,eb,bc,2f,6b,84,1b,10,f7,3d,
    64,94,c4,2a,b7,cc,b5,b9,7f,41,e7,28,81,c0,4d,bb,7a,c8,ca,2a,b7,cc,b5,b9,7f,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
    "ThreadingModel "= "Apartment "
    @= "c:\\WINDOWS\\system32\\OLE32.DLL "
    "8a8aec57dd6508a385616fbc86791ec2 "=hex:6c,43,2d,1e,aa,22,2f,9c,dc,bd,83,8d,f3,
    76,1c,7c,6c,43,2d,1e,aa,22,2f,9c,39,e7,a1,53,3d,bd,02,50,6c,43,2d,1e,aa,22,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
    @DACL=(02 0000)

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HONOR_XUNSENT_IN_FILE]
    @DACL=(02 0000)
    "msimn.exe "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
    @DACL=(02 0000)
    @=" "
    "waol.exe "=dword:00000001
    "cs.exe "=dword:00000001
    "wm.exe "=dword:00000001
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(888)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(948)
    c:\windows\system32\INetHTTPFilter.dll
    .
    Completion time: 2009-04-17 20:37
    ComboFix-quarantined-files.txt 2009-04-17 01:35

    Pre-Run: 19,581,837,312 bytes free
    Post-Run: 19,684,560,896 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    401 --- E O F --- 2009-04-16 13:35


    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:40:38 PM, on 4/16/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache.midco.net:3128
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://remote.nisc.coop/XTSAC.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.nisc.coop/msrdp.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.cardbox.net/download/msxml4.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nisc.webex.com/client/T25L/support/ieatgpc.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
    O20 - AppInit_DLLs: pushow11.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: McAfee Application Installer Cleanup (0279701239904340) (0279701239904340mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027970~1.EXE (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Mqdfm2vc - McAfee, Inc. - (no file)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

    --
    End of file - 13982 bytes
     
  21. 2009/04/16
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    It had a hiccup of sorts I reckon......

    Seeing any improvements yet?

    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.



    Next: Please disable all onboard security programs (all running with background protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    Reglock::
    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.** "*%\OpenWithList]
    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4*Y%€%]
    [HKEY_USERS\S-1-5-21-137204461-1868627130-1733552116-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4*Y%€%\OpenWithList]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HONOR_XUNSENT_IN_FILE]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
    RegNULL::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
    Driver::
    W3ksrvmi
    Wmbplervicr
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [​IMG]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.






    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable the onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      * Click on: Save Report As
      * Next, in the Save as prompt, Save in area, select: Desktop
      * In the File name area, use KScan, or something similar
      * In Save as type, click the drop arrow and select: Text file [*.txt]
      * Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note.. for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
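
For comparing the HijackThis log posted earlier with the new one requested here, the following is an added example (not part of the original thread, and not code from HijackThis or ComboFix). It parses `O23 - Service:` lines, lists the entries HijackThis marks `(no file)`, `(file missing)` or `Unknown owner`, and reports which service names disappear between two logs. The function names are hypothetical.

```python
import re
from collections import namedtuple

# Sample input: five O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Mqdfm2vc - McAfee, Inc. - (no file)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

Service = namedtuple("Service", "display name owner path flags")
# A trailing "(ShortName)" is the service key name; earlier parentheses belong to the display name.
_LABEL = re.compile(r"^(?P<display>.*?)\s*\((?P<name>[^()]+)\)$")

def parse_o23(line):
    """Parse one 'O23 - Service:' line; return None for any other line."""
    line = line.strip()
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)  # label - owner - path
    if len(parts) != 3:
        return None
    label, owner, path = (p.strip() for p in parts)
    m = _LABEL.match(label)
    display, name = (m["display"], m["name"]) if m else (label, label)
    flags = []
    if path == "(no file)":
        flags.append("no-file")
    elif path.endswith("(file missing)"):
        flags.append("file-missing")
        path = path[: -len("(file missing)")].rstrip()
    if owner == "Unknown owner":
        flags.append("unknown-owner")
    return Service(display, name, owner, path, tuple(flags))

def triage(log_text):
    """Return the services that carry at least one flag, in log order."""
    return [s for s in map(parse_o23, log_text.splitlines()) if s and s.flags]

def removed_services(before, after):
    """Service names present in the first log but absent from the second."""
    names = lambda text: {s.name for s in map(parse_o23, text.splitlines()) if s}
    return sorted(names(before) - names(after))
```

A flag marks an entry for a closer look, not a verdict: leftover services from uninstalled software also show up as `file-missing`.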
     