
Solved Iexplore Hidden process

Discussion in 'Malware and Virus Removal Archive' started by subbuteorob, 2010/09/05.

  1. 2010/09/05
    subbuteorob

    subbuteorob Inactive Thread Starter

    Joined:
    2010/09/05
    Messages:
    34
    Likes Received:
    0
    [Resolved] Iexplore Hidden process

    Hi there

    Have the dreaded Iexplore.exe virus I think. Hidden Finder program finds it from time to time. Seems to reinstall on boot. I use Firefox as web browser and have changed the LAN settings on Internet Explorer to 0.0.0.0 Port 80 to deactivate it. No popups now but still running in background. Am I still in danger?

    Here is log file

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 20:17:56, on 05/09/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\Prevx\prevx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\wltray.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Prevx\prevx.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PriceGong - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.1.0\PriceGongIE.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100826201113.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [HiddenFinder] C:\Program Files\HiddenFinder\hiddenfinder.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)" - "http://news.bbc.co.uk/sport1/hi/football/fa_cup/virtual_replay/6636845.stm?goalid=501071 "
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [tpasokag] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lakeyiflw\vadxyidshdw.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: IRIS Email Monitor Service (IrisEmailMonitorService) - Unknown owner - C:\IRIS\IrisEmailMonitorService.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: Sage SData Service - Sage (UK) Limited - C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 11780 bytes


    Please help, I'm a bit out of my depth here.
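As an added illustration (not code from this thread, from HijackThis or from DDS), here is a Python triage helper that parses O4 autostart and O23 service lines in the exact format HijackThis 2.0.4 writes them and scores each entry on the things an analyst looks for in a log like the one above: an executable under a user profile's Local Settings/Application Data, a service-account profile, a SYSTEM-context entry outside the Windows and Program Files trees, and an orphaned service pointing at a missing file. The sample lines are copied from the posted log; the weights, the threshold and the random-name heuristic are my assumptions, not a verdict on any entry.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O4 (autostart) and O23 (service) lines copied from the
# HijackThis 2.0.4 log posted above, in the exact format HJT writes them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tpasokag] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lakeyiflw\vadxyidshdw.exe (User 'SYSTEM')
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
"""

# O4 line shape: O4 - <hive>\..\<key>: [<value name>] <command> [(User '<account>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O23 line shape: O23 - Service: <display name> - <owner> - <command> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# First executable on a command line; unquoted paths may themselves contain spaces.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|com|bat|cmd|pif|dll))"?(?=\s|$)', re.I)

# Heuristic location checks (assumed weights, see assess()).
PROFILE_DIR_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings|application data|temp)\\", re.I)
SERVICE_ACCOUNT_RE = re.compile(
    r"\\documents and settings\\(?:networkservice|localservice)\\", re.I)
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.I)  # weak "random name" signal


@dataclass
class Entry:
    kind: str                 # "O4" (autostart) or "O23" (service)
    name: str                 # registry value name or service display name
    path: str                 # executable extracted from the command line
    user: Optional[str]       # account HJT reported for an HKUS entry, else None
    file_missing: bool = False


@dataclass
class Finding:
    entry: Entry
    score: int
    reasons: List[str] = field(default_factory=list)


def exe_path(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], exe_path(m["cmd"]), m["user"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], exe_path(m["cmd"]), None,
                                 file_missing=m["missing"] is not None))
    return entries


def in_system_location(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\windows\\") or "\\program files\\" in p or "\\progra~1\\" in p


def assess(entry: Entry) -> Finding:
    """Score one entry. Weights are an assumed triage heuristic, not a verdict."""
    base = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    checks = [
        (PROFILE_DIR_RE.search(entry.path), 2,
         "executable lives in a user-profile data/temp directory"),
        (SERVICE_ACCOUNT_RE.search(entry.path), 2,
         "executable sits in a service-account profile (NetworkService/LocalService)"),
        (entry.user == "SYSTEM" and not in_system_location(entry.path), 1,
         "runs as SYSTEM from outside the Windows/Program Files trees"),
        (CONSONANT_RUN_RE.search(base), 1,
         f"random-looking file name '{base}' (weak signal on its own)"),
    ]
    score = sum(w for hit, w, _ in checks if hit)
    reasons = [r for hit, _, r in checks if hit]
    if entry.file_missing:
        reasons.append("service points at a missing file (orphaned registration)")
    return Finding(entry, score, reasons)


def triage(text: str, threshold: int = 2) -> List[Finding]:
    """Entries worth a second look: score >= threshold, plus orphaned services."""
    return [f for f in map(assess, parse_hjt(text))
            if f.score >= threshold or f.entry.file_missing]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind} [{f.entry.name}] score={f.score}: {'; '.join(f.reasons)}")
```

Single weak signals such as a consonant run are deliberately below the threshold on their own, so legitimate but oddly named binaries like igfxtray.exe or CTFMON.EXE are not reported.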
     
  2. 2010/09/05
    PeteC

    PeteC SuperGeek Staff

    Welcome to WindowsBBS :)

    Please read this as indicated at the head of the forum and post the logs requested in this thread.

    An HJT log is not required unless specifically asked for by a Malware Analyst.
     


  4. 2010/09/05
    subbuteorob

    subbuteorob Inactive Thread Starter

    Hi Pete

    Thanks for the information. Here are the logs:

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Robert Jones at 21:53:22.37 on 05/09/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.431 [GMT 1:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\Prevx\prevx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    svchost.exe 4
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\wltray.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    svchost.exe 4
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Prevx\prevx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Robert Jones\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://www.euro.dell.com
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
    uInternet Settings,ProxyOverride = 127.0.0.1
    uInternet Settings,ProxyServer = 0.0.0.0:80
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100826201113.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [Yahoo! Pager] c:\progra~1\yahoo!\messen~1\ypager.exe -quiet
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103472 - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)" - "http://news.bbc.co.uk/sport1/hi/football/fa_cup/virtual_replay/6636845.stm?goalid=501071 "
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe "
    mRun: [wltray.exe] c:\windows\system32\wltray.exe
    mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
    mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [HiddenFinder] c:\program files\hiddenfinder\hiddenfinder.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRun: [tpasokag] c:\documents and settings\networkservice\local settings\application data\lakeyiflw\vadxyidshdw.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\sv16cfl2.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11649&client_id=c4d42c4882e2233ea88844c4&camp_id=1500&install_time=2010-07-20T21:24:03Z&tb_version=2.4.4000%28F%29&pr=auto&q=
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
    FF - component: c:\program files\pricegong\2.1.0\ff\components\PriceGongFF.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-10 385880]
    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-9-5 30320]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-26 82952]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
    R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-9-5 6394368]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; "c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-26 271480]
    R2 McMPFSvc;McAfee Personal Firewall; "c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-26 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer; "c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-26 271480]
    R2 McProxy;McAfee Proxy Service; "c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-26 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-26 170144]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-26 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-26 141792]
    R2 MSSQL$IRISPRACTICE;SQL Server (IRISPRACTICE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
    R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-9-5 69736]
    R2 Sage SData Service;Sage SData Service;c:\program files\common files\sage sdata\Sage.SData.Service.exe [2009-8-21 49152]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-26 55456]
    R3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [2010-9-5 8576]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-10 152320]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-10 51688]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-26 312616]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-26 88480]
    R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-9-5 24400]
    S3 IrisEmailMonitorService;IRIS Email Monitor Service;c:\iris\irisemailmonitorservice.exe --> c:\iris\IrisEmailMonitorService.exe [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-26 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-26 83496]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-10 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-10 40552]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-06-14 14:30:28 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2002-04-16 11:27:54 5 --sha-w- c:\windows\system32\CdI5T.drv
    1998-03-20 00:00:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
    1998-03-20 00:00:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
    1998-03-20 00:00:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
    1998-03-20 00:00:00 1048 --sha-w- c:\windows\system32\TMailRL.sys

    ============= FINISH: 21:54:35.73 ===============

  5. 2010/09/05
    subbuteorob

    subbuteorob Inactive Thread Starter

    Joined:
    2010/09/05
    Messages:
    34
    Likes Received:
    0
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 08/11/2007 22:05:54
    System Uptime: 09/05/2010 21:47:49 (2856 hours ago)

    Motherboard: Dell Inc. | | 0RF705
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Microprocessor | 1860/1066mhz
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Microprocessor | 1860/1066mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 74 GiB total, 4.889 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP739: 08/06/2010 19:42:32 - System Checkpoint
    RP740: 09/06/2010 07:51:46 - Software Distribution Service 3.0
    RP741: 10/06/2010 19:13:25 - System Checkpoint
    RP742: 11/06/2010 22:09:14 - Software Distribution Service 3.0
    RP743: 13/06/2010 19:17:37 - System Checkpoint
    RP744: 15/06/2010 08:28:38 - System Checkpoint
    RP745: 16/06/2010 19:02:39 - System Checkpoint
    RP746: 18/06/2010 08:44:13 - System Checkpoint
    RP747: 20/06/2010 23:18:09 - System Checkpoint
    RP748: 22/06/2010 22:10:54 - System Checkpoint
    RP749: 22/06/2010 22:55:33 - Software Distribution Service 3.0
    RP750: 25/06/2010 08:58:34 - System Checkpoint
    RP751: 26/06/2010 09:55:21 - System Checkpoint
    RP752: 27/06/2010 10:55:56 - System Checkpoint
    RP753: 29/06/2010 22:25:22 - System Checkpoint
    RP754: 01/07/2010 22:12:12 - System Checkpoint
    RP755: 03/07/2010 09:32:37 - System Checkpoint
    RP756: 04/07/2010 16:40:27 - System Checkpoint
    RP757: 04/07/2010 22:01:51 - Software Distribution Service 3.0
    RP758: 05/07/2010 23:00:11 - Software Distribution Service 3.0
    RP759: 07/07/2010 22:15:18 - System Checkpoint
    RP760: 08/07/2010 04:43:58 - Software Distribution Service 3.0
    RP761: 08/07/2010 22:19:51 - Software Distribution Service 3.0
    RP762: 10/07/2010 09:00:54 - System Checkpoint
    RP763: 10/07/2010 23:16:49 - Software Distribution Service 3.0
    RP764: 11/07/2010 22:53:16 - Software Distribution Service 3.0
    RP765: 13/07/2010 15:11:37 - Software Distribution Service 3.0
    RP766: 14/07/2010 18:40:50 - Software Distribution Service 3.0
    RP767: 14/07/2010 22:58:47 - Software Distribution Service 3.0
    RP768: 15/07/2010 23:26:16 - System Checkpoint
    RP769: 18/07/2010 10:26:31 - Software Distribution Service 3.0
    RP770: 19/07/2010 03:00:15 - Software Distribution Service 3.0
    RP771: 20/07/2010 04:00:59 - Software Distribution Service 3.0
    RP772: 20/07/2010 22:55:38 - Software Distribution Service 3.0
    RP773: 21/07/2010 22:08:56 - Software Distribution Service 3.0
    RP774: 05/08/2010 19:27:46 - System Checkpoint
    RP775: 05/08/2010 23:05:16 - Software Distribution Service 3.0
    RP776: 06/08/2010 08:24:06 - Software Distribution Service 3.0
    RP777: 06/08/2010 23:19:22 - Software Distribution Service 3.0
    RP778: 07/08/2010 22:57:22 - Software Distribution Service 3.0
    RP779: 08/08/2010 22:40:24 - Software Distribution Service 3.0
    RP780: 11/08/2010 19:07:40 - System Checkpoint
    RP781: 13/08/2010 14:00:43 - System Checkpoint
    RP782: 14/08/2010 13:15:36 - Software Distribution Service 3.0
    RP783: 16/08/2010 18:57:55 - System Checkpoint
    RP784: 17/08/2010 03:00:14 - Software Distribution Service 3.0
    RP785: 17/08/2010 18:24:04 - Software Distribution Service 3.0
    RP786: 17/08/2010 22:58:13 - Software Distribution Service 3.0
    RP787: 18/08/2010 22:22:07 - Software Distribution Service 3.0
    RP788: 19/08/2010 07:23:56 - Software Distribution Service 3.0
    RP789: 19/08/2010 22:31:55 - Software Distribution Service 3.0
    RP790: 19/08/2010 22:56:03 - Software Distribution Service 3.0
    RP791: 20/08/2010 07:55:52 - Software Distribution Service 3.0
    RP792: 21/08/2010 08:39:46 - System Checkpoint
    RP793: 22/08/2010 10:07:18 - Software Distribution Service 3.0
    RP794: 24/08/2010 18:58:22 - Software Distribution Service 3.0
    RP795: 25/08/2010 20:27:51 - System Checkpoint
    RP796: 25/08/2010 22:54:22 - Software Distribution Service 3.0
    RP797: 26/08/2010 22:27:56 - Software Distribution Service 3.0
    RP798: 28/08/2010 11:58:01 - System Checkpoint
    RP799: 28/08/2010 22:48:42 - Software Distribution Service 3.0
    RP800: 30/08/2010 18:53:55 - System Checkpoint
    RP801: 01/09/2010 18:51:36 - System Checkpoint
    RP802: 02/09/2010 22:25:48 - System Checkpoint
    RP803: 03/09/2010 17:56:57 - Software Distribution Service 3.0
    RP804: 04/09/2010 19:17:33 - System Checkpoint
    RP805: 05/09/2010 20:14:19 - Installed HiJackThis

    ==== Installed Programs ======================

    7-Zip 4.65
    Accounts
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Photoshop 5.5
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player 11
    Audacity 1.2.6
    Broadcom ASF Management Applications
    Broadcom Management Programs
    BT Broadband Desktop Help
    BT Broadband Talk Softphone 2.0
    BT Home Hub
    BT NetProtect Plus
    BT Voyager Wireless Utility
    BT Wireless Connection Manager
    BT Yahoo! Applications
    CCleaner
    Critical Update for Windows Media Player 11 (KB959772)
    Dell ETS Factory Installation
    EasyWeather
    Exterminate It!
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
    Google Earth
    Google Toolbar for Internet Explorer
    Hidden Finder 1.5.6 Pro
    High Definition Audio Driver Package - KB835221
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB908673)
    Hotfix for Windows XP (KB909095)
    Hotfix for Windows XP (KB921411)
    Hotfix for Windows XP (KB924455)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    IRIS Foundation Services Customer
    IRIS Practice - Microsoft SQLExpress Environment setup
    IRIS Practice SQL Instance Wrapper
    IRIS Practice Suite
    IRIS Practice Workstation Configuration Utility v5.6.0
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 17
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2000 Premium
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (IRISPRACTICE)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Management Objects Collection
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    ML-1200 Series
    Mozilla Firefox (3.5.11)
    MSXML 6 Service Pack 2 (KB973686)
    Nikon View 6
    picture-shark 1.0
    PowerDVD 5.7
    Prevx
    PriceGong 2.1.0
    RealPlayer
    Sage 50 Accounts
    Sage 50 Accounts 2008
    Sage 50 Accounts 2010
    Sage Accounts 2007
    Sage Accounts V10.00
    Sage MIS 3.01
    SageAcc
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    SUPERAntiSpyware
    Turbo Lister 2
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VTech® Photo Editor
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinZip 14.0
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    29/08/2010 22:13:17, error: MRxSmb [8003] - The master browser has received a server announcement from the computer JONES-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DEC956A7-41C5-4314-. The master browser is stopping or an election is being forced.
    29/08/2010 15:33:43, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    05/09/2010 10:45:49, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.
    05/09/2010 10:44:31, information: Windows File Protection [64002] - File replacement was attempted on the protected system file iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.
    05/09/2010 10:43:38, information: Windows File Protection [64002] - File replacement was attempted on the protected system file alg.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
    05/09/2010 10:43:27, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
    03/09/2010 22:21:21, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments " " in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    03/09/2010 21:44:17, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    03/09/2010 20:21:22, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The system cannot find the file specified.
    03/09/2010 19:57:55, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    03/09/2010 19:57:55, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    03/09/2010 19:52:18, error: System Error [1003] - Error code 00000006, parameter1 00000000, parameter2 00000000, parameter3 00000000, parameter4 00000000.
    03/09/2010 17:57:59, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the McNaiAnn service.
    03/09/2010 17:57:00, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
    02/09/2010 23:07:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    02/09/2010 23:06:46, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    02/09/2010 22:42:17, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments " " in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    02/09/2010 22:38:41, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The McAfee Personal Firewall service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    02/09/2010 22:38:41, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    01/09/2010 20:29:47, error: Service Control Manager [7022] - The Windows Time service hung on starting.
    01/09/2010 20:29:45, error: Service Control Manager [7022] - The Sage SData Service service hung on starting.
    01/09/2010 19:41:54, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

    ==== End Of File ===========================



    Thanks
     
    Last edited by a moderator: 2010/09/05
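The Event Viewer excerpt above carries the clearest indicators in the whole log set: Windows File Protection putting iexplore.exe and alg.exe back after something tried to replace them, boot-start driver load failures that include the McAfee and SUPERAntiSpyware drivers, and the security services terminating. As an added example, not part of the forum post or of any tool mentioned in the thread, here is a small triage script that parses lines in that Event Viewer text format and pulls those indicators out. The sample lines are copied from the excerpt above; the event IDs it keys on (64002, 7026, 7031, 7034) are taken from those lines, and the mapping of driver names to security products is an assumption made for this example.

```python
"""Added example (not from the forum thread or any tool it mentions): triage an
Event Viewer text dump in the "date time, level: Source [id] - message" format
and pull out the events that point at tampering rather than noise."""
import ntpath
import re

# Matches lines such as:
# 05/09/2010 10:45:49, information: Windows File Protection [64002] - File replacement ...
EVENT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# Event IDs as they appear in the excerpt above.
WFP_RESTORE = 64002            # Windows File Protection restored a protected file
DRIVER_LOAD_FAILED = 7026      # boot-start / system-start driver(s) failed to load
SVC_TERMINATED = (7031, 7034)  # a service terminated unexpectedly

# Assumption for this example: which failed drivers belong to security products
# (mfe* = McAfee, sas* = SUPERAntiSpyware, as the driver list later in the thread suggests).
SECURITY_DRIVERS = frozenset({"mfehidk", "mfetdi2k", "sasdifsv", "saskutil"})

# Sample input: lines copied from the Event Viewer excerpt above.
SAMPLE_LOG = r"""
05/09/2010 10:45:49, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.
05/09/2010 10:44:31, information: Windows File Protection [64002] - File replacement was attempted on the protected system file iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.2180.
05/09/2010 10:43:38, information: Windows File Protection [64002] - File replacement was attempted on the protected system file alg.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
05/09/2010 10:43:27, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
03/09/2010 19:57:55, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
03/09/2010 19:57:55, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
02/09/2010 22:38:41, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
"""


def parse_events(text):
    """Parse every well-formed event line into a dict; skip anything else."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def triage(events):
    """Extract the three indicator classes an analyst would look at first."""
    out = {"wfp_restored": [], "drivers_failed": set(), "services_crashed": []}
    for ev in events:
        msg = ev["msg"]
        if ev["id"] == WFP_RESTORE and ev["source"] == "Windows File Protection":
            m = re.search(r"protected system file (.+?)\. This file", msg)
            if m:  # normalise full paths and bare names to the file name
                out["wfp_restored"].append(ntpath.basename(m.group(1)).lower())
        elif ev["id"] == DRIVER_LOAD_FAILED:
            m = re.search(r"failed to load: (.*)$", msg)
            if m:
                out["drivers_failed"].update(m.group(1).split())
        elif ev["id"] in SVC_TERMINATED:
            m = re.match(r"The (.+?) service terminated unexpectedly", msg)
            if m:
                out["services_crashed"].append(m.group(1))
    return out


def findings(tri):
    """Turn the extracted indicators into plain-English findings."""
    notes = []
    for name in sorted(set(tri["wfp_restored"])):
        notes.append(f"something tried to overwrite protected binary {name}; WFP restored the original")
    hit = sorted(d for d in tri["drivers_failed"] if d.lower() in SECURITY_DRIVERS)
    if hit:
        notes.append("security-product drivers failed to load at boot: " + ", ".join(hit))
    if tri["services_crashed"]:
        notes.append("services that terminated unexpectedly: " + ", ".join(tri["services_crashed"]))
    return notes


if __name__ == "__main__":
    for note in findings(triage(parse_events(SAMPLE_LOG))):
        print("-", note)
```

A WFP 64002 event on a browser or service binary is worth more than a clean antivirus scan: it records that some process already tried to replace the file, and WFP only restores what it knows about. Pair the drivers-failed list with the running-driver list from a tool such as MBRCheck to see whether the security drivers loaded on a later boot.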
  6. 2010/09/05
    PeteC SuperGeek Staff
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  7. 2010/09/05
    broni Moderator Malware Analyst
    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2010/09/06
    subbuteorob Inactive Thread Starter
    Thanks Pete and Broni

    Just for your info I am in UK and problems are on my home computer so it will be this evening before I post the logs.

    Thanks so much for your help.

    Robert
     
  9. 2010/09/06
    broni Moderator Malware Analyst
    No problem :)
     
  10. 2010/09/06
    subbuteorob Inactive Thread Starter
    Having trouble with GMER. Went down to eat; on my return, blue error screen. Will try once more.

    This one looks interesting?!

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 130):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E3000 \WINDOWS\system32\hal.dll
    0xF7A72000 \WINDOWS\system32\KDCOM.DLL
    0xF7982000 \WINDOWS\system32\BOOTVID.dll
    0xF7443000 ACPI.sys
    0xF7A74000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7432000 pci.sys
    0xF7572000 isapnp.sys
    0xF7B3A000 pciide.sys
    0xF77F2000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7582000 MountMgr.sys
    0xF7413000 ftdisk.sys
    0xF7A76000 dmload.sys
    0xF73ED000 dmio.sys
    0xF77FA000 PartMgr.sys
    0xF7802000 pxscan.sys
    0xF7592000 VolSnap.sys
    0xF73D5000 atapi.sys
    0xF75A2000 disk.sys
    0xF75B2000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF73B5000 fltMgr.sys
    0xF73A3000 sr.sys
    0xF7346000 mfehidk.sys
    0xF732F000 KSecDD.sys
    0xF731C000 WudfPf.sys
    0xF728F000 Ntfs.sys
    0xF7262000 NDIS.sys
    0xF7247000 Mup.sys
    0xF77A2000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF6B8E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF6B7A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF78F2000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6B57000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF78FA000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF6B31000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF6B07000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xF6AF3000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF77B2000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7A62000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF77C2000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF77D2000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF77E2000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6AD0000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7C53000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF6ABC000 \SystemRoot\system32\DRIVERS\mfendisk.sys
    0xF75D2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7A6E000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6AA5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF75E2000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF75F2000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7902000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6A94000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7602000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF6A70000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xF6A25000 \SystemRoot\system32\drivers\mfefirek.sys
    0xF790A000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7912000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF69CC000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF7612000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF791A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7922000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7AA4000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6973000 \SystemRoot\system32\DRIVERS\update.sys
    0xF6C9E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7642000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7652000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7AAE000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA9EFA000 \SystemRoot\system32\drivers\ADIHdAud.sys
    0xA9ED8000 \SystemRoot\system32\drivers\portcls.sys
    0xF7662000 \SystemRoot\system32\drivers\drmk.sys
    0xA9E78000 \SystemRoot\system32\drivers\Senfilt.sys
    0xF7AB2000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7A5A000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF7682000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF793A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF7AB4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7BD8000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7AB6000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF794A000 \SystemRoot\System32\drivers\vga.sys
    0xF7AB8000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7ABA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7952000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF795A000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF6A05000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA9D7D000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA9D25000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA9D12000 \SystemRoot\system32\drivers\mfetdi2k.sys
    0xA9CF1000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xA9CC9000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF76A2000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA9CA7000 \SystemRoot\System32\drivers\afd.sys
    0xF76B2000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA9C85000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF7962000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xA9C5A000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9BEB000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF76C2000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF69FD000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF797A000 \SystemRoot\System32\drivers\pxkbf.sys
    0xF6CAE000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF7882000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF7782000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA9BE7000 \SystemRoot\system32\DRIVERS\usb8023.sys
    0xF788A000 \SystemRoot\system32\DRIVERS\RNDISMPK.SYS
    0xA9BAB000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A7C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA9BCF000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7892000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C9E000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF022000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF049000 \SystemRoot\System32\igxpdv32.DLL
    0xBF186000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF76D2000 \SystemRoot\System32\drivers\pxrts.sys
    0xA9A87000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xA9A83000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA980F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7AAA000 \??\C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
    0xA970A000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA98B3000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA9355000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA8941000 \SystemRoot\system32\drivers\cfwids.sys
    0xA864C000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA87A5000 \??\C:\WINDOWS\system32\drivers\KProcWatch.sys
    0xA842E000 \SystemRoot\system32\drivers\mfeapfk.sys
    0xA8879000 \SystemRoot\system32\drivers\mfebopk.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 56):
    0 System Idle Process
    4 System
    964 C:\WINDOWS\system32\smss.exe
    1288 csrss.exe
    1340 C:\WINDOWS\system32\winlogon.exe
    1384 C:\WINDOWS\system32\services.exe
    1396 C:\WINDOWS\system32\lsass.exe
    1580 C:\WINDOWS\system32\svchost.exe
    1628 svchost.exe
    1668 C:\WINDOWS\system32\svchost.exe
    1708 C:\WINDOWS\system32\svchost.exe
    1888 svchost.exe
    248 C:\WINDOWS\system32\wltrysvc.exe
    328 C:\WINDOWS\system32\bcmwltry.exe
    412 C:\WINDOWS\system32\spoolsv.exe
    520 svchost.exe
    564 C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    636 C:\Program Files\Prevx\prevx.exe
    860 C:\Program Files\Java\jre6\bin\jqs.exe
    872 C:\WINDOWS\explorer.exe
    1028 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    1056 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    1084 C:\Program Files\Common Files\Motive\McciCMService.exe
    1144 C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
    1148 C:\WINDOWS\system32\svchost.exe
    1184 sqlservr.exe
    1760 C:\WINDOWS\system32\hkcmd.exe
    1784 C:\WINDOWS\system32\igfxpers.exe
    1792 C:\Program Files\Analog Devices\Core\smax4pnp.exe
    1816 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    1836 C:\WINDOWS\system32\wltray.exe
    1852 C:\Program Files\Yahoo!\browser\ybrwicon.exe
    1884 C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    1988 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    2020 C:\Program Files\Java\jre6\bin\jusched.exe
    2040 C:\Program Files\Yahoo!\browser\ycommon.exe
    144 C:\Program Files\McAfee.com\Agent\mcagent.exe
    196 C:\Program Files\HiddenFinder\hiddenfinder.exe
    1932 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    732 C:\Program Files\Nikon\NkView6\NkvMon.exe
    1256 C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe
    1264 C:\WINDOWS\system32\svchost.exe
    1280 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    1956 sqlbrowser.exe
    2060 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    2076 C:\Program Files\Prevx\prevx.exe
    2104 C:\WINDOWS\system32\svchost.exe
    2152 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
    2300 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
    2336 C:\WINDOWS\system32\wuauclt.exe
    3508 wmiprvse.exe
    3632 alg.exe
    2332 C:\Program Files\Mozilla Firefox\firefox.exe
    2508 C:\WINDOWS\system32\svchost.exe
    3284 C:\WINDOWS\system32\wuauclt.exe
    3424 C:\Documents and Settings\Robert Jones\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800JD-75MSA3, Rev: 10.01E04

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
    SHA1: 03E1192C8D2906347379C165AD0106C4AF7F0559


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:


    And Malwarebytes looks clean, but I did run that a few times before I sought your help.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4538

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    06/09/2010 18:31:19
    mbam-log-2010-09-06 (18-31-19).txt

    Scan type: Quick scan
    Objects scanned: 146799
    Time elapsed: 9 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
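The MBRCheck output above shows the three things an MBR checker looks at: the boot code in the first sector (reported here as known-bad with its SHA1), the partition table, and where the OS says the C: volume starts on the disk (offset 0x02f10c00). As an added example, not code from the forum thread or from MBRCheck itself, here is a small parser that performs the same checks on a constructed boot sector: it hashes the boot code, compares the hash against an allowlist of trusted boot code, and cross-checks the partition table against the reported volume offset. The clean and infected sectors, the allowlist and the 440-byte hash window are assumptions made for this example; the partition start is derived from the 0x02f10c00 offset printed above.

```python
"""Added example (not the forum's or MBRCheck's own code): parse a 512-byte MBR,
hash its boot code against an allowlist, and cross-check the partition table
against the volume offset the OS reports."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # assumption: hash bytes 0..439, the code area before the disk signature
PART_TABLE_OFF = 446  # four 16-byte partition entries
SIG_OFF = 510         # 0x55 0xAA boot signature


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, n_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": n_sectors})
    return {"boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
            "partitions": parts}


def check_mbr(sector, known_good, volume_offset_bytes=None):
    """known_good: upper-case SHA1 hex digests of boot code you trust.
    volume_offset_bytes: where the OS says the system volume starts on the disk."""
    info = parse_mbr(sector)
    verdict = {
        "boot_code_sha1": info["boot_code_sha1"],
        "status": "known-good" if info["boot_code_sha1"] in known_good else "non-standard",
        "partitions": info["partitions"],
    }
    if volume_offset_bytes is not None:
        starts = {p["lba_start"] * SECTOR for p in info["partitions"]}
        verdict["volume_matches_table"] = volume_offset_bytes in starts
    return verdict


def build_mbr(boot_code, partitions):
    """Construct a test MBR: boot code padded to 440 bytes, zero disk signature, table, 55AA."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sec = bytearray(SECTOR)
    sec[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, n) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sec[off] = status
        sec[off + 4] = ptype
        struct.pack_into("<II", sec, off + 8, lba, n)
    sec[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sec)


# Constructed sample data: a "clean" sector whose boot code is pre-registered as
# known-good, and the same sector with its boot code overwritten. The partition
# table is left intact, as a bootkit would, so the system still boots normally.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 32
PARTS = [(0x80, 0x07, 0x02F10C00 // SECTOR, 156_000_000)]  # C: start from the MBRCheck output above
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha1"]}
INFECTED_MBR = build_mbr(b"\xeb\xfe" + b"\x41" * 400, PARTS)


def demo():
    return {"clean": check_mbr(CLEAN_MBR, KNOWN_GOOD, 0x02F10C00),
            "infected": check_mbr(INFECTED_MBR, KNOWN_GOOD, 0x02F10C00)}


if __name__ == "__main__":
    for name, v in demo().items():
        table = "table matches volume" if v["volume_matches_table"] else "table/volume MISMATCH"
        print(f"{name}: {v['status']} sha1={v['boot_code_sha1']} ({table})")
```

The infected sector still passes the partition-table check, which is the point: a bootkit that only replaces the boot code leaves the OS view of the disk untouched, so only the hash (or a byte-level comparison with a trusted MBR) catches it. Reading the first sector from inside the running system is also not conclusive, because a rootkit that filters disk reads can hand back the original bytes; a read from boot media is the reliable one.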
  11. 2010/09/06
    broni Moderator Malware Analyst
    Skip GMER for now.
    You're infected with a bootkit.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. 2010/09/06
    subbuteorob Inactive Thread Starter
    ComboFix 10-09-06.02 - Robert Jones 06/09/2010 22:03:45.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.531 [GMT 1:00]
    Running from: c:\documents and settings\Robert Jones\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\LocalService\Application Data\PriceGong
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\LocalService\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\NetworkService\Application Data\alot
    c:\documents and settings\NetworkService\Application Data\PriceGong
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\NetworkService\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\z.xml
    C:\Thumbs.db
    c:\windows\system32\config\systemprofile\Application Data\alot

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
    .

    2010-09-05 19:14 . 2010-09-05 19:14 388096 ----a-r- c:\documents and settings\Robert Jones\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-05 19:14 . 2010-09-05 19:14 -------- d-----w- c:\program files\Trend Micro
    2010-09-05 18:34 . 2010-09-05 18:34 68120 ----a-w- c:\windows\system32\PxSecure.dll
    2010-09-05 18:34 . 2010-09-05 18:34 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-09-05 18:34 . 2010-09-05 18:34 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2010-09-05 18:34 . 2010-09-05 18:34 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
    2010-09-05 18:34 . 2010-09-05 18:34 -------- d-----w- c:\program files\Prevx
    2010-09-05 18:34 . 2010-09-05 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
    2010-09-05 18:17 . 2010-09-05 18:17 -------- d-----w- c:\program files\CCleaner
    2010-09-05 09:40 . 2010-09-05 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\viklcoygg
    2010-09-05 09:40 . 2010-09-05 09:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\viklcoygg
    2010-09-05 09:20 . 2010-09-05 09:20 -------- d-----w- c:\program files\HiddenFinder
    2010-09-05 09:20 . 2006-02-23 21:03 8576 ----a-w- c:\windows\system32\drivers\KProcWatch.sys
    2010-09-05 09:00 . 2010-09-05 09:11 -------- d-----w- c:\program files\HiddenFinderRegistered
    2010-09-03 20:20 . 2010-09-03 20:20 -------- d-----w- c:\documents and settings\Robert Jones\Application Data\Malwarebytes
    2010-09-03 20:20 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-03 20:20 . 2010-09-03 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-03 20:20 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-03 20:20 . 2010-09-03 20:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-03 17:39 . 2010-09-03 17:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\wmrpmplcm
    2010-09-02 19:39 . 2010-09-02 19:39 63488 ----a-w- c:\documents and settings\Robert Jones\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-02 19:39 . 2010-09-02 19:39 52224 ----a-w- c:\documents and settings\Robert Jones\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-02 19:39 . 2010-09-02 19:39 117760 ----a-w- c:\documents and settings\Robert Jones\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-02 19:38 . 2010-09-02 19:38 -------- d-----w- c:\documents and settings\Robert Jones\Application Data\SUPERAntiSpyware.com
    2010-09-02 19:38 . 2010-09-02 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-02 19:37 . 2010-09-02 19:38 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-28 21:51 . 2010-08-28 21:51 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
    2010-08-28 21:49 . 2010-08-28 21:49 -------- d-----w- c:\windows\SQL9_KB970892_ENU
    2010-08-26 19:11 . 2010-04-27 16:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-08-26 19:11 . 2010-04-27 16:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-08-26 19:11 . 2010-04-27 16:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-08-26 19:11 . 2010-04-27 16:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-08-26 19:11 . 2010-04-27 16:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-08-26 19:11 . 2010-04-27 16:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-08-26 19:10 . 2010-08-26 19:11 -------- d-----w- c:\program files\Common Files\Mcafee
    2010-08-26 19:10 . 2010-08-26 19:10 -------- d-----w- c:\program files\McAfee.com
    2010-08-26 19:10 . 2010-08-28 09:02 -------- d-----w- c:\program files\McAfee
    2010-08-24 21:31 . 2010-09-02 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-08-21 08:44 . 2010-09-05 19:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-08-19 06:24 . 2010-08-19 07:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\lakeyiflw
    2010-08-18 21:49 . 2010-09-05 19:04 -------- d-----w- c:\program files\Exterminate It!

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-03 17:58 . 2010-07-03 21:33 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-02 21:31 . 2007-11-18 13:52 -------- d-----w- c:\program files\Google
    2010-08-28 21:51 . 2007-11-10 12:52 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-08-28 09:08 . 2007-08-27 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-07-20 21:11 . 2010-07-20 21:11 -------- d-----w- c:\program files\7-Zip
    2010-07-20 21:11 . 2010-07-20 21:11 -------- d-----w- c:\program files\PriceGong
    2010-06-14 14:30 . 2004-08-11 16:12 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-04-27 16:16 . 2010-08-26 19:11 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    2002-04-16 11:27 . 2002-04-16 11:27 5 --sha-w- c:\windows\system32\CdI5T.drv
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
    2010-03-28 19:47 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "SoundMAXPnP "= "c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
    "DVDLauncher "= "c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "wltray.exe "= "c:\windows\system32\wltray.exe" [2005-01-29 696422]
    "YBrowser "= "c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
    "btbb_McciTrayApp "= "c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "Symantec PIF AlertEng "= "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "mcui_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2010-08-04 1180976]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-11 113664]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2007-11-11 241664]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe "=

    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [05/09/2010 19:34 30320]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [26/08/2010 20:11 82952]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
    R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [17/03/2006 17:25 65536]
    R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [05/09/2010 19:34 6394368]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; "c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [26/08/2010 20:10 271480]
    R2 McMPFSvc;McAfee Personal Firewall; "c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [26/08/2010 20:10 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer; "c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [26/08/2010 20:10 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [26/08/2010 20:11 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [26/08/2010 20:11 141792]
    R2 MSSQL$IRISPRACTICE;SQL Server (IRISPRACTICE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/05/2009 03:27 29262680]
    R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [05/09/2010 19:34 69736]
    R2 Sage SData Service;Sage SData Service;c:\program files\Common Files\Sage SData\Sage.SData.Service.exe [21/08/2009 16:52 49152]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [26/08/2010 20:11 55456]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [26/08/2010 20:11 312616]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [26/08/2010 20:11 88480]
    R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [05/09/2010 19:34 24400]
    S3 IrisEmailMonitorService;IRIS Email Monitor Service;c:\iris\IrisEmailMonitorService.exe --> c:\iris\IrisEmailMonitorService.exe [?]
    S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [05/09/2010 10:20 8576]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [26/08/2010 20:11 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [26/08/2010 20:11 83496]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://www.euro.dell.com
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
    uInternet Settings,ProxyOverride = 127.0.0.1
    uInternet Settings,ProxyServer = 0.0.0.0:80
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Robert Jones\Application Data\Mozilla\Firefox\Profiles\sv16cfl2.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11649&client_id=c4d42c4882e2233ea88844c4&camp_id=1500&install_time=2010-07-20T21:24Z&tb_version=2.4.4000%28F%29&pr=auto&q=
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
    FF - component: c:\program files\PriceGong\2.1.0\FF\components\PriceGongFF.dll
    FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-06 22:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1340)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2010-09-06 22:18:25
    ComboFix-quarantined-files.txt 2010-09-06 21:18

    Pre-Run: 5,241,999,360 bytes free
    Post-Run: 5,477,228,544 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - C410731ACAF5F0731932B2A94C961AF3
     
  13. 2010/09/06
    subbuteorob

    subbuteorob Inactive Thread Starter

    Joined:
    2010/09/05
    Messages:
    34
    Likes Received:
    0
    Log on its way (being moderated). Off to bed now. Thanks for your help I think we might have it beat.:D
     
  14. 2010/09/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\NetworkService\Application Data\viklcoygg
    c:\documents and settings\NetworkService\Local Settings\Application Data\viklcoygg
    c:\documents and settings\NetworkService\Local Settings\Application Data\wmrpmplcm
    c:\documents and settings\NetworkService\Local Settings\Application Data\lakeyiflw
    c:\program files\PriceGong
    
    DDS::
    uInternet Settings,ProxyOverride = 127.0.0.1
    uInternet Settings,ProxyServer = 0.0.0.0:80
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
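    As an added example (my own code, not ComboFix's and not something posted in this thread), here is a small Python triage script that reads a short log excerpt constructed in the style of the ComboFix output posted above, pulls out the items a malware analyst looks for in it (randomly named directories created under a service account's profile, Security Center monitoring switched off, the Windows Firewall off, a proxy configured, on-access scanning reported disabled), then parses a CFScript constructed after the one in this post and shows which finding each directive addresses and which findings it leaves alone. The "eight or more lowercase letters" rule for suspicious directory names and the finding categories are my heuristics, not anything ComboFix itself does; the excerpt writes the registry value names without the stray space the forum rendering puts before the closing quote, and the value regex tolerates that space anyway.

```python
import re

# Constructed excerpt in the style of the ComboFix log posted above (not the full log).
LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
2010-09-05 09:40 . 2010-09-05 09:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\viklcoygg
2010-09-03 17:39 . 2010-09-03 17:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\wmrpmplcm
2010-08-24 21:31 . 2010-09-02 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = 0.0.0.0:80
"""

# Constructed after the CFScript in this post (same directive types, fewer lines).
CFSCRIPT = r"""
Folder::
c:\documents and settings\NetworkService\Application Data\viklcoygg
c:\documents and settings\NetworkService\Local Settings\Application Data\wmrpmplcm

DDS::
uInternet Settings,ProxyServer = 0.0.0.0:80

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
"""

# Heuristic (my assumption): a directory created under a service account's profile
# whose final component is eight or more lowercase letters, like the random names above.
SERVICE_PROFILE_DIR = re.compile(
    r"d-----w- ((?i:c:\\documents and settings\\(?:NetworkService|LocalService)\\.*\\)([a-z]{8,}))$")
REG_KEY = re.compile(r"^\[(.+)\]$")
# Tolerates the trailing space the forum rendering puts inside the quotes.
REG_VALUE = re.compile(r'^"([^"]+?)\s*"\s*=\s*(.*)$')
SECTION = re.compile(r"^(\w+)::$")


def triage_log(text):
    """Return (kind, target) findings an analyst would pull out of the log excerpt."""
    findings, key = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("AV:", "FW:")) and "disabled" in line.lower():
            findings.append(("protection-disabled", line.split(" *")[0]))
        elif m := SERVICE_PROFILE_DIR.search(line):
            findings.append(("service-profile-dir", m.group(1)))
        elif m := REG_KEY.match(line):
            key = m.group(1)              # values that follow belong to this key
        elif (m := REG_VALUE.match(line)) and key:
            name, data = m.groups()
            if name == "DisableMonitoring" and "security center\\monitoring" in key.lower() and data.endswith("1"):
                findings.append(("security-center-muted", key + "\\" + name))
            elif name == "EnableFirewall" and data.startswith("0"):
                findings.append(("firewall-off", key + "\\" + name))
        elif line.startswith("uInternet Settings,Proxy"):
            findings.append(("proxy-set", line.split(" = ")[0]))
    return findings


def parse_cfscript(text):
    """Turn CFScript directives into an (action, target) plan.

    Folder:: lines name directories to delete, DDS:: lines name settings to reset,
    and Registry:: uses REGEDIT4 syntax where "name"=- deletes that value.
    """
    plan, section, key = [], None, None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SECTION.match(line):
            section, key = m.group(1), None
        elif section == "Folder":
            plan.append(("delete-folder", line))
        elif section == "DDS":
            plan.append(("reset-setting", line.split(" = ")[0]))
        elif section == "Registry":
            if m := REG_KEY.match(line):
                key = m.group(1)
            elif (m := REG_VALUE.match(line)) and key:
                name, data = m.groups()
                plan.append(("delete-value" if data == "-" else "set-value", key + "\\" + name))
    return plan


def reconcile(plan, findings):
    """Pair each planned action with the finding kind it addresses (None if none)."""
    kinds = {target.lower(): kind for kind, target in findings}
    return [(action, target, kinds.get(target.lower())) for action, target in plan]


def unaddressed(plan, findings):
    """Findings no directive in the script touches."""
    done = {target.lower() for _, target in plan}
    return [(kind, target) for kind, target in findings if target.lower() not in done]


if __name__ == "__main__":
    found, steps = triage_log(LOG), parse_cfscript(CFSCRIPT)
    for action, target, kind in reconcile(steps, found):
        print(f"{action:14} {target}  <- {kind or 'no matching finding'}")
    for kind, target in unaddressed(steps, found):
        print(f"left alone     {target}  ({kind})")
```

    Running it lists each directive beside the finding it addresses (both random-named folders, the proxy setting, and the McAfeeAntiVirus DisableMonitoring value), then what the script leaves untouched: the SymantecAntiVirus monitoring entry, the firewall being off, and McAfee's on-access scanning, which was switched off by hand in step 4 above and is not re-enabled by anything in the script, since CFScript directives only remove and reset the items listed.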
     
  15. 2010/09/07
    subbuteorob

    subbuteorob Inactive Thread Starter

    Joined:
    2010/09/05
    Messages:
    34
    Likes Received:
    0
    Hi Broni

    Thanks again. Will implement this evening.

    Could I ask what this does? Presumably it doesn't make IE my default web browser again as I manually reset the LAN settings again on IE to 0.0.0.0 and port 80 to disable it after ComboFix had completed its work. I haven't done anything else at all. I just thought I'd mention this in case I need to reset the LAN settings to default again!!

    Also why is McAfee being disabled?


    Robert
     
  16. 2010/09/07
    subbuteorob

    subbuteorob Inactive Thread Starter

    Joined:
    2010/09/05
    Messages:
    34
    Likes Received:
    0
    ComboFix 10-09-07.01 - Robert Jones 07/09/2010 22:36:17.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.550 [GMT 1:00]
    Running from: c:\documents and settings\Robert Jones\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Robert Jones\Desktop\CFscript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\NetworkService\Application Data\viklcoygg
    c:\documents and settings\NetworkService\Local Settings\Application Data\lakeyiflw
    c:\documents and settings\NetworkService\Local Settings\Application Data\viklcoygg
    c:\documents and settings\NetworkService\Local Settings\Application Data\wmrpmplcm
    c:\documents and settings\Robert Jones\Application Data\PriceGong
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Robert Jones\Application Data\PriceGong\Data\z.xml
    c:\program files\PriceGong
    c:\program files\PriceGong\2.1.0\FF\chrome.manifest
    c:\program files\PriceGong\2.1.0\FF\components\PriceGong.xpt
    c:\program files\PriceGong\2.1.0\FF\components\PriceGongFF.dll
    c:\program files\PriceGong\2.1.0\FF\content\options.js
    c:\program files\PriceGong\2.1.0\FF\content\options.xul
    c:\program files\PriceGong\2.1.0\FF\content\PriceGong.png
    c:\program files\PriceGong\2.1.0\FF\install.rdf
    c:\program files\PriceGong\2.1.0\PriceGongIE.dll
    c:\program files\PriceGong\uninst.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
    .

    2010-09-05 19:14 . 2010-09-05 19:14 388096 ----a-r- c:\documents and settings\Robert Jones\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-05 19:14 . 2010-09-05 19:14 -------- d-----w- c:\program files\Trend Micro
    2010-09-05 18:34 . 2010-09-05 18:34 68120 ----a-w- c:\windows\system32\PxSecure.dll
    2010-09-05 18:34 . 2010-09-05 18:34 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-09-05 18:34 . 2010-09-05 18:34 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2010-09-05 18:34 . 2010-09-05 18:34 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
    2010-09-05 18:34 . 2010-09-05 18:34 -------- d-----w- c:\program files\Prevx
    2010-09-05 18:34 . 2010-09-05 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
    2010-09-05 18:17 . 2010-09-05 18:17 -------- d-----w- c:\program files\CCleaner
    2010-09-05 09:20 . 2010-09-05 09:20 -------- d-----w- c:\program files\HiddenFinder
    2010-09-05 09:20 . 2006-02-23 21:03 8576 ----a-w- c:\windows\system32\drivers\KProcWatch.sys
    2010-09-05 09:00 . 2010-09-05 09:11 -------- d-----w- c:\program files\HiddenFinderRegistered
    2010-09-03 20:20 . 2010-09-03 20:20 -------- d-----w- c:\documents and settings\Robert Jones\Application Data\Malwarebytes
    2010-09-03 20:20 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-03 20:20 . 2010-09-03 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-03 20:20 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-03 20:20 . 2010-09-03 20:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-02 19:39 . 2010-09-02 19:39 63488 ----a-w- c:\documents and settings\Robert Jones\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-02 19:39 . 2010-09-02 19:39 52224 ----a-w- c:\documents and settings\Robert Jones\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-02 19:39 . 2010-09-02 19:39 117760 ----a-w- c:\documents and settings\Robert Jones\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-02 19:38 . 2010-09-02 19:38 -------- d-----w- c:\documents and settings\Robert Jones\Application Data\SUPERAntiSpyware.com
    2010-09-02 19:38 . 2010-09-02 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-02 19:37 . 2010-09-02 19:38 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-28 21:51 . 2010-08-28 21:51 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
    2010-08-28 21:49 . 2010-08-28 21:49 -------- d-----w- c:\windows\SQL9_KB970892_ENU
    2010-08-26 19:11 . 2010-04-27 16:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-08-26 19:11 . 2010-04-27 16:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-08-26 19:11 . 2010-04-27 16:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-08-26 19:11 . 2010-04-27 16:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-08-26 19:11 . 2010-04-27 16:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-08-26 19:11 . 2010-04-27 16:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-08-26 19:10 . 2010-08-26 19:11 -------- d-----w- c:\program files\Common Files\Mcafee
    2010-08-26 19:10 . 2010-08-26 19:10 -------- d-----w- c:\program files\McAfee.com
    2010-08-26 19:10 . 2010-08-28 09:02 -------- d-----w- c:\program files\McAfee
    2010-08-24 21:31 . 2010-09-02 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-08-21 08:44 . 2010-09-05 19:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-08-18 21:49 . 2010-09-05 19:04 -------- d-----w- c:\program files\Exterminate It!

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-03 17:58 . 2010-07-03 21:33 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-02 21:31 . 2007-11-18 13:52 -------- d-----w- c:\program files\Google
    2010-08-28 21:51 . 2007-11-10 12:52 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-08-28 09:08 . 2007-08-27 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-07-20 21:11 . 2010-07-20 21:11 -------- d-----w- c:\program files\7-Zip
    2010-06-14 14:30 . 2004-08-11 16:12 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-04-27 16:16 . 2010-08-26 19:11 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    2002-04-16 11:27 . 2002-04-16 11:27 5 --sha-w- c:\windows\system32\CdI5T.drv
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
    1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-06_21.15.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-07 17:33 . 2010-09-07 17:33 16384 c:\windows\Temp\Perflib_Perfdata_350.dat
    + 2007-10-24 13:35 . 2010-09-07 18:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-10-24 13:35 . 2010-09-06 20:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-10-24 13:35 . 2010-09-07 18:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-10-24 13:35 . 2010-09-06 20:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-09-07 17:59 . 2010-09-07 18:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "wltray.exe"="c:\windows\system32\wltray.exe" [2005-01-29 696422]
    "YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
    "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-08-04 1180976]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-11 113664]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2007-11-11 241664]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [05/09/2010 19:34 30320]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [26/08/2010 20:11 82952]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
    R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [17/03/2006 17:25 65536]
    R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [05/09/2010 19:34 6394368]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [26/08/2010 20:10 271480]
    R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [26/08/2010 20:10 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [26/08/2010 20:10 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [26/08/2010 20:11 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [26/08/2010 20:11 141792]
    R2 MSSQL$IRISPRACTICE;SQL Server (IRISPRACTICE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/05/2009 03:27 29262680]
    R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [05/09/2010 19:34 69736]
    R2 Sage SData Service;Sage SData Service;c:\program files\Common Files\Sage SData\Sage.SData.Service.exe [21/08/2009 16:52 49152]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [26/08/2010 20:11 55456]
    R3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [05/09/2010 10:20 8576]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [26/08/2010 20:11 312616]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [26/08/2010 20:11 88480]
    R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [05/09/2010 19:34 24400]
    S3 IrisEmailMonitorService;IRIS Email Monitor Service;c:\iris\IrisEmailMonitorService.exe --> c:\iris\IrisEmailMonitorService.exe [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [26/08/2010 20:11 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [26/08/2010 20:11 83496]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://www.euro.dell.com
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Robert Jones\Application Data\Mozilla\Firefox\Profiles\sv16cfl2.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11649&client_id=c4d42c4882e2233ea88844c4&camp_id=1500&install_time=2010-07-20T21:24Z&tb_version=2.4.4000%28F%29&pr=auto&q=
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
    FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{1631550F-191D-4826-B069-D9439253D926} - c:\program files\PriceGong\2.1.0\PriceGongIE.dll
    AddRemove-PriceGong - c:\program files\PriceGong\uninst.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1336)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2010-09-07 22:46:51
    ComboFix-quarantined-files.txt 2010-09-07 21:46
    ComboFix2.txt 2010-09-06 21:18

    Pre-Run: 5,601,832,960 bytes free
    Post-Run: 5,580,513,280 bytes free

    - - End Of File - - D9EEF6723B76116308C24618A36E6947
     
  17. 2010/09/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    How is computer doing?

    I'd like to see fresh MBRCheck log.
     
  18. 2010/09/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Are you still out there?
     
  19. 2010/09/12
    subbuteorob

    subbuteorob Inactive Thread Starter

    Joined:
    2010/09/05
    Messages:
    34
    Likes Received:
    0
    Sorry, didn't see your last post. Went quiet for a few days so thought you might be away.

    Will post a log up in the next day or so.

    No problems at this end - think it is sorted but will post up a log.

    Can't thank you enough for your help! :D
     
  20. 2010/09/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're welcome, but we're definitely not done yet.

    What do you mean by "quiet"? I posted and you didn't reply...hmmmm
     
  21. 2010/09/12
    subbuteorob

    subbuteorob Inactive Thread Starter

    Joined:
    2010/09/05
    Messages:
    34
    Likes Received:
    0
    I do apologize, I didn't see the second page. Silly me. Didn't get a notification of that post.
     