ie browser search hijack

[Superdave]

Please look in the C:\QooBox folder and see if you can find the .txt log and post it here.

[dhammer]

no ComboFix log

 

No log from yesterday either on my desktop or in Qoobox folder. Only ones are from the scans you had me do on 2/27 and 2/24.

 

An odd thing - and I don't know if this is relevant - when I did a standard Windows search for the log files, the result was showing 35 indentical instances of each of the logs in that folder before I just stopped the search. File dates, times, location, everything identical.

[Superdave]

Ok. Please run a regular scan with ComboFix and post the log.

[dhammer]

combofix log

 

Before ComboFix ran, McAfee updated itself to secrity center ver 10.5 which had a one-button turn off for the virus scans. Then there was an update to ComboFix. It seemed to run without a report of conflict with McAfee.

 

As in previous runs, it had to reboot due to "Rootkit TDL3 activity" (although the log will say Bootkit TDL4). During the scan after reboot, it gave a warning 3 times which I have seen before in similar versions as a symptom of the infection: "PEV.cfxxe \pagefile.sys is corrupt. Run Chkdsk utility"

 

Here is the scan log:

 

ComboFix 11-03-02.05 - David Hammer MA MFT 03/03/2011 7:54.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1348 [GMT -8:00]

Running from: c:\documents and settings\David Hammer MA MFT\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Application Data\PCDr\5744\Downloads\ceb06396-ae9d-42b7-a00f-867e3e8710fd.dll

c:\documents and settings\All Users\Application Data\PCDr\5744\Downloads\fb37c43e-fc6b-476d-8936-e95ecdba3cf7.dll

 

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( Files Created from 2011-02-03 to 2011-03-03 )))))))))))))))))))))))))))))))

.

 

2011-03-03 15:06 . 2010-10-14 06:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-03-03 15:06 . 2010-10-14 06:28 141792 ----a-w- c:\windows\system32\mfevtps.exe

2011-03-03 15:06 . 2010-10-14 06:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-03-03 15:06 . 2010-10-14 06:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-03-03 15:06 . 2010-10-14 06:28 84072 ------w- c:\windows\system32\drivers\mfetdi2k.sys

2011-03-03 15:06 . 2010-10-14 06:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-03-03 15:06 . 2010-10-14 06:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-03-03 15:06 . 2010-10-14 06:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-02-28 21:23 . 2011-02-28 21:23 -------- d-----w- c:\documents and settings\David Hammer MA MFT\Local Settings\Application Data\Temp

2011-02-27 15:01 . 2011-02-27 15:02 -------- d-----w- c:\program files\CCleaner

2011-02-26 15:01 . 2011-02-26 15:01 -------- d-----w- c:\program files\Common Files\Adobe AIR

2011-02-23 05:52 . 2011-02-23 05:52 -------- d-----w- c:\documents and settings\David Hammer MA MFT\Application Data\SUPERAntiSpyware.com

2011-02-23 05:52 . 2011-02-23 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-02-23 05:52 . 2011-02-23 05:52 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-21 17:47 . 2011-02-21 17:47 -------- d-----w- c:\windows\system32\winrm

2011-02-21 17:47 . 2011-02-21 17:47 -------- d-----w- c:\windows\system32\GroupPolicy

2011-02-21 17:47 . 2011-02-21 17:47 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2011-02-08 23:53 . 2011-02-08 23:53 -------- d-----w- c:\documents and settings\David Hammer MA MFT\Application Data\IObit

2011-02-08 23:53 . 2011-02-08 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2011-02-08 23:53 . 2011-02-08 23:53 -------- d-----w- c:\program files\IObit

2011-02-07 21:22 . 2011-02-07 21:22 -------- d-----w- C:\skin

2011-02-01 20:34 . 2001-08-17 21:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2011-02-01 20:34 . 2001-08-17 21:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys

2011-02-01 20:25 . 2010-06-15 00:04 273256 ------w- c:\windows\system32\HPDiscoPM5312.dll

2011-02-01 20:25 . 2010-06-14 19:58 1907560 ----a-w- c:\windows\system32\HPScanMiniDrv_OJ8500_A910.dll

2011-02-01 20:25 . 2010-06-14 19:58 264552 ----a-w- c:\windows\system32\hpinksts5312LM.dll

2011-02-01 20:25 . 2010-06-14 19:58 232296 ----a-w- c:\windows\system32\hpinksts5312.dll

2011-02-01 20:25 . 2010-06-14 19:58 213352 ----a-w- c:\windows\system32\hpinkcoi5312.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-03 05:40 . 2010-04-22 14:21 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-03 03:19 . 2007-12-15 21:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-01-21 14:44 . 2004-08-10 18:51 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-10 18:50 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-10 18:51 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-10 18:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-21 02:09 . 2009-04-16 16:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 02:08 . 2009-04-16 16:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-20 23:59 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2004-08-10 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26 . 2004-08-10 18:51 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec

2010-12-16 15:54 . 2006-10-18 11:00 45200 ----a-w- c:\windows\system32\drivers\pxhelp20.sys

2010-12-09 15:15 . 2004-08-10 18:51 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42 . 2004-08-10 18:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-17 03:57 203776 --sh--w- c:\windows\system32\unrar.exe

.

 

((((((((((((((((((((((((((((( SnapShot@2011-02-25_07.02.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-03-03 15:51 . 2011-03-03 15:51 16384 c:\windows\Temp\Perflib_Perfdata_380.dat

+ 2009-03-29 22:45 . 2010-10-14 06:28 52104 c:\windows\system32\drivers\mfebopk.sys

- 2011-02-22 02:09 . 2011-02-25 03:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2011-02-22 02:09 . 2011-03-03 15:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-12-15 21:24 . 2011-03-03 15:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2007-12-15 21:24 . 2011-02-25 03:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2011-02-27 19:15 . 2011-03-03 15:09 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2007-12-15 21:24 . 2011-02-25 03:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2007-12-18 21:32 . 2011-02-28 16:16 29809 c:\windows\nsreg.dat

- 2007-12-18 21:32 . 2011-02-24 15:29 29809 c:\windows\nsreg.dat

+ 2011-02-26 15:01 . 2011-02-26 15:01 28160 c:\windows\Installer\30a2604.msi

+ 2010-11-10 20:49 . 2010-11-10 20:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe

+ 2010-11-10 20:49 . 2010-11-10 20:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe

+ 2010-11-10 20:49 . 2010-11-10 20:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe

+ 2010-11-10 20:49 . 2010-11-10 20:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe

+ 2010-11-10 20:49 . 2010-11-10 20:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll

+ 2011-02-25 20:44 . 2011-02-03 05:40 157472 c:\windows\system32\javaws.exe

- 2010-12-23 05:08 . 2010-11-13 02:53 157472 c:\windows\system32\javaws.exe

- 2010-12-23 05:08 . 2010-11-13 02:53 145184 c:\windows\system32\javaw.exe

+ 2011-02-25 20:44 . 2011-02-03 05:40 145184 c:\windows\system32\javaw.exe

- 2010-12-23 05:08 . 2010-11-13 02:53 145184 c:\windows\system32\java.exe

+ 2011-02-25 20:44 . 2011-02-03 05:40 145184 c:\windows\system32\java.exe

+ 2009-03-29 22:45 . 2010-10-14 06:28 386840 c:\windows\system32\drivers\mfehidk.sys

+ 2009-03-29 22:45 . 2010-10-14 06:28 152960 c:\windows\system32\drivers\mfeavfk.sys

- 2010-08-12 04:57 . 2011-02-25 03:52 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2010-08-12 04:57 . 2011-03-03 15:09 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2011-02-25 20:44 . 2011-02-25 20:44 180224 c:\windows\Installer\2fdec66.msi

+ 2010-11-10 20:49 . 2010-11-10 20:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe

+ 2010-11-10 20:49 . 2010-11-10 20:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe

+ 2010-11-10 20:49 . 2010-11-10 20:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll

+ 2011-02-26 15:04 . 2011-02-26 15:04 2283008 c:\windows\Installer\30a26c0.msi

+ 2010-11-10 20:49 . 2010-11-10 20:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll

+ 2010-11-10 20:49 . 2010-11-10 20:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe

+ 2010-11-10 20:49 . 2010-11-10 20:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe

+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\30a26c1.msp

+ 2010-11-10 20:49 . 2010-11-10 20:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]

"nwiz"="nwiz.exe" [2008-06-09 1630208]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-25 2220032]

"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-01 274608]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-18 1193848]

 

c:\documents and settings\David Hammer MA MFT\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-10 50688]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-01-09 22:45 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^David Hammer MA MFT^Start Menu^Programs^Startup^eFax 4.4.lnk]

backup=c:\windows\pss\eFax 4.4.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-11-10 20:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

2010-07-02 18:24 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2008-12-08 23:50 54576 ----a-w- c:\program files\HP inkjet\HP Software Update\hpwuschd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]

2010-04-10 04:17 2937528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

2007-04-16 22:10 184320 ----a-w- c:\program files\Dell\MediaDirect\PCMService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-08 18:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]

2002-02-05 05:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2006-11-05 19:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-01-01 22:17 274608 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2008-12-09 10:12 234856 ----a-w- c:\program files\TomTom HOME 2\HOMERunner.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 04:05 204288 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XWMSUSBAPI]

2001-10-09 22:09 45056 ----a-w- c:\windows\system32\drivers\xwmsapi.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"RoxWatch9"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP inkjet\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\WebLoad\\WS_FTP95.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

"56797:TCP"= 56797:TCP:Pando Media Booster

"56797:UDP"= 56797:UDP:Pando Media Booster

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

 

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/3/2011 07:06 AM 84072]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [2/8/2011 03:53 PM 312152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/29/2009 02:48 PM 93320]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/3/2011 07:05 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/3/2011 07:05 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/3/2011 07:06 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/3/2011 07:06 AM 141792]

R2 XWMSMFP1;XWMSPAC;c:\windows\system32\drivers\xwmspac.sys [10/9/2001 02:10 PM 31712]

R2 XWMSMFP2;XWMSPRO;c:\windows\system32\drivers\xwmspro.sys [10/9/2001 02:10 PM 22828]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/3/2011 07:06 AM 55840]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/3/2011 07:06 AM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/3/2011 07:06 AM 88544]

S0 gtpa;gtpa;c:\windows\system32\drivers\dnqyr.sys --> c:\windows\system32\drivers\dnqyr.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/3/2011 07:06 AM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/3/2011 07:06 AM 84264]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 10:51 AM 14336]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - mfeavfk01

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

WINRM REG_MULTI_SZ WINRM

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]

2010-02-17 03:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

 

2011-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

 

2011-02-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]

 

2011-03-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2956238909-2091042218-426631039-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]

 

2011-03-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2956238909-2091042218-426631039-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]

 

2011-03-02 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071210

uInternet Settings,ProxyOverride = 127.0.0.1

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

.

 

**************************************************************************

 

disk not found C:\

 

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files:

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-2956238909-2091042218-426631039-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1384)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\documents and settings\David Hammer MA MFT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\David Hammer MA MFT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\David Hammer MA MFT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

c:\documents and settings\David Hammer MA MFT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll

c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

.

Completion time: 2011-03-03 08:09:30

ComboFix-quarantined-files.txt 2011-03-03 16:09

ComboFix2.txt 2011-02-27 16:30

ComboFix3.txt 2011-02-25 07:05

 

Pre-Run: 18,332,348,416 bytes free

Post-Run: 18,346,729,472 bytes free

 

- - End Of File - - EB777402D788FAC733FA4DBD9B4F9E0C

[Superdave]

SysProt Antirootkit

 

Download

SysProt Antirootkit from the link below (you will find it at the bottom

of the page under attachments, or you can get it from one of the

mirrors).

 

http://sites.google.com/site/sysprotantirootkit/

 

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
  
• Click on the Log tab.
  
• In the Write to log box select the following items.
  
  • Process << Selected
    
  • Kernel Modules << Selected
    
  • SSDT << Selected
    
  • Kernel Hooks << Selected
    
  • IRP Hooks << NOT Selected
    
  • Ports << NOT Selected
    
  • Hidden Files << Selected
    

  [*]At the bottom of the page

  • Hidden Objects Only << Selected
    

  [*]Click on the Create Log button on the bottom right.

  [*]After a few seconds a new window should appear.

  [*]Select Scan Root Drive. Click on the Start button.

  [*]When it is complete a new window will appear to indicate that the scan is finished.

  [*]The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

[dhammer]

SysProt log

 

I noticed something in this log called "catchme.sys" Is this hacker taunting people to uncover his malware?

 

SysProt AntiRootkit v1.0.1.0

by swatkat

 

******************************************************************************************

******************************************************************************************

 

No Hidden Processes found

 

******************************************************************************************

******************************************************************************************

Kernel Modules:

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys

Service Name: ---

Module Base: B52B8000

Module End: B52D0000

Hidden: Yes

 

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS

Service Name: ---

Module Base: B8608000

Module End: B860A000

Hidden: Yes

 

Module Name: \??\C:\DOCUME~1\DAVIDH~1\LOCALS~1\Temp\catchme.sys

Service Name: catchme

Module Base: B83C8000

Module End: B83D0000

Hidden: Yes

 

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Service Name: ---

Module Base: B8658000

Module End: B865A000

Hidden: Yes

 

Module Name: \SystemRoot\System32\Drivers\hiber_WMILIB.SYS

Service Name: ---

Module Base: B85F2000

Module End: B85F4000

Hidden: Yes

 

******************************************************************************************

******************************************************************************************

No SSDT Hooks found

 

******************************************************************************************

******************************************************************************************

Kernel Hooks:

Hooked Function: ZwYieldExecution

At Address: 80504B08

Jump To: B7E17164

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwUnmapViewOfSection

At Address: 805B2E48

Jump To: B7E17190

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwTerminateProcess

At Address: 805D29E2

Jump To: B7E171A4

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwSetValueKey

At Address: 80622662

Jump To: B7E1713A

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwSetSecurityObject

At Address: 805C062E

Jump To: B7E17150

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwRenameKey

At Address: 80623B12

Jump To: B7E1710E

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwOpenThread

At Address: 805CB6CC

Jump To: B7E170BC

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwOpenProcess

At Address: 805CB440

Jump To: B7E170A8

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwOpenKey

At Address: 806254CE

Jump To: B7E170D0

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwMapViewOfSection

At Address: 805B203A

Jump To: B7E1717A

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwDeleteValueKey

At Address: 8062475C

Jump To: B7E17124

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwDeleteKey

At Address: 8062458C

Jump To: B7E170F8

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

Hooked Function: ZwCreateKey

At Address: 806240F0

Jump To: B7E170E4

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

 

******************************************************************************************

******************************************************************************************

Hidden files/folders:

Object: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP83747916.exe

Status: Access denied

 

Object: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APCD4903A6.exe

Status: Access denied

 

Object: C:\Qoobox\BackEnv\AppData.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Cache.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Cookies.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Desktop.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Favorites.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\History.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Music.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\NetHood.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Personal.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Pictures.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Programs.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Recent.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\SendTo.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\SetPath.bat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\StartUp.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\SysPath.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\Templates.folder.dat

Status: Access denied

 

Object: C:\Qoobox\BackEnv\VikPev00

Status: Access denied

[Superdave]

I noticed something in this log called "catchme.sys" Is this hacker taunting people to uncover his malware?

That file is a file for ComboFix and GMER but it shouldn't be running in a temp folder. Please do this:

 

AVENGER

 

• Download The Avenger by Swandog46 from here.
  
• Unzip/extract it to a folder on your desktop.
  
• Double click on avenger.exe to run The Avenger.
  
• Click OK.
  
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  
• Click the Execute button.
  
• You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  
• Please post this log, along with a new HijackThis log in your next reply.
  

[dhammer]

Avenger and IObit 360 hijack logs

 

Hopefully this ran as it should. On the first Avenger run, McAfee removed a trojan called ZapChast.gen. On re-boot, Avenger did not run. I ran it manually a second time, and again it did not run on re-boot. Nevertheless, here is the log:

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

Logfile of IObit HijackScan v0.2.0.0

Scan saved at 19:28:31, on 2011-3-5

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\OEM02Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Discover\SOAN\DISCOV~1.EXE

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\Program Files\real\realplayer\update\realsched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\OBroker.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Secure Online Account Numbers Helper - {435EAA86-D32B-484F-869C-53745FCB1642} - C:\Program Files\Discover\SOAN\DiscoverSOANHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110303070624.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Secure Online Account Numbers - {A8C7C2CA-6DFD-4E16-8458-592361564D38} - C:\Program Files\Discover\SOAN\DiscoverSOANToolbar.dll

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [nwiz] nwiz.exe /installquiet

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [secure Online Account Numbers] C:\PROGRA~1\Discover\SOAN\DISCOV~1.EXE /dontopenmycards

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [TkBellExe] "C:\Program Files\real\realplayer\update\realsched.exe" -osboot

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} -

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089}Office.awsdc.1 - http://office.microsoft.com/sites/production/ieawsdc32.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}LegitCheckControl.LegitCheck.1 - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}YInstHelper.YInstStarter.1 - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

O23 - Service: Automatic LiveUpdate Scheduler - Unknown - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bluetooth Service - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: Google Updater Service - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Unknown - C:\Program Files\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Personal Firewall Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Services - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee VirusScan Announcer - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Network Agent - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Scanner - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Dell Wireless WLAN Tray Service - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe

[Superdave]

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log

[dhammer]

ESET online won't run

 

After I accept the EULA in the small window , something downloads, crashes the IE tab, it recovers and the small window again asks me to agree to the EULA. I have designated the URLs as trusted like the help section suggests.

 

It also mentions something about using regedit to remove a "killbit" but I thought I would check with you first.

 

Also, on rare occasions, a program will act like I don't have Administrator priveleges, so I don't know if this has anything to do with it. On my normal Windows start-up, only my name appears, but if I boot into Safe mode, it gives me a second choice of Administrator. I have always thought that odd, but possibly a remnant from years ago when I deleted my wife's secondary log-on with her settings.

[Superdave]

Ok. Let's try this one:

 

Run the BitDefender Online scanner

 

Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.

 

Once Bitdefender completes the scan:

Click-on the Detected Problems tab.

Then select Click here to export the scan report.

 

When the window comes up to save the report, change the Save as type: box to:

Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save.

 

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later).

This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

 

If you do not follow these step, you will have an incorrect log or worse a log summary which is useless to us.

Post the bdscan.txt file as an Attachment.

[dhammer]

2nd online scan won't run

 

BitDefender wouldn't run either. I tried an older browser, but it didn't run with that either. I booted into "safe mode with networking" but that didn't have an internet connection for access to the scan.

[Superdave]

Are you still having any problems with your computer?

[dhammer]

no redirects at last !

 

I just tested out 5 or 6 links after doing two different Google searches, and it went to the right page each time, no re-directs hijacking my browser. I'm not sure when it happened because I have been copying and pasting the links most of the time to avoid the problem.

 

Thank you so much for fixing that mess. I did a lot of virus scans and malware scans prior to turning to you for help, but nothing stopped it. You really hung in there with a thorny problem.

 

Should I be concerned that neither of those two online scans would run?

[Superdave]

Should I be concerned that neither of those two online scans would run?

I really would like to finish off with an on-line scan.

 

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

 

Note: please close all other applications running on your system.

 

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

 

Click the Settings button.

 

Set the slider to Maximum.

 

IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.

 

http://img683.imageshack.us/img683/9388/generaltab.png

 

On the General tab, make sure all of the boxes are checked.

 

http://img687.imageshack.us/img687/4604/misce.png

 

On the Misc tab, make sure all the checkboxes are checked.

 

Then, click OK on the windows that you launched.

 

http://i44.tinypic.com/2ekm73m.gif

Click Create Report to run it.

 

http://img227.imageshack.us/img227/371/beginscanning.png

It will begin scanning.

 

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

 

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

 

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply..

[dhammer]

Kaspersky report

 

I appreciate your thoroughness. Here is where it posted the report:

 

http://www.getsysteminfo.com/read.php?file=f0dfbdda2cbfbaca2a5e88f039a79ff6

 

 

By the way, McAfee completed a scan before I saw your post and didn't find anything.

[Superdave]

It also mentions something about using regedit to remove a "killbit" but I thought I would check with you first.

Killbit is legit according to this thread.

I'm more concerned that we can't get an on-line scan. Let's try this one.

 

Please go to Kaspersky website and perform an online antivirus scan.

 

1. Read through the requirements and privacy statement and click on Accept button.

2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.

3. When the downloads have finished, click on Settings.

4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs

Archives

 

5. Click on My Computer under Scan.

6. Once the scan is complete, it will display the results. Click on View Scan Report.

7. You will see a list of infected items there. Click on Save Report As....

8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

9. Please post this log in your next reply along with a fresh HijackThis log.

[dhammer]

Kaspersky error

 

I turned off McAfee, IObit, and closed all other programs, but this is the error that occurred when Kaspersky got about 80% of the way thru downloading the virus definitions:

 

The program is starting. Please wait...

Updates source is selected: http://www.kaspersky.com

File download: packages/kos-extras.jar

The program is started.

 

Updating the anti-virus database. Please wait...

 

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]

 

Dave:

I tried the link to the "online" scanner which actually had me download the program to my computer. Well when I went to run it, Kaspersky wanted me to REMOVE McAfee and IObit. I didn't want to do that and stopped.

[Superdave]

Please just hang tight on this. I'm going to get some help.

[Superdave]

Which browser are you using?

[dhammer]

IE

 

Internet Explorer 8.0.6001.18702

[Superdave]

Please try running ESET using Firefox.

[dhammer]

it worked with Firefox

 

Here are the ESET scan results done with Mozilla Firefox which removed 3 trojans, followed by a new IObit360 Hijackthis scan. Should I now try an online scan with Internet Explorer?

 

C:\Documents and Settings\David Hammer MA MFT\My Documents\My Music\Crusaders\assorted\crusaders modern life - greatest hits.wma probably a variant of Win32/Agent.FNYAFOD trojan cleaned by deleting - quarantined

C:\Music editing\installer-28350-19-Adobe-Soundbooth-CS3-Beta-3-English.exe a variant of Win32/Downloader.Ircfast application cleaned by deleting - quarantined

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP17\A0005748.exe a variant of Win32/Downloader.Ircfast application cleaned by deleting - quarantined

 

Logfile of IObit HijackScan v1.0.2.0

Scan saved at 16:27:36, on 2011-3-14

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\OEM02Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Discover\SOAN\DISCOV~1.EXE

C:\Program Files\real\realplayer\update\realsched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\OBroker.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

 

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Secure Online Account Numbers Helper - {435EAA86-D32B-484F-869C-53745FCB1642} - C:\Program Files\Discover\SOAN\DiscoverSOANHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110303070624.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Secure Online Account Numbers - {A8C7C2CA-6DFD-4E16-8458-592361564D38} - C:\Program Files\Discover\SOAN\DiscoverSOANToolbar.dll

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [nwiz] nwiz.exe /installquiet

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [secure Online Account Numbers] C:\PROGRA~1\Discover\SOAN\DISCOV~1.EXE /dontopenmycards

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [TkBellExe] "C:\Program Files\real\realplayer\update\realsched.exe" -osboot

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} -

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089}Office.awsdc.1 - http://office.microsoft.com/sites/production/ieawsdc32.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}LegitCheckControl.LegitCheck.1 - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}YInstHelper.YInstStarter.1 - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

O23 - Service: Automatic LiveUpdate Scheduler (Automatic LiveUpdate Scheduler) - Unknown - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: GoToAssist (GoToAssist) - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate (LiveUpdate) - Unknown - C:\Program Files\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: McAfee SiteAdvisor Service (McAfee SiteAdvisor Service) - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing (ProtexisLicensing) - Unknown - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RoxMediaDB9 (RoxMediaDB9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: stllssvr (stllssvr) - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe

[Superdave]

Should I now try an online scan with Internet Explorer?

No. That's good. If there are no other issues, it's time for some cleanup.

 

To uninstall ComboFix

 

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall
  

 

http://i582.photobucket.com/albums/ss269/Cat_Byte/Combofix_uninstall_image.jpg

 

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

 

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  

***********************************************

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

 

Double-click TFC.exe to run it.

 

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

 

TFC will close all programs when run, so make sure you have saved all your work before you begin.

 

* Click the Start button to begin the cleaning process.

* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.

* Please let TFC run uninterrupted until it is finished.

 

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

*************************************************

Use the Secunia Software Inspector to check for out of date software.

 

•Click Start Now

 

•Check the box next to Enable thorough system inspection.

 

•Click Start

 

•Allow the scan to finish and scroll down to see if any updates are needed.

•Update anything listed.

.

----------

 

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!

[dhammer]

clean -up questions

 

There were a few glitches in the process. TFC's clean-up run produced one of those corrupt file messages about a file named "info" in a "recycled" folder and suggesting Chkdsk be run.

 

Secunia had to be re-run multiple times because each update would necessitate a reboot. It still shows Macromedia Flash v5 AND v7 despite having updated to v10

 

It shows Internet Explorer 7 despite upgrade to IE8 years ago.

 

It shows maybe 30 or 40 KBxxxxx updates some of them duplicates, needing to be done for each component, despite having done all that previously through automatic Windows updates. It even shows these updates are needed for Outlook Express 6, despite that no longer being supported.

 

Is any of this problematic?

 

I also still have in my Control Panel list of programs the one I mentioned named "aaa" published by "bbb" with comments "ccc"

 

When I install Web Of Trust and Spywareblaster, should I remove McAfee's websit monitoring that is incorporated into my browsers?