Everything posted by drgill_co

  1. Consider it closed. All scans are clean and I reinstalled IE and fixed that error.
  2. Attached you will find the runnscanner log Runscanner logfile http://www.runscanner.net * = signed file - = file not found 000 General info ---------------- Computer name : OFFICE Creation time : 6/27/2008 8:51:46 PM Hosts <> 127.0.0.1 : 0 Hosts file location : %SystemRoot%\System32\drivers\etc IE version : 7.0.5730.11 OS : Microsoft Windows XP OS Build : 2600 OS SP : Service Pack 2 RunScanner Version : 1.6.3.0 User Language : English (United States) User rights : Administrator Windows folder : C:\WINDOWS 001 Running processes --------------------- * c:\program files\lavasoft\ad-aware\aawservice.exe (Lavasoft) c:\program files\common files\roxio shared\sharedcom8\roxmediadb.exe (Sonic Solutions) c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple, Inc.) * c:\windows\system32\alg.exe (Microsoft Corporation) c:\program files\bonjour\mdnsresponder.exe (Apple Inc.) * c:\windows\system32\csrss.exe (Microsoft Corporation) * c:\program files\mozilla firefox\firefox.exe (Mozilla Corporation) * c:\windows\system32\svchost.exe (Microsoft Corporation) * c:\windows\system32\svchost.exe (Microsoft Corporation) * c:\windows\system32\svchost.exe (Microsoft Corporation) * c:\windows\system32\svchost.exe (Microsoft Corporation) * c:\windows\system32\svchost.exe (Microsoft Corporation) * c:\windows\system32\svchost.exe (Microsoft Corporation) * c:\documents and settings\owner\my documents\downloads\hijackthis.exe (Trend Micro Inc.) * c:\program files\ipod\bin\ipodservice.exe (Apple Inc.) * c:\windows\system32\lsass.exe (Microsoft Corporation) c:\program files\common files\lightscribe\lssrvc.exe (Hewlett-Packard Company) * c:\program files\common files\microsoft shared\vs7debug\mdm.exe (Microsoft Corporation) * c:\program files\common files\mcafee\hackerwatch\hwapi.exe (McAfee, Inc.) * c:\progra~1\mcafee\msc\mcpromgr.exe (McAfee, Inc.) * c:\progra~1\mcafee.com\agent\mcagent.exe (McAfee, Inc.) 
* c:\progra~1\common~1\mcafee\mna\mcnasvc.exe (McAfee, Inc.) * c:\program files\mcafee\mpf\mpfsrv.exe (McAfee, Inc.) * c:\progra~1\mcafee\mps\mps.exe (McAfee, Inc.) * c:\program files\mcafee\mps\mpsevh.exe (McAfee, Inc.) * c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe (McAfee, Inc.) * c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe (McAfee, Inc.) * c:\progra~1\mcafee\viruss~1\mcsysmon.exe (McAfee, Inc.) * c:\progra~1\mcafee\viruss~1\mcods.exe (McAfee, Inc.) * c:\windows\system32\wisptis.exe (Microsoft Corporation) * c:\progra~1\mcafee\msc\mcmscsvc.exe (McAfee, Inc.) * c:\progra~1\mcafee\viruss~1\mcshield.exe (McAfee, Inc.) * c:\documents and settings\owner\local settings\temp\runscanner.exe (Runscanner.net) * c:\windows\system32\services.exe (Microsoft Corporation) * c:\windows\system32\spoolsv.exe (Microsoft Corporation) * c:\program files\maxtor\sync\syncservices.exe (Seagate Technology LLC) * c:\windows\explorer.exe (Microsoft Corporation) * c:\windows\explorer.exe (Microsoft Corporation) * c:\windows\system32\winlogon.exe (Microsoft Corporation) * c:\windows\system32\smss.exe (Microsoft Corporation) c:\progra~1\winzip\winzip32.exe (WinZip Computing, Inc.) 
010 HKLM\SYSTEM\CurrentControlSet\Services (Services) ----------------------------------------------------- c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple Mobile Device) c:\program files\bonjour\mdnsresponder.exe (Bonjour Service) * c:\program files\ipod\bin\ipodservice.exe (iPod Service) * c:\program files\lavasoft\ad-aware\aawservice.exe (Lavasoft Ad-Aware Service) c:\program files\common files\lightscribe\lssrvc.exe (LightScribeService Direct Disc Labeling Service) * c:\program files\maxtor\sync\syncservices.exe (Maxtor Service) * c:\progra~1\common~1\mcafee\emproxy\emproxy.exe (McAfee E-mail Proxy) * c:\program files\common files\mcafee\hackerwatch\hwapi.exe (McAfee HackerWatch Service) * c:\progra~1\common~1\mcafee\mna\mcnasvc.exe (McAfee Network Agent) * c:\program files\mcafee\mpf\mpfsrv.exe (McAfee Personal Firewall Service) * c:\progra~1\mcafee\mps\mps.exe (McAfee Privacy Service) * c:\progra~1\mcafee\msc\mcpromgr.exe (McAfee Protection Manager) * c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service) * c:\progra~1\mcafee\viruss~1\mcshield.exe (McAfee Real-time Scanner) * c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe (McAfee Redirector Service) * c:\progra~1\mcafee\viruss~1\mcods.exe (McAfee Scanner) * c:\progra~1\mcafee\msc\mcmscsvc.exe (McAfee Services) * c:\progra~1\mcafee\viruss~1\mcsysmon.exe (McAfee SystemGuards) * c:\progra~1\mcafee\msc\mcupdmgr.exe (McAfee Update Manager) c:\program files\common files\roxio shared\sharedcom8\roxwatch.exe (Roxio Hard Drive Watcher) c:\program files\common files\roxio shared\sharedcom8\roxmediadb.exe (RoxMediaDB) c:\program files\common files\roxio shared\sharedcom\roxupnprenderer.exe (RoxUpnpRenderer) c:\program files\roxio\easy media creator 8\digital home\roxupnpserver.exe (RoxUpnpServer) c:\program files\common files\sony shared\avlib\sptisrv.exe (Sony SPTI Service) c:\windows\microsoft.net\framework\v3.0\windows communication 
foundation\infocard.exe (Windows CardSpace) 011 HKLM\SYSTEM\CurrentControlSet\Services (drivers) ---------------------------------------------------- c:\windows\system32\drivers\aspi32.sys (Aspi32) - c:\combofix\catchme.sys (catchme) c:\windows\system32\drivers\cdr4_xp.sys (Cdr4_xp) c:\windows\system32\drivers\cdralw2k.sys (Cdralw2k) c:\windows\system32\drivers\cdudf_xp.sys (cdudf_xp) - c:\windows\system32\drivers\changer.sys (Changer) C:\WINDOWS\system32\drivers\drvmcdb.sys (drvmcdb) c:\windows\system32\drivers\dvd_2k.sys (dvd_2K) C:\WINDOWS\system32\drivers\dvd43llh.sys (dvd43llh) * C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEARAspiWDM) C:\WINDOWS\system32\drivers\http.sys (HTTP) - c:\windows\system32\drivers\i2omgmt.sys (i2omgmt) - c:\windows\system32\drivers\lbrtfdc.sys (lbrtfdc) C:\WINDOWS\system32\drivers\mxopswd.sys (Maxtor OneTouch Security Driver) * C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee Inc.) * C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee Inc.) * C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee Inc.) * C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee Inc.) * C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee Inc.) 
c:\windows\system32\drivers\mcstrm.sys (MCSTRM) c:\windows\system32\drivers\mmc_2k.sys (mmc_2K) * C:\WINDOWS\system32\drivers\mpfp.sys (MPFP) c:\windows\system32\drivers\npdriver.sys (Norton UnErase Protection Driver) c:\windows\system32\drivers\omci.sys (OMCI) C:\WINDOWS\system32\drivers\pfc.sys (Padus ASPI Shell) - c:\windows\system32\drivers\pcidump.sys (PCIDump) - c:\windows\system32\drivers\pdcomp.sys (PDCOMP) - c:\windows\system32\drivers\pdframe.sys (PDFRAME) - c:\windows\system32\drivers\pdreli.sys (PDRELI) - c:\windows\system32\drivers\pdrframe.sys (PDRFRAME) c:\windows\system32\drivers\pwd_2k.sys (pwd_2k) C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20) C:\WINDOWS\system32\drivers\rxfilter.sys (RxFilter) c:\windows\system32\drivers\sddriver.sys (SDdriver) - c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys (SPBBCDrv) - c:\program files\symantec\symevent.sys (SymEvent) C:\WINDOWS\system32\drivers\tucbdriverv32.sys (TucbDriverV32) C:\WINDOWS\system32\drivers\tucbvideo32.sys (TucbVideo32) * C:\WINDOWS\system32\drivers\tbhsd.sys (Tunebite High-Speed Dubbing) C:\WINDOWS\system32\drivers\usr_xp.sys (U.S. Robotics 10/100/1000 PCI NIC NDIS XP Driver) c:\windows\system32\drivers\udfreadr_xp.sys (UdfReadr_xp) - c:\windows\system32\drivers\wdica.sys (WDICA) 031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler ------------------------------------------- c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754} 035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components ------------------------------------------------------------------ c:\program files\pixiepack codec pack\installerhelper.exe {61E3FE32-07B9-4563-A3E0-2DE2D620FE10} 042 HKLM\Software\Microsoft\Internet Explorer\Extensions -------------------------------------------------------- c:\program files\aim\aim.exe (America Online, Inc.) 
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} c:\program files\messenger\msmsgs.exe (Microsoft Corporation) {FB5F1910-F110-11d2-BB9E-00C04F795683} 047 Trusted zones ----------------- Zone: : msn Zone: turbotax.com : https://turbotax.com 052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects ---------------------------------------------------------------------------------- * c:\progra~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F} * c:\progra~1\mcafee\viruss~1\scriptcl.dll (McAfee, Inc.) {7DB2D5A0-7241-4E79-B68D-6309F01C5231} 061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved --------------------------------------------------------------------------------- c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} c:\program files\red chair software\anapod explorer\anapodpw.dll (Red Chair Software, Inc.) {BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED4490} c:\program files\red chair software\anapod explorer\anapodps.dll (Red Chair Software, Inc.) {BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED4491} * f:\itunes new\itunesminiplayer.dll (Apple Inc.) 
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} c:\program files\roxio\easy media creator 8\drag to disc\shellex.dll (Sonic Solutions) {5E44E225-A408-11CF-B581-008029601108} c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} c:\progra~1\common~1\tishar~1\ticonn~1\tishlext.dll (Texas Instruments Incorporated) {3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02} c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D21-7BD0-11D1-BFB7-00AA00262A11} c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D25-7BD0-11D1-BFB7-00AA00262A11} c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D23-7BD0-11D1-BFB7-00AA00262A11} c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000} c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79305-84BE-11CE-9641-444553540000} c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79306-84BE-11CE-9641-444553540000} c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79307-84BE-11CE-9641-444553540000} 063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute --------------------------------------------------------------------- * C:\WINDOWS\system32\lsdelete.exe 069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors -------------------------------------------------------- c:\windows\system32\adobepdf.dll (Adobe Systems Incorporated.) 073 %windir%\Tasks ------------------ AppleSoftwareUpdate.job : c:\program files\apple software update\softwareupdate.exe (Apple Inc.) McDefragTask.job : c:\progra~1\mcafee\mqc\qcconsol.exe (McAfee, Inc.) 
Uniblue SpyEraser Nag.job : c:\program files\uniblue\spyeraser\spyeraser.exe Uniblue SpyEraser.job : c:\program files\uniblue\spyeraser\spyeraser.exe 100 Internet Explorer settings ------------------------------ Start Page HKCU : http://www.msn.com/ Start Page HKLM : http://www.msn.com/ 102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars ------------------------------------------------------------------ GUID / CLSID not found {182EC0BE-5110-49C8-A062-BEB1D02A220B} GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478} GUID / CLSID not found {4528BBE0-4E08-11D5-AD55-00010333D0AD} GUID / CLSID not found {4528BBE0-4E08-11D5-AD55-00010333D0AD} 104 HKLM\Software\Microsoft\Code Store Database\Distribution Units ------------------------------------------------------------------ GUID / CLSID not found {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} c:\program files\java\jre1.5.0_09\bin\npjpi150_09.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} 105 HKCU\Software\Microsoft\Internet Explorer\MenuExt ----------------------------------------------------- E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 107 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 --------------------------------------------------------------------------------- c:\program files\bonjour\mdnsnsp.dll (Apple Inc.) 170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ------------------------------------------------------------------------ {e9b8babe-a0fd-11da-a013-806d6172696f} : E:\Autorun.exe 173 HKCR\*\shellex\ContextMenuHandlers -------------------------------------- GUID / CLSID not found c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} * c:\progra~1\mcafee\viruss~1\mcodsax.dll (McAfee, Inc.) 
{162EFDC5-2957-465D-887B-590AF4A7E84D} c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000} c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} 221 HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers ------------------------------------------------------- GUID / CLSID not found c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} * c:\progra~1\mcafee\viruss~1\mcodsax.dll (McAfee, Inc.) {162EFDC5-2957-465D-887B-590AF4A7E84D} c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000} c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} 223 HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers -------------------------------------------------------------------------- * c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3} 225 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers ------------------------------------------------------------ * c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3} * c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3} * c:\progra~1\mcafee\viruss~1\mcodsax.dll (McAfee, Inc.) {162EFDC5-2957-465D-887B-590AF4A7E84D} * c:\progra~1\mcafee\viruss~1\mcodsax.dll (McAfee, Inc.) 
{162EFDC5-2957-465D-887B-590AF4A7E84D} c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000} c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000} 227 HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers --------------------------------------------------------------- GUID / CLSID not found c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000} c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
  3. Hi, I decided to have a look at my startup files using CCleaner and found a strange file, GMT.exe. When I tried to select it, it would not allow selection, but any other file would. I got an error about not finding the file. Could this be the bug?
  4. Hi, I too saw the MBAM log as clean, so I tried IE; it is still hijacked and opens Firefox from anything typed in the URL line. I am getting the Java updates done, I have Windows automatic updates enabled and have all patches installed. I had to disable Windows recovery due to lack of disk space. Kids' music was hogging the HDD. Any more suggestions? When I first got this virus it tried to get me to download the IE Antivirus stuff. Maybe a mutant of that is still floating around and hijacking IE. Not that I am heartbroken about losing IE, but I am worried about it hijacking passwords etc. Thanks for your suggestions, drgill_co
  5. Hi, I downloaded today's update to MBAM and checked the settings page; all were previously checked except for terminate IE. I checked it and reran a quick scan. The log follows, as does a HJT log run after the MBAM scan.

Malwarebytes' Anti-Malware 1.18
Database version: 894
6:59:06 PM 6/26/2008
mbam-log-6-26-2008 (18-59-06).txt

Scan type: Quick Scan
Objects scanned: 41351
Time elapsed: 45 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:55 PM, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\McAfee\MPS\mpsevh.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O8 - Extra context menu item: E&xport to Microsoft Excel - 
res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O15 - Trusted Zone: www.91x.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. 
- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. 
- C:\PROGRA~1\McAfee\MPS\mps.exe O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- End of file - 7764 bytes
  6. Hi Jean in Montana, further information: I found the files you wanted in the MBAM quarantine area. Where is this, so I can collect and send them on? Also, another characteristic of what is going on is that anytime I run a SB S&D or MBAM scan the Windows Taskbar and all desktop icons disappear. Thanks for your help, drgill_co
  7. Hi Jean in Montana, thanks very much for your reply. Following you will find the MBAM and HJT logs. I had done a scan or two with SB S&D before your reply, trying to isolate it, so on this last scan SB S&D found nothing. I was not able to find either of the files you requested. I emptied the recycle bin, thinking the offender was hiding there. I can tell you anytime I use IE it gets hijacked into the Firefox 3.0 URL line. No other programs appear to be affected. I can go to pages off my Yahoo home page in IE, but any URL gets hijacked. Also, I thought I found it when I saw a SAHagent in a SB run, so I ran combofix.exe and have added its log for your info. Thanks for your help, drgill_co

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:57 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.91x.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7656 bytes

MBAM Log
Malwarebytes' Anti-Malware 1.18
Database version: 888
5:42:35 AM 6/25/2008
mbam-log-6-25-2008 (05-42-29).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 137394
Time elapsed: 4 hour(s), 34 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{4937d5d1-2039-409a-bd83-fec9b39b2356} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-1801674531-562591055-725345543-1003\Dc409.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\idef.dll (Trojan.FakeAlert) -> No action taken.
Combofix log
ComboFix 08-06-20.4 - Owner 2008-06-25 6:12:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.559 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\Downloaded Program Files\setup.inf
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.
2008-06-23 17:50 . 2008-06-23 17:52 <DIR> d-------- C:\Program Files\Panda Security
2008-06-23 06:16 . 2008-06-23 06:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-23 06:15 . 2008-06-24 20:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 06:15 . 2008-06-23 06:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 06:15 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 06:15 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-23 05:58 . 2008-06-23 05:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-23 05:38 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-23 05:38 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-23 05:38 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-23 05:38 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-23 05:37 . 2008-06-23 17:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-23 05:37 . 2008-06-23 05:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-23 05:37 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-06-22 22:59 . 2008-06-22 22:58 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-22 22:59 . 2008-06-22 22:59 2,541 --a------ C:\WINDOWS\unins000.dat
2008-06-22 20:45 . 2008-06-22 20:45 <DIR> d-------- C:\Program Files\Bonjour
2008-06-22 20:42 . 2008-06-22 20:44 <DIR> d-------- C:\Program Files\QuickTime
2008-06-22 20:09 . 2008-06-22 20:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-22 20:09 . 2008-06-22 20:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-22 20:08 . 2008-06-22 20:08 <DIR> d----c--- C:\Converted
2008-06-22 20:03 . 2008-06-22 20:06 <DIR> d-------- C:\Program Files\TuneCab
2008-06-22 20:03 . 2008-06-04 10:24 508,544 --a------ C:\WINDOWS\system32\TucbDriverV32.sys
2008-06-22 20:03 . 2008-06-04 10:24 508,544 --a------ C:\WINDOWS\system32\drivers\TucbDriverV32.sys
2008-06-22 20:03 . 2008-06-04 12:05 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-06-22 20:03 . 2008-06-04 10:24 10,936 --a------ C:\WINDOWS\system32\TucbVideo32.dll
2008-06-22 20:03 . 2008-06-04 10:24 3,993 --a------ C:\WINDOWS\system32\TucbDriverV32.inf
2008-06-22 20:03 . 2008-06-04 10:24 3,768 --a------ C:\WINDOWS\system32\TucbVideo32.sys
2008-06-22 20:03 . 2008-06-04 10:24 3,768 --a------ C:\WINDOWS\system32\drivers\TucbVideo32.sys
2008-06-22 20:03 . 2008-06-04 10:24 2,659 --a------ C:\WINDOWS\system32\TucbVideo32.inf
2008-06-22 19:14 . 2008-06-23 01:34 <DIR> d-------- C:\Program Files\FolderMatch
2008-06-22 19:14 . 2004-06-07 10:21 874,248 --a------ C:\WINDOWS\system32\SmartUI2.ocx
2008-06-22 19:14 . 2002-02-05 10:59 599,800 --a------ C:\WINDOWS\system32\Cfx4032.ocx
2008-06-22 19:14 . 2003-04-04 13:37 319,488 --a------ C:\WINDOWS\system32\SNTP Wizard2.ocx
2008-06-22 19:14 . 2006-09-04 13:57 270,880 --a------ C:\WINDOWS\system32\MyCommandButton.ocx
2008-06-22 19:14 . 1999-05-07 01:00 244,232 --a------ C:\WINDOWS\system32\Msflxgrd.ocx
2008-06-22 19:14 . 2005-07-07 10:57 159,744 --a------ C:\WINDOWS\system32\stamin32.dll
2008-06-22 19:14 . 2001-10-08 08:46 136,976 --a------ C:\WINDOWS\system32\SfxBar.dll
2008-06-22 06:48 . 2008-06-22 06:48 <DIR> d-------- C:\Program Files\uTorrent
2008-06-22 06:48 . 2008-06-22 19:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-14 20:21 . 2008-06-14 20:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RTPlayer
2008-06-01 11:10 . 2008-06-01 11:10 <DIR> d-------- C:\Program Files\Red Chair Software
2008-06-01 11:10 . 2008-06-01 11:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Red Chair Software
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-05-26 19:51 . 2008-05-26 19:51 <DIR> d-------- C:\Program Files\Heavy Weather
2008-05-26 19:41 . 2008-05-26 19:41 <DIR> d-------- C:\WINDOWS\system32\cvirte
2008-05-26 19:41 . 2008-06-22 19:26 <DIR> d----c--- C:\HeavyWeather
2008-05-26 19:41 . 2001-08-01 02:00 1,826,816 --a------ C:\WINDOWS\system32\cvirte.dll
2008-05-26 19:41 . 2001-08-01 02:00 45,056 --a------ C:\WINDOWS\system32\cvirt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 12:12 --------- d-----w C:\Program Files\Panorama
2008-06-25 11:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Tunebite
2008-06-23 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 23:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-23 12:14 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-06-23 11:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-23 06:06 --------- d-----w C:\Program Files\EphPod
2008-06-23 05:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-23 05:18 --------- d-----w C:\Program Files\Lavasoft
2008-06-23 05:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 02:46 --------- d-----w C:\Program Files\iPod
2008-06-23 02:31 --------- d-----w C:\Program Files\LimeWire
2008-06-15 18:08 --------- d-----w C:\Program Files\Quicken
2008-06-15 02:24 --------- d-----w C:\Program Files\WinAce
2008-06-14 18:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-14 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-20 09:02 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 13:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\VideoReDo-TVSuite
2008-05-17 12:21 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-05-17 12:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 12:10 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-05-17 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-16 17:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-10 13:27 --------- d-----w C:\Program Files\WMA-MP3.com
2008-05-10 01:49 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-05-10 01:42 --------- d-----w C:\Program Files\RapidSolution
2008-05-09 11:12 --------- d-----w C:\Program Files\Music Rescue
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 04:35 --------- d-----w C:\Program Files\Java
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Maxtor
2008-04-29 02:11 --------- d-----w C:\Program Files\Maxtor
2008-04-26 19:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2007-11-26 00:17 132,896 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-06-28 00:21 92,064 -c--a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-06-28 00:21 9,232 -c--a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-06-28 00:21 79,328 -c--a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-06-28 00:21 66,656 -c--a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-06-28 00:21 6,208 -c--a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-06-28 00:21 5,936 -c--a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-06-28 00:21 4,048 -c--a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-06-28 00:21 25,600 -c--a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-06-28 00:21 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys
2006-09-02 14:46 0 -c--a-w C:\Program Files\Common Files\dht342
2006-02-24 05:06 326 -c-ha-w C:\Documents and Settings\Owner\hpothb07.dat
2006-02-24 05:06 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-02-24 05:05 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-02-24 05:05 0 -c-ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2004-10-16 13:38 359 -c-ha-w C:\Documents and Settings\Owner\Application Data\hpothb07.dat
2004-10-01 22:00 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tunebite"="C:\Program Files\RapidSolution\Tunebite\Tunebite.exe" [2008-04-24 13:28 6366512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-20 22:47 1687552]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 17:13 163840]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="F:\iTunes new\iTunesHelper.exe" [2008-06-02 11:13 267048]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2008-03-02 13:54:50 1076276]
Panorama 32.lnk - C:\Program Files\Panorama\Panorama.exe [2004-02-05 19:25:03 708608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"WZCSVC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"Speed Disk service"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"ScReadSpool"=2 (0x2)
"RoxLiveShare"=2 (0x2)
"NSCService"=3 (0x3)
"NProtectService"=2 (0x2)
"IDriverT"=3 (0x3)
"ewido anti-spyware 4.0 guard"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
"C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"F:\\iTunes new\\iTunes.exe"=

R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 12:24]
R3 TucbDriverV32;TucbDriverV32;C:\WINDOWS\system32\drivers\TucbDriverV32.sys [2008-06-04 10:24]
R3 TucbVideo32;TucbVideo32;C:\WINDOWS\system32\DRIVERS\TucbVideo32.sys [2008-06-04 10:24]
S3 SoundMovieServer;SoundMovieServer;"C:\WINDOWS\system32\snmvtsvc.exe" [2008-06-04 12:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9b8babe-a0fd-11da-a013-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-22 03:47:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-15 07:15:33 C:\WINDOWS\Tasks\McDefragTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2006-12-23 07:00:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-25 03:10:01 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job" - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-07-01 01:24:55 C:\WINDOWS\Tasks\Uniblue SpyEraser.job" - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 06:18:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-25 6:22:11
ComboFix-quarantined-files.txt 2008-06-25 12:21:24
Pre-Run: 19,401,936,896 bytes free
Post-Run: 19,649,327,104 bytes free
231 --- E O F --- 2008-06-20 02:06:09
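The "Reg Loading Points" section of the ComboFix log above is where the security-relevant state of this machine shows up: the standard-profile firewall policy is off, Security Center's antivirus and firewall warnings are silenced, per-product monitoring is disabled, and a MountPoints2 entry records an AutoRun handler for a removable volume. As an added example that is not part of this thread and not ComboFix's own code, the Python below parses that REGEDIT4-style fragment and lists the settings that weaken the host. The key and value names are the real Windows XP locations ComboFix printed; the expected values, the wording of each finding and the sample dump (lines copied from the log above) are this example's own assumptions.

```python
"""Audit a ComboFix "Reg Loading Points" dump for weakened host protections.

Added example for this thread; not ComboFix's code.  The registry key and
value names are the real Windows XP locations that ComboFix printed in the
log above.  The expected values, the wording of each finding and the sample
dump below are this example's own assumptions.
"""
import re

# Constructed input: the relevant lines copied from the ComboFix log posted above.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9b8babe-a0fd-11da-a013-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
"""

SECTION = re.compile(r"^\[(.+)\]$")
# ComboFix prints values three ways: dword:HEX, "N (0xN)" and "string" [extra info].
VALUE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-f]+)'
    r'|(?P<dec>\d+)\s*\(0x[0-9a-f]+\)'
    r'|"(?P<str>.*)".*)$',
    re.I,
)

# (key suffix, value name, expected value, what a different value means).
# Expected values are this example's assumption of a default, protected XP host.
CHECKS = [
    ("firewallpolicy\\standardprofile", "EnableFirewall", 1,
     "Windows Firewall is off for the standard profile"),
    ("firewallpolicy\\standardprofile", "DisableNotifications", 0,
     "firewall blocked-program prompts are suppressed"),
    ("security center", "AntiVirusDisableNotify", 0,
     "Security Center antivirus warnings are silenced"),
    ("security center", "FirewallDisableNotify", 0,
     "Security Center firewall warnings are silenced"),
]


def parse(dump):
    """Split the dump into {key: {value_name: value}} and {key: [unparsed lines]}.

    Keys are lower-cased so later matching is case-insensitive; lines that are
    not "name"=value pairs (ComboFix's AutoRun summary, for example) are kept raw.
    """
    values, raw, current = {}, {}, None
    for line in (ln.strip() for ln in dump.splitlines()):
        if not line or line == "REGEDIT4":
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).lower()
            values.setdefault(current, {})
            continue
        if current is None:
            continue
        v = VALUE.match(line)
        if v is None:
            raw.setdefault(current, []).append(line)
        elif v.group("hex") is not None:
            values[current][v.group("name")] = int(v.group("hex"), 16)
        elif v.group("dec") is not None:
            values[current][v.group("name")] = int(v.group("dec"))
        else:
            values[current][v.group("name")] = v.group("str")
    return values, raw


def audit(dump):
    """Return [(key, value_name, observed, finding)] for settings that weaken the host."""
    values, raw = parse(dump)
    findings = []
    for key, vals in values.items():
        for suffix, name, expected, meaning in CHECKS:
            if key.endswith(suffix) and name in vals and vals[name] != expected:
                findings.append((key, name, vals[name], meaning))
        # Per-product switch: 1 means Security Center ignores that product's state.
        if "\\security center\\monitoring\\" in key and vals.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append((key, "DisableMonitoring", 1,
                             "Security Center no longer tracks " + product))
        # MountPoints2 entries record the AutoRun command Explorer ran for a volume.
        if "\\mountpoints2\\" in key:
            for line in raw.get(key, []):
                if "\\shell\\autorun\\command" in line.lower():
                    findings.append((key, "AutoRun", line.split(" - ", 1)[-1],
                                     "AutoRun handler recorded for a removable volume"))
    return findings


if __name__ == "__main__":
    for key, name, observed, finding in audit(SAMPLE_DUMP):
        print(f"{finding}\n    [{key}] {name} = {observed!r}")
```

Run as a script it prints six findings for the sample. Two caveats a practitioner should keep in mind: the per-product DisableMonitoring flags are also written legitimately when a third-party suite such as McAfee registers itself as the monitored product, and a user can turn off firewall notifications deliberately, so the output is a list of settings to confirm against what the owner intended, not proof of tampering.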
  8. Here are the log files from my PC. I have the free-viruscan issue. Something strange: recently, anything typed into the URL line in IE gets redirected to open in Firefox 3.0.

MBAM
Malwarebytes' Anti-Malware 1.17
Database version: 846
5:11:41 PM 6/23/2008
mbam-log-6-23-2008 (17-11-41).txt
Scan type: Quick Scan
Objects scanned: 41927
Time elapsed: 1 hour(s), 41 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90ce74cc-788a-4a00-b38d-cbca08cc9e8f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cc257918-f435-4a33-8231-2b8195990cca} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.

Panda
;****************************************************************************************
ANALYSIS: 2008-06-24 18:00:04
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;****************************************************************************************
PROTECTIONS
Description   Version   Active   Updated
;========================================================================================
McAfee VirusScan   (no version reported)   Yes   Yes
;========================================================================================
MALWARE
Id   Description   Type   Active   Severity   Disinfectable   Disinfected   Location
;========================================================================================
03104652   Adware/BHO   Adware   No   0   Yes   No   C:\WINDOWS\system32\idef.dll
03105191   Adware/BHO   Adware   No   0   Yes   No   C:\RECYCLER\S-1-5-21-1801674531-562591055-725345543-1003\Dc409.exe
;========================================================================================
SUSPECTS
Sent   Location
;========================================================================================
;========================================================================================
VULNERABILITIES
Id   Severity   Description
;========================================================================================
120815   HIGH   MS06-022
;========================================================================================

HJT
Logfile of HijackThis v1.99.1
Scan saved at 6:02:09 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Panorama\Panorama.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes new\iTunesHelper.exe"
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: Panorama 32.lnk = C:\Program Files\Panorama\Panorama.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\TuneCab\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\TuneCab\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: www.91x.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.c
O16 - DPF: {C6D25826-96AE-462F-A852-BB33B882B723} (SFImageUpload1_4.ImageUpload) - http://kingsoopers.storefront.com/images/g...geUpload1_4.CAB
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
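Reading a HijackThis log is mostly a matter of knowing which O-number sections can change trust decisions or run code at high privilege. As an added example that is not part of this thread and not HijackThis's own code, the Python below parses HJT-style lines, names the mechanism behind each section and flags the entries an analyst reviews first: Winsock LSPs, Trusted Zone additions, Winlogon Notify DLLs, ActiveX controls downloaded from non-vendor hosts, autostarts that live outside the Windows and Program Files trees, dangling "(file missing)" entries, and services that carry no vendor information. The trusted-directory prefixes, the vendor host list and the rules themselves are this example's assumptions; the sample lines are copied from the HJT log posted above.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; not code from the forum or from HijackThis.
It parses the "Oxx - ..." entries HijackThis prints, names the mechanism each
section number controls and flags the entries an analyst reviews first.  The
trusted-directory prefixes, the vendor host list and the rules are this
example's own assumptions, not part of the tool.
"""
import re

# Constructed input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes new\iTunesHelper.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: www.91x.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {C6D25826-96AE-462F-A852-BB33B882B723} (SFImageUpload1_4.ImageUpload) - http://kingsoopers.storefront.com/images/g...geUpload1_4.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
WIN_PATH = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|sys|ocx|scr|cpl))", re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)

# What each HijackThis section controls (the subset that matters here).
SECTION = {
    "R0": "IE start page or search page",
    "R1": "IE default URL, proxy or search setting",
    "O2": "Browser Helper Object loaded into every IE process",
    "O4": "autostart via a Run key or the Startup folder",
    "O9": "extra IE button or Tools menu item",
    "O10": "Winsock LSP: a DLL loaded into every process that opens a socket",
    "O15": "host placed in IE's Trusted Zone, which relaxes ActiveX and script policy",
    "O16": "ActiveX control installed from a URL (Downloaded Program Files)",
    "O20": "Winlogon Notify DLL, loaded into winlogon.exe as SYSTEM",
    "O21": "ShellServiceObjectDelayLoad DLL, loaded by Explorer at logon",
    "O23": "Windows service",
}
ALWAYS_REVIEW = {"O10", "O15", "O20", "O21"}  # trust-changing or high-privilege hooks
# Assumption: autostart targets under these prefixes are routine; anything else
# (other drives, the user profile, RECYCLER, temp) deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Assumption: ActiveX downloads from these hosts are vendor-supplied.
VENDOR_HOSTS = ("go.microsoft.com", "download.microsoft.com", "download.mcafee.com")


def flag(line):
    """Return the reasons an entry needs review; an empty list means nothing notable."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec in ALWAYS_REVIEW:
        reasons.append(SECTION[sec])
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("points at a file that no longer exists (leftover or hidden)")
    path = WIN_PATH.search(body)
    if sec == "O4" and path and not path.group(1).lower().startswith(TRUSTED_DIRS):
        reasons.append("autostart target outside Windows/Program Files: " + path.group(1))
    if sec == "O16":
        host = URL_HOST.search(body)
        if host and not host.group(1).lower().endswith(VENDOR_HOSTS):
            reasons.append("ActiveX control fetched from third-party host " + host.group(1))
    if sec == "O23":
        # HJT prints "Service: <display name> - <company> - <path>"; "Unknown owner"
        # or a company equal to the name means the binary carries no vendor info.
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] in ("Unknown owner", parts[0]):
            reasons.append("service binary without vendor information: " + parts[2])
    return reasons


def triage(log_text):
    """Return [(section, line, reasons)] for every flagged line, in log order."""
    out = []
    for line in log_text.splitlines():
        reasons = flag(line)
        if reasons:
            out.append((line.split(" - ", 1)[0], line, reasons))
    return out


if __name__ == "__main__":
    for sec, line, reasons in triage(SAMPLE_LOG):
        print(f"[{sec}] {SECTION.get(sec, '')}\n  {line}")
        for r in reasons:
            print("   -> " + r)
```

Run as a script it lists seven of the eleven sample entries. That is a ranking, not a verdict: the Bonjour LSP (mdnsnsp.dll) and the iTunesHelper autostart on F: are what a machine with iTunes installed normally looks like, and the "file missing" xpnetdiag button is a Windows leftover, whereas the Trusted Zone entry and the vendor-less SoundMovieServer service are the ones to run down first.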
  9. I did the Spybot and the MBAM; Panda is still running. Do you need all 3, or should I post in pieces? Thanks, Dave
  10. Here is the MBAM LOG

Malwarebytes' Anti-Malware 1.17
Database version: 846
5:11:41 PM 6/23/2008
mbam-log-6-23-2008 (17-11-41).txt
Scan type: Quick Scan
Objects scanned: 41927
Time elapsed: 1 hour(s), 41 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90ce74cc-788a-4a00-b38d-cbca08cc9e8f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cc257918-f435-4a33-8231-2b8195990cca} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
  11. Hi, I have managed to contract this malware on my Windows XP PC. hxxp://free-viruscan.com/id/4912933/4/1/ Is there a way to remove it? Thanks for your help, Dave