
Free-viruscan logs



Here are the log files from my PC. I have the free-viruscan issue. Something strange: recently, anything typed into the URL line in IE gets redirected to open in Firefox 3.0.

MBAM

Malwarebytes' Anti-Malware 1.17

Database version: 846

5:11:41 PM 6/23/2008

mbam-log-6-23-2008 (17-11-41).txt

Scan type: Quick Scan

Objects scanned: 41927

Time elapsed: 1 hour(s), 41 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{90ce74cc-788a-4a00-b38d-cbca08cc9e8f} (Adware.ISTBar) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{cc257918-f435-4a33-8231-2b8195990cca} (Adware.ISTBar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.

Panda

;*******************************************************************************

ANALYSIS: 2008-06-24 18:00:04

PROTECTIONS: 1

MALWARE: 2

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

McAfee VirusScan Yes Yes

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

03104652 Adware/BHO Adware No 0 Yes No C:\WINDOWS\system32\idef.dll

03105191 Adware/BHO Adware No 0 Yes No C:\RECYCLER\S-1-5-21-1801674531-562591055-725345543-1003\Dc409.exe

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

120815 HIGH MS06-022

;===============================================================================

HJT

Logfile of HijackThis v1.99.1

Scan saved at 6:02:09 PM, on 6/24/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Panorama\Panorama.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes new\iTunesHelper.exe"

O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe

O4 - Startup: Panorama 32.lnk = C:\Program Files\Panorama\Panorama.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\TuneCab\YouTubeRipper.dll

O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\TuneCab\YouTubeRipper.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: www.91x.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {C6D25826-96AE-462F-A852-BB33B882B723} (SFImageUpload1_4.ImageUpload) - http://kingsoopers.storefront.com/images/g...geUpload1_4.CAB

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe

O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe

O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


Hi drgill_co and welcome to Malwarebytes.

Make sure you're running as an administrator on the machine. Allow email from Malwarebytes.org and set your preferences in the User Control Panel to email notifications for replies to your topics. This ensures you make prompt replies back and we get you cleaned in the fastest way possible.

Please set your system to show all files:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

If you haven't already, please get this program, update and run a complete scan removing all items found.

Spybot Search & Destroy. Be sure to use the immunize feature. But do not enable TeaTimer at this time.

Open SB S&D

Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.

Click on the Tools section and then Resident.

You will see two items.

1. Resident "SD helper" (Internet Explorer bad download blocker.) active

2. Resident "Tea Timer" (Protection of over-all system settings.) active.

Uncheck number 2.

Leave number 1 checked always.

You can enable Tea Timer again if you wish once all special fixes have been done.

Please get this version of HijackThis and run a scan with it. The version you used is outdated and I will be better able to help you with the added information the newer version gives.

Please also find these files

C:\WINDOWS\system32\idef.dll

C:\RECYCLER\S-1-5-21-1801674531-562591055-725345543-1003\Dc409.exe

Put them into a zipped folder, either by dragging them both to a folder you create and then zipping it by right-clicking and selecting Send to zipped folder, or by zipping each one individually. Then upload them here: http://uploads.malwarebytes.org/

Download the new version of MBAM as well; you have an outdated version. Install the new version, update it and run a quick scan, then post that log and the log from the newest version of HJT.

You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove Programs and delete the program file as well. Then go here: http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.

Edited by JeanInMontana to add instructions

Hi Jean in Montana

Thanks very much for your reply. Below you will find the MBAM and HJT logs. I had done a scan or two with SB S&D before your reply, trying to isolate it, so on this last scan SB S&D found nothing. I was not able to find either of the files you requested. I emptied the recycle bin thinking the offender was hiding there.

I can tell you that any time I use IE, it gets hijacked into the Firefox 3.0 URL line. No other programs appear to be affected. I can go to pages off my Yahoo home page in IE, but any URL I type gets hijacked.

Also, I thought I found it when I saw a SAHagent in an SB run, so I ran combofix.exe and have added its log for your info.

Thanks for your help,

drgill_co

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:16:57 PM, on 6/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: www.91x.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe

O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe

O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--

End of file - 7656 bytes

MBAM Log

Malwarebytes' Anti-Malware 1.18

Database version: 888

5:42:35 AM 6/25/2008

mbam-log-6-25-2008 (05-42-29).txt

Scan type: Full Scan (C:\|F:\|)

Objects scanned: 137394

Time elapsed: 4 hour(s), 34 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{4937d5d1-2039-409a-bd83-fec9b39b2356} (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\RECYCLER\S-1-5-21-1801674531-562591055-725345543-1003\Dc409.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\idef.dll (Trojan.FakeAlert) -> No action taken.

Combofix log

ComboFix 08-06-20.4 - Owner 2008-06-25 6:12:39.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.559 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

C:\WINDOWS\Downloaded Program Files\setup.inf

F:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))

.

2008-06-23 17:50 . 2008-06-23 17:52 <DIR> d-------- C:\Program Files\Panda Security

2008-06-23 06:16 . 2008-06-23 06:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes

2008-06-23 06:15 . 2008-06-24 20:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-06-23 06:15 . 2008-06-23 06:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-23 06:15 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-06-23 06:15 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-06-23 05:58 . 2008-06-23 05:58 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-06-23 05:38 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-06-23 05:38 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-06-23 05:38 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-06-23 05:38 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-06-23 05:37 . 2008-06-23 17:15 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-06-23 05:37 . 2008-06-23 05:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools

2008-06-23 05:37 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2008-06-22 22:59 . 2008-06-22 22:58 691,545 --a------ C:\WINDOWS\unins000.exe

2008-06-22 22:59 . 2008-06-22 22:59 2,541 --a------ C:\WINDOWS\unins000.dat

2008-06-22 20:45 . 2008-06-22 20:45 <DIR> d-------- C:\Program Files\Bonjour

2008-06-22 20:42 . 2008-06-22 20:44 <DIR> d-------- C:\Program Files\QuickTime

2008-06-22 20:09 . 2008-06-22 20:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-06-22 20:09 . 2008-06-22 20:09 1,409 --a------ C:\WINDOWS\QTFont.for

2008-06-22 20:08 . 2008-06-22 20:08 <DIR> d----c--- C:\Converted

2008-06-22 20:03 . 2008-06-22 20:06 <DIR> d-------- C:\Program Files\TuneCab

2008-06-22 20:03 . 2008-06-04 10:24 508,544 --a------ C:\WINDOWS\system32\TucbDriverV32.sys

2008-06-22 20:03 . 2008-06-04 10:24 508,544 --a------ C:\WINDOWS\system32\drivers\TucbDriverV32.sys

2008-06-22 20:03 . 2008-06-04 12:05 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe

2008-06-22 20:03 . 2008-06-04 10:24 10,936 --a------ C:\WINDOWS\system32\TucbVideo32.dll

2008-06-22 20:03 . 2008-06-04 10:24 3,993 --a------ C:\WINDOWS\system32\TucbDriverV32.inf

2008-06-22 20:03 . 2008-06-04 10:24 3,768 --a------ C:\WINDOWS\system32\TucbVideo32.sys

2008-06-22 20:03 . 2008-06-04 10:24 3,768 --a------ C:\WINDOWS\system32\drivers\TucbVideo32.sys

2008-06-22 20:03 . 2008-06-04 10:24 2,659 --a------ C:\WINDOWS\system32\TucbVideo32.inf

2008-06-22 19:14 . 2008-06-23 01:34 <DIR> d-------- C:\Program Files\FolderMatch

2008-06-22 19:14 . 2004-06-07 10:21 874,248 --a------ C:\WINDOWS\system32\SmartUI2.ocx

2008-06-22 19:14 . 2002-02-05 10:59 599,800 --a------ C:\WINDOWS\system32\Cfx4032.ocx

2008-06-22 19:14 . 2003-04-04 13:37 319,488 --a------ C:\WINDOWS\system32\SNTP Wizard2.ocx

2008-06-22 19:14 . 2006-09-04 13:57 270,880 --a------ C:\WINDOWS\system32\MyCommandButton.ocx

2008-06-22 19:14 . 1999-05-07 01:00 244,232 --a------ C:\WINDOWS\system32\Msflxgrd.ocx

2008-06-22 19:14 . 2005-07-07 10:57 159,744 --a------ C:\WINDOWS\system32\stamin32.dll

2008-06-22 19:14 . 2001-10-08 08:46 136,976 --a------ C:\WINDOWS\system32\SfxBar.dll

2008-06-22 06:48 . 2008-06-22 06:48 <DIR> d-------- C:\Program Files\uTorrent

2008-06-22 06:48 . 2008-06-22 19:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent

2008-06-14 20:21 . 2008-06-14 20:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RTPlayer

2008-06-01 11:10 . 2008-06-01 11:10 <DIR> d-------- C:\Program Files\Red Chair Software

2008-06-01 11:10 . 2008-06-01 11:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Red Chair Software

2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-05-26 19:51 . 2008-05-26 19:51 <DIR> d-------- C:\Program Files\Heavy Weather

2008-05-26 19:41 . 2008-05-26 19:41 <DIR> d-------- C:\WINDOWS\system32\cvirte

2008-05-26 19:41 . 2008-06-22 19:26 <DIR> d----c--- C:\HeavyWeather

2008-05-26 19:41 . 2001-08-01 02:00 1,826,816 --a------ C:\WINDOWS\system32\cvirte.dll

2008-05-26 19:41 . 2001-08-01 02:00 45,056 --a------ C:\WINDOWS\system32\cvirt.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-25 12:12 --------- d-----w C:\Program Files\Panorama

2008-06-25 11:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Tunebite

2008-06-23 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-23 23:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-06-23 12:14 --------- d-----w C:\Program Files\Common Files\Download Manager

2008-06-23 11:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-06-23 06:06 --------- d-----w C:\Program Files\EphPod

2008-06-23 05:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-06-23 05:18 --------- d-----w C:\Program Files\Lavasoft

2008-06-23 05:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-06-23 02:46 --------- d-----w C:\Program Files\iPod

2008-06-23 02:31 --------- d-----w C:\Program Files\LimeWire

2008-06-15 18:08 --------- d-----w C:\Program Files\Quicken

2008-06-15 02:24 --------- d-----w C:\Program Files\WinAce

2008-06-14 18:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM

2008-06-14 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution

2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-05-25 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-05-20 09:02 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-05-17 13:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\VideoReDo-TVSuite

2008-05-17 12:21 --------- d-----w C:\Program Files\OpenOffice.org 2.4

2008-05-17 12:10 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-17 12:10 --------- d-----w C:\Program Files\Motorola Phone Tools

2008-05-17 12:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software

2008-05-16 17:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

2008-05-10 13:27 --------- d-----w C:\Program Files\WMA-MP3.com

2008-05-10 01:49 --------- d-----w C:\Program Files\PixiePack Codec Pack

2008-05-10 01:42 --------- d-----w C:\Program Files\RapidSolution

2008-05-09 11:12 --------- d-----w C:\Program Files\Music Rescue

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2008-05-03 04:35 --------- d-----w C:\Program Files\Java

2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys

2008-04-29 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Maxtor

2008-04-29 02:11 --------- d-----w C:\Program Files\Maxtor

2008-04-26 19:03 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2007-11-26 00:17 132,896 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

2007-06-28 00:21 92,064 -c--a-w C:\Documents and Settings\Owner\mqdmmdm.sys

2007-06-28 00:21 9,232 -c--a-w C:\Documents and Settings\Owner\mqdmmdfl.sys

2007-06-28 00:21 79,328 -c--a-w C:\Documents and Settings\Owner\mqdmserd.sys

2007-06-28 00:21 66,656 -c--a-w C:\Documents and Settings\Owner\mqdmbus.sys

2007-06-28 00:21 6,208 -c--a-w C:\Documents and Settings\Owner\mqdmcmnt.sys

2007-06-28 00:21 5,936 -c--a-w C:\Documents and Settings\Owner\mqdmwhnt.sys

2007-06-28 00:21 4,048 -c--a-w C:\Documents and Settings\Owner\mqdmcr.sys

2007-06-28 00:21 25,600 -c--a-w C:\Documents and Settings\Owner\usbsermptxp.sys

2007-06-28 00:21 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys

2006-09-02 14:46 0 -c--a-w C:\Program Files\Common Files\dht342

2006-02-24 05:06 326 -c-ha-w C:\Documents and Settings\Owner\hpothb07.dat

2006-02-24 05:06 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat

2006-02-24 05:05 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat

2006-02-24 05:05 0 -c-ha-w C:\Documents and Settings\Administrator\hpothb07.dat

2004-10-16 13:38 359 -c-ha-w C:\Documents and Settings\Owner\Application Data\hpothb07.dat

2004-10-01 22:00 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Tunebite"="C:\Program Files\RapidSolution\Tunebite\Tunebite.exe" [2008-04-24 13:28 6366512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]

"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-20 22:47 1687552]

"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 17:13 163840]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

"iTunesHelper"="F:\iTunes new\iTunesHelper.exe" [2008-06-02 11:13 267048]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\

Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2008-03-02 13:54:50 1076276]

Panorama 32.lnk - C:\Program Files\Panorama\Panorama.exe [2004-02-05 19:25:03 708608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk

backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 00:56 15360 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wscsvc"=2 (0x2)

"WZCSVC"=2 (0x2)

"Symantec Core LC"=2 (0x2)

"Speed Disk service"=2 (0x2)

"SPBBCSvc"=2 (0x2)

"ScReadSpool"=2 (0x2)

"RoxLiveShare"=2 (0x2)

"NSCService"=3 (0x3)

"NProtectService"=2 (0x2)

"IDriverT"=3 (0x3)

"ewido anti-spyware 4.0 guard"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

"C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"F:\\iTunes new\\iTunes.exe"=

R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 12:24]

R3 TucbDriverV32;TucbDriverV32;C:\WINDOWS\system32\drivers\TucbDriverV32.sys [2008-06-04 10:24]

R3 TucbVideo32;TucbVideo32;C:\WINDOWS\system32\DRIVERS\TucbVideo32.sys [2008-06-04 10:24]

S3 SoundMovieServer;SoundMovieServer;"C:\WINDOWS\system32\snmvtsvc.exe" [2008-06-04 12:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9b8babe-a0fd-11da-a013-806d6172696f}]

\Shell\AutoRun\command - E:\Autorun.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]

C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

"2008-06-22 03:47:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-05-15 07:15:33 C:\WINDOWS\Tasks\McDefragTask.job"

- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'

"2006-12-23 07:00:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

"2008-06-25 03:10:01 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"

- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

"2007-07-01 01:24:55 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"

- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-25 06:18:17

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-06-25 6:22:11

ComboFix-quarantined-files.txt 2008-06-25 12:21:24

Pre-Run: 19,401,936,896 bytes free

Post-Run: 19,649,327,104 bytes free

231 --- E O F --- 2008-06-20 02:06:09

Edited by JeanInMontana
Remove quote no need to quote, save the scroll time.

Hi Jean in Montana

Further information: I found the files you wanted in the MBAM quarantine area. Where is this so I can collect and send them on?

Also, another characteristic of what is going on is that any time I run a SSB S&D or MBAM scan, the Windows Taskbar and all desktop icons disappear.

Thanks for your help

drgill_co


You really need to follow my instructions. Never run tools like Combofix unless you are asked to do so. You do not have MBAM configured to remove anything. Open the program, go to the settings tab and put a check in all the boxes. The HJT log is always the last thing you post. It's useless to me if it isn't done after the removal. The files I wanted you to upload are not in MBAM quarantine.

Now please update MBAM and run a quick scan and post that log then a new HJT log.


Hi

I downloaded today's update to MBAM and checked the settings page; all were previously checked except for "terminate IE". I checked it and reran a quick scan. The log follows, as does a HJT log run after the MBAM scan.

Malwarebytes' Anti-Malware 1.18

Database version: 894

6:59:06 PM 6/26/2008

mbam-log-6-26-2008 (18-59-06).txt

Scan type: Quick Scan

Objects scanned: 41351

Time elapsed: 45 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:00:55 PM, on 6/26/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: www.91x.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe

O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe

O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--

End of file - 7764 bytes


Hi again, MBAM log is clean. How are you running? Things are looking pretty good. Do you have any problems still?

You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.

Adobe is also very outdated, and a known security risk. You should get the current version 8. Windows is also outdated and in need of update, current Service Pack is 3.

I recommend you read this also: How to install and use the Windows XP Recovery Console, and make sure it is installed on your machine. This is important should anything go wrong and you need to recover your PC and not lose all the data.


Hi

I too saw the MBAM log as clean, so I tried IE; it is still hijacked and opens Firefox from anything typed in the URL line.

I am getting the Java updates done. I have Windows automatic updates enabled and have all patches installed. I had to disable Windows recovery due to lack of disk space. Kids' music was hogging the HDD..

Any more suggestions? When I first got this virus it tried to get me to download the IE Antivirus stuff. Maybe a mutant of that is still floating around and hijacking IE. Not that I am heartbroken about losing IE, but I am worried about it hijacking passwords etc...

thanks for your suggestions

drgill_co


Hi

I decided to have a look at my startup files using CCleaner and found a strange file, GMT.exe. When I tried to select it, it would not allow selection, but any other file would. I got an error about not finding the file.

Could this be the bug??


Your Windows system is not up to date. The current service pack is 3 and you have 2. If you're going to decide how we do this, it's not going to work. I can't stress it enough: you do as instructed, when instructed, not what you decide.

Please get this http://www.runscanner.net/download.aspx, install it and do a full scan, then click "save .text file". Name it drgill, save it to your desktop and post it in your next reply.


Attached you will find the RunScanner log.

Runscanner logfile http://www.runscanner.net

* = signed file

- = file not found

000 General info

----------------

Computer name : OFFICE

Creation time : 6/27/2008 8:51:46 PM

Hosts <> 127.0.0.1 : 0

Hosts file location : %SystemRoot%\System32\drivers\etc

IE version : 7.0.5730.11

OS : Microsoft Windows XP

OS Build : 2600

OS SP : Service Pack 2

RunScanner Version : 1.6.3.0

User Language : English (United States)

User rights : Administrator

Windows folder : C:\WINDOWS

001 Running processes

---------------------

* c:\program files\lavasoft\ad-aware\aawservice.exe (Lavasoft)

c:\program files\common files\roxio shared\sharedcom8\roxmediadb.exe (Sonic Solutions)

c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple, Inc.)

* c:\windows\system32\alg.exe (Microsoft Corporation)

c:\program files\bonjour\mdnsresponder.exe (Apple Inc.)

* c:\windows\system32\csrss.exe (Microsoft Corporation)

* c:\program files\mozilla firefox\firefox.exe (Mozilla Corporation)

* c:\windows\system32\svchost.exe (Microsoft Corporation)

* c:\windows\system32\svchost.exe (Microsoft Corporation)

* c:\windows\system32\svchost.exe (Microsoft Corporation)

* c:\windows\system32\svchost.exe (Microsoft Corporation)

* c:\windows\system32\svchost.exe (Microsoft Corporation)

* c:\windows\system32\svchost.exe (Microsoft Corporation)

* c:\documents and settings\owner\my documents\downloads\hijackthis.exe (Trend Micro Inc.)

* c:\program files\ipod\bin\ipodservice.exe (Apple Inc.)

* c:\windows\system32\lsass.exe (Microsoft Corporation)

c:\program files\common files\lightscribe\lssrvc.exe (Hewlett-Packard Company)

* c:\program files\common files\microsoft shared\vs7debug\mdm.exe (Microsoft Corporation)

* c:\program files\common files\mcafee\hackerwatch\hwapi.exe (McAfee, Inc.)

* c:\progra~1\mcafee\msc\mcpromgr.exe (McAfee, Inc.)

* c:\progra~1\mcafee.com\agent\mcagent.exe (McAfee, Inc.)

* c:\progra~1\common~1\mcafee\mna\mcnasvc.exe (McAfee, Inc.)

* c:\program files\mcafee\mpf\mpfsrv.exe (McAfee, Inc.)

* c:\progra~1\mcafee\mps\mps.exe (McAfee, Inc.)

* c:\program files\mcafee\mps\mpsevh.exe (McAfee, Inc.)

* c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe (McAfee, Inc.)

* c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe (McAfee, Inc.)

* c:\progra~1\mcafee\viruss~1\mcsysmon.exe (McAfee, Inc.)

* c:\progra~1\mcafee\viruss~1\mcods.exe (McAfee, Inc.)

* c:\windows\system32\wisptis.exe (Microsoft Corporation)

* c:\progra~1\mcafee\msc\mcmscsvc.exe (McAfee, Inc.)

* c:\progra~1\mcafee\viruss~1\mcshield.exe (McAfee, Inc.)

* c:\documents and settings\owner\local settings\temp\runscanner.exe (Runscanner.net)

* c:\windows\system32\services.exe (Microsoft Corporation)

* c:\windows\system32\spoolsv.exe (Microsoft Corporation)

* c:\program files\maxtor\sync\syncservices.exe (Seagate Technology LLC)

* c:\windows\explorer.exe (Microsoft Corporation)

* c:\windows\explorer.exe (Microsoft Corporation)

* c:\windows\system32\winlogon.exe (Microsoft Corporation)

* c:\windows\system32\smss.exe (Microsoft Corporation)

c:\progra~1\winzip\winzip32.exe (WinZip Computing, Inc.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)

-----------------------------------------------------

c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple Mobile Device)

c:\program files\bonjour\mdnsresponder.exe (Bonjour Service)

* c:\program files\ipod\bin\ipodservice.exe (iPod Service)

* c:\program files\lavasoft\ad-aware\aawservice.exe (Lavasoft Ad-Aware Service)

c:\program files\common files\lightscribe\lssrvc.exe (LightScribeService Direct Disc Labeling Service)

* c:\program files\maxtor\sync\syncservices.exe (Maxtor Service)

* c:\progra~1\common~1\mcafee\emproxy\emproxy.exe (McAfee E-mail Proxy)

* c:\program files\common files\mcafee\hackerwatch\hwapi.exe (McAfee HackerWatch Service)

* c:\progra~1\common~1\mcafee\mna\mcnasvc.exe (McAfee Network Agent)

* c:\program files\mcafee\mpf\mpfsrv.exe (McAfee Personal Firewall Service)

* c:\progra~1\mcafee\mps\mps.exe (McAfee Privacy Service)

* c:\progra~1\mcafee\msc\mcpromgr.exe (McAfee Protection Manager)

* c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service)

* c:\progra~1\mcafee\viruss~1\mcshield.exe (McAfee Real-time Scanner)

* c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe (McAfee Redirector Service)

* c:\progra~1\mcafee\viruss~1\mcods.exe (McAfee Scanner)

* c:\progra~1\mcafee\msc\mcmscsvc.exe (McAfee Services)

* c:\progra~1\mcafee\viruss~1\mcsysmon.exe (McAfee SystemGuards)

* c:\progra~1\mcafee\msc\mcupdmgr.exe (McAfee Update Manager)

c:\program files\common files\roxio shared\sharedcom8\roxwatch.exe (Roxio Hard Drive Watcher)

c:\program files\common files\roxio shared\sharedcom8\roxmediadb.exe (RoxMediaDB)

c:\program files\common files\roxio shared\sharedcom\roxupnprenderer.exe (RoxUpnpRenderer)

c:\program files\roxio\easy media creator 8\digital home\roxupnpserver.exe (RoxUpnpServer)

c:\program files\common files\sony shared\avlib\sptisrv.exe (Sony SPTI Service)

c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe (Windows CardSpace)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)

----------------------------------------------------

c:\windows\system32\drivers\aspi32.sys (Aspi32)

- c:\combofix\catchme.sys (catchme)

c:\windows\system32\drivers\cdr4_xp.sys (Cdr4_xp)

c:\windows\system32\drivers\cdralw2k.sys (Cdralw2k)

c:\windows\system32\drivers\cdudf_xp.sys (cdudf_xp)

- c:\windows\system32\drivers\changer.sys (Changer)

C:\WINDOWS\system32\drivers\drvmcdb.sys (drvmcdb)

c:\windows\system32\drivers\dvd_2k.sys (dvd_2K)

C:\WINDOWS\system32\drivers\dvd43llh.sys (dvd43llh)

* C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEARAspiWDM)

C:\WINDOWS\system32\drivers\http.sys (HTTP)

- c:\windows\system32\drivers\i2omgmt.sys (i2omgmt)

- c:\windows\system32\drivers\lbrtfdc.sys (lbrtfdc)

C:\WINDOWS\system32\drivers\mxopswd.sys (Maxtor OneTouch Security Driver)

* C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee Inc.)

* C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee Inc.)

* C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee Inc.)

* C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee Inc.)

* C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee Inc.)

c:\windows\system32\drivers\mcstrm.sys (MCSTRM)

c:\windows\system32\drivers\mmc_2k.sys (mmc_2K)

* C:\WINDOWS\system32\drivers\mpfp.sys (MPFP)

c:\windows\system32\drivers\npdriver.sys (Norton UnErase Protection Driver)

c:\windows\system32\drivers\omci.sys (OMCI)

C:\WINDOWS\system32\drivers\pfc.sys (Padus ASPI Shell)

- c:\windows\system32\drivers\pcidump.sys (PCIDump)

- c:\windows\system32\drivers\pdcomp.sys (PDCOMP)

- c:\windows\system32\drivers\pdframe.sys (PDFRAME)

- c:\windows\system32\drivers\pdreli.sys (PDRELI)

- c:\windows\system32\drivers\pdrframe.sys (PDRFRAME)

c:\windows\system32\drivers\pwd_2k.sys (pwd_2k)

C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)

C:\WINDOWS\system32\drivers\rxfilter.sys (RxFilter)

c:\windows\system32\drivers\sddriver.sys (SDdriver)

- c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys (SPBBCDrv)

- c:\program files\symantec\symevent.sys (SymEvent)

C:\WINDOWS\system32\drivers\tucbdriverv32.sys (TucbDriverV32)

C:\WINDOWS\system32\drivers\tucbvideo32.sys (TucbVideo32)

* C:\WINDOWS\system32\drivers\tbhsd.sys (Tunebite High-Speed Dubbing)

C:\WINDOWS\system32\drivers\usr_xp.sys (U.S. Robotics 10/100/1000 PCI NIC NDIS XP Driver)

c:\windows\system32\drivers\udfreadr_xp.sys (UdfReadr_xp)

- c:\windows\system32\drivers\wdica.sys (WDICA)

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler

-------------------------------------------

c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components

------------------------------------------------------------------

c:\program files\pixiepack codec pack\installerhelper.exe {61E3FE32-07B9-4563-A3E0-2DE2D620FE10}

042 HKLM\Software\Microsoft\Internet Explorer\Extensions

--------------------------------------------------------

c:\program files\aim\aim.exe (America Online, Inc.) {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}

c:\program files\messenger\msmsgs.exe (Microsoft Corporation) {FB5F1910-F110-11d2-BB9E-00C04F795683}

047 Trusted zones

-----------------

Zone: : msn

Zone: turbotax.com : https://turbotax.com

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

----------------------------------------------------------------------------------

* c:\progra~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}

* c:\progra~1\mcafee\viruss~1\scriptcl.dll (McAfee, Inc.) {7DB2D5A0-7241-4E79-B68D-6309F01C5231}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

---------------------------------------------------------------------------------

c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}

c:\program files\red chair software\anapod explorer\anapodpw.dll (Red Chair Software, Inc.) {BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED4490}

c:\program files\red chair software\anapod explorer\anapodps.dll (Red Chair Software, Inc.) {BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED4491}

* f:\itunes new\itunesminiplayer.dll (Apple Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}

c:\program files\roxio\easy media creator 8\drag to disc\shellex.dll (Sonic Solutions) {5E44E225-A408-11CF-B581-008029601108}

c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}

c:\progra~1\common~1\tishar~1\ticonn~1\tishlext.dll (Texas Instruments Incorporated) {3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02}

c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D21-7BD0-11D1-BFB7-00AA00262A11}

c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}

c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D25-7BD0-11D1-BFB7-00AA00262A11}

c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D23-7BD0-11D1-BFB7-00AA00262A11}

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79305-84BE-11CE-9641-444553540000}

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79306-84BE-11CE-9641-444553540000}

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79307-84BE-11CE-9641-444553540000}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute

---------------------------------------------------------------------

* C:\WINDOWS\system32\lsdelete.exe

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

--------------------------------------------------------

c:\windows\system32\adobepdf.dll (Adobe Systems Incorporated.)

073 %windir%\Tasks

------------------

AppleSoftwareUpdate.job : c:\program files\apple software update\softwareupdate.exe (Apple Inc.)

McDefragTask.job : c:\progra~1\mcafee\mqc\qcconsol.exe (McAfee, Inc.)

Uniblue SpyEraser Nag.job : c:\program files\uniblue\spyeraser\spyeraser.exe

Uniblue SpyEraser.job : c:\program files\uniblue\spyeraser\spyeraser.exe

100 Internet Explorer settings

------------------------------

Start Page HKCU : http://www.msn.com/

Start Page HKLM : http://www.msn.com/

102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars

------------------------------------------------------------------

GUID / CLSID not found {182EC0BE-5110-49C8-A062-BEB1D02A220B}

GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}

GUID / CLSID not found {4528BBE0-4E08-11D5-AD55-00010333D0AD}

GUID / CLSID not found {4528BBE0-4E08-11D5-AD55-00010333D0AD}

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units

------------------------------------------------------------------

GUID / CLSID not found {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}

c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

c:\program files\java\jre1.5.0_09\bin\npjpi150_09.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt

-----------------------------------------------------

E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

107 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5

---------------------------------------------------------------------------------

c:\program files\bonjour\mdnsnsp.dll (Apple Inc.)

170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

------------------------------------------------------------------------

{e9b8babe-a0fd-11da-a013-806d6172696f} : E:\Autorun.exe

173 HKCR\*\shellex\ContextMenuHandlers

--------------------------------------

GUID / CLSID not found

c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}

* c:\progra~1\mcafee\viruss~1\mcodsax.dll (McAfee, Inc.) {162EFDC5-2957-465D-887B-590AF4A7E84D}

c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}

c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}

221 HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers

-------------------------------------------------------

GUID / CLSID not found

c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}

* c:\progra~1\mcafee\viruss~1\mcodsax.dll (McAfee, Inc.) {162EFDC5-2957-465D-887B-590AF4A7E84D}

c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}

c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}

223 HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers

--------------------------------------------------------------------------

* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

225 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers

------------------------------------------------------------

* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

* c:\progra~1\mcafee\viruss~1\mcodsax.dll (McAfee, Inc.) {162EFDC5-2957-465D-887B-590AF4A7E84D}

* c:\progra~1\mcafee\viruss~1\mcodsax.dll (McAfee, Inc.) {162EFDC5-2957-465D-887B-590AF4A7E84D}

c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}

c:\program files\roxio\easy media creator 8\virtual drive\dc_shellext.dll {0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}

227 HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers

---------------------------------------------------------------

GUID / CLSID not found

c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}

c:\program files\winace\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}


Why do you insist on editing your logs?

Your Runscanner log is missing the following information:

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Your previous HijackThis logs have been edited as well, to remove the Startup information. What are you hiding?

By not providing complete information, the individual helping you cannot make an accurate assessment and provide a proper solution, because they do not have all the information.

Start Runscanner and select Beginner Mode.

Click 'OK'

Click 'Start full scan'

When prompted save the binary .run file to your Desktop as drgill_co.run.

When prompted save the runscanner scan log to your Desktop as drgill_co.log.

Now attach both files in your next reply. DO NOT edit your runscanner log.

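The check the helper performed by eye above (which numbered Runscanner sections are present, which entries could not be resolved to a file, which file entries carry no publisher string) can be scripted. The following is an added example for this thread; it is not code from the original poster, from the helper, or from Runscanner itself. The list of required sections (002, 003, 005) is taken from the helper's reply and assumed to be the minimum a reviewer needs; the sample log is a constructed, abbreviated excerpt in the same format as the posted log, with the Run and Startup sections deliberately left out.

```python
"""Triage a Runscanner autostart log (added example, not Runscanner's code).

Reads a log in the format posted in this thread and reports: which numbered
sections are present and which required ones are missing, which entries
Runscanner printed as "GUID / CLSID not found", and which file entries have
no publisher string.  Required sections are assumed from the helper's reply.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sections the helper said were cut out of the posted log (assumption: this
# is the minimum a reviewer needs; numbers and names as given in the reply).
REQUIRED_SECTIONS = {
    "002": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)",
    "003": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)",
    "005": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
}

SECTION_RE = re.compile(r"^(\d{3}) (.+)$")                 # "035 HKLM-HKCU\..."
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VENDOR_RE = re.compile(r"\(([^()]*)\)\s*$")               # trailing "(Vendor)"
BINARY_RE = re.compile(r"\.(exe|dll|sys|ocx|cpl)$", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    path: Optional[str]     # path (or "label : path") as printed; None if unresolved
    vendor: Optional[str]   # publisher string in parentheses, if any
    clsid: Optional[str]    # {GUID} if the line carried one
    starred: bool           # line began with "* " in the log (left uninterpreted)
    unresolved: bool        # "GUID / CLSID not found" line


def parse_entry(section: str, line: str) -> Entry:
    """Split one entry line into path / vendor / CLSID."""
    starred = line.startswith("* ")
    body = line[2:] if starred else line
    if body.startswith("GUID / CLSID not found"):
        m = GUID_RE.search(body)
        return Entry(section, None, None, m.group(0) if m else None, starred, True)
    clsid = None
    m = GUID_RE.search(body)
    if m:
        clsid = m.group(0)
        body = body[:m.start()].rstrip()
    vendor = None
    m = VENDOR_RE.search(body)
    if m:
        vendor = m.group(1).strip()
        body = body[:m.start()].rstrip()
    return Entry(section, body, vendor, clsid, starred, False)


def parse_log(text: str) -> Dict[str, Tuple[str, List[Entry]]]:
    """Return {section number: (section name, [entries])} in file order."""
    sections: Dict[str, Tuple[str, List[Entry]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or re.fullmatch(r"-+", line):
            continue                      # blank line or the underline below a header
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = (m.group(2), [])
            continue
        if current is None:
            continue                      # text before the first section
        sections[current][1].append(parse_entry(current, line))
    return sections


def triage(text: str) -> dict:
    """Summarise what a reviewer would look at first."""
    sections = parse_log(text)
    entries = [e for _, es in sections.values() for e in es]
    return {
        "present": sorted(sections),
        "missing": sorted(n for n in REQUIRED_SECTIONS if n not in sections),
        "unresolved": [(e.section, e.clsid) for e in entries if e.unresolved],
        # File entries with no publisher string are not malicious by themselves,
        # but they are the ones worth looking up or hashing first.
        "no_vendor": [e.path for e in entries
                      if e.path and e.vendor is None and BINARY_RE.search(e.path)],
    }


# Constructed, abbreviated excerpt in the same format as the posted log.
SAMPLE_LOG = r"""
035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\program files\pixiepack codec pack\installerhelper.exe {61E3FE32-07B9-4563-A3E0-2DE2D620FE10}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
* c:\progra~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}

073 %windir%\Tasks
------------------
McDefragTask.job : c:\progra~1\mcafee\mqc\qcconsol.exe (McAfee, Inc.)
Uniblue SpyEraser.job : c:\program files\uniblue\spyeraser\spyeraser.exe

102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
------------------------------------------------------------------
GUID / CLSID not found {182EC0BE-5110-49C8-A062-BEB1D02A220B}
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved Runscanner .log by passing the file's contents to `triage()`; on the sample it reports 002, 003 and 005 as missing, flags the Explorer Bars entry as unresolved, and lists the two binaries with no publisher string. The `*` prefix is recorded but not interpreted, since the thread does not say what Runscanner means by it.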

Since this issue is resolved, I will close the thread to prevent others from posting into it. If you need assistance, please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine. Please start a thread of your own and someone will be happy to help you.
