Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Browser hijacked by windowsclick.com

Post by goalie7960 » March 16th, 2009, 7:14 pm

Greetings. I've been battling spyware for about a week or so. I've had some success using SpyBot and McAfee, but I still have problems with GoogleUpdater.exe saying it failed. And all my internet traffic in Firefox is being redirected to windowsclick.com. Here's my HijackThis log. If you need anything else, please let me know.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:46 PM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {36903468-7ea2-46b9-9dc2-e5b13c3552be} - C:\WINDOWS\system32\zoyuhovo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\d54360741.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\d54360741.dll"" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9608335250
O20 - AppInit_DLLs: C:\WINDOWS\system32\dawayafe.dll suxpko.dll c:\windows\system32\haguhiko.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0020821236795795) (0020821236795795mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\002082~1.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: memcached Server - Danga Interactive, Inc. - C:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Subversion Repository (svn.local) - Unknown owner - c:\program files\subversion\bin\svnserve.exe (file missing)

--
End of file - 11582 bytes
goalie7960
Active Member
 
Posts: 12
Joined: March 16th, 2009, 7:10 pm
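As an added example (it is not part of the thread and is not a HijackThis or MalwareRemoval.com tool), the Python script below picks out the entry types a helper reads first in a log like the one above: the O1 hosts override, the unnamed O2 BHO, the O4 Run entries that load a DLL from a user profile or an executable sitting directly in the Windows directory, the O20 AppInit_DLLs line, and the O21/O22 shell CLSIDs with no backing file. The sample lines are copied from the log above with two benign lines added; the rules are simple heuristics, so a hit means "look at this", not "this is malicious".

```python
"""Triage a HijackThis (HJT) log for the entries a helper looks at first.

Added example for this thread: it is not HijackThis code and not a
MalwareRemoval.com tool.  SAMPLE_LOG is constructed from lines in the log
posted above plus two benign lines, so the filter has something to pass.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36903468-7ea2-46b9-9dc2-e5b13c3552be} - C:\WINDOWS\system32\zoyuhovo.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\d54360741.dll"" (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\dawayafe.dll suxpko.dll c:\windows\system32\haguhiko.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O1"
    reason: str    # why a helper would look at this line
    line: str      # the entry exactly as written in the log


# Entry lines start with a section code; headers and the process list do not.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_entries(log_text):
    """Yield (section, body, line) for every entry line; other lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def check_entry(section, body):
    """Return a reason string if the entry deserves attention, else None."""
    if section == "O1":
        # "Hosts: <address> <hostname>": a name pinned to anything but a local
        # address silently redirects that site, which is what this thread shows.
        parts = body.split()
        if len(parts) >= 3 and parts[1] not in LOCAL_ADDRESSES:
            return f"hosts file sends {parts[2]} to {parts[1]}"
    elif section == "O2":
        if "(no name)" in body:
            return "unnamed browser helper object"
    elif section == "O4":
        low = body.lower()
        if "rundll32" in low and "application data" in low:
            return "rundll32 loading a DLL from a user profile at logon"
        if re.search(r"c:\\windows\\[^\\]+\.exe", low):
            return "autostart executable placed directly in the Windows directory"
    elif section == "O20":
        # AppInit_DLLs are loaded into every process that loads user32.dll.
        dlls = body.partition(":")[2].split()
        if dlls:
            return "AppInit_DLLs injects into every GUI process: " + ", ".join(dlls)
    elif section in ("O21", "O22"):
        if "(no file)" in body:
            return "shell autostart CLSID with no backing file (orphaned or hidden)"
    return None


def triage(log_text):
    """Run every entry through check_entry and collect the hits in log order."""
    return [Finding(s, r, line) for s, body, line in parse_entries(log_text)
            if (r := check_entry(s, body))]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run on the sample it reports seven entries and leaves the R1 proxy line, the Adobe BHO and the iTunes Run entry alone. The two O4 rules are deliberately narrow: a DLL launched by rundll32 from a profile directory and an executable directly under C:\WINDOWS are each worth a second look, but a real triage would still verify every hit against the machine rather than act on the string match.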

Re: Browser hijacked by windowsclick.com

Post by dan12 » March 16th, 2009, 7:35 pm

Welcome to the MalwareRemoval forums.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default.)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save List button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Browser hijacked by windowsclick.com

Post by goalie7960 » March 16th, 2009, 8:20 pm

Thx for the quick reply. Here's my log.

3ivx D4 4.5.1 (remove only)
7-Zip 4.62
ABBYY FineReader 5.0 Sprint Plus
Adobe AIR
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Flex Builder 3
Adobe Media Player
Adobe Media Player
Adobe Reader 7.0.7
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
Aspera Connect
Aspera Connect
ATI Control Panel
ATI Display Driver
BabycamAndMotionDetection_CS
BattleTank 2005 Units - CS
Bonjour
Castle Project RC3 1.0.0
Crystal Reports Basic for Visual Studio 2008
Data Lifeguard Tools
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support Center (Support Software)
DellSupport
Digital Content Portal
DivX Content Uploader
DivX Web Player
DVD Decrypter (Remove Only)
EA Download Manager
EPSON Printer Software
ESPN RunTime
Ethereal 0.99.0
Google AFE
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB946581)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HP Update
ImTOO DVD to iPod Converter
ImTOO MP4 Video Converter
Intel Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
ISO Recorder
IsoBuster 2.1
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 12
Java(TM) 6 Update 2
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Magic Online
MATLAB 6.1
McAfee SecurityCenter
McAfee Uninstaller
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Device Emulator version 3.0 - ENU
Microsoft DirectX SDK (June 2006)
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Document Explorer 2008
Microsoft Document Explorer 2008
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Platform SDK (3790.1830)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Samples
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Database Publishing Wizard 1.2
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual SourceSafe 2005 - ENU
Microsoft Visual Studio .NET Professional 2003 - English
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2008 Professional Edition - ENU
Microsoft Visual Studio 6.0 Professional Edition
Microsoft Visual Studio Web Authoring Component
Microsoft Web Publishing Wizard 1.53
Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Web
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
Microsoft Windows SDK for Visual Studio 2008 Tools
Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
Microsoft XNA Framework Redistributable 1.0 Refresh
Microsoft XNA Game Studio Express 1.0 Refresh
MobileMe Control Panel
Mozilla Firefox (3.0.6)
MSDN Library for Visual Studio 2005
MSDN Library for Visual Studio 2005
MSDN Library for Visual Studio 2008 - ENU
MSDN Library for Visual Studio 2008 - ENU
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Musicmatch for Windows Media Player
PunkBuster Services
Qualxserve Service Agreement
QuickTime
Return to Castle Wolfenstein - Game of The Year Edition
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Setup Wizard
SmartSVN 3.0.6
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
SPORE™
Spybot - Search & Destroy
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wnyiper
TurboTax 2008 wrapper
TurboTax Deluxe 2007
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.5
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime
WinAce Archiver
Winamp (remove only)
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
Windows XP Service Pack 3
WinPcap 3.1
World of Warcraft
XP Codec Pack
Xvid 1.1.3 final uninstall
goalie7960
Active Member
 
Posts: 12
Joined: March 16th, 2009, 7:10 pm

Re: Browser hijacked by windowsclick.com

Post by dan12 » March 16th, 2009, 8:42 pm

Punkbuster warning

I see you have Punkbuster installed. This is spyware. Punkbuster can take control over various aspects of your computer, and some gaming tools not unlike Punkbuster also hinder their removals. By the definition we handle here, Punkbuster is actual spyware. Therefore, I now ask you to decide the following:
  • Either we try to leave Punkbuster alone but there is no guarantee a spyware component doesn't 'accidentally' get taken out; so Punkbuster might break. This will, of course, also break your ability to play games using Punkbuster enabled servers.
  • Or we can just remove Punkbuster. You can reinstall it afterwards if you wish, but please keep in mind that it is spyware.
  • Another option is to not clean this computer at all. This ensures Punkbuster will continue to function.
Please let me know what you would like to do.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post the Malwarebytes report and a fresh HJT log.
dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Browser hijacked by windowsclick.com

Post by goalie7960 » March 17th, 2009, 10:06 pm

Here's the Malware log.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/17/2009 10:03:38 PM
mbam-log-2009-03-17 (22-03-38).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 402128
Time elapsed: 2 hour(s), 46 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36903468-7ea2-46b9-9dc2-e5b13c3552be} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{36903468-7ea2-46b9-9dc2-e5b13c3552be} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Chris\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Chris\Local Settings\Temp\UACc330.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACjfflqxcu.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACmnawvcbw.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACnueslhct.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACrytprfuk.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\UAC44c6.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UAC45d0.tmp (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\UAC46d9.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\UAC47e3.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\UACb320.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACb488.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACb5df.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\UACb728.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Application Data\MalwareRemovalBot\Log\2009 Mar 03 - 08_55_49 AM_984.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\shell31.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACujcnydnk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACvjqkaetn.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACxqavlkhq.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACyisonvkr.dll (Trojan.Agent) -> Delete on reboot.



And here's the HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:50 PM, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Documents and Settings\Chris\Desktop\asdf\asdf.exe" /runcleanupscript
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\d54360741.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\d54360741.dll"" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9608335250
O20 - AppInit_DLLs: C:\WINDOWS\system32\dawayafe.dll suxpko.dll c:\windows\system32\haguhiko.dll
O23 - Service: McAfee Application Installer Cleanup (0020821236795795) (0020821236795795mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\002082~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: memcached Server - Danga Interactive, Inc. - C:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Subversion Repository (svn.local) - Unknown owner - c:\program files\subversion\bin\svnserve.exe (file missing)

--
End of file - 11666 bytes



We can remove Punkbuster if you want. Thanks.
goalie7960
Active Member
 
Posts: 12
Joined: March 16th, 2009, 7:10 pm

Re: Browser hijacked by windowsclick.com

Unread postby dan12 » March 18th, 2009, 2:46 am

Download and run ComboFix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
----------------------------------------------
Post back:
ComboFix report.
A new HijackThis log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Browser hijacked by windowsclick.com

Unread postby goalie7960 » March 18th, 2009, 11:45 pm

Here's the ComboFix log.

ComboFix 09-03-18.01 - Chris 2009-03-18 21:39:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1445 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\what.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system\oeminfo.ini
c:\windows\system32\Cache
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\mdm.exe
c:\windows\system32\win32x.exe
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WIN32X
-------\Service_UACd.sys
-------\Service_win32x


((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-16 23:19 . 2009-03-16 23:19 <DIR> d-------- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-03-16 23:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-16 23:16 . 2009-03-16 23:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 23:16 . 2009-03-16 23:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-16 23:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-16 19:06 . 2009-03-16 19:06 <DIR> d-------- c:\program files\Trend Micro
2009-03-09 20:31 . 2009-03-09 20:31 <DIR> d-------- c:\program files\Windows Defender
2009-03-09 19:38 . 2009-03-09 19:38 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-09 19:31 . 2009-03-09 19:31 <DIR> d-------- c:\program files\uTorrent
2009-03-09 19:31 . 2009-03-16 19:06 <DIR> d-------- c:\documents and settings\Chris\Application Data\uTorrent
2009-03-08 15:18 . 2009-03-09 19:54 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-08 15:18 . 2009-03-09 20:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-01 19:53 . 2009-03-01 19:53 107,832 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-01 19:53 . 2009-03-01 19:53 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-01 19:53 . 2009-03-01 19:53 22,328 --a------ c:\documents and settings\Chris\Application Data\PnkBstrK.sys
2009-03-01 19:52 . 2009-03-01 19:52 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-03-01 19:52 . 2009-03-01 19:52 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-02-24 17:59 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-21 18:02 . 2009-02-21 18:02 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 03:16 --------- d-----w c:\program files\Warcraft III
2009-03-11 18:23 --------- d-----w c:\program files\McAfee
2009-03-11 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-03-09 23:38 --------- d-----w c:\program files\Java
2009-02-22 21:21 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 22:00 --------- d-----w c:\program files\Common Files\Intuit
2009-02-21 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-21 21:58 --------- d-----w c:\program files\TurboTax
2009-02-12 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-30 15:32 60,744 ----a-w c:\documents and settings\Chris\g2mdlhlpx.exe
2007-12-18 00:32 3,902,784 ----a-w c:\documents and settings\Chris\gosetup.exe
2006-11-18 06:10 92,064 ----a-w c:\documents and settings\Chris\mqdmmdm.sys
2006-11-18 06:10 9,232 ----a-w c:\documents and settings\Chris\mqdmmdfl.sys
2006-11-18 06:10 79,328 ----a-w c:\documents and settings\Chris\mqdmserd.sys
2006-11-18 06:10 66,656 ----a-w c:\documents and settings\Chris\mqdmbus.sys
2006-11-18 06:10 6,208 ----a-w c:\documents and settings\Chris\mqdmcmnt.sys
2006-11-18 06:10 5,936 ----a-w c:\documents and settings\Chris\mqdmwhnt.sys
2006-11-18 06:10 4,048 ----a-w c:\documents and settings\Chris\mqdmcr.sys
2006-11-18 06:10 25,600 ----a-w c:\documents and settings\Chris\usbsermptxp.sys
2006-11-18 06:10 22,768 ----a-w c:\documents and settings\Chris\usbsermpt.sys
2006-04-27 22:20 18,048 ----a-w c:\documents and settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2006-05-06 16:42 7,260,160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
2006-02-11 21:17 56 --sha-r c:\windows\system32\BFD3CF9B63.sys
2006-02-11 21:17 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-10-31 101888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-08-13 18:32 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
--a------ 2005-10-31 11:05 278528 c:\program files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2008-07-21 14:07 2752512 c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-10 20:30 133104 c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 12:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-21 12:48 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2005-10-24 15:53 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Return to Castle Wolfenstein - Game of The Year Edition\\WolfMP.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"c:\\TEST\\SocketsServer\\Debug\\SocketsServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\TEST\\UdpSender\\bin\\Debug\\UdpSender.exe"=
"c:\\Program Files\\Airlink101\\AIC250W\\Setup Wizard.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Aspera\\FASP\\bin\\scp.aspera.exe"=
"c:\\Program Files\\Aspera\\FASP\\bin\\ascp.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe"=
"c:\\Program Files\\Microsoft SQL Server\\MSSQL.2\\MSSQL\\Binn\\sqlservr.exe"=
"c:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\Binn\\sqlservr.exe"=
"c:\\Program Files\\Microsoft Visual Studio 9.0\\Common7\\IDE\\devenv.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Aspera\\Aspera Connect\\bin\\ascp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\memcached\\memcached-1.2.4-Win32-Preview-20080309_bin\\memcached.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:war6112
"6113:TCP"= 6113:TCP:war6113
"6114:TCP"= 6114:TCP:war6114
"6115:TCP"= 6115:TCP:war6115
"6116:TCP"= 6116:TCP:war6116
"6117:TCP"= 6117:TCP:war6117
"6118:TCP"= 6118:TCP:war6118
"6119:TCP"= 6119:TCP:war6119
"13335:TCP"= 13335:TCP:BitComet 13335 TCP
"13335:UDP"= 13335:UDP:BitComet 13335 UDP

R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\Chris\My Documents\virtualdrive\VCdRom.sys [2007-12-17 8576]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 memcached Server;memcached Server;c:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe [2009-02-14 172032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 0020821236795795mcinstcleanup;McAfee Application Installer Cleanup (0020821236795795);c:\windows\TEMP\002082~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\002082~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 svn.local;Subversion Repository;"c:\program files\subversion\bin\svnserve.exe" --service --root c:\sourcecode --> c:\program files\subversion\bin\svnserve.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2007-08-27 16512]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S4 cdawdm;CDAWDM;c:\windows\system32\DRIVERS\CDAWDM.sys --> c:\windows\system32\DRIVERS\CDAWDM.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-16 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2004-08-04 13:00]

2009-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2684849038-1165274592-3421407881-1006.job
- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 20:30]

2009-03-18 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-03-18 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2009-03-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-system tool - c:\windows\sysguard.exe
MSConfigStartUp-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\uugiba8t.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\uugiba8t.default\extensions\ubiquity@labs.mozilla.com\platform\WINNT_x86-msvc\components\ubiquity.dll
FF - plugin: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\uugiba8t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07051001.dll
FF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npasperaweb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 23:08:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\UAC6378.tmp 24576 bytes
c:\windows\TEMP\UAC6a4e.tmp 81408 bytes executable
c:\windows\TEMP\UACe3b9.tmp 45056 bytes
c:\windows\TEMP\WGAErrLog.txt 483 bytes
c:\windows\TEMP\sqlite_Ly9QpHfb9eks4NE 0 bytes
c:\windows\TEMP\sqlite_LZ9sZZd9gg4jVgj 0 bytes
c:\windows\TEMP\sqlite_mhU8OaYjI27KZbo 0 bytes
c:\windows\TEMP\sqlite_mmz6VoFFdGXK3Ud 0 bytes
c:\windows\TEMP\sqlite_MNOJybeDsDUT4dn 0 bytes
c:\windows\TEMP\sqlite_mskKV27kkkNIUiu 0 bytes
c:\windows\TEMP\sqlite_mSnZ0wCTsTYxBap 0 bytes
c:\windows\TEMP\sqlite_muatsEr1cmNEsxr 0 bytes
c:\windows\TEMP\sqlite_mWAa5ZHZbweTn2t 0 bytes
c:\windows\TEMP\sqlite_NFjCwjK1RmZ5I8W 0 bytes
c:\windows\TEMP\sqlite_NhEWjdqad0R4uYJ 0 bytes
c:\windows\TEMP\sqlite_NlL7pkiF2wjYmR7 0 bytes
c:\windows\TEMP\sqlite_nsSXjkSviPNhXjR 0 bytes
c:\windows\TEMP\sqlite_o3bupObZRKdRXkO 0 bytes
c:\windows\TEMP\sqlite_o94lGw0anEAHS0c 0 bytes
c:\windows\TEMP\sqlite_OdgOjpsoytu9pAp 0 bytes
c:\windows\TEMP\sqlite_odnUG7vlHP7ls1c 0 bytes
c:\windows\TEMP\sqlite_odZqI41yVu612Fc 0 bytes
c:\windows\TEMP\sqlite_OIikzhfCjnatPu4 0 bytes
c:\windows\TEMP\sqlite_ojgZusRu894ij7v 0 bytes
c:\windows\TEMP\sqlite_TxODT3mfIuA9k1g 0 bytes
c:\windows\TEMP\sqlite_tzkawF6yD7CbkX5 0 bytes
c:\windows\TEMP\sqlite_u3OM4bkhIhLnl99 0 bytes
c:\windows\TEMP\sqlite_U75rSUe8TVaTKbR 0 bytes
c:\windows\TEMP\sqlite_UoYF6VbUkn88w5R 0 bytes
c:\windows\TEMP\sqlite_ur2QBM1ePrMem1c 0 bytes
c:\windows\TEMP\sqlite_urssgzZt7b9jhjx 0 bytes
c:\windows\TEMP\sqlite_UW6DqqeONOehdiF 0 bytes
c:\windows\TEMP\sqlite_v8mma3Vml9gRVqt 0 bytes
c:\windows\TEMP\sqlite_VAom6GIG9vZxCF0 0 bytes
c:\windows\TEMP\sqlite_vgKAo46karuzIao 0 bytes
c:\windows\TEMP\sqlite_VgVyIIA5XxDVSXX 0 bytes
c:\windows\TEMP\sqlite_Vj7MFsFP0RR3hiM 0 bytes
c:\windows\TEMP\sqlite_VT3X9MkeQk1WQnf 0 bytes
c:\windows\TEMP\sqlite_VXNKShfNDacbFfI 0 bytes
c:\windows\TEMP\sqlite_W7YgWLwAwY5LD5V 0 bytes
c:\windows\TEMP\sqlite_wEzmfcfTk7OZiYp 0 bytes
c:\windows\TEMP\sqlite_wOjaeT7FAorgLyx 0 bytes
c:\windows\TEMP\sqlite_ws9YrE67xnC2Pbc 0 bytes
c:\windows\TEMP\sqlite_Wvk05EWTrgx2Ctd 0 bytes
c:\windows\TEMP\sqlite_WZkMX6ZAVVN8ev5 0 bytes
c:\windows\TEMP\sqlite_xbqxkhnZVjwT5BN 0 bytes
c:\windows\TEMP\sqlite_XDCXyXeIAcYAFRu 0 bytes
c:\windows\TEMP\sqlite_E1QWTdmYBcCQ1jX 0 bytes
c:\windows\TEMP\sqlite_EaKHIkbgtKjKuZf 0 bytes
c:\windows\TEMP\sqlite_EgbV7u3APmEloBU 0 bytes
c:\windows\TEMP\sqlite_eP5znRBkn0ZQrUK 0 bytes
c:\windows\TEMP\sqlite_eU7Z9Sj1P4g4vUc 0 bytes
c:\windows\TEMP\sqlite_ex9YeXBsimvdFPD 0 bytes
c:\windows\TEMP\sqlite_eXCTzPSHwhqZQDh 0 bytes
c:\windows\TEMP\sqlite_eXqMGICLi5vTYKg 0 bytes
c:\windows\TEMP\sqlite_EZb9ubP89PfB5Xt 0 bytes
c:\windows\TEMP\sqlite_F9REjVYbv5cfaLD 0 bytes
c:\windows\TEMP\sqlite_ffpLvbcYzLqmIDv 0 bytes
c:\windows\TEMP\sqlite_FMdx0YgfZAvbcSO 0 bytes
c:\windows\TEMP\sqlite_FSpAbWjyPd1faPo 0 bytes
c:\windows\TEMP\sqlite_fxUjaJ4MC8CELAI 0 bytes
c:\windows\TEMP\sqlite_G7thdSxQNlCzf6H 0 bytes
c:\windows\TEMP\sqlite_gair4OslICI6zQU 0 bytes
c:\windows\TEMP\sqlite_gdLSXoOdJmTlm62 0 bytes
c:\windows\TEMP\sqlite_BaWLnJxqB2zO1iw 0 bytes
c:\windows\TEMP\sqlite_bE7JwElrrDHl9UG 0 bytes
c:\windows\TEMP\sqlite_bhaPcN1h1nsL26I 0 bytes
c:\windows\TEMP\sqlite_BiM8QgnoYCR3buM 0 bytes
c:\windows\TEMP\sqlite_BlCr5FJjQvAqLQ7 0 bytes
c:\windows\TEMP\sqlite_bn18jdMf65qfCuA 0 bytes
c:\windows\TEMP\sqlite_bsTdb7ffsvfe3uu 0 bytes
c:\windows\TEMP\sqlite_bwxumv30F2iDwGb 0 bytes
c:\windows\TEMP\sqlite_C2FYGsa8ho1t6MJ 0 bytes
c:\windows\TEMP\sqlite_cBszxR8wEao2Kgu 0 bytes
c:\windows\TEMP\sqlite_CbVrm1SvCqjyrU1 0 bytes
c:\windows\TEMP\sqlite_cd19G2RHKetd9mC 0 bytes
c:\windows\TEMP\sqlite_cDX8WdoMXbpjHOs 0 bytes
c:\windows\TEMP\sqlite_cgTX6eK8Dant77U 0 bytes
c:\windows\TEMP\sqlite_ChanrJc8srwcCzj 0 bytes
c:\windows\TEMP\sqlite_xDTHkUJPJHiiTuH 0 bytes
c:\windows\TEMP\sqlite_xFjQaBDBZv3c9jw 0 bytes
c:\windows\TEMP\sqlite_xFZjBHdPlw8OvKn 0 bytes
c:\windows\TEMP\sqlite_XGaAZ3Ga56EYR1b 0 bytes
c:\windows\TEMP\sqlite_XSxy3mdNHMqSXXc 0 bytes
c:\windows\TEMP\sqlite_XTOED2RLddS5izE 0 bytes
c:\windows\TEMP\sqlite_XY3TKQhpnnka45d 0 bytes
c:\windows\TEMP\sqlite_y90GzSkkqwDNkUZ 0 bytes
c:\windows\TEMP\sqlite_YDKia0WEp3DZMiR 0 bytes
c:\windows\TEMP\sqlite_Ydw3yLa9Kof7Vp7 0 bytes
c:\windows\TEMP\sqlite_yNI3HQ5bJ8y3r8U 0 bytes
c:\windows\TEMP\sqlite_YNrvhKMiJIhGZE7 0 bytes
c:\windows\TEMP\sqlite_yocARGZevnZ42lp 0 bytes
c:\windows\TEMP\sqlite_z8lBteDjf9UFgRD 0 bytes
c:\windows\TEMP\sqlite_ZeBu6nMlCvYG3yf 0 bytes
c:\windows\TEMP\sqlite_zevyO2a2dN7eUxf 0 bytes
c:\windows\TEMP\sqlite_zLdcZYTwzd0utY0 0 bytes
c:\windows\TEMP\sqlite_i9afDyAGX6PXOLL 0 bytes
c:\windows\TEMP\sqlite_I9KyqYhon1M4135 0 bytes
c:\windows\TEMP\sqlite_iaaezdoaBnz68BS 0 bytes
c:\windows\TEMP\sqlite_IgdYEfrjOObLHnf 0 bytes
c:\windows\TEMP\sqlite_IiSk7o25jZgJrL7 0 bytes
c:\windows\TEMP\sqlite_iku8NriQ5eHC1E7 0 bytes
c:\windows\TEMP\sqlite_ImYAeLUyYhaNJd7 0 bytes
c:\windows\TEMP\sqlite_IQvCh37T6urmfsy 0 bytes
c:\windows\TEMP\sqlite_iQXHD7TZJEmUnUk 0 bytes
c:\windows\TEMP\sqlite_J1Uw0k89AQ2pRGK 0 bytes
c:\windows\TEMP\sqlite_J6AfIaDdfPihKP4 1024 bytes
c:\windows\TEMP\sqlite_JHGAG8FdCzmFOm0 0 bytes
c:\windows\TEMP\sqlite_JOqwWR5ghtwwqKN 0 bytes
c:\windows\TEMP\sqlite_jYHcFARw2QXo1oQ 0 bytes
c:\windows\TEMP\sqlite_r6Wk8nlKo1A56Um 0 bytes
c:\windows\TEMP\sqlite_rBYYnwYUu0O5emo 0 bytes
c:\windows\TEMP\sqlite_Rfk5xMWVr8dHiXO 0 bytes
c:\windows\TEMP\sqlite_Rhi6n5KfYmirhsT 0 bytes
c:\windows\TEMP\sqlite_rOIVA1hEH7w8YDQ 0 bytes
c:\windows\TEMP\sqlite_rsFDdsvz4NI2AAc 0 bytes
c:\windows\TEMP\sqlite_rTg4eondWRFglUT 0 bytes
c:\windows\TEMP\sqlite_rTvvX6ihjhPlxJ8 0 bytes
c:\windows\TEMP\sqlite_rUqn1uRixbjFJHJ 0 bytes
c:\windows\TEMP\sqlite_rvm1wnfXmHLBoEy 0 bytes
c:\windows\TEMP\sqlite_RZuox3vb5Ycr26e 0 bytes
c:\windows\TEMP\sqlite_s0dHjMRjB8GqbPr 0 bytes
c:\windows\TEMP\sqlite_S2xjRIo9phByZlm 0 bytes
c:\windows\TEMP\sqlite_S4LmfRX2SYGDe8e 0 bytes
c:\windows\TEMP\mcafee_4ulDB1LZ0vrDGD6 2048 bytes
c:\windows\TEMP\mcmsc_03v6mgRGpAct9mH 0 bytes
c:\windows\TEMP\mcmsc_5BczZevWoXDZeZW 1024 bytes
c:\windows\TEMP\mcmsc_KxyTKPd3d4lLF4H 1024 bytes
c:\windows\TEMP\mcmsc_rIDhWs0OwnHAEmI 1024 bytes
c:\windows\TEMP\MpCmdRun.log 882 bytes
c:\windows\TEMP\Perflib_Perfdata_620.dat 16384 bytes
c:\windows\TEMP\sqlite_OP7YavI7tMoOLih 0 bytes
c:\windows\TEMP\sqlite_OSTbrXTRhJzfWUo 0 bytes
c:\windows\TEMP\sqlite_Ow9Unfwk2E9v672 0 bytes
c:\windows\TEMP\sqlite_OX1tOcJa3SbfNZk 0 bytes
c:\windows\TEMP\sqlite_p2Qne2HZzB83CbR 0 bytes
c:\windows\TEMP\sqlite_p7QqFyvnAfHbCwq 1024 bytes
c:\windows\TEMP\sqlite_pbbmKHUdAiepV3J 0 bytes
c:\windows\TEMP\sqlite_Pml4FzP3ufKmXS9 0 bytes
c:\windows\TEMP\sqlite_PsWXvgzenGeuTdk 0 bytes
c:\windows\TEMP\sqlite_PVvcrhbVX3nc8Zy 0 bytes
c:\windows\TEMP\sqlite_PxJiwhiyYDql3tY 0 bytes
c:\windows\TEMP\sqlite_q2AbVNCWkXvunXw 0 bytes
c:\windows\TEMP\sqlite_qFnDbfrungzRd7v 0 bytes
c:\windows\TEMP\sqlite_QgMSjvjEMQOn6HN 0 bytes
c:\windows\TEMP\sqlite_qgSqDOjjIjww2Jd 0 bytes
c:\windows\TEMP\sqlite_Qonat4co5QR51cs 0 bytes
c:\windows\TEMP\sqlite_QsamfWzBW4Exru7 0 bytes
c:\windows\TEMP\sqlite_7AjtUX5UpOfz5zE 0 bytes
c:\windows\TEMP\sqlite_7WvM2JIbrDvDyUS 0 bytes
c:\windows\TEMP\sqlite_8dRa3jW5kquNLRd
c:\windows\TEMP\sqlite_8KcpIdGm0Af2lFp 0 bytes
c:\windows\TEMP\sqlite_9Gm35jeKX8eWgNS 0 bytes
c:\windows\TEMP\sqlite_9hNkM4QlDt7B4Ac 0 bytes
c:\windows\TEMP\sqlite_9vNeZoc0YKKYXz9 0 bytes
c:\windows\TEMP\sqlite_a2n1lbxLOGhVrCo 0 bytes
c:\windows\TEMP\sqlite_a4nJPMJqGQbNGl8 0 bytes
c:\windows\TEMP\sqlite_AcgN0vtGI4Ak1v6 0 bytes
c:\windows\TEMP\sqlite_aI6M6OU6qRyoe2r 0 bytes
c:\windows\TEMP\sqlite_ai6uRPclYMUuPeV 0 bytes
c:\windows\TEMP\sqlite_AmL6xvU9Tcgigfp 0 bytes
c:\windows\TEMP\sqlite_aNh0DOsOsSSxLeJ 0 bytes
c:\windows\TEMP\sqlite_Apoj07sPYAtw1ni 0 bytes
c:\windows\TEMP\sqlite_Auyb0BiNJovbyFp 0 bytes
c:\windows\TEMP\sqlite_aZKyzdsLZdAVQo8 0 bytes
c:\windows\TEMP\sqlite_ZObbojvTY0hCpMd 0 bytes
c:\windows\TEMP\sqlite_zR0qzRoBfCSEse4 0 bytes
c:\windows\TEMP\T30DebugLogFile.txt 0 bytes
c:\windows\TEMP\Temporary Internet Files
c:\windows\TEMP\Temporary Internet Files\Content.IE5
c:\windows\TEMP\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4603.English[1].dist 27444 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-5859.English[1].dist 33164 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-3452.English[1].dist 3742 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-3626.English[1].dist 19313 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-3989.English[1].dist 32376 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4066.English[1].dist 19965 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4200.English[1].dist 6293 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4249.English[1].dist 6025 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4271.English[1].dist 32545 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4478.English[1].dist 33174 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4608.English[1].dist 18478 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4608.English[2].dist 18478 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4642.English[1].dist 24669 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-4972.English[1].dist 17087 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-5350.English[1].dist 17918 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-5790.English[1].dist 17755 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-5807.English[1].dist 27138 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-5844.English[1].dist 17140 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-5850.English[1].dist 17749 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\061-5859.English[2].dist 33164 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAB9WM5Y.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAEN8XI3.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAFC6G0G.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAGJW3AR.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAKTYVAT.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAO7GLA7.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAUVKPTN.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAYF81YJ.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\CAYJ05YT.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\index-windows-1[1].sucatalog 70021 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\G810H2CU\iTunesSetupAdmin[1].exe 75048 bytes executable
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-2916.English[1].dist 23694 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-3452.English[1].dist 3742 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-3638.English[1].dist 18179 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-3936.English[1].dist 3747 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-3964.English[1].dist 18279 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4184.English[1].dist 31566 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4212.English[1].dist 20136 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4513.English[1].dist 6869 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4516.English[1].dist 25801 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4588.English[1].dist 26457 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4638.English[1].dist 33351 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4708.English[1].dist 24639 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4827.English[1].dist 18669 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-4827.English[2].dist 18669 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-5374.English[1].dist 24564 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-5748.English[1].dist 17153 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-5797.English[1].dist 17234 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-5815.English[1].dist 33164 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-5850.English[1].dist 17749 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\061-6193.English[1].dist 33281 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\AppleMobileDeviceSupport[1].msi 12390400 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CA1S91IC.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CA4NE7QR.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CAEZSHEF.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CANWEZT8.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CAOKFJXE.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CAQVG5EB.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CASMYWWK.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CAXOBG9U.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\CAZGPVQJ.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\index-windows-1[1].sucatalog 70021 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\HJU7358O\mcltvers[1].ini 2657 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\index.dat 81920 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-5814.English[1].dist 33892 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-2802.English[1].dist 16876 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-3637.English[1].dist 18178 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-3872.English[1].dist 17006 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4026.English[1].dist 24340 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4125.English[1].dist 23827 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4280.English[1].dist 24537 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4480.English[1].dist 32560 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4512.English[1].dist 6760 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4513.English[1].dist 6869 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4514.English[1].dist 6484 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4609.English[1].dist 18471 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4609.English[2].dist 18471 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-4633.English[1].dist 26292 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-5351.English[1].dist 17924 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-5374.English[1].dist 24564 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-5749.English[1].dist 17138 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-5849.English[1].dist 3161 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-5849.English[2].dist 3161 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-5926.English[1].dist 27394 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\061-6192.English[1].dist 34009 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CA2HO8RH.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CA5PD93S.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CA6Z4DYZ.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CACDK38J.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CAFSFZ8T.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CAGF2D4P.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CAJCLMRA.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CAODK6BG.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\CAQ7GXYN.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\iTunes[1].msi 26886656 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\O12VITG3\valert[1].ui 22112 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-3613.English[1].dist 31181 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-3829.English[1].dist 31565 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-3946.English[1].dist 31819 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-3965.English[1].dist 18272 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-3988.English[1].dist 33002 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-4200.English[1].dist 6293 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-4270.English[1].dist 33159 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-4319.English[1].dist 24473 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-4339.English[1].dist 17288 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-4514.English[1].dist 6484 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-4639.English[1].dist 32747 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-4828.English[1].dist 18660 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-4972.English[1].dist 17087 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-5749.English[1].dist 17138 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-5790.English[1].dist 17755 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-5798.English[1].dist 17219 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-5843.English[1].dist 17149 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-5858.English[1].dist 33892 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-5858.English[2].dist 33892 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\061-5926.English[1].dist 27394 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CA4704WH.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CA4XOJU3.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CA63SH6Z.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CAE34LAB.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CAI381AZ.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CAJFA5PJ.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CAMF8XAB.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CAYF0XQF.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\CAYFYDSX.lpk 1843 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\desktop.ini 67 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\mcscins[1].cfg 49 bytes
c:\windows\TEMP\Temporary Internet Files\Content.IE5\OBRTXPBL\QuickTime[1].msi 29433856 bytes
c:\windows\TEMP\TFR245B.tmp 8196 bytes
c:\windows\TEMP\sqlite_Ck29XAiqvbYg5Kw 0 bytes
c:\windows\TEMP\sqlite_CkaRJEA3I55bdfb 0 bytes
c:\windows\TEMP\sqlite_cLws40HqSW54PEX 0 bytes
c:\windows\TEMP\sqlite_co3Fis2FxRAjeIJ 0 bytes
c:\windows\TEMP\sqlite_cpLIYkNPUilG2Sx 0 bytes
c:\windows\TEMP\sqlite_cVBXa7iN5ujwpta 0 bytes
c:\windows\TEMP\sqlite_D4TXLQq3PNlHfVO 0 bytes
c:\windows\TEMP\sqlite_d5qNnVX0rXQ4OXP 0 bytes
c:\windows\TEMP\sqlite_DafehLRTJFXqenZ 0 bytes
c:\windows\TEMP\sqlite_daYwovMYx42PbzN 0 bytes
c:\windows\TEMP\sqlite_dcHrCF5iLjmRU8i 0 bytes
c:\windows\TEMP\sqlite_DjBqjynP5NvpClx 0 bytes
c:\windows\TEMP\sqlite_dKXo9ffRd9a3RTQ 0 bytes
c:\windows\TEMP\sqlite_dm3xbgPMQXCWlrD 0 bytes
c:\windows\TEMP\sqlite_DsKzqSCavYXTpcp 0 bytes
c:\windows\TEMP\sqlite_dvKr1sbqw5FpHx5 0 bytes
c:\windows\TEMP\sqlite_dWqwp9T0dFI8pSk 0 bytes
c:\windows\TEMP\sqlite_gDziWhLC5ajG7gc 0 bytes
c:\windows\TEMP\sqlite_GeUkKPifCKcNYAX 0 bytes
c:\windows\TEMP\sqlite_GFUWahBFVQR3PTD 0 bytes
c:\windows\TEMP\sqlite_Gjfi2l2Fi1RNsjF 0 bytes
c:\windows\TEMP\sqlite_gQqlPHsfdyukLWB 0 bytes
c:\windows\TEMP\sqlite_Gr5JH18IPfCeuft 0 bytes
c:\windows\TEMP\sqlite_GTGUmXJBwPH7jz6 0 bytes
c:\windows\TEMP\sqlite_H5HduTKfyFxhEjJ 0 bytes
c:\windows\TEMP\sqlite_H5ysyTXQK3zX7R6 0 bytes
c:\windows\TEMP\sqlite_HiV7I5J5d2UOYGp 0 bytes
c:\windows\TEMP\sqlite_Hj5ByPFdmQP4CQi 0 bytes
c:\windows\TEMP\sqlite_Hnp0bR6rdjzBrf3 0 bytes
c:\windows\TEMP\sqlite_hO3wirMJ2sZCVkI 1024 bytes
c:\windows\TEMP\sqlite_hodvsMyVEsDHsjP 0 bytes
c:\windows\TEMP\sqlite_hRdPlkGiWd99Qkg 0 bytes
c:\windows\TEMP\sqlite_hvIKehUF7sETKh6 0 bytes
c:\windows\TEMP\sqlite_Hvw1kroJd7OsiXM 0 bytes
c:\windows\TEMP\sqlite_hXH0AbNOIoiFvIF 0 bytes
c:\windows\TEMP\sqlite_HxYQk62DvglLpN3 0 bytes
c:\windows\TEMP\sqlite_kcoItQI6lMofJtH 0 bytes
c:\windows\TEMP\sqlite_KEiYkEARr7WUslp 0 bytes
c:\windows\TEMP\sqlite_KhAhNHmvX25d3GJ 0 bytes
c:\windows\TEMP\sqlite_KpZsZgzywTQSN1k 0 bytes
c:\windows\TEMP\sqlite_kqXgygg8m052Sp6 0 bytes
c:\windows\TEMP\sqlite_kR9j2CSceKXrvLH 0 bytes
c:\windows\TEMP\sqlite_ks9rB8CFceExOJ2 0 bytes
c:\windows\TEMP\sqlite_ktf7bpgpi0trz4K 0 bytes
c:\windows\TEMP\sqlite_kvIF24Dz5pKI98B 0 bytes
c:\windows\TEMP\sqlite_kW1z2XUfn2hMmFr 0 bytes
c:\windows\TEMP\sqlite_Kwhx1jZiQfQMqtt 0 bytes
c:\windows\TEMP\sqlite_llri11AXDNhCTYE 0 bytes
c:\windows\TEMP\sqlite_LS6YNgNeWm2uupP 0 bytes
c:\windows\TEMP\sqlite_LtKQ4ooZaGeytiW 0 bytes
c:\windows\TEMP\sqlite_sd8UT1jtfHnGp9Z 0 bytes
c:\windows\TEMP\sqlite_sHZ7r4LKpsNY04k 0 bytes
c:\windows\TEMP\sqlite_SijZt7wIp9IrA8S 0 bytes
c:\windows\TEMP\sqlite_Sr9hCkPvxOvz7Dv 0 bytes
c:\windows\TEMP\sqlite_sYVyUPWre5sK24B 0 bytes
c:\windows\TEMP\sqlite_T8wQM083cAWHhY3 0 bytes
c:\windows\TEMP\sqlite_tCh34T7wCfV4qdd 0 bytes
c:\windows\TEMP\sqlite_Tgbsei9jBhcJR3j 0 bytes
c:\windows\TEMP\sqlite_tI1Cio36s8JYNvu 0 bytes
c:\windows\TEMP\sqlite_Tn57n8aVqOP2M6d 0 bytes
c:\windows\TEMP\sqlite_tpBb10ftp9m2Zun 0 bytes
c:\windows\TEMP\sqlite_TtwWyUQ1poIaOgI 0 bytes
c:\windows\TEMP\sqlite_tUqzxWhhpm1qFSx 0 bytes
c:\windows\TEMP\sqlite_B88V3piYjAprRO2 0 bytes
c:\windows\TEMP\sqlite_cIjr4N3wdfwh9kD 0 bytes
c:\windows\TEMP\sqlite_dYkdvVtxBDRvY7N 0 bytes
c:\windows\TEMP\sqlite_gdow7BFn8i9byil 0 bytes
c:\windows\TEMP\sqlite_I5z1YACkWKwF71Z 0 bytes
c:\windows\TEMP\sqlite_JZQnrd82lmu1Lio 0 bytes
c:\windows\TEMP\sqlite_Lw4OG3CgBdEP2OB 0 bytes
c:\windows\TEMP\sqlite_ooB6q5GGEJSlFMJ 0 bytes
c:\windows\TEMP\sqlite_qzYgCJIPPtTCQut 0 bytes
c:\windows\TEMP\sqlite_SbAteSZudtVI4aZ 0 bytes
c:\windows\TEMP\sqlite_tVwRFUdy5EjHpFp 0 bytes
c:\windows\TEMP\sqlite_xDoiPuGplAdSStM 0 bytes
c:\windows\TEMP\sqlite_Zmgh7eGI25smPpr 0 bytes
c:\windows\TEMP\TFR5A9.tmp 8196 bytes

scan completed successfully
hidden files: 384

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PSSdk21]
"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2684849038-1165274592-3421407881-1006\Software\SecuROM\License information*]
"datasecu"=hex:a3,5e,08,21,3c,cb,a7,f4,3e,30,52,de,aa,aa,e7,2b,fe,40,4f,ff,ac,
0a,bf,14,61,79,75,6d,1e,dc,5b,c4,e5,aa,36,03,a2,8e,b2,a7,66,92,17,36,d4,9f,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-03-18 23:27:33 - machine was rebooted [Chris]
ComboFix-quarantined-files.txt 2009-03-19 03:27:28

Pre-Run: 183,620,698,112 bytes free
Post-Run: 183,405,531,136 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
689 --- E O F --- 2009-03-11 07:00:46


And HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:31 PM, on 3/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9608335250
O23 - Service: McAfee Application Installer Cleanup (0020821236795795) (0020821236795795mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\002082~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: memcached Server - Danga Interactive, Inc. - C:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Subversion Repository (svn.local) - Unknown owner - c:\program files\subversion\bin\svnserve.exe (file missing)

--
End of file - 10473 bytes
goalie7960
Active Member
 
Posts: 12
Joined: March 16th, 2009, 7:10 pm

Re: Browser hijacked by windowsclick.com

Unread postby dan12 » March 19th, 2009, 4:37 pm

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

uTorrent

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Did you uninstall PunkBuster via Control Panel?





Submit a File For Analysis
We need to have the file below scanned by uploading it to Jotti

Please visit Jotti
Copy/paste the following file path into the window
c:\windows\system32\BFD3CF9B63.sys

Click Submit/Send File
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal



Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:commands
[emptytemp]
[start explorer]
:files
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\program files\MalwareRemovalBot

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3


Post Jotti's report
OTMoveIt report
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Browser hijacked by windowsclick.com

Unread postby goalie7960 » March 22nd, 2009, 9:06 pm

Here's the log from Jotti I think

Scan taken on 23 Mar 2009 01:01:21 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Here's the OTMoveIt3 log

========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Chris\LOCALS~1\Temp\etilqs_6oaPkFljpIZ7xdj scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chris\LOCALS~1\Temp\etilqs_lJjh4yX9gbJMrnQ scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chris\LOCALS~1\Temp\etilqs_v7ww1prRkDWOBeU scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Chris\LOCALS~1\Temp\MAR16.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
========== FILES ==========
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job moved successfully.
File/Folder c:\program files\MalwareRemovalBot not found.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03222009_210536
goalie7960
Active Member
 
Posts: 12
Joined: March 16th, 2009, 7:10 pm

Re: Browser hijacked by windowsclick.com

Unread postby dan12 » March 23rd, 2009, 3:41 pm

I'd like you to open up Malwarebytes and update the program, then do me a full scan.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Let me see the Malwarebytes report and the Kaspersky report, plus an HJT log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Browser hijacked by windowsclick.com

Unread postby goalie7960 » March 28th, 2009, 10:40 am

Ok, didn't realize it had been so long. I'm running the tests now.
goalie7960
Active Member
 
Posts: 12
Joined: March 16th, 2009, 7:10 pm

Re: Browser hijacked by windowsclick.com

Unread postby goalie7960 » March 28th, 2009, 11:32 am

Ok the scan is 30 minutes in, and 1% complete, so it might take awhile...
goalie7960
Active Member
 
Posts: 12
Joined: March 16th, 2009, 7:10 pm

Re: Browser hijacked by windowsclick.com

Unread postby dan12 » March 28th, 2009, 4:00 pm

ok, will await scan reports :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Browser hijacked by windowsclick.com

Unread postby goalie7960 » March 28th, 2009, 10:11 pm

Ok here's the Kaspersky report

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 28, 2009 14:57:05
Records in database: 1981142

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
G:\

Scan statistics
Files scanned 307624
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 04:58:56

No malware has been detected. The scan area is clean.
The selected area was scanned.


Here's the Malware log.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/28/2009 10:05:56 PM
mbam-log-2009-03-28 (22-05-56).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 404790
Time elapsed: 2 hour(s), 19 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here's Hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:11 PM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\RunOnce: [OTMoveIt] C:\Documents and Settings\Chris\Desktop\OTMoveIt3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9608335250
O23 - Service: McAfee Application Installer Cleanup (0230141237865847) (0230141237865847mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\023014~1.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: memcached Server - Danga Interactive, Inc. - C:\memcached\memcached-1.2.4-Win32-Preview-20080309_bin\memcached.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Subversion Repository (svn.local) - Unknown owner - c:\program files\subversion\bin\svnserve.exe (file missing)

--
End of file - 10785 bytes
goalie7960
Active Member
 
Posts: 12
Joined: March 16th, 2009, 7:10 pm

Re: Browser hijacked by windowsclick.com

Unread postby dan12 » March 29th, 2009, 12:10 pm

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java


Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 13.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 13 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

Post a fresh HJT log, let me know how things are!
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
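The entries the helper picks out of the HijackThis log above (a ProxyServer value left in the registry, and BHO, button and service entries whose target file is missing) can be spotted mechanically. The following is an added example, not code from the forum or from the HijackThis tool: a small Python triage script that parses HijackThis-style entry lines and flags exactly those two kinds of entry. The sample log is constructed from lines in the shape seen in this thread; the rule set and the function names are the example's own.

```python
import re

# Constructed sample: HijackThis-style entries in the shape seen in the logs
# posted in this thread. Only the entry lines matter; headers are ignored.
SAMPLE_LOG = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Chris\Desktop\asdf\SDHelper.dll (file missing)",
    r"O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe",
    r"O23 - Service: Subversion Repository (svn.local) - Unknown owner - c:\program files\subversion\bin\svnserve.exe (file missing)",
]

# Every HijackThis entry line starts with a section code (R0, R1, O2, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# HijackThis appends these markers when the referenced file does not exist.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(lines):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(lines):
    """Flag entries a helper would ask the user to fix or explain.

    Two rules, both taken from what the helper does by eye in this thread
    (the rule set is this example's own choice, not a HijackThis feature):
    - an R1 ProxyServer entry with any value: the browser is being told to
      route its traffic through a proxy, which needs explaining or removing;
    - any entry whose target is '(file missing)' or '(no file)': an orphaned
      hook, button or service that does nothing useful and should be cleaned up.
    """
    findings = []
    for section, body in parse_entries(lines):
        reason = None
        if section == "R1" and ",ProxyServer =" in body:
            value = body.split("=", 1)[1].strip()
            if value:
                reason = "proxy server configured: " + value
        elif body.endswith(ORPHAN_MARKERS):
            reason = "orphaned entry (target file not present)"
        if reason:
            findings.append({"section": section, "body": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %s\n     -> %s" % (f["section"], f["body"], f["reason"]))
```

Run against the constructed sample it reports four entries: the ProxyServer value `:0`, the two Spybot entries pointing at a deleted SDHelper.dll, the nameless O9 button with no file, and the svnserve service whose binary is gone. A proxy value is flagged rather than judged, because the script cannot tell a leftover from a deliberate setting; that is still the helper's call.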