Hijacked Browsers & Blocked From Running Certain exe Files

Re: Hijacked Browsers & Blocked From Running Certain exe Files

Post by Carolyn » June 27th, 2009, 8:33 am

Hi Phil,

Peku was without internet access for a few days and will be back to continue assisting you in short order. :)
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Hijacked Browsers & Blocked From Running Certain exe Files

Post by peevee » June 27th, 2009, 9:45 am

Hi Carolyn,

Thanks for the update.

Phil
peevee
Regular Member
 
Posts: 28
Joined: May 29th, 2009, 8:30 am

Re: Hijacked Browsers & Blocked From Running Certain exe Files

Post by Carolyn » June 29th, 2009, 4:38 pm

Hi Phil,

It appears that Peku is still having problems with his internet access. Rather than have you wait for him to resolve the issue, I will take over and help you finish cleaning your computer.

All done, although I notice that I still have an ASK Search Toolbar on the Admin account Firefox browser.



I need you to run a scan while logged on to that account....


Please log on to the computer using the Administrator's account now.


Next

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

After saving the reports, please reboot the computer and log into your usual account.

In your next reply, please post:

  1. DDS.txt
  2. Attach.txt
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Hijacked Browsers & Blocked From Running Certain exe Files

Post by peevee » June 30th, 2009, 3:28 am

Hi Carolyn,

Thanks for taking the time to reply.

The logs that you requested are:

DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by phil at 8:21:53.85 on 30/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.1232 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\phil\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HPWH myPrintMileage Agent] c:\program files\hewlett-packard\hp business inkjet 1100 series\toolbox\mpm.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\phil\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 4465004859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\lui9ho22.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\phil\application data\mozilla\firefox\profiles\lui9ho22.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-7 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-7 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-7 144704]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-7 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-7 35272]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-6-16 66048]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-7 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-7 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-7 606736]

=============== Created Last 30 ================

2009-06-26 17:46 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-26 17:40 <DIR> --ds---- C:\ComboFix
2009-06-24 22:59 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-06-24 22:59 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-06-24 22:59 53,248 a------- c:\windows\system32\mmlsts.exe
2009-06-24 22:59 <DIR> --d----- C:\Develop_D_13F
2009-06-24 22:59 <DIR> --d----- c:\program files\common files\MURATEC
2009-06-22 20:29 <DIR> --d----- c:\docume~1\phil\applic~1\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-06-22 20:29 <DIR> --d----- c:\program files\BBC iPlayer Desktop
2009-06-20 21:12 <DIR> a-dshr-- C:\cmdcons
2009-06-20 21:10 161,792 a------- c:\windows\SWREG.exe
2009-06-20 21:10 155,136 a------- c:\windows\PEV.exe
2009-06-20 21:10 98,816 a------- c:\windows\sed.exe
2009-06-20 21:10 <DIR> --ds---- C:\peeveecomb
2009-06-20 17:52 <DIR> --d----- c:\docume~1\phil\applic~1\Malwarebytes
2009-06-20 12:53 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 12:53 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-20 12:53 <DIR> --d----- c:\program files\Malware
2009-06-20 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-18 18:28 999,424 a------- c:\windows\system32\SPR32X30.OCX
2009-06-18 18:27 <DIR> --d----- C:\SUBARUEX
2009-06-18 14:04 <DIR> --d----- c:\program files\CC-leaner
2009-06-16 13:32 <DIR> --d----- c:\program files\Trend Micro
2009-06-13 19:59 380,928 a------- c:\windows\system32\ac3filter.acm
2009-06-13 19:59 <DIR> --d----- c:\program files\AC3Filter
2009-06-13 19:53 <DIR> --d----- c:\program files\GPL MPEG Decoder
2009-06-13 00:41 <DIR> --d----- c:\program files\common files\DivX Shared
2009-06-13 00:41 <DIR> --d----- c:\program files\DivX
2009-06-12 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-06-11 13:22 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-06-11 13:18 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-10 21:46 <DIR> --d----- c:\windows\RegisteredPackages
2009-06-10 21:43 <DIR> --d----- c:\program files\common files\Hypnotizer
2009-06-10 13:28 61,440 a------- c:\windows\scrub2k.exe
2009-06-10 13:28 104 a------- c:\windows\hpw1100k.ini
2009-06-10 13:27 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-06-10 13:27 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-06-10 13:26 1,102,457 a------- c:\windows\hpbj1100.his
2009-06-10 13:26 16,259 a------- c:\windows\hpbj1100.ini
2009-06-08 18:13 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-06-08 18:05 <DIR> --d----- c:\windows\system32\scripting
2009-06-08 18:05 <DIR> --d----- c:\windows\system32\en
2009-06-08 18:05 <DIR> --d----- c:\windows\l2schemas
2009-06-08 18:05 <DIR> --d----- c:\windows\system32\bits
2009-06-08 18:02 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-08 17:58 <DIR> --d----- c:\windows\network diagnostic
2009-06-08 17:45 268,648 a------- c:\windows\system32\mucltui.dll
2009-06-08 17:45 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-08 14:06 327,040 -------- c:\windows\system32\drivers\ati2mtaa.sys
2009-06-08 08:04 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-06-08 08:04 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-06-08 08:03 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-08 08:03 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-08 08:03 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-06-08 08:03 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-06-08 08:02 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-06-08 08:02 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-06-08 03:00 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-07 19:04 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-07 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-07 16:05 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-07 16:02 <DIR> --d----- c:\program files\CCleaner
2009-06-07 12:45 13,221 a------- c:\windows\system32\Config.MPF
2009-06-07 12:27 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-06-07 12:27 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-06-07 12:27 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-06-07 12:27 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-06-07 12:26 <DIR> --d----- c:\program files\common files\McAfee
2009-06-07 12:26 <DIR> --d----- c:\program files\McAfee.com
2009-06-07 12:26 <DIR> --d----- c:\program files\McAfee
2009-06-07 12:23 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-06-07 12:21 221,184 a------- c:\windows\system32\wmpns.dll
2009-06-07 12:12 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-07 12:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-07 02:12 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-07 02:12 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-07 02:12 <DIR> --d----- c:\program files\iPod
2009-06-07 02:12 <DIR> --d----- c:\program files\iTunes
2009-06-07 02:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-07 02:12 <DIR> --d----- c:\program files\Bonjour
2009-06-07 00:56 376 a------- c:\windows\ODBC.INI
2009-06-07 00:56 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-06-07 00:55 <DIR> --d----- c:\windows\ShellNew
2009-06-07 00:55 <DIR> --d----- c:\program files\common files\L&H
2009-06-07 00:44 <DIR> --dsh--- c:\documents and settings\phil\UserData
2009-06-07 00:35 128,113 a------- c:\windows\system32\csellang.ini
2009-06-07 00:35 110,592 a------- c:\windows\system32\cselect.exe
2009-06-07 00:35 89,541 a------- c:\windows\agrsmmsg.exe
2009-06-07 00:35 77,824 a------- c:\windows\system32\tosmreg.exe
2009-06-07 00:35 45,056 a------- c:\windows\system32\csellang.dll
2009-06-07 00:35 10,147 a------- c:\windows\system32\tosmreg.ini
2009-06-07 00:35 7,671 a------- c:\windows\system32\cseltbl.ini
2009-06-07 00:35 <DIR> --d----- c:\program files\ltmoh
2009-06-07 00:35 68,096 -------- c:\windows\agrsmdel.exe
2009-06-07 00:32 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-06-07 00:32 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-06-07 00:32 <DIR> --d----- c:\windows\system32\Lang
2009-06-07 00:32 22 a------- c:\windows\system32\ati64hlp.stb
2009-06-07 00:30 114,688 a------- c:\windows\system32\TODDSrv.exe
2009-06-07 00:29 <DIR> --d----- c:\program files\TOSHIBA
2009-06-07 00:29 155,648 a------- c:\windows\system32\RAMASST.exe
2009-06-07 00:29 135,168 a------- c:\windows\system32\DVDMenu.dll
2009-06-07 00:29 110,592 a------- c:\windows\system32\DVDRAMSV.exe
2009-06-07 00:29 102,384 a------- c:\windows\system32\drivers\meiudf.sys
2009-06-07 00:29 <DIR> --d----- c:\program files\DVD-RAM
2009-06-07 00:28 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-06-07 00:28 83,072 a------- c:\windows\system32\drivers\wdmaud.sys
2009-06-07 00:28 52,864 a------- c:\windows\system32\drivers\dmusic.sys
2009-06-07 00:28 56,576 a------- c:\windows\system32\drivers\swmidi.sys
2009-06-07 00:28 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-06-07 00:28 172,416 a------- c:\windows\system32\drivers\kmixer.sys
2009-06-07 00:28 2,944 a------- c:\windows\system32\drivers\drmkaud.sys
2009-06-07 00:28 60,800 a------- c:\windows\system32\drivers\sysaudio.sys
2009-06-07 00:28 7,552 a------- c:\windows\system32\drivers\mskssrv.sys
2009-06-07 00:28 4,992 a------- c:\windows\system32\drivers\mspqm.sys
2009-06-07 00:28 5,376 a------- c:\windows\system32\drivers\mspclock.sys
2009-06-07 00:25 16,248,320 a------- c:\windows\RTHDCPL.exe
2009-06-07 00:25 2,158,592 a------- c:\windows\MicCal.exe
2009-06-07 00:25 2,808,832 a------- c:\windows\alcwzrd.exe
2009-06-07 00:25 299,008 a------- c:\windows\system32\ALSndMgr.Cpl
2009-06-07 00:25 69,632 a------- c:\windows\Alcmtr.exe
2009-06-07 00:25 487,424 a------- c:\windows\RtlExUpd.dll
2009-06-07 00:25 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-06-07 00:25 81,408 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-06-07 00:25 <DIR> --d----- c:\windows\OPTIONS
2009-06-07 00:25 <DIR> --d----- c:\program files\Realtek
2009-06-07 00:23 <DIR> --d----- c:\documents and settings\phil
2009-06-07 00:21 <DIR> --d----- c:\program files\ATI Technologies
2009-06-07 00:11 13,644 a------- c:\windows\system32\wpa.bak
2009-06-07 00:08 <DIR> --ds---- c:\windows\system32\Microsoft
2009-06-06 22:19 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-06-06 22:19 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-06-06 22:18 20,992 a------- c:\windows\system32\drivers\RTL8139.sys
2009-06-06 22:18 74,240 a------- c:\windows\system32\usbui.dll
2009-06-06 22:18 10,240 a------- c:\windows\system32\drivers\compbatt.sys
2009-06-06 22:18 14,208 a------- c:\windows\system32\drivers\battc.sys
2009-06-06 22:18 13,952 a------- c:\windows\system32\drivers\cmbatt.sys
2009-06-06 22:17 355,794 a------- c:\windows\system32\PerfStringBackup.INI
2009-06-06 22:17 <DIR> --dsh--- c:\windows\Installer
2009-06-06 22:17 4,161 a------- c:\windows\ODBCINST.INI
2009-06-06 22:17 <DIR> --d----- c:\program files\common files\ODBC
2009-06-06 22:17 61,440 ac------ c:\windows\system32\dllcache\spcplui.dll
2009-06-06 22:17 77,824 ac------ c:\windows\system32\dllcache\spcommon.dll
2009-06-06 22:17 1,685,606 ac------ c:\windows\system32\dllcache\sam.spd
2009-06-06 22:17 888 ac------ c:\windows\system32\dllcache\sam.sdf
2009-06-06 22:17 774,144 ac------ c:\windows\system32\dllcache\spttseng.dll
2009-06-06 22:17 605,050 ac------ c:\windows\system32\dllcache\r1033tts.lxa
2009-06-06 22:17 643,717 ac------ c:\windows\system32\dllcache\ltts1033.lxa
2009-06-06 22:17 36,864 ac------ c:\windows\system32\dllcache\sapisvr.exe
2009-06-06 22:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-06 22:17 <DIR> --d--r-- C:\Program Files
2009-06-06 22:16 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-06-06 22:15 <DIR> --d----- C:\Documents and Settings
2009-06-06 22:14 261 a------- c:\windows\system32\$winnt$.inf
2009-06-06 21:38 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-06 21:37 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-06 21:36 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-06 21:34 <DIR> --d----- c:\program files\Online Services
2009-06-06 21:34 <DIR> --d----- c:\program files\Messenger
2009-06-06 21:34 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-06 21:33 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-06-08 18:08 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-06 21:35 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 22:03 129,784 -------- c:\windows\system32\pxafs.dll
2009-05-01 22:03 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-05-01 22:03 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-05-01 22:03 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-05-01 22:03 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-05-01 22:03 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-01 22:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 22:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 22:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 22:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 22:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 8:22:24.81 ===============



Attach:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 06/06/2009 21:42:35
System Uptime: 27/06/2009 23:04:53 (57 hours ago)

Motherboard: TOSHIBA | | Satellite L30
Processor: Intel(R) Celeron(R) M CPU 410 @ 1.46GHz | U23 | 1466/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 46.17 GiB free.
D: is CDROM (CDFS)
E: is FIXED (NTFS) - 233 GiB total, 137.739 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_168C&DEV_001A&SUBSYS_7094144F&REV_01\4&FCF0450&0&20A4
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_168C&DEV_001A&SUBSYS_7094144F&REV_01\4&FCF0450&0&20A4
Service:

==== System Restore Points ===================

RP1: 07/06/2009 00:12:12 - System Checkpoint
RP2: 07/06/2009 00:25:28 - Installed REALTEK GbE & FE Ethernet PCI NIC Driver
RP3: 07/06/2009 00:25:57 - Installed Realtek High Definition Audio Driver
RP4: 07/06/2009 00:26:07 - Installed Windows XP KB888111WXPSP2.
RP5: 07/06/2009 00:29:22 - Installed InstallShield Restore Point
RP6: 07/06/2009 00:29:25 - Installed DVD-RAM Driver
RP7: 07/06/2009 00:29:57 - Zainstalowano: TOSHIBA Direct Disc Writer
RP8: 07/06/2009 00:42:15 - Installed REALTEK GbE & FE Ethernet PCI NIC Driver
RP9: 07/06/2009 00:55:28 - Installed Microsoft Office XP Professional with FrontPage
RP10: 07/06/2009 02:12:09 - Installed iTunes
RP11: 07/06/2009 12:12:44 - Installed Java(TM) 6 Update 13
RP12: 08/06/2009 03:00:16 - Software Distribution Service 3.0
RP13: 08/06/2009 13:39:29 - Software Distribution Service 3.0
RP14: 08/06/2009 13:54:02 - Software Distribution Service 3.0
RP15: 08/06/2009 14:11:01 - Software Distribution Service 3.0
RP16: 08/06/2009 17:48:22 - Software Distribution Service 3.0
RP17: 08/06/2009 20:25:14 - Software Distribution Service 3.0
RP18: 08/06/2009 21:37:31 - Installed Windows XP WgaNotify.
RP19: 08/06/2009 21:39:03 - Software Distribution Service 3.0
RP20: 08/06/2009 21:48:48 - Software Distribution Service 3.0
RP21: 09/06/2009 21:50:11 - System Checkpoint
RP22: 10/06/2009 03:00:26 - Software Distribution Service 3.0
RP23: 10/06/2009 13:28:02 - Installed hp business inkjet 1100
RP24: 10/06/2009 21:46:43 - Installed Windows Media Format Runtime
RP25: 11/06/2009 13:17:34 - Installed Windows Media Player 11
RP26: 11/06/2009 13:18:22 - Installed Windows XP Wudf01000.
RP27: 11/06/2009 13:23:43 - Installed Windows XP MSCompPackV1.
RP28: 11/06/2009 20:12:56 - Software Distribution Service 3.0
RP29: 11/06/2009 20:24:26 - Software Distribution Service 3.0
RP30: 12/06/2009 03:00:17 - Software Distribution Service 3.0
RP31: 13/06/2009 03:33:59 - System Checkpoint
RP32: 13/06/2009 19:53:33 - Installed GPL MPEG-1/2 DirectShow Decoder Filter
RP33: 21/06/2009 03:00:19 - Software Distribution Service 3.0
RP34: 22/06/2009 22:58:35 - System Checkpoint
RP35: 23/06/2009 23:05:52 - System Checkpoint
RP36: 24/06/2009 22:59:02 - Installed Develop D 13F PCL
RP37: 24/06/2009 23:06:12 - Installed Develop D 13F GDI
RP38: 24/06/2009 23:15:18 - Installed Develop D 13F PCL
RP39: 25/06/2009 00:28:42 - Removed Develop D 13F GDI
RP40: 26/06/2009 01:03:23 - System Checkpoint
RP41: 27/06/2009 01:16:04 - System Checkpoint
RP42: 28/06/2009 02:09:15 - System Checkpoint
RP43: 29/06/2009 03:09:14 - System Checkpoint
RP44: 30/06/2009 03:22:16 - System Checkpoint

==== Installed Programs ======================

AAC Decoder
AC3Filter (remove only)
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.2
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AutoUpdate
BBC iPlayer Desktop
Bonjour
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Develop D 13F PCL
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DVD-RAM Driver
GPL MPEG-1/2 DirectShow Decoder Filter
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp business inkjet 1100
iTunes
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
MKV Splitter
Mozilla Firefox (3.0.11)
QuickTime
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SpywareBlaster 4.2
SUBARU-FAST 2
TOSHIBA Direct Disc Writer
TOSHIBA Software Modem
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

28/06/2009 11:30:13, error: DCOM [10001] - Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
27/06/2009 23:05:26, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
26/06/2009 17:45:48, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
26/06/2009 17:45:19, error: Service Control Manager [7034] - The McAfee Services service terminated unexpectedly. It has done this 3 time(s).
26/06/2009 17:45:19, error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 3 time(s).
26/06/2009 17:45:19, error: Service Control Manager [7034] - The McAfee Proxy Service service terminated unexpectedly. It has done this 3 time(s).
26/06/2009 17:45:19, error: Service Control Manager [7034] - The McAfee Network Agent service terminated unexpectedly. It has done this 3 time(s).
26/06/2009 17:45:19, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
26/06/2009 17:43:06, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
26/06/2009 17:43:06, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
26/06/2009 17:43:06, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
26/06/2009 17:43:06, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
26/06/2009 17:43:06, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
26/06/2009 17:40:33, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
26/06/2009 17:40:33, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
26/06/2009 17:40:33, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
26/06/2009 17:40:33, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
26/06/2009 17:40:33, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================


Phil

Post by Carolyn » July 1st, 2009, 10:56 am

Hi,

Please run this Custom CFScript

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quotebox below into it:

Firefox::
FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\lui9ho22.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Please post the ComboFix log along with a fresh HijackThis log. Also please let me know how your computer is behaving.

Post by peevee » July 1st, 2009, 4:43 pm

Hi Carolyn,

I seem to have control over my web browsers again & everything appears ok thanks, although Firefox has just told me that it is not the default browser again, so I have once again told it that it should be.

I also have to confess that when I did not hear from peku for 4 days I got a bit impatient & took the opportunity to update MBAM, "as I could not originally do that when I was infected", and it found another infection.

I have run the logs as requested, but was logged in as the administrator. I hope this is ok:

ComboFix 09-07-01.01 - phil 01/07/2009 21:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.1519 [GMT 1:00]
Running from: c:\documents and settings\phil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\phil\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-26 12:11 . 2009-06-26 12:11 -------- d-----w- c:\documents and settings\Kasia\Application Data\Malwarebytes
2009-06-24 21:59 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-06-24 21:59 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-06-24 21:59 . 2009-06-24 22:06 -------- d-----w- C:\Develop_D_13F
2009-06-24 21:59 . 2006-12-04 09:26 53248 ----a-w- c:\windows\system32\mmlsts.exe
2009-06-24 21:59 . 2009-06-24 21:59 -------- d-----w- c:\program files\Common Files\MURATEC
2009-06-24 08:14 . 2009-06-24 08:14 -------- d-----w- c:\documents and settings\Kasia\Local Settings\Application Data\Apple
2009-06-22 19:39 . 2009-06-22 19:39 -------- d-----w- c:\documents and settings\Kasia\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-06-22 19:38 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Kasia\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-22 19:32 . 2009-06-22 19:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-06-22 19:32 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-22 19:29 . 2009-06-22 19:29 -------- d-----w- c:\documents and settings\phil\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-06-22 19:29 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\phil\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-22 19:29 . 2009-06-22 19:29 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-06-20 20:10 . 2009-06-20 20:28 -------- d-s---w- C:\peeveecomb
2009-06-20 16:52 . 2009-06-20 16:52 -------- d-----w- c:\documents and settings\phil\Application Data\Malwarebytes
2009-06-20 16:29 . 2009-06-20 16:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-20 12:03 . 2009-06-20 12:03 -------- d-----w- C:\rsit
2009-06-20 11:53 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 11:53 . 2009-06-20 16:04 -------- d-----w- c:\program files\Malware
2009-06-20 11:53 . 2009-06-20 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 11:53 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 17:31 . 2009-06-19 20:32 -------- d-----w- c:\documents and settings\Kasia\Local Settings\Application Data\Adobe
2009-06-18 17:28 . 1998-06-12 19:01 81184 ----a-w- c:\windows\system32\GAPI.DLL
2009-06-18 17:28 . 2009-06-18 17:40 -------- d-----w- C:\SUBARUEX2
2009-06-18 17:28 . 1999-04-23 21:22 430080 ----a-w- c:\windows\system32\MSREPL35.DLL
2009-06-18 17:28 . 1999-04-23 21:22 1056768 ----a-w- c:\windows\system32\MSJET35.DLL
2009-06-18 17:28 . 1998-06-17 23:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-06-18 17:28 . 1998-04-23 23:00 252176 ----a-w- c:\windows\system32\MSRD2X35.DLL
2009-06-18 17:28 . 1998-04-23 23:00 24848 ----a-w- c:\windows\system32\MSJTER35.DLL
2009-06-18 17:28 . 1998-04-23 23:00 123664 ----a-w- c:\windows\system32\MSJINT35.DLL
2009-06-18 17:27 . 2009-06-18 17:27 -------- d-----w- C:\SUBARUEX
2009-06-18 13:04 . 2009-06-18 13:04 -------- d-----w- c:\program files\CC-leaner
2009-06-16 12:32 . 2009-06-20 17:38 -------- d-----w- c:\program files\Trend Micro
2009-06-16 12:24 . 2009-06-16 12:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-16 12:23 . 2009-06-16 12:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-16 12:23 . 2009-06-24 22:25 -------- d-----w- c:\documents and settings\phil\Local Settings\Application Data\Adobe
2009-06-16 12:23 . 2009-06-16 12:23 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-16 12:22 . 2009-06-16 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-16 12:22 . 2009-06-16 12:22 -------- d-----w- c:\program files\NOS
2009-06-16 12:22 . 2009-06-04 09:53 31944 ----a-w- c:\documents and settings\phil\Application Data\Mozilla\Firefox\Profiles\lui9ho22.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-06-16 12:22 . 2009-06-04 09:53 22848 ----a-w- c:\documents and settings\phil\Application Data\Mozilla\Firefox\Profiles\lui9ho22.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-06-16 12:22 . 2009-06-04 09:53 18776 ----a-w- c:\documents and settings\phil\Application Data\Mozilla\Firefox\Profiles\lui9ho22.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-06-13 22:09 . 2009-06-13 22:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DivX
2009-06-13 18:59 . 2009-06-13 18:59 -------- d-----w- c:\program files\AC3Filter
2009-06-13 18:53 . 2009-06-13 18:53 -------- d-----w- c:\program files\GPL MPEG Decoder
2009-06-13 13:49 . 2009-06-13 13:55 -------- d-----w- c:\documents and settings\phil\Application Data\DivX
2009-06-12 23:44 . 2009-06-12 23:56 -------- d-----w- c:\documents and settings\Kasia\Application Data\DivX
2009-06-12 23:41 . 2009-06-25 21:26 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-12 23:41 . 2009-06-25 21:27 -------- d-----w- c:\program files\DivX
2009-06-12 12:52 . 2009-06-12 12:52 6516755 ----a-w- c:\documents and settings\Kasia\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2009-06-12 12:52 . 2009-06-12 12:52 4141117 ----a-w- c:\documents and settings\Kasia\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2009-06-12 12:49 . 2009-06-12 12:49 15884 ----a-w- c:\documents and settings\Kasia\Application Data\Azureus\plugins\azitunes\libProcessAccess.dll
2009-06-12 12:49 . 2009-06-12 12:49 102400 ----a-w- c:\documents and settings\Kasia\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll
2009-06-12 12:46 . 2009-06-15 12:33 -------- d-----w- c:\documents and settings\Kasia\Application Data\Azureus
2009-06-12 12:40 . 2009-06-12 12:40 20328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-12 12:40 . 2009-06-12 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-06-12 12:40 . 2009-06-12 12:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
2009-06-11 12:24 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-11 12:22 . 2009-06-11 12:22 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-11 12:18 . 2009-06-11 12:19 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-06-11 12:18 . 2009-06-11 12:18 -------- d-----w- c:\windows\system32\LogFiles
2009-06-10 20:43 . 2009-06-10 20:43 -------- d-----w- c:\program files\Common Files\Hypnotizer
2009-06-10 20:27 . 2009-06-10 20:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-06-10 12:28 . 2003-11-18 17:14 61440 ----a-w- c:\windows\scrub2k.exe
2009-06-10 12:28 . 2009-06-10 12:28 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-10 12:27 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-06-10 12:27 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-06-10 08:14 . 2009-06-10 08:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-06-09 21:45 . 2009-06-09 21:45 20328 ----a-w- c:\documents and settings\Kasia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 12:40 . 2009-06-09 12:45 664 ----a-w- c:\documents and settings\Kasia\Local Settings\Application Data\d3d9caps.dat
2009-06-09 12:35 . 2009-06-12 23:40 -------- d-----w- c:\documents and settings\Kasia\Application Data\Apple Computer
2009-06-08 17:13 . 2009-06-08 17:13 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-06-08 17:05 . 2009-06-08 17:05 -------- d-----w- c:\windows\system32\scripting
2009-06-08 17:05 . 2009-06-08 17:05 -------- d-----w- c:\windows\system32\en
2009-06-08 17:05 . 2009-06-08 17:05 -------- d-----w- c:\windows\l2schemas
2009-06-08 17:05 . 2009-06-08 17:05 -------- d-----w- c:\windows\system32\bits
2009-06-08 17:02 . 2009-06-08 17:05 -------- d-----w- c:\windows\ServicePackFiles
2009-06-08 16:45 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-08 13:06 . 2004-08-03 21:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-06-08 07:04 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-06-08 07:04 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-06-08 07:03 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-08 07:03 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-08 07:03 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-08 07:03 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-06-08 07:02 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-06-08 07:02 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-06-07 19:53 . 2009-06-07 19:53 -------- d-----w- c:\documents and settings\Kasia\Local Settings\Application Data\Identities
2009-06-07 18:31 . 2009-06-07 18:31 -------- d-----w- c:\documents and settings\Kasia\Local Settings\Application Data\Google
2009-06-07 18:31 . 2009-01-19 04:48 43008 ----a-w- c:\documents and settings\Kasia\Application Data\Mozilla\Firefox\Profiles\puamwk1i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
2009-06-07 18:31 . 2009-01-19 04:48 43008 ----a-w- c:\documents and settings\Kasia\Application Data\Mozilla\Firefox\Profiles\puamwk1i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-06-07 18:31 . 2009-01-19 04:48 245248 ----a-w- c:\documents and settings\Kasia\Application Data\Mozilla\Firefox\Profiles\puamwk1i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
2009-06-07 18:31 . 2009-01-19 04:48 239616 ----a-w- c:\documents and settings\Kasia\Application Data\Mozilla\Firefox\Profiles\puamwk1i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-06-07 18:31 . 2009-01-19 04:48 233984 ----a-w- c:\documents and settings\Kasia\Application Data\Mozilla\Firefox\Profiles\puamwk1i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-06-07 18:31 . 2009-01-19 04:48 243200 ----a-w- c:\documents and settings\Kasia\Application Data\Mozilla\Firefox\Profiles\puamwk1i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
2009-06-07 18:29 . 2009-06-07 18:29 -------- d-----w- c:\documents and settings\Kasia\Local Settings\Application Data\Mozilla
2009-06-07 18:27 . 2009-06-07 18:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-06-07 18:27 . 2009-01-19 04:48 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u9rjn57j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
2009-06-07 18:27 . 2009-01-19 04:48 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u9rjn57j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-06-07 18:27 . 2009-01-19 04:48 245248 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u9rjn57j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
2009-06-07 18:27 . 2009-01-19 04:48 243200 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u9rjn57j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
2009-06-07 18:27 . 2009-01-19 04:48 239616 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u9rjn57j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-06-07 18:27 . 2009-01-19 04:48 233984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u9rjn57j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-06-07 18:24 . 2009-06-07 18:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-07 15:54 . 2009-06-14 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-07 15:05 . 2009-06-18 14:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-07 15:05 . 2009-06-18 14:10 -------- d-----w- c:\program files\SpywareBlaster
2009-06-07 15:02 . 2009-06-07 15:02 -------- d-----w- c:\program files\CCleaner
2009-06-07 14:59 . 2009-06-23 12:25 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-07 11:30 . 2009-06-07 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-06-07 11:27 . 2009-03-25 10:06 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-06-07 11:27 . 2009-03-25 10:06 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-06-07 11:27 . 2009-03-25 10:06 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-06-07 11:27 . 2008-10-23 12:08 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-06-07 11:26 . 2009-06-07 11:27 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-07 11:26 . 2009-06-07 11:27 -------- d-----w- c:\program files\McAfee.com
2009-06-07 11:26 . 2009-06-08 12:47 -------- d-----w- c:\program files\McAfee
2009-06-07 11:23 . 2009-03-25 10:05 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-06-07 11:21 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-07 11:13 . 2009-06-07 11:13 -------- d-----w- c:\windows\Sun
2009-06-07 11:12 . 2009-06-07 11:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-07 11:12 . 2009-06-07 11:12 -------- d-----w- c:\program files\Java
2009-06-07 11:12 . 2009-06-07 11:12 152576 ----a-w- c:\documents and settings\phil\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 11:05 . 2009-06-13 19:20 20328 ----a-w- c:\documents and settings\phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 17:08 . 2009-06-06 20:38 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-07 01:12 . 2009-06-07 01:12 -------- d-----w- c:\documents and settings\phil\Application Data\Apple Computer
2009-06-07 01:12 . 2009-06-07 01:12 -------- d-----w- c:\program files\iTunes
2009-06-07 01:12 . 2009-06-07 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-07 01:12 . 2009-06-07 01:12 -------- d-----w- c:\program files\iPod
2009-06-07 01:12 . 2009-06-07 01:11 -------- d-----w- c:\program files\Common Files\Apple
2009-06-07 01:12 . 2009-06-07 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-07 01:12 . 2009-06-07 01:12 -------- d-----w- c:\program files\Bonjour
2009-06-07 01:11 . 2009-06-07 01:11 -------- d-----w- c:\program files\QuickTime
2009-06-07 01:11 . 2009-06-07 01:11 -------- d-----w- c:\program files\Apple Software Update
2009-06-06 20:40 . 2009-06-06 20:40 -------- d-----w- c:\program files\microsoft frontpage
2009-06-06 20:35 . 2009-06-06 20:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-30 11:50 . 2009-05-30 11:50 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 21:03 . 2009-06-12 23:42 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-01 21:03 . 2009-06-12 23:42 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-01 21:03 . 2009-06-12 23:42 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-05-01 21:03 . 2009-06-12 23:42 129784 ------w- c:\windows\system32\pxafs.dll
2009-05-01 21:03 . 2009-06-12 23:42 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-05-01 21:03 . 2009-06-12 23:42 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_20.26.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 07:30 . 2009-06-30 07:30 16384 c:\windows\Temp\Perflib_Perfdata_5ec.dat
+ 2009-06-26 19:28 . 2009-07-01 18:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-06 23:08 . 2009-06-20 19:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-06 23:08 . 2009-07-01 18:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-06 23:08 . 2009-06-20 19:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-06 23:08 . 2009-07-01 18:19 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-06 23:56 . 2009-06-21 02:01 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2009-06-06 23:56 . 2009-06-11 19:28 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2009-06-06 23:56 . 2009-06-11 19:28 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2009-06-24 21:59 . 2007-02-23 08:29 203050 c:\windows\system32\spool\drivers\w32x86\indeXL.dll
+ 2009-06-24 21:59 . 2007-02-23 08:31 995328 c:\windows\system32\spool\drivers\w32x86\indeuixl.dll
+ 2009-06-24 21:59 . 2007-02-23 08:29 203050 c:\windows\system32\spool\drivers\w32x86\3\indeXL.dll
+ 2009-06-24 21:59 . 2007-02-23 08:31 995328 c:\windows\system32\spool\drivers\w32x86\3\indeuixl.dll
+ 2009-06-24 21:59 . 2007-02-23 08:29 362364 c:\windows\system32\spool\drivers\w32x86\3\indercXL.dll
+ 2006-02-28 12:00 . 2007-06-26 21:10 317440 c:\windows\system32\dllcache\unregmp2.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2009-06-06 23:56 . 2009-06-11 19:28 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2009-06-06 23:56 . 2009-06-21 02:01 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2009-06-06 23:56 . 2009-06-11 19:27 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-01-18 15:05 . 2009-01-18 15:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\JP2KLib.dll
+ 2006-02-28 12:00 . 2007-06-26 21:10 317440 c:\windows\inf\unregmp2.exe
+ 2008-12-18 15:48 . 2008-12-18 15:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\authplay.dll
+ 2009-02-27 15:37 . 2009-02-27 15:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"HPWH myPrintMileage Agent"="c:\program files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe" [2003-11-19 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-6-22 95744]

c:\documents and settings\Kasia\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-6-22 95744]

c:\documents and settings\phil\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-6-22 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-6-7 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [07/06/2009 12:29 203280]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [28/06/2006 11:50 98816]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [16/06/2009 13:22 66048]
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-07 09:53]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-07 09:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\phil\Application Data\Mozilla\Firefox\Profiles\lui9ho22.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\phil\Application Data\Mozilla\Firefox\Profiles\lui9ho22.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 21:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll

- - - - - - - > 'winlogon.exe'(3628)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2680)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-01 21:21
ComboFix-quarantined-files.txt 2009-07-01 20:21
ComboFix2.txt 2009-06-26 16:47
ComboFix3.txt 2009-06-20 20:28

Pre-Run: 49,555,279,872 bytes free
Post-Run: 49,621,696,512 bytes free

312 --- E O F --- 2009-06-21 02:01



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:35:29, on 01/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\HPWHTBX.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1757981266-879983540-725345543-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kasia')
O4 - HKUS\S-1-5-21-1757981266-879983540-725345543-1003\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Kasia')
O4 - HKUS\S-1-5-21-1757981266-879983540-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Kasia')
O4 - HKUS\S-1-5-21-1757981266-879983540-725345543-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Kasia')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-1757981266-879983540-725345543-1003 Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe (User 'Kasia')
O4 - S-1-5-21-1757981266-879983540-725345543-1003 User Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe (User 'Kasia')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4465004859
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 8232 bytes

I was just about to post this and have noticed that the admin account still has an ASK search bar in the Firefox browser.

The IE browser is clean in Admin & both the IE & Firefox browsers in the user acc are ok.

Phil
peevee
Regular Member
 
Posts: 28
Joined: May 29th, 2009, 8:30 am

Re: Hyjacked Browsers & Blocked From Runnig Certain exe Files

Unread postby Carolyn » July 3rd, 2009, 11:20 am

I was just about to post this and have noticed that the admin account still has an ASK search bar in the Firefox browser.


Please log into that again and run DDS, then post the resulting logs for my review.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Hyjacked Browsers & Blocked From Runnig Certain exe Files

Unread postby peevee » July 3rd, 2009, 12:46 pm

Hi Carolyn,

The ASK search bar has now disappeared from all browsers, but here is the log anyway.


DDS (Ver_09-06-26.01) - NTFSx86
Run by phil at 17:44:50.17 on 03/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.1165 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\phil\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HPWH myPrintMileage Agent] c:\program files\hewlett-packard\hp business inkjet 1100 series\toolbox\mpm.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\phil\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 4465004859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\lui9ho22.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\phil\application data\mozilla\firefox\profiles\lui9ho22.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-7 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-7 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-7 144704]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-7 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-7 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-7 34216]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-6-16 66048]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-7 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-7 606736]

=============== Created Last 30 ================

2009-06-26 17:46 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-24 22:59 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-06-24 22:59 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-06-24 22:59 53,248 a------- c:\windows\system32\mmlsts.exe
2009-06-24 22:59 <DIR> --d----- C:\Develop_D_13F
2009-06-24 22:59 <DIR> --d----- c:\program files\common files\MURATEC
2009-06-22 20:29 <DIR> --d----- c:\docume~1\phil\applic~1\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-06-22 20:29 <DIR> --d----- c:\program files\BBC iPlayer Desktop
2009-06-20 21:12 <DIR> a-dshr-- C:\cmdcons
2009-06-20 21:10 161,792 a------- c:\windows\SWREG.exe
2009-06-20 21:10 155,136 a------- c:\windows\PEV.exe
2009-06-20 21:10 98,816 a------- c:\windows\sed.exe
2009-06-20 21:10 <DIR> --ds---- C:\peeveecomb
2009-06-20 17:52 <DIR> --d----- c:\docume~1\phil\applic~1\Malwarebytes
2009-06-20 12:53 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 12:53 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-20 12:53 <DIR> --d----- c:\program files\Malware
2009-06-20 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-18 18:28 999,424 a------- c:\windows\system32\SPR32X30.OCX
2009-06-18 18:27 <DIR> --d----- C:\SUBARUEX
2009-06-18 14:04 <DIR> --d----- c:\program files\CC-leaner
2009-06-16 13:32 <DIR> --d----- c:\program files\Trend Micro
2009-06-13 19:59 380,928 a------- c:\windows\system32\ac3filter.acm
2009-06-13 19:59 <DIR> --d----- c:\program files\AC3Filter
2009-06-13 19:53 <DIR> --d----- c:\program files\GPL MPEG Decoder
2009-06-13 00:41 <DIR> --d----- c:\program files\common files\DivX Shared
2009-06-13 00:41 <DIR> --d----- c:\program files\DivX
2009-06-12 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-06-11 13:22 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-06-11 13:18 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-10 21:46 <DIR> --d----- c:\windows\RegisteredPackages
2009-06-10 21:43 <DIR> --d----- c:\program files\common files\Hypnotizer
2009-06-10 13:28 61,440 a------- c:\windows\scrub2k.exe
2009-06-10 13:28 104 a------- c:\windows\hpw1100k.ini
2009-06-10 13:27 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-06-10 13:27 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-06-10 13:26 1,102,457 a------- c:\windows\hpbj1100.his
2009-06-10 13:26 16,259 a------- c:\windows\hpbj1100.ini
2009-06-08 18:13 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-06-08 18:05 <DIR> --d----- c:\windows\system32\scripting
2009-06-08 18:05 <DIR> --d----- c:\windows\system32\en
2009-06-08 18:05 <DIR> --d----- c:\windows\l2schemas
2009-06-08 18:05 <DIR> --d----- c:\windows\system32\bits
2009-06-08 18:02 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-08 17:58 <DIR> --d----- c:\windows\network diagnostic
2009-06-08 17:45 268,648 a------- c:\windows\system32\mucltui.dll
2009-06-08 17:45 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-08 14:06 327,040 -------- c:\windows\system32\drivers\ati2mtaa.sys
2009-06-08 08:04 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-06-08 08:04 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-06-08 08:03 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-08 08:03 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-08 08:03 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-06-08 08:03 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-06-08 08:02 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-06-08 08:02 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-06-08 03:00 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-07 19:04 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-07 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-07 16:05 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-07 16:02 <DIR> --d----- c:\program files\CCleaner
2009-06-07 12:45 13,221 a------- c:\windows\system32\Config.MPF
2009-06-07 12:27 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-06-07 12:27 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-06-07 12:27 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-06-07 12:27 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-06-07 12:26 <DIR> --d----- c:\program files\common files\McAfee
2009-06-07 12:26 <DIR> --d----- c:\program files\McAfee.com
2009-06-07 12:26 <DIR> --d----- c:\program files\McAfee
2009-06-07 12:23 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-06-07 12:21 221,184 a------- c:\windows\system32\wmpns.dll
2009-06-07 12:12 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-07 12:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-07 02:12 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-07 02:12 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-07 02:12 <DIR> --d----- c:\program files\iPod
2009-06-07 02:12 <DIR> --d----- c:\program files\iTunes
2009-06-07 02:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-07 02:12 <DIR> --d----- c:\program files\Bonjour
2009-06-07 00:56 376 a------- c:\windows\ODBC.INI
2009-06-07 00:56 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-06-07 00:55 <DIR> --d----- c:\windows\ShellNew
2009-06-07 00:55 <DIR> --d----- c:\program files\common files\L&H
2009-06-07 00:44 <DIR> --dsh--- c:\documents and settings\phil\UserData
2009-06-07 00:35 128,113 a------- c:\windows\system32\csellang.ini
2009-06-07 00:35 110,592 a------- c:\windows\system32\cselect.exe
2009-06-07 00:35 89,541 a------- c:\windows\agrsmmsg.exe
2009-06-07 00:35 77,824 a------- c:\windows\system32\tosmreg.exe
2009-06-07 00:35 45,056 a------- c:\windows\system32\csellang.dll
2009-06-07 00:35 10,147 a------- c:\windows\system32\tosmreg.ini
2009-06-07 00:35 7,671 a------- c:\windows\system32\cseltbl.ini
2009-06-07 00:35 <DIR> --d----- c:\program files\ltmoh
2009-06-07 00:35 68,096 -------- c:\windows\agrsmdel.exe
2009-06-07 00:32 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-06-07 00:32 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-06-07 00:32 <DIR> --d----- c:\windows\system32\Lang
2009-06-07 00:32 22 a------- c:\windows\system32\ati64hlp.stb
2009-06-07 00:30 114,688 a------- c:\windows\system32\TODDSrv.exe
2009-06-07 00:29 <DIR> --d----- c:\program files\TOSHIBA
2009-06-07 00:29 155,648 a------- c:\windows\system32\RAMASST.exe
2009-06-07 00:29 135,168 a------- c:\windows\system32\DVDMenu.dll
2009-06-07 00:29 110,592 a------- c:\windows\system32\DVDRAMSV.exe
2009-06-07 00:29 102,384 a------- c:\windows\system32\drivers\meiudf.sys
2009-06-07 00:29 <DIR> --d----- c:\program files\DVD-RAM
2009-06-07 00:28 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-06-07 00:28 83,072 a------- c:\windows\system32\drivers\wdmaud.sys
2009-06-07 00:28 52,864 a------- c:\windows\system32\drivers\dmusic.sys
2009-06-07 00:28 56,576 a------- c:\windows\system32\drivers\swmidi.sys
2009-06-07 00:28 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-06-07 00:28 172,416 a------- c:\windows\system32\drivers\kmixer.sys
2009-06-07 00:28 2,944 a------- c:\windows\system32\drivers\drmkaud.sys
2009-06-07 00:28 60,800 a------- c:\windows\system32\drivers\sysaudio.sys
2009-06-07 00:28 7,552 a------- c:\windows\system32\drivers\mskssrv.sys
2009-06-07 00:28 4,992 a------- c:\windows\system32\drivers\mspqm.sys
2009-06-07 00:28 5,376 a------- c:\windows\system32\drivers\mspclock.sys
2009-06-07 00:25 16,248,320 a------- c:\windows\RTHDCPL.exe
2009-06-07 00:25 2,158,592 a------- c:\windows\MicCal.exe
2009-06-07 00:25 2,808,832 a------- c:\windows\alcwzrd.exe
2009-06-07 00:25 299,008 a------- c:\windows\system32\ALSndMgr.Cpl
2009-06-07 00:25 69,632 a------- c:\windows\Alcmtr.exe
2009-06-07 00:25 487,424 a------- c:\windows\RtlExUpd.dll
2009-06-07 00:25 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-06-07 00:25 81,408 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-06-07 00:25 <DIR> --d----- c:\windows\OPTIONS
2009-06-07 00:25 <DIR> --d----- c:\program files\Realtek
2009-06-07 00:23 <DIR> --d----- c:\documents and settings\phil
2009-06-07 00:21 <DIR> --d----- c:\program files\ATI Technologies
2009-06-07 00:11 13,644 a------- c:\windows\system32\wpa.bak
2009-06-07 00:08 <DIR> --ds---- c:\windows\system32\Microsoft
2009-06-06 22:19 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-06-06 22:19 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-06-06 22:18 20,992 a------- c:\windows\system32\drivers\RTL8139.sys
2009-06-06 22:18 74,240 a------- c:\windows\system32\usbui.dll
2009-06-06 22:18 10,240 a------- c:\windows\system32\drivers\compbatt.sys
2009-06-06 22:18 14,208 a------- c:\windows\system32\drivers\battc.sys
2009-06-06 22:18 13,952 a------- c:\windows\system32\drivers\cmbatt.sys
2009-06-06 22:17 355,794 a------- c:\windows\system32\PerfStringBackup.INI
2009-06-06 22:17 <DIR> --dsh--- c:\windows\Installer
2009-06-06 22:17 4,161 a------- c:\windows\ODBCINST.INI
2009-06-06 22:17 <DIR> --d----- c:\program files\common files\ODBC
2009-06-06 22:17 61,440 ac------ c:\windows\system32\dllcache\spcplui.dll
2009-06-06 22:17 77,824 ac------ c:\windows\system32\dllcache\spcommon.dll
2009-06-06 22:17 1,685,606 ac------ c:\windows\system32\dllcache\sam.spd
2009-06-06 22:17 888 ac------ c:\windows\system32\dllcache\sam.sdf
2009-06-06 22:17 774,144 ac------ c:\windows\system32\dllcache\spttseng.dll
2009-06-06 22:17 605,050 ac------ c:\windows\system32\dllcache\r1033tts.lxa
2009-06-06 22:17 643,717 ac------ c:\windows\system32\dllcache\ltts1033.lxa
2009-06-06 22:17 36,864 ac------ c:\windows\system32\dllcache\sapisvr.exe
2009-06-06 22:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-06 22:17 <DIR> --d--r-- C:\Program Files
2009-06-06 22:16 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-06-06 22:15 <DIR> --d----- C:\Documents and Settings
2009-06-06 22:14 261 a------- c:\windows\system32\$winnt$.inf
2009-06-06 21:38 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-06 21:37 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-06 21:36 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-06 21:34 <DIR> --d----- c:\program files\Online Services
2009-06-06 21:34 <DIR> --d----- c:\program files\Messenger
2009-06-06 21:34 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-06 21:33 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-06-08 18:08 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-06 21:35 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 22:03 129,784 -------- c:\windows\system32\pxafs.dll
2009-05-01 22:03 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-05-01 22:03 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-05-01 22:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 22:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 22:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 22:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 22:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 17:45:18.61 ===============


Thanks
Phil
peevee
Regular Member
 
Posts: 28
Joined: May 29th, 2009, 8:30 am

Re: Hyjacked Browsers & Blocked From Runnig Certain exe Files

Unread postby Carolyn » July 4th, 2009, 4:19 pm

Hi Phil,

This is my general post for when your logs show no more signs of malware ;) - Please let me know if you are still having problems with your computer and what these problems are.

Your log now appears to be clean. Congratulations!

Please delete DDS.exe from your computer.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

    Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
    Please advise if this step is missed for any reason as it performs some important actions.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under Hidden files and folders if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check Display content of system folders
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

    • SpywareBlaster
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

    • Malwarebytes' Anti-Malware or SuperAntiSpyware
      These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built-in protection monitor that blocks malicious processes before they even start.
      You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
      You can download SuperAntiSpyware from HERE.

    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also, please read this great article by Tony Klein: "So How Did I Get Infected In First Place"

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
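
The kill-bit mechanism mentioned in the SpywareBlaster recommendation above, as an added example that is not part of the original thread: it reads a text export of the IE "ActiveX Compatibility" registry key and reports which of the ActiveX controls listed on a DDS log's DPF lines are blocked. The function names and the sample data are assumptions made for illustration; only the first DPF line and the BHO line are copied from the log in this thread, the rest is constructed.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control

# One subkey per ActiveX CLSID lives under this key (32-bit Windows XP layout).
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$",
    re.IGNORECASE,
)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.IGNORECASE)
DPF_RE = re.compile(r"^DPF:\s*(\{[0-9A-F-]{36}\})", re.IGNORECASE)

# Constructed sample of a registry export (.reg text). A real export file is
# UTF-16 and has to be decoded as such before being passed to the parser.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00800000
"""

# First and last lines are copied from the DDS log in this thread; the two
# example.invalid lines use constructed CLSIDs and URLs.
SAMPLE_DDS = r"""DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 4465004859
DPF: {11111111-2222-3333-4444-555555555555} - hxxp://example.invalid/control.cab
DPF: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} - hxxp://example.invalid/other.cab
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
"""


def parse_compat_flags(reg_text):
    """Return {CLSID (upper case): Compatibility Flags value} from .reg text."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header; values that follow belong to it until the next header.
            match = KEY_RE.match(line)
            current = match.group(1).upper() if match else None
        elif current:
            match = FLAGS_RE.match(line)
            if match:
                flags[current] = int(match.group(1), 16)
    return flags


def dpf_clsids(dds_text):
    """Return the CLSIDs (upper case) found on the DPF lines of a DDS log."""
    found = []
    for raw in dds_text.splitlines():
        match = DPF_RE.match(raw.strip())
        if match:
            found.append(match.group(1).upper())
    return found


def killbit_status(clsids, flags):
    """Classify each CLSID as blocked, present without the kill bit, or absent."""
    report = {}
    for clsid in clsids:
        value = flags.get(clsid.upper())
        if value is None:
            report[clsid.upper()] = "no entry"
        elif value & KILL_BIT:
            report[clsid.upper()] = "blocked"
        else:
            report[clsid.upper()] = "entry without kill bit"
    return report


if __name__ == "__main__":
    status = killbit_status(dpf_clsids(SAMPLE_DDS), parse_compat_flags(SAMPLE_REG))
    for clsid, state in status.items():
        print(clsid, state)
```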

Re: Hyjacked Browsers & Blocked From Runnig Certain exe Files

Unread postby peevee » July 5th, 2009, 11:15 am

Carolyn,

I can't thank you enough for your help

I have completed all of your instructions and everything now appears to be back to normal

Thanks once again
Phil :cheers:
peevee
Regular Member
 
Posts: 28
Joined: May 29th, 2009, 8:30 am

Re: Hyjacked Browsers & Blocked From Runnig Certain exe Files

Unread postby Carolyn » July 5th, 2009, 11:44 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine