Hijackthis log


185 replies to this topic

#46 rsre15 (Authentic Member, 153 posts)

Posted 12 November 2006 - 10:24 AM

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0F4CCD86E3AC-F42A-F464-C618-8C8EAE5E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8C8CB7F7B248-1D3A-9D74-4A1E-2B767F7B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}25E2EC57B609-3ACA-35E4-0686-29137690{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5219A89B2904-A0C8-A274-09F8-C489DBC5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6ACB3836D8AB-BE39-6414-AAD2-F13682F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B42ED141FCFF-1FDB-C3F4-5826-097BCBE3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}458C25A12AA7-5C3B-C884-F655-1A3DF3A3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2778C374F5DA-7C7A-6F94-AE12-CF18DB7C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CE94E236D35D-848B-5194-88DB-A0AA3512{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}63C3136C53E5-2548-F024-DF12-22CCCB65{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6BE440862ECA-05A8-2F44-4BD4-88B0926A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}83B5416FBBDD-B34A-36A4-E314-B082907E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9059A9B4B750-A6CA-C464-4E85-F8E251A3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A741590A690A-F7DB-5BF4-B778-5173FFFA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3BEAA3742F19-6AD9-7964-ED03-8886EFA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87D1BAFA63F1-4539-8FA4-9FA9-0ACF74C8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}009FB7F67950-8EB9-B624-261F-5D05BD0D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\rqnmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmnqr.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMNQR.EXE 60,949 2004-08-12

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.


#47 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 12 November 2006 - 11:37 AM

First, I would like you to check the settings in AVG Anti-Spyware and make sure that it is up to date:
  • Open AVG Anti-Spyware
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
Please check the following settings:
  • Click the Shield icon at the top and check that Resident shield shows inactive.
  • Click the Update icon and confirm that the automatic update option is not ticked.
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under How to act? confirm that Quarantine is shown.
You can now close AVG Anti-Spyware. Do not scan yet.

------------------------------------------------------------------

Please download Killbox and save it to your desktop: http://www.killbox.n...ads/KillBox.exe

Copy the entire text within the quote box below.

C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\agysteo.exe
C:\WINDOWS\SYSTEM32\DMNQR.EXE

  • Open Killbox
  • Click the option Delete on Reboot
  • Click on the All Files button
  • Go to File and click on Paste from Clipboard
  • If no files appear in the drop-down box, please stop and let me know
  • Click on the red button with the white 'X' on it (Delete File)
  • Wait for the confirmation message that will ask you to Reboot Now
  • Click NO This is very important!
  • Exit the program
Do NOT reboot your computer

------------------------------------------------------------------

We now need to run FixWareout again. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Run FixWareout. The fix will begin - follow the prompts. You will be asked to reboot your computer. Please do so (your system may take longer than usual to load - this is normal).

At the end of the fix, you may need to restart your computer again.

------------------------------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O4 - HKLM\..\Run: [port windows] C:\WINDOWS\system32\agysteo.exe
O4 - HKCU\..\Run: [port windows] C:\WINDOWS\system32\agysteo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{59D676E0-3A42-4268-968A-63FAC66D85BA}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.60 85.255.112.226
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.60 85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.60 85.255.112.226
O20 - AppInit_DLLs:

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

-----------------------------------------------------------------

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Boot to Safe Mode. To do this:
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan? - Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Reboot in Normal Mode.

----------------------------------------------------------------

Now let's check some settings on your system.

Click on Start and then Control Panel.
If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double-click on Network Connections.
Then right-click on your default connection, usually Local Area Connection, and left-click on Properties. Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.

Next, click on Start, then Run, type cmd and click OK. A command prompt (black window) will open.
Type ipconfig /flushdns (that space between g and / is needed)
Hit the Enter key, type exit then hit Enter again.

----------------------------------------------------------------

Download Hoster and unzip/extract it to your Desktop.
  • Double click on Hoster.exe to launch the program.
  • If you see red text in the box under Editing Tools:
    • Press the Make Hosts Writable button
  • Press the Restore Microsoft's Original Hosts File button and OK
  • Click on Make Hosts Read Only to secure it against further infection.
  • Exit the programme.
---------------------------------------------------------

Please post, as a reply to this thread:
  • The FixWareout logfile (C:\fixwareout\report.txt)
  • The AVG Anti-Spyware report
  • A new HijackThis log

beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)
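The O17 lines the helper asks to fix above are the DNS-hijack part of this infection: the malware hard-codes its own resolvers in the Tcpip NameServer value, not only in the live control set (CCS) but also in the numbered copies CS1 and CS2, one of which backs "Last Known Good". Below is an added triage script for this step, not code from the thread or from the HijackThis project. It parses the O17 lines of a HijackThis v1.99 log, reports every hard-coded resolver that is not on an operator-supplied allow-list, and lists which control sets still carry one. The sample lines are copied from the log posted in this thread; EXPECTED_RESOLVERS is a constructed placeholder that an operator would fill with the resolvers their ISP or DHCP server actually hands out.

```python
"""Triage the O17 (Tcpip NameServer) lines of a HijackThis v1.99 log.

Added example for this thread, not code from the thread or from the
HijackThis project. SAMPLE_LOG is copied from the log posted above;
EXPECTED_RESOLVERS is a constructed placeholder an operator would fill
with the resolvers the ISP or DHCP server is supposed to hand out.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple

# Constructed allow-list. Empty means every hard-coded NameServer is reported,
# which is the right default for a home PC that should be on DHCP anyway.
EXPECTED_RESOLVERS: FrozenSet[str] = frozenset()

# HijackThis writes two shapes of O17 line; the separator between servers
# is a comma for per-interface keys and a space for the Parameters key.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\[^:]*):"
    r"\s*NameServer\s*=\s*(?P<servers>\S.*?)\s*$"
)

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [port windows] C:\WINDOWS\system32\agysteo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{59D676E0-3A42-4268-968A-63FAC66D85BA}: NameServer = 85.255.114.60,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.60 85.255.112.226
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.60 85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.60 85.255.112.226
O20 - AppInit_DLLs:
""".strip().splitlines()


@dataclass(frozen=True)
class DnsFinding:
    key: str                     # registry path as HijackThis printed it
    control_set: str             # CCS, CS1, CS2, ...
    servers: Tuple[str, ...]     # every resolver listed on the line
    unexpected: Tuple[str, ...]  # those not on the allow-list


def parse_o17(lines: Iterable[str],
              expected: FrozenSet[str] = EXPECTED_RESOLVERS) -> List[DnsFinding]:
    """Return one finding per O17 line, in log order."""
    findings = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = tuple(s for s in re.split(r"[,\s]+", m["servers"]) if s)
        unexpected = tuple(s for s in servers if s not in expected)
        findings.append(DnsFinding(m["key"], m["cset"], servers, unexpected))
    return findings


def hijacked_resolvers(lines: Iterable[str],
                       expected: FrozenSet[str] = EXPECTED_RESOLVERS) -> Set[str]:
    """Resolver IPs hard-coded anywhere in the log that are not allow-listed."""
    return {s for f in parse_o17(lines, expected) for s in f.unexpected}


def control_sets_affected(lines: Iterable[str],
                          expected: FrozenSet[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Control sets that still carry an unexpected resolver.

    CCS is the live ControlSet; CS1/CS2 are the numbered copies, one of which
    backs "Last Known Good". Cleaning only CCS leaves a rollback path to the
    hijacked resolvers, so every control set listed here needs fixing.
    """
    return sorted({f.control_set for f in parse_o17(lines, expected) if f.unexpected})


if __name__ == "__main__":
    for f in parse_o17(SAMPLE_LOG):
        flag = "SUSPECT" if f.unexpected else "ok"
        print(f"{flag:7} {f.control_set:4} {', '.join(f.servers)}  ({f.key})")
    print("resolvers to investigate:", sorted(hijacked_resolvers(SAMPLE_LOG)))
    print("control sets to fix:", control_sets_affected(SAMPLE_LOG))
```

Run it against a saved log to get the list of resolvers to look up and the control sets that still point at them. Switching the adapter back to "Obtain DNS servers automatically" and running `ipconfig /flushdns`, as the post describes, only rewrites the live set; re-run the script on a fresh HijackThis log afterwards and confirm that no control set is listed before trusting name resolution again.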

#48 rsre15 (Authentic Member, 153 posts)

Posted 12 November 2006 - 02:32 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:25:20 PM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#49 rsre15 (Authentic Member, 153 posts)

Posted 12 November 2006 - 02:33 PM

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.

#50 rsre15 (Authentic Member, 153 posts)

Posted 12 November 2006 - 02:34 PM

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mmtask.exe\""
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"McRegWiz"="c:\\PROGRA~1\\mcafee.com\\agent\\mcregwiz.exe /autorun"
"port windows"="C:\\WINDOWS\\system32\\agysteo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#51 rsre15 (Authentic Member, 153 posts)

Posted 12 November 2006 - 02:39 PM

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:11:06 PM 11/12/2006

+ Scan result:

C:\!KillBox\ipv6mons.dll -> Logger.BZub.fm : Cleaned with backup (quarantined).
C:\Documents and Settings\Rick\Local Settings\Temp\urmdk.exe -> Logger.BZub.fm : Cleaned with backup (quarantined).
C:\Documents and Settings\Rick\Cookies\rick@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Rick\Cookies\rick@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\SYSTEM32\bak\agysteo.exe -> Trojan.Agent.aad : Cleaned with backup (quarantined).

::Report end
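Reading a scan report like the one above, the useful question is not how many lines it has but where each detection lives: `C:\!KillBox\ipv6mons.dll` is the copy Killbox parked when it deleted the file on reboot, `C:\WINDOWS\SYSTEM32\bak\agysteo.exe` sits in a backup folder created during the cleanup, the `Cookies\` entries are tracking cookies, and only `...\Temp\urmdk.exe` was a live file the earlier steps had not touched. The script below is an added example for this thread, not code from the thread or from AVG. It parses report lines of the `path -> detection : action` form and sorts them into those three buckets. The sample lines are copied from the report above; the folder list in RESIDUE_DIRS is an assumption about where the earlier cleanup steps parked their copies, and an operator should extend it to match the tools actually used.

```python
"""Sort the detections of an AVG Anti-Spyware style scan report by location.

Added example for this thread, not code from the thread or from AVG.
SAMPLE_REPORT holds lines copied from the report posted above. RESIDUE_DIRS
is an assumption: folders where earlier cleanup steps keep their copies
(Killbox's C:\\!KillBox and the system32\\bak folder seen in the report).
"""
import re
from typing import Dict, Iterable, List, NamedTuple

# Assumed holding folders of earlier cleanup tools, compared case-insensitively.
RESIDUE_DIRS = ("c:\\!killbox\\", "\\system32\\bak\\")

# One detection per line: <path> -> <detection name> : <action>.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>.+?) : (?P<action>.+?)\.?$")

# Lines copied from the AVG Anti-Spyware report posted in this thread.
SAMPLE_REPORT = r"""
C:\!KillBox\ipv6mons.dll -> Logger.BZub.fm : Cleaned with backup (quarantined).
C:\Documents and Settings\Rick\Local Settings\Temp\urmdk.exe -> Logger.BZub.fm : Cleaned with backup (quarantined).
C:\Documents and Settings\Rick\Cookies\rick@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Erica\Cookies\erica@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\WINDOWS\SYSTEM32\bak\agysteo.exe -> Trojan.Agent.aad : Cleaned with backup (quarantined).
::Report end
""".strip().splitlines()


class Detection(NamedTuple):
    path: str
    name: str
    action: str
    bucket: str  # "cookie", "residue" or "live"


def classify(path: str, name: str) -> str:
    """Decide whether a detection is a tracking cookie, a parked copy, or live."""
    p = path.lower()
    if name.startswith("TrackingCookie.") or "\\cookies\\" in p:
        return "cookie"
    if any(d in p for d in RESIDUE_DIRS):
        return "residue"
    return "live"


def parse_report(lines: Iterable[str]) -> List[Detection]:
    """Parse every detection line; headers and the trailer are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Detection(m["path"], m["name"], m["action"],
                             classify(m["path"], m["name"])))
    return out


def live_paths(lines: Iterable[str]) -> List[str]:
    """Paths that were active on disk, i.e. not cookies and not parked copies."""
    return [d.path for d in parse_report(lines) if d.bucket == "live"]


def bucket_counts(lines: Iterable[str]) -> Dict[str, int]:
    counts = {"live": 0, "residue": 0, "cookie": 0}
    for d in parse_report(lines):
        counts[d.bucket] += 1
    return counts


if __name__ == "__main__":
    print(bucket_counts(SAMPLE_REPORT))
    for path in live_paths(SAMPLE_REPORT):
        print("live detection:", path)
```

Residue hits are expected after a Killbox or FixWareout run and will keep reappearing in every later scan until the holding folders are emptied, so they should not be read as reinfection; the live bucket is the list that matters when deciding whether the machine is actually clean.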

#52 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 13 November 2006 - 05:01 AM

The latest HijackThis log is clean. Has your McAfee Security Center returned or, if not, are you able to re-instate it?

I would like you to run FixWareout yet again and then a Kaspersky scan.

---------------------------------------------------------------------------------

Run FixWareout. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Run FixWareout. The fix will begin - follow the prompts. You will be asked to reboot your computer. Please do so (your system may take longer than usual to load - this is normal).

At the end of the fix, you may need to restart your computer again.

---------------------------------------------------------------------------------

Kaspersky Online Scanner

Using Internet Explorer, click on Kaspersky Online Scanner
  • You will be prompted to install an ActiveX component from Kaspersky, Click 'Yes'.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the 'Save as Text' button:
  • Save the file to your desktop.
------------------------------------------------------------------------

Please post, as a reply to this thread:
  • The FixWareout logfile (C:\fixwareout\report.txt)
  • The Kaspersky report
  • A new HijackThis log

beynac

#53 rsre15 (Authentic Member, 153 posts)

Posted 13 November 2006 - 09:33 AM

I did not try to reinstall McAfee. It still isn't available on the computer. I try clicking the icons and nothing happens. I will try to reinstall it if you think that is what's best. I will not be home until 4 or 5 east coast time so I guess that will be 9 or 10 your time.

#54 beynac (Silver Member, Visiting Fellow, 459 posts)

Posted 13 November 2006 - 09:42 AM

rsre15 wrote: "I will try to reinstall it if you think that is what's best."

Perhaps it would be best to wait until I've had a look at the latest logs. Let's make sure that your computer's clean first. :)
beynac

#55 rsre15 (Authentic Member, 153 posts)

Posted 13 November 2006 - 04:38 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:35:27 PM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcupdate.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



#56 rsre15
Authentic Member, 153 posts

Posted 13 November 2006 - 04:39 PM

KASPERSKY ONLINE SCANNER REPORT
Monday, November 13, 2006 5:33:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/11/2006
Kaspersky Anti-Virus database records: 241101

Scan Settings
    Scan using the following antivirus database    extended
    Scan Archives    true
    Scan Mail Bases    true

Scan Target    My Computer
    A:\
    C:\
    D:\

Scan Statistics
    Total number of scanned objects    46252
    Number of viruses found    3
    Number of infected objects    25 / 0
    Number of suspicious objects    0
    Duration of the scan process    00:43:57

Infected Object Name    Virus Name    Last Action
C:\!KillBox\agysteo.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\!KillBox\rpcc.dll    Infected: Trojan.Win32.Obfuscated.ae    skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log    Object is locked    skipped
C:\Documents and Settings\LocalService\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\Rick\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\Rick\Desktop\SmitfraudFix\Reboot.exe    Infected: not-a-virus:RiskTool.Win32.Reboot.f    skipped
C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\Rick\Local Settings\History\History.IE5\INDEX.DAT    Object is locked    skipped
C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\Rick\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\Rick\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\Rick\UserData\index.dat    Object is locked    skipped
C:\Program Files\Analog Devices\Core\smax4pnp.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\Dell Support\DSAgnt.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\McAfee.com\Agent\mcagent.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\McAfee.com\Agent\mcregwiz.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\McAfee.com\Agent\mcupdate.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\McAfee.com\MPS\mscifapp.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\McAfee.com\VSO\mcvsshld.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\McAfee.com\VSO\oasclnt.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\QuickTime\qttask.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\Verizon Online\Help Support\SmartBridge\MotiveSB.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\Program Files\Verizon Online\Help Support\VerizonSupport.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
C:\WINDOWS\Debug\PASSWD.LOG    Object is locked    skipped
C:\WINDOWS\SchedLgU.Txt    Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{280AA363-C2D5-47F5-AA3D-8E12A25BC03A}.bin    Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT    Object is locked    skipped
C:\WINDOWS\SYSTEM32\hkcmd.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\WINDOWS\SYSTEM32\igfxpers.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\WINDOWS\SYSTEM32\igfxtray.exe    Infected: Trojan-Downloader.Win32.Agent.bbf    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP    Object is locked    skipped
C:\WINDOWS\Temp\History\History.IE5\MSHist012006111320061114\index.dat    Object is locked    skipped
C:\WINDOWS\WindowsUpdate.log    Object is locked    skipped

Scan process completed.

#57 rsre15
Authentic Member, 153 posts

Posted 13 November 2006 - 04:40 PM

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

#58 beynac
Silver Member (Visiting Fellow), 459 posts

Posted 13 November 2006 - 05:37 PM

Download the Dr.Web CureIT! scanner from here and save it on your desktop. Run the scanner, save the report and post it here.

This looks as if it could be nasty. I suggest that you back up your important files but do NOT back up any .exe files - documents only.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#59 rsre15
Authentic Member, 153 posts

Posted 13 November 2006 - 06:23 PM

smax4pnp.exe;c:\program files\analog devices\core;Probably BACKDOOR.Trojan;;
wkufind.exe;c:\program files\common files\microsoft shared\works shared;Probably BACKDOOR.Trojan;;
sgtray.exe;c:\program files\common files\sonic\update manager;Probably BACKDOOR.Trojan;;
dsagnt.exe;c:\program files\dell support;Probably BACKDOOR.Trojan;;
intelmem.exe;c:\program files\intel\modem event monitor;Probably BACKDOOR.Trojan;;
jusched.exe;c:\program files\java\jre1.5.0_09\bin;Probably BACKDOOR.Trojan;;
mcagent.exe;c:\program files\mcafee.com\agent;Probably BACKDOOR.Trojan;;
mcregwiz.exe;c:\program files\mcafee.com\agent;Probably BACKDOOR.Trojan;;
mcupdate.exe;c:\program files\mcafee.com\agent;Probably BACKDOOR.Trojan;;
mscifapp.exe;c:\program files\mcafee.com\mps;Probably BACKDOOR.Trojan;;
mpftray.exe;c:\program files\mcafee.com\personal firewall;Probably BACKDOOR.Trojan;;
mcmnhdlr.exe;c:\program files\mcafee.com\vso;Probably BACKDOOR.Trojan;;
mcvsshld.exe;c:\program files\mcafee.com\vso;Probably BACKDOOR.Trojan;;
oasclnt.exe;c:\program files\mcafee.com\vso;Probably BACKDOOR.Trojan;;
mmtask.exe;c:\program files\musicmatch\musicmatch jukebox;Probably BACKDOOR.Trojan;;
qttask.exe;c:\program files\quicktime;Probably BACKDOOR.Trojan;;
motivesb.exe;c:\program files\verizon online\help support\smartbridge;Probably BACKDOOR.Trojan;;
verizonsupport.exe;c:\program files\verizon online\help support;Probably BACKDOOR.Trojan;;
tfswctrl.exe;c:\windows\system32\dla;Probably BACKDOOR.Trojan;;
hkcmd.exe;c:\windows\system32;Probably BACKDOOR.Trojan;;
igfxpers.exe;c:\windows\system32;Probably BACKDOOR.Trojan;;
igfxtray.exe;c:\windows\system32;Probably BACKDOOR.Trojan;;

#60 beynac
Silver Member (Visiting Fellow), 459 posts

Posted 13 November 2006 - 07:13 PM

Dr.Web CureIT! found the same files as Kaspersky. Unfortunately it didn't identify the infection and so would be unable to 'cure it'.

Panda ActiveScan

Using Internet Explorer, please go HERE to run Panda's ActiveScan.
  • Once you are on the Panda site click the Check your PC Online button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click Send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the report as a reply to this thread.
