
Hijackthis log


  • This topic is locked
185 replies to this topic

#76 beynac

beynac

    Silver Member

  • Visiting Fellow
  • 459 posts

Posted 15 November 2006 - 06:13 PM

It would be best to carry out this next part in Safe Mode. You need to end those processes again so log in as the user you used to get the FindAWF report. If it won't run in Safe Mode then try it in Normal Mode.

Important: Make sure that you are not connected to the internet while you are in Safe Mode. You will need to print these instructions.

Boot to Safe Mode. To do this:
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting until a menu appears.
  • Use up-arrow key to select Safe Mode and press Enter.
---------------------------------------------------------------------

We need to make sure that none of the following processes are running. To check, you need to press the Ctrl+Alt+Del keys to open Task Manager. Click on the Processes tab and then click on Image Name (this will put the processes in order). If any of the following are running, right-click on them and select End process.

hkcmd.exe
igfxpers.exe
igfxtray.exe
mcagent.exe
mcdetect.exe
mcmnhdlr.exe
mcregwiz.exe
mcshield.exe
mctskshd.exe
mcupdate.exe
mcvsshld.exe
mmtask.exe
MotiveSB.exe
MpfService.exe
MpfTray.exe
mscifapp.exe
oasclnt.exe
qttask.exe
tfswctrl.exe
VerizonSupport.exe

-------------------------------------------------------------------

Please open Notepad and copy/paste all of the text in the quote box into it:

@echo off
REM replace.bat: for each program listed below, copy the backup copy kept in
REM the "bak" subfolder beside it back over the file currently in place.
REM Each line only acts if the program is actually installed at that path.
REM (copy does not prompt to overwrite when run from a batch file.)

if exist "C:\Program Files\Analog Devices\Core\smax4pnp.exe" copy "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe" "C:\Program Files\Analog Devices\Core"
if exist "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" copy "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe" "C:\Program Files\Common Files\Microsoft Shared\Works Shared"
if exist "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" copy "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe" "C:\Program Files\Common Files\Sonic\Update Manager"
if exist "C:\Program Files\Dell Support\DSAgnt.exe" copy "C:\Program Files\Dell Support\bak\DSAgnt.exe" "C:\Program Files\Dell Support"
if exist "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" copy "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe" "C:\Program Files\Intel\Modem Event Monitor"
if exist "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" copy "C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_09\bin"
if exist "C:\Program Files\McAfee.com\Agent\mcagent.exe" copy "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe" "C:\Program Files\McAfee.com\Agent"
if exist "C:\Program Files\McAfee.com\Agent\mcregwiz.exe" copy "C:\Program Files\McAfee.com\Agent\bak\mcregwiz.exe" "C:\Program Files\McAfee.com\Agent"
if exist "C:\Program Files\McAfee.com\Agent\mcupdate.exe" copy "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe" "C:\Program Files\McAfee.com\Agent"
if exist "C:\Program Files\McAfee.com\MPS\mscifapp.exe" copy "C:\Program Files\McAfee.com\MPS\bak\mscifapp.exe" "C:\Program Files\McAfee.com\MPS"
if exist "C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe" copy "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe" "C:\Program Files\McAfee.com\Personal Firewall"
if exist "C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe" copy "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe" "C:\Program Files\McAfee.com\VSO"
if exist "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" copy "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe" "C:\Program Files\McAfee.com\VSO"
if exist "C:\Program Files\McAfee.com\VSO\oasclnt.exe" copy "C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe" "C:\Program Files\McAfee.com\VSO"
if exist "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" copy "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe" "C:\Program Files\MUSICMATCH\Musicmatch Jukebox"
if exist "C:\Program Files\QuickTime\qttask.exe" copy "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
if exist "C:\Program Files\Verizon Online\Help Support\SmartBridge\MotiveSB.exe" copy "C:\Program Files\Verizon Online\Help Support\SmartBridge\bak\MotiveSB.exe" "C:\Program Files\Verizon Online\Help Support\SmartBridge"
if exist "C:\Program Files\Verizon Online\Help Support\VerizonSupport.exe" copy "C:\Program Files\Verizon Online\Help Support\bak\VerizonSupport.exe" "C:\Program Files\Verizon Online\Help Support"
if exist "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe" copy "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe" "C:\WINDOWS\SYSTEM32\dla"
if exist "C:\WINDOWS\SYSTEM32\hkcmd.exe" copy "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe" "C:\WINDOWS\SYSTEM32"
if exist "C:\WINDOWS\SYSTEM32\igfxpers.exe" copy "C:\WINDOWS\SYSTEM32\bak\igfxpers.exe" "C:\WINDOWS\SYSTEM32"
if exist "C:\WINDOWS\SYSTEM32\igfxtray.exe" copy "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe" "C:\WINDOWS\SYSTEM32"

REM Delete this script when finished. %~f0 is the full path of the running
REM batch file, so this works wherever the file was saved.
del "%~f0"


Still in Notepad, go to Format (upper menu bar) and untick Word Wrap
Go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: replace.bat
Save as Type: Any file
Click: Save
Exit out of Notepad.

Next, on the Desktop, double-click on replace.bat

--------------------------------------------------------------------------------------------------

Run ATF Cleaner by Atribune ©
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • Untick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
Reboot your computer into normal Windows.

----------------------------------------------------------------------------------------------

Also, please run the following:

DelDomains

http://www.mvps.org/.../DelDomains.inf
Right click the above link, Save Target as or Save Link as, and save to the Desktop.
To delete all entries in the Restricted & Trusted Zone list, right click DelDomains.inf
Select: Install

ResetProtocolDefaults

http://www.mvps.org/...colDefaults.reg
Right click the above link, Save Target as or Save Link as, and save to the Desktop.
Right-click ResetProtocolDefaults.reg
Select: Merge
OK the prompt

-----------------------------------------------------------------------------------------

Run FindAWF again and post the log here.

Edited by beynac, 15 November 2006 - 06:38 PM.

beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)
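The batch file above restores one hard-coded program per line. As an added example (my code, not beynac's, not FindAWF's, and not something posted in this thread), here is the same operation in its general form: walk a directory tree, find every file that has a same-named copy in a "bak" subfolder beside it, hash both, and copy the "bak" copy back over the in-place file when the two differ. The audit step also counts how many differing in-place files share one hash; that several replaced programs are all the same binary is this script's assumption about the infection, not something the thread states. The directory tree, file names and file contents are constructed in a temporary folder so the script runs offline.

```python
"""Generalised replace.bat: find <dir>\\name next to <dir>\\bak\\name, compare, restore."""
import hashlib
import os
import shutil
import tempfile
from collections import Counter

# Constructed demo contents (not real binaries). Names mirror the batch file above.
GOOD = {
    "mcagent.exe": b"MZ original McAfee agent",
    "qttask.exe": b"MZ original QuickTime task",
    "jusched.exe": b"MZ original Java scheduler",
    "hkcmd.exe": b"MZ original Intel hotkey",
}
DROPPER = b"MZ one dropped binary sitting at every replaced path"  # assumption


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """Yield (in_place, bak_copy) for every bak\\name that has a sibling name."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            sibling = os.path.join(parent, name)
            if os.path.isfile(sibling):
                yield sibling, os.path.join(dirpath, name)


def audit(root):
    """One row per pair. 'differs': in-place file is not byte-identical to the bak copy.
    'shared': how many other differing in-place files have the same hash."""
    rows = []
    for in_place, bak_copy in sorted(find_bak_pairs(root)):
        r_hash, b_hash = sha256_of(in_place), sha256_of(bak_copy)
        rows.append({"path": in_place, "bak": bak_copy, "replaced_sha256": r_hash,
                     "bak_sha256": b_hash, "differs": r_hash != b_hash})
    seen = Counter(r["replaced_sha256"] for r in rows if r["differs"])
    for r in rows:
        r["shared"] = seen[r["replaced_sha256"]] - 1 if r["differs"] else 0
    return rows


def restore(root):
    """Copy each bak copy back over its differing sibling (what replace.bat does
    with one copy line per program). Returns the number of files restored."""
    restored = 0
    for in_place, bak_copy in find_bak_pairs(root):
        if sha256_of(in_place) != sha256_of(bak_copy):
            shutil.copy2(bak_copy, in_place)
            restored += 1
    return restored


def build_demo_tree(root):
    """Constructed layout: three programs overwritten by one dropper, one (hkcmd)
    already identical to its bak copy, and a stray bak file with no sibling."""
    for name, body in GOOD.items():
        d = os.path.join(root, "Program Files", name[:-4])
        os.makedirs(os.path.join(d, "bak"))
        with open(os.path.join(d, "bak", name), "wb") as f:
            f.write(body)
        with open(os.path.join(d, name), "wb") as f:
            f.write(body if name == "hkcmd.exe" else DROPPER)
    stray = os.path.join(root, "Program Files", "Orphan", "bak")
    os.makedirs(stray)
    with open(os.path.join(stray, "orphan.exe"), "wb") as f:
        f.write(b"no sibling, ignored")


def run_demo():
    """Build the tree, audit, restore, audit again; return a summary dict."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    try:
        build_demo_tree(root)
        before = audit(root)
        restored = restore(root)
        after = audit(root)
        return {
            "pairs": len(before),
            "differing_before": sum(r["differs"] for r in before),
            "max_shared_before": max(r["shared"] for r in before),
            "restored": restored,
            "differing_after": sum(r["differs"] for r in after),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real disk, point `audit` at the drive root first and read the rows before calling `restore`: a "bak" folder is also a perfectly ordinary name for a legitimate backup, so the hash columns and the `shared` count are what tell the two cases apart.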



#77 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • 153 posts

Posted 15 November 2006 - 06:38 PM

This will take a bit, thank you, good night!

#78 beynac

beynac

    Silver Member

  • Visiting Fellow
  • 459 posts

Posted 15 November 2006 - 06:42 PM

Good night and good luck! :) I'm off to bed now.

#79 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • 153 posts

Posted 15 November 2006 - 08:40 PM

This doesn't seem right but here it is.

[The pasted FindAWF output is raw binary data rather than a text report. The only readable parts are wide-character strings (pasted with a space between every letter) naming modules and folders; they are reproduced here with that spacing removed:]

\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTTBLS.NLS
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ERICA\DESKTOP\FINDAWF.EXE
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GDI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCRT4.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEAUT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLE32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CTYPE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTKEY.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\APPHELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\APPPATCH\SYSMAIN.SDB
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\VERSION.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE
\DEVICE\HARDDISKVOLUME2
\DEVICE\HARDDISKVOLUME2\
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ERICA\
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ERICA\DESKTOP\
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ERICA\LOCAL SETTINGS\
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ERICA\LOCAL SETTINGS\TEMP\
\DEVICE\HARDDISKVOLUME2\WINDOWS\
\DEVICE\HARDDISKVOLUME2\WINDOWS\APPPATCH\
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\

#80 beynac

beynac

    Silver Member

  • Visiting Fellow
  • 459 posts

Posted 16 November 2006 - 04:31 AM

This doesn't seem right but here it is.

No, it doesn't! :blink: Something has got corrupted. Please delete FindAWF from your desktop (both yours and the other user's).

Kaspersky Online Scanner

I would like you to run another Kaspersky scan. If it won't run on your user account, then log in as the other user again.

Using Internet Explorer, click on Kaspersky Online Scanner
  • You may be prompted to install an ActiveX component from Kaspersky, Click 'Yes'.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the 'Save as Text' button:
  • Save the file to your desktop.
------------------------------------------------------------

Please post the Kaspersky report and a new HijackThis log.

#81 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • 153 posts

Posted 16 November 2006 - 03:50 PM

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#82 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • 153 posts

Posted 16 November 2006 - 03:51 PM

KASPERSKY ONLINE SCANNER REPORT
Thursday, November 16, 2006 4:18:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/11/2006
Kaspersky Anti-Virus database records: 242458
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41043
Number of viruses found: 2
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:42:26

Infected Object Name / Virus Name / Last Action
C:\!KillBox\rpcc.dll  Infected: Trojan.Win32.Obfuscated.ae  skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log  Object is locked  skipped
C:\Documents and Settings\Erica\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\Erica\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\Erica\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\Erica\Local Settings\History\History.IE5\INDEX.DAT  Object is locked  skipped
C:\Documents and Settings\Erica\Local Settings\History\History.IE5\MSHist012006111520061116\index.dat  Object is locked  skipped
C:\Documents and Settings\Erica\Local Settings\History\History.IE5\MSHist012006111620061117\index.dat  Object is locked  skipped
C:\Documents and Settings\Erica\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\Erica\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\Erica\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\Rick\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\Rick\Desktop\SmitfraudFix\Reboot.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\Rick\Local Settings\History\History.IE5\INDEX.DAT  Object is locked  skipped
C:\Documents and Settings\Rick\Local Settings\History\History.IE5\MSHist012006111620061117\index.dat  Object is locked  skipped
C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\Rick\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\Rick\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\Rick\UserData\index.dat  Object is locked  skipped
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped
C:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped
C:\WINDOWS\SchedLgU.Txt  Object is locked  skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B0A40818-1AE4-4826-B7F7-5C0D97DC797C}.bin  Object is locked  skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{EFAB8A85-2630-45D0-93A4-136EDDD6962E}.bin  Object is locked  skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM  Object is locked  skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG  Object is locked  skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT  Object is locked  skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR  Object is locked  skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP  Object is locked  skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER  Object is locked  skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP  Object is locked  skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP  Object is locked  skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA  Object is locked  skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP  Object is locked  skipped
C:\WINDOWS\WindowsUpdate.log  Object is locked  skipped

Scan process completed.

#83 beynac

beynac

    Silver Member

  • Visiting Fellow
  • 459 posts

Posted 16 November 2006 - 05:08 PM

Some good progress made! The Kaspersky report and the HijackThis log appear to be clean. However, some of the processes have not started as they should have.

Please reboot the computer and open HijackThis.
  • Click on the Open the Misc Tools section button
  • In the Startup List section:
    • Tick List also minor sections (full)
    • Tick List empty sections (complete)
  • Click the Generate Startup List log button
  • Click Yes
  • Copy/paste the contents of the log, as a reply to this post
---------------------------------------------------------------------

Check the settings in AVG Anti-Spyware and make sure that it is up to date:
  • Open AVG Anti-Spyware
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
Please check the following settings:
  • Click the Shield icon at the top and check that Resident shield is... shows inactive.
  • Click the Update icon and confirm that the automatic update option is not ticked.
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under How to act? confirm that Quarantine is shown.
You can now close AVG Anti-Spyware. Do not scan yet.

-------------------------------------------------------------------------

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Boot to Safe Mode. To do this:
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
------------------------------------------------------------------------

Close all open windows and then start AVG Anti-Spyware
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan? - Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Reboot in Normal Mode.

------------------------------------------------------------------------

Some questions:
  • How is the computer running now?
  • Is McAfee functioning? Is the Security Center back?
  • We will need to uninstall and re-install McAfee. Have you got the disk/download?
  • Please see if you have the following files (not the 'bak' folder this time):
  • C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
  • C:\Program Files\Dell Support\DSAgnt.exe
  • C:\Program Files\McAfee.com\Agent\mcagent.exe
----------------------------------------------------------------------

Please post:
  • The HijackThis Startup log
  • The answers to my questions
  • The AVG Anti-Spyware report
  • A new HijackThis log

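beynac's reading of the HijackThis log above ("appear to be clean") rests on a few mechanical checks that can be scripted. The block below is an added example (my code, not HijackThis's own and not anything posted in this thread) that parses log lines by their section code and applies three of those checks: O2/O9 entries whose target is "(no file)" are orphaned COM registrations; O4 autoruns and O23 services are expected to launch from under Windows or Program Files; O20 Winlogon Notify DLLs are expected in system32. The sample lines are copied from the log posted above, plus one constructed O4 line (example_loader, an invented name and path) so the user-profile rule has something to catch. The trusted-root folders are an assumption of this demo; a file passing them is not thereby genuine.

```python
"""Section-code triage for HijackThis log lines (added example, not HijackThis code)."""
import re

# Constructed sample: lines copied from the log posted in this thread, plus one
# invented O4 entry (example_loader) that runs from a user's Temp folder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [example_loader] C:\Documents and Settings\Rick\Local Settings\Temp\example.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
EXE_EXT = (".exe", ".dll", ".scr", ".com", ".bat")
# Demo assumption: autoruns and services are expected to live under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse(log_text):
    """Split each 'Oxx - body' line into its section code and ' - ' separated fields."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            body = m.group("body")
            entries.append({"section": m.group("sec"), "body": body,
                            "fields": [f.strip() for f in body.split(" - ")]})
    return entries


def normalize(path):
    """Lower-case and expand %systemroot% (assumed to be C:\\WINDOWS) for prefix checks."""
    return path.strip().lower().replace("%systemroot%", "c:\\windows")


def first_path(cmd):
    """Executable part of a Run value: the quoted path, or the shortest leading run
    of space-separated tokens that ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[:i + 1])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return tokens[0]  # no extension written (e.g. dumprep): take the first token


def triage(entries):
    """Return (section, item, reason) for every entry a reviewer would act on."""
    findings = []
    for e in entries:
        sec, fields = e["section"], e["fields"]
        if sec in ("O2", "O9") and fields[-1] == "(no file)":
            findings.append((sec, fields[-2], "orphaned COM entry, target file missing"))
        elif sec == "O4":
            name = re.search(r"\[(.*?)\]", e["body"]).group(1)
            cmd = e["body"].split("] ", 1)[1]
            if not normalize(first_path(cmd)).startswith(TRUSTED_ROOTS):
                findings.append((sec, name, "autorun outside Windows/Program Files"))
        elif sec == "O20":
            if not normalize(fields[-1]).startswith("c:\\windows\\system32\\"):
                findings.append((sec, fields[0], "Winlogon Notify DLL outside system32"))
        elif sec == "O23":
            if not normalize(fields[-1]).startswith(TRUSTED_ROOTS):
                findings.append((sec, fields[0], "service binary outside Windows/Program Files"))
    return findings


if __name__ == "__main__":
    for sec, item, reason in triage(parse(SAMPLE_LOG)):
        print(f"{sec:4} {reason}: {item}")
```

On the sample, the two orphaned entries from the posted log and the constructed example_loader autorun are reported; everything else passes, which matches the assessment above but is only a location check, not a verdict on the files themselves.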

#84 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • 153 posts

Posted 16 November 2006 - 06:08 PM

StartupList report, 11/16/2006, 7:02:34 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

[Srv32 spool service]
Adware.Srv32 =

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\SSPIPES.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\mcafee.com\mps\mcbrhlpr.dll - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
(no name) - c:\program files\mcafee.com\mps\popupkiller.dll - {3EC8255F-E043-4cae-8B3B-B191550C2A22}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McAfee.com Scan for Viruses - My Computer (ROSSITER-Rick).job

--------------------------------------------------

Enumerating Download Program Files:

[Support.com Configuration Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlcm.dll
CODEBASE = https://activatemyds...DSL/tgctlcm.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.ma...director/sw.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcaf...90/mcinsctl.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.ma...h/ultrashim.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\system32\mcgdmgr.dll
CODEBASE = http://download.mcaf...,23/mcgdmgr.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcaf...881/mcfscan.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 5,605 bytes
Report generated in 0.171 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#85 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • PipPip
  • 153 posts

Posted 16 November 2006 - 08:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:15:27 PM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
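The log above is a flat text report, and a helper reading it by eye will scan for the same things every time: which section codes appear, which entries carry a CLSID, and which registrations point at "(no file)". The following Python is an added example, not code from this thread or from HijackThis itself, showing how a practitioner might parse HijackThis v1.99-style item lines into records and pull out the orphaned entries. The sample log embedded in it is constructed to mirror the format of the post (a few lines reuse values visible above; "Example Guard" and "Example Vendor" are invented placeholders).

```python
"""Parse HijackThis v1.99-style log lines and flag orphaned "(no file)" entries.

Added example; not part of the thread or of HijackThis.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A HijackThis item line has the form "<section code> - <body>", for instance:
#   O2 - BHO: <name> - {CLSID} - <dll path>
#   O4 - HKCU\..\Run: [<value name>] <command line>
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str             # section code such as "O2", "O16", "O23"
    body: str             # everything after "<code> - "
    clsid: Optional[str]  # first CLSID on the line, if any
    target: str           # last " - " field: file path, URL or "(no file)";
                          # for lines without " - " (R1, O4) it is the whole body

    @property
    def orphan(self) -> bool:
        # A registration whose file is gone. Not malicious by itself, but a
        # leftover worth cleaning and a hint that something was removed.
        return self.target == "(no file)"


def parse_log(text: str) -> List[Entry]:
    """Turn the item lines of a HijackThis log into Entry records.

    Header lines and the "Running processes:" block do not match LINE_RE
    and are skipped.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid = CLSID_RE.search(body)
        target = body.rsplit(" - ", 1)[-1].strip()
        entries.append(Entry(code, body, clsid.group(0) if clsid else None, target))
    return entries


def orphans(entries: List[Entry]) -> List[Entry]:
    """Entries whose registered file no longer exists."""
    return [e for e in entries if e.orphan]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count of entries per section code, in first-seen order."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


# Constructed sample mirroring the format of the log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Example Browser
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Example Guard - Example Vendor - C:\Program Files\Example\guard.exe
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for e in orphans(parsed):
        print("orphan:", e.code, e.clsid)
```

The parser deliberately keeps `body` intact so that nothing is lost when a line does not follow the three-field "name - CLSID - path" shape; `target` is only a convenience for the common sections. On the log in this thread, the same logic would surface the two "(no file)" registrations, the O2 BHO and the O9 extra button.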


#86 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • PipPip
  • 153 posts

Posted 16 November 2006 - 08:38 PM

OOOOOOOOOOKKKKKKKKKKKKK, here goes! I think I have some good news and some bad news but I guess you will be the judge of that. First, as you can see I posted the "startup log" and the "normal" log above. Second, the AVG scan showed nothing so no report was generated. Now, the answers to your questions...

1. The computer seems to be running fine. I have not been using the internet too much for obvious reasons but it seems to be running smoothly when I get on to reply to you or download something you request.
2. McAfee icons are back but the security center and virus protection still say "not installed". My McAfee service comes from their website, I have no disc.
3. Now for the bad news...maybe. The "bak" files are all still there. They read:

C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe
C:\Program Files\Dell Support\bak\DSAgnt.exe
C:\Program Files\McAfee.com\Agent\bak\mcagent.exe

#87 beynac

beynac

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 459 posts

Posted 17 November 2006 - 04:32 PM

Actually, it's all good news! :) I expected the 'bak' folders to still be there. It was the original folders that I asked about - no problem though. The malware had copied the files from the original folders and placed them in the 'bak' folders. It had then corrupted/replaced the original file in the original folder. The batch file you ran copied the good files back into the original folders and overwrote the bad ones. We have kept the 'bak' folders because they contain a backup of the good files. Does that make sense? It's not easy to explain. :blink:

We mustn't get complacent, but the clean scans and logs are a very good sign. Some registry entries have been removed and we need to replace them. These include the startup entries for McAfee. I want to re-instate the registry entries and check if everything is working.

Whatever happens, I think that you will need to re-install McAfee. We don't know exactly what the malware has done to the settings. Have you got the uninstall/re-install instructions? If not, let me know exactly which program(s) you have and I will try to get them for you.

I'm waiting to have my registry fix checked by an expert. In the meantime, please let me know about your McAfee program(s).

Edited by beynac, 17 November 2006 - 04:40 PM.

beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)
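The post above describes the state the batch file was meant to leave behind: each 'bak' folder holds a known-good copy, and the file of the same name one level up should now be identical to it. A quick way to confirm that, rather than trusting the copy blindly, is to hash each backup and its sibling original and report matches, mismatches and originals that are still missing. The Python below is an added example, not the helper's batch file or anything from the thread; it builds a throwaway directory tree (constructed, mirroring the `...\bak\` layout listed in the thread, with made-up file contents) and runs the comparison over it.

```python
"""Check that files restored beside 'bak' folders match the backup copies.

Added example; not the batch file used in the thread.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_backups(root: Path) -> Dict[str, List[str]]:
    """Walk `root`; for every directory named 'bak', compare each file in it
    with the same-named file in the parent directory.

    Returns {"match": [...], "mismatch": [...], "missing": [...]} holding the
    ORIGINAL (parent-folder) paths relative to root, using '/' separators.
    """
    result: Dict[str, List[str]] = {"match": [], "mismatch": [], "missing": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in filenames:
            backup = d / name
            original = d.parent / name
            rel = original.relative_to(root).as_posix()
            if not original.exists():
                result["missing"].append(rel)       # restore never happened
            elif sha256_of(original) == sha256_of(backup):
                result["match"].append(rel)         # restored copy is identical
            else:
                result["mismatch"].append(rel)      # original still differs from backup
    for key in result:
        result[key].sort()
    return result


def build_sample_tree() -> Path:
    """Constructed sample tree (temporary directory, not a real machine)
    mirroring the Program Files\\...\\bak layout from the thread.
    File contents are arbitrary bytes chosen to exercise each outcome."""
    root = Path(tempfile.mkdtemp(prefix="bakcheck_"))
    layout = {
        "Java/bin":         ("jusched.exe", b"good-bytes-1", b"good-bytes-1"),  # restored correctly
        "Dell Support":     ("DSAgnt.exe",  b"good-bytes-2", b"other-bytes"),   # original still differs
        "McAfee.com/Agent": ("mcagent.exe", b"good-bytes-3", None),             # original never restored
    }
    for sub, (name, bak_bytes, orig_bytes) in layout.items():
        bakdir = root / sub / "bak"
        bakdir.mkdir(parents=True)
        (bakdir / name).write_bytes(bak_bytes)
        if orig_bytes is not None:
            (root / sub / name).write_bytes(orig_bytes)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for status, files in compare_with_backups(sample_root).items():
        print(f"{status}: {files}")
```

On a real machine the same function would be pointed at `C:\Program Files`; a non-empty "mismatch" or "missing" list is the signal that the restore did not complete and the file needs another look before the 'bak' folders are considered redundant.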

#88 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • PipPip
  • 153 posts

Posted 17 November 2006 - 04:49 PM

For McAfee, I believe I can just go to their site and reinstall from there. I can't find the exact version I am running for the firewall, security center and virus scan as I am unable to access the properties. Would it be best to uninstall and try to reinstall from their website? Please let me know and I will look for a response from you on Saturday. Thanks again!

#89 beynac

beynac

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 459 posts

Posted 17 November 2006 - 04:59 PM

Would it be best to uninstall and try to reinstall from their website?

Yes, but not yet! We'll take it one step at a time. Don't do anything yet - I'll post again as soon as I get approval for my registry fix.

#90 beynac

beynac

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 459 posts

Posted 18 November 2006 - 05:20 AM

Good morning. :)

A change of plan. I haven't had an answer back yet on my registry fix, but I've been looking into McAfee uninstallation. I wanted to tidy up after the infection before uninstalling it because anti-virus programs can cause difficulties if they don't uninstall cleanly. However, there is a McAfee tool for removing all remnants of their products if a clean uninstall doesn't work.

I suggest that you find all of the documentation relating to your McAfee purchase (presumably an email). Note any codes or procedures for re-installation.

Download and run the McAfee Removal tool
  • Download the removal tool from here
  • Click Save and save the file to your desktop.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically.
  • Wait for a second Command Line window to be displayed. (Do not double-click MCPR.exe again.) The program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    "The machine must reboot to complete the un-installation. Reboot now? [y.n]"
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.

------------------------------------------------------------------

Re-install your McAfee programs. Follow any instructions given in your purchase documentation. If you need any further help, try these links:

Installation of your McAfee programs: here. The instructions for Subscription Installation (which I believe you have) are at the bottom of the page.

If the download doesn't include the Security Center, go here.

------------------------------------------------------------------

Let me know how you get on. I'll get back to you with the revised registry fix as soon as I get approval.
