Hijackthis log


This topic is locked
185 replies to this topic

#121 beynac
    Silver Member
  • Visiting Fellow
  • 459 posts

Posted 21 November 2006 - 03:13 AM

I'll look into the problem of the blank browser windows. Thanks for letting me know that the file has definitely gone.

Once you have clicked the Copy button in GMER, as you say, the report has been copied to your clipboard. No file is created. When you come to post it, right-click in the reply box and select Paste. The report should now be there. If you are unable to post straight away, you can open Notepad and paste it into a blank document and save it to your desktop.

Please run GMER again and post the report, together with a new HijackThis log.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)



#122 rsre15
    Authentic Member
  • 153 posts

Posted 22 November 2006 - 01:00 PM

Hello! :) Sorry for the delay! I have bad news: the malware, adware, spyware or whatever ware is back. :angry: I went on the internet for the first time in two days and my Google search results are sending me to different sites (EBAY, Stopzilla etc.). I will post a new HijackThis log below. :(

#123 rsre15
    Authentic Member
  • 153 posts

Posted 22 November 2006 - 01:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:59:54 PM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59D676E0-3A42-4268-968A-63FAC66D85BA}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
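
Added example (not from the thread or from HijackThis itself): a small triage script over the O17 lines in the log above. It extracts the NameServer addresses from every control set, flags any that fall outside an assumed allowlist of resolvers the home router or ISP is expected to provide, and lists the "(no file)" orphan entries; the log excerpt, the allowlist and the function names are constructed here.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in this thread: the proxy
# override, two O2 entries (one orphaned) and the four O17 NameServer lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{59D676E0-3A42-4268-968A-63FAC66D85BA}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
"""

# Assumed allowlist: resolvers this home network is expected to use (the
# router on the LAN). A real triage would add the ISP's published resolvers;
# anything else hard-coded in Tcpip\Parameters deserves a look.
EXPECTED_RESOLVERS = ["192.168.0.0/16", "10.0.0.0/8"]

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line.

    HijackThis prints the interface-specific key with comma-separated
    servers and the Tcpip\\Parameters keys with space-separated ones, so
    both separators are accepted.
    """
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if match:
            servers = [s for s in re.split(r"[,\s]+", match.group("servers")) if s]
            entries.append((match.group("key"), servers))
    return entries


def flag_unexpected_resolvers(log_text, expected):
    """Map each NameServer address outside `expected` to the keys carrying it.

    The keys matter: CCS is the live control set, CS1/CS2 are the stored
    ones, so a value present in all of them survives a "Last Known Good"
    boot and has to be corrected in each control set.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in expected]
    flagged = defaultdict(set)
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                flagged[server].add(key)  # not an address at all: report as-is
                continue
            if not any(addr in net for net in networks):
                flagged[str(addr)].add(key)
    return {addr: sorted(keys) for addr, keys in flagged.items()}


def orphan_entries(log_text):
    """O2/O3/O9 entries whose handler file is gone but whose key remains."""
    return [
        line.strip()
        for line in log_text.splitlines()
        if line.startswith(("O2 ", "O3 ", "O9 ")) and line.rstrip().endswith("(no file)")
    ]


def triage_report(log_text, expected=EXPECTED_RESOLVERS):
    """Plain-text summary suitable for pasting back into a help thread."""
    lines = []
    flagged = flag_unexpected_resolvers(log_text, expected)
    if flagged:
        lines.append("NameServer values outside the expected resolver set:")
        for addr, keys in sorted(flagged.items()):
            lines.append(f"  {addr}  (set in {len(keys)} key(s))")
            lines.extend(f"      {k}" for k in keys)
        lines.append("A search-result redirect together with hard-coded resolvers in "
                     "every control set is consistent with DNS-level redirection; "
                     "verify with ipconfig /all and set the interface back to "
                     "obtaining DNS automatically.")
    else:
        lines.append("All NameServer values fall inside the expected resolver set.")
    for entry in orphan_entries(log_text):
        lines.append(f"Orphaned entry (file missing, key left behind): {entry}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_LOG))
```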

#124 beynac
    Silver Member
  • Visiting Fellow
  • 459 posts

Posted 22 November 2006 - 02:00 PM

Hi.

How disappointing!! There is obviously something hiding. The only other alternative is that you have re-visited the site that originally infected the computer. Please let me know if this is likely. Please run a GMER scan and post the report. I will post with some more advice once I have seen the GMER report.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#125 rsre15
    Authentic Member
  • 153 posts

Posted 22 November 2006 - 04:59 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:59:54 PM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59D676E0-3A42-4268-968A-63FAC66D85BA}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#126 rsre15
    Authentic Member
  • 153 posts

Posted 22 November 2006 - 05:06 PM

I guess it is possible that we revisited the site. Four people use this computer. While we were in the process of cleaning the infection I did not allow anyone to use the internet. In the last two days we (wife and kids) started using the internet a bit more because it looked as if everything was just about back to normal. What kind of site would have caused the infection? Porn? Not likely in this house. My kids enjoy going on different "gaming" sites. I know some of the gambling sites are known to cause problems, but the only ones I go on are free: Party Poker, ESPN poker.

#127 beynac
    Silver Member
  • Visiting Fellow
  • 459 posts

Posted 22 November 2006 - 05:16 PM

Hi. It doesn't sound as if you have reloaded the malware. In most cases, you have to actually agree to download something. If not, your McAfee software should protect you.

You have re-posted the HijackThis log. I was after a GMER scan. :)

Please run a GMER rootkit scan:
Important: Close all open windows and do not use the computer during the scan.
  • Double-click GMER.exe to start the program.
  • Do not select the Show all checkbox.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
  • If no warning, click the Rootkit tab and then the Scan button.
  • When the scan has completed, click the Copy button.
  • Paste the results in your next reply.
Note: Once you have clicked the Copy button in GMER the report has been copied to your clipboard. No file is created. When you come to post it, right-click in the reply box and select Paste. The report should now be there. If you want to save a copy, you can open Notepad and paste it into a blank document and save it to your desktop.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#128 rsre15
    Authentic Member
  • 153 posts

Posted 23 November 2006 - 07:25 AM

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-23 07:11:08
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\SYSTEM32\winlogon.exe[652] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00BF5B5A
.text C:\WINDOWS\SYSTEM32\winlogon.exe[652] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00BF5D3A
.text C:\WINDOWS\SYSTEM32\winlogon.exe[652] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00BF5EB0
.text C:\WINDOWS\SYSTEM32\winlogon.exe[652] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00BF61EE
.text C:\WINDOWS\SYSTEM32\winlogon.exe[652] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00BF60ED
.text C:\WINDOWS\SYSTEM32\winlogon.exe[652] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00BF5FC3
.text C:\WINDOWS\SYSTEM32\winlogon.exe[652] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00BF5C2D
.text C:\WINDOWS\explorer.exe[1288] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A87600
.text C:\WINDOWS\explorer.exe[1288] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009D5D3A
.text C:\WINDOWS\explorer.exe[1288] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009D5EB0
.text C:\WINDOWS\explorer.exe[1288] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009D61EE
.text C:\WINDOWS\explorer.exe[1288] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009D60ED
.text C:\WINDOWS\explorer.exe[1288] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 009D5FC3
.text C:\WINDOWS\explorer.exe[1288] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 00A87650
.text C:\WINDOWS\explorer.exe[1288] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 009D5C2D
.text C:\WINDOWS\explorer.exe[1288] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe[2068] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00875B5A
.text C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe[2068] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00875D3A
.text C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe[2068] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00875EB0
.text C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe[2068] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008761EE
.text C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe[2068] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008760ED
.text C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe[2068] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00875FC3
.text C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe[2068] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00875C2D
.text C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe[2068] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00923E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2084] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 008C5B5A
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2084] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008C5D3A
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2084] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008C5EB0
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2084] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008C61EE
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2084] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008C60ED
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2084] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 008C5FC3
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2084] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 008C5C2D
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2084] WS2_32.dll!connect 71AB406A 5 Bytes JMP 016E3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\PROGRA~1\McAfee.com\MPS\mscifapp.exe[2108] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 003A5B5A
.text C:\PROGRA~1\McAfee.com\MPS\mscifapp.exe[2108] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 003A5D3A
.text C:\PROGRA~1\McAfee.com\MPS\mscifapp.exe[2108] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 003A5EB0
.text C:\PROGRA~1\McAfee.com\MPS\mscifapp.exe[2108] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 003A61EE
.text C:\PROGRA~1\McAfee.com\MPS\mscifapp.exe[2108] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 003A60ED
.text C:\PROGRA~1\McAfee.com\MPS\mscifapp.exe[2108] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 003A5FC3
.text C:\PROGRA~1\McAfee.com\MPS\mscifapp.exe[2108] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 003A5C2D
.text C:\PROGRA~1\McAfee.com\MPS\mscifapp.exe[2108] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01FD3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2128] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00895B5A
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2128] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00895D3A
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2128] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00895EB0
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2128] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008961EE
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2128] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008960ED
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2128] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00895FC3
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2128] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00895C2D
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2128] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00943E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2136] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00865B5A
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2136] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00865D3A
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2136] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00865EB0
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2136] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008661EE
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2136] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008660ED
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2136] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00865FC3
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2136] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00865C2D
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2136] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00913E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2144] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 003C5B5A
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2144] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 003C5D3A
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2144] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 003C5EB0
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2144] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 003C61EE
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2144] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 003C60ED
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2144] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 003C5FC3
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2144] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 003C5C2D
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2144] WS2_32.dll!connect 71AB406A 5 Bytes JMP 02313E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2152] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00AE5B5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2152] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00AE5D3A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2152] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00AE5EB0
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2152] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00AE61EE
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2152] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00AE60ED
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2152] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00AE5FC3
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2152] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00AE5C2D
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2152] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01363E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[2160] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00955B5A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[2160] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00955D3A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[2160] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00955EB0
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[2160] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009561EE
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[2160] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009560ED
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[2160] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00955FC3
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[2160] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00955C2D
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[2160] WS2_32.dll!connect 71AB406A 5 Bytes JMP 009E3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe[2176] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00925B5A
.text C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe[2176] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00925D3A
.text C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe[2176] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00925EB0
.text C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe[2176] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009261EE
.text C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe[2176] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009260ED
.text C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe[2176] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00925FC3
.text C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe[2176] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00925C2D
.text C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe[2176] WS2_32.dll!connect 71AB406A 5 Bytes JMP 009B3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe[2184] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00965B5A
.text C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe[2184] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00965D3A
.text C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe[2184] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00965EB0
.text C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe[2184] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009661EE
.text C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe[2184] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009660ED
.text C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe[2184] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00965FC3
.text C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe[2184] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00965C2D
.text C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe[2184] WS2_32.dll!connect 71AB406A 5 Bytes JMP 02933E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[2192] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00385B5A
.text C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[2192] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00385D3A
.text C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[2192] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00385EB0
.text C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[2192] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 003861EE
.text C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[2192] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 003860ED
.text C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[2192] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00385FC3
.text C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[2192] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00385C2D
.text C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[2192] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[2208] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00275B5A
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[2208] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00275D3A
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[2208] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00275EB0
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[2208] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 002761EE
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[2208] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 002760ED
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[2208] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00275FC3
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[2208] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00275C2D
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00885B5A
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00885D3A
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00885EB0
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008861EE
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008860ED
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00885FC3
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00885C2D
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00933E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00875B5A
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00875D3A
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00875EB0
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008761EE
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008760ED
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00875FC3
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00875C2D
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00923E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[2240] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00395B5A
.text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[2240] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00395D3A
.text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[2240] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00395EB0
.text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[2240] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 003961EE
.text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[2240] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 003960ED
.text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[2240] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 00395FC3
.text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[2240] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 00395C2D
.text C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe[2760] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 003A5B5A
.text C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe[2760] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 003A5D3A
.text C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe[2760] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 003A5EB0
.text C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe[2760] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 003A61EE
.text C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe[2760] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 003A60ED
.text C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe[2760] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 003A5FC3
.text C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe[2760] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 003A5C2D
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3548] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00EA3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\SYSTEM32\igfxsrvc.exe[3840] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00D73E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 008F5B5A
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008F5D3A
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008F5EB0
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008F61EE
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008F60ED
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] ntdll.dll!NtQueryValueKey 7C90E1FE 5 Bytes JMP 008F5FC3
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] ntdll.dll!NtSetValueKey 7C90E7BC 5 Bytes JMP 008F5C2D
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] WS2_32.dll!connect 71AB406A 5 Bytes JMP 012D3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE EF296C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE EF2937C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ EF28F60A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE EF28FAED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION EF29A958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION EF29D821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA EF2A638A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA EF2A5D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS EF29FBBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION EF2A0331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION EF2AE4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL EF296B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL EF292948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL EF29C46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN EF2AD79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL EF2ACC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP EF2932FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP EF2AD1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible EF2A81F9
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F049A701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F049A701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F049A701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F049A701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F049A701] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F049A89D] tfsnifs.sys

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins@}0F798E0C3F81-127B-6594-0B61-0B81FDB3{ 0x25 0x4A 0x00 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins@}4C3F80904BD4-4ED8-E834-2E2E-5A6392B7{ 0x05 0x30 0x00 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins@mulmd 0x6D 0x0C 0x00 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dmlum.exe C:\WINDOWS\system32\dmlum.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dmlum.exe C:\WINDOWS\system32\dmlum.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@rzdsc 0xC9 0x57 0xBB 0x8C ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csdzr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csdzr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csdzr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csdzr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csdzr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csdzr.exe
Reg \Registry\USER\S-1-5-21-4286219616-3432336093-1662344221-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\WINDOWS\system32\dmiap.exe dmiap

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe:SummaryInformation
ADS C:\Documents and Settings\Rick\Desktop\Hijackthis\NoHiding.exe.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Program Files\Doras 3-D Driving Adventure\dorarace.exe:{0156560E-1815-FA3F-E64D-8C05FEA2BA59}
File C:\WINDOWS\SYSTEM32\csdzr.exe
File C:\WINDOWS\SYSTEM32\dmlum.exe

---- EOF - GMER 1.0.12 ----
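
Every user-mode hook line in the GMER report above has the same shape (process[pid], module!export, original address, patch size, JMP target, and an owning module when GMER can resolve the target to a mapped image). The question that matters for triage is not whether hooks exist but who owns them and whether the same hook appears identically in every process, which is the signature of one security product's DLL injected everywhere rather than a one-off implant. The following is an added example, not GMER's code and not from anyone in this thread; the sample lines are constructed from a few entries in the report, and the "same low 16 bits of the target address" heuristic is an assumption based on Windows mapping DLLs at 64 KiB-aligned bases.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the GMER 1.0.12 user-mode hook format,
# copied in shape (and values) from the report above.
SAMPLE_GMER = r"""
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00885B5A
.text C:\WINDOWS\SYSTEM32\hkcmd.exe[2224] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00933E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00875B5A
.text C:\WINDOWS\SYSTEM32\igfxpers.exe[2232] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00923E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Documents and Settings\Rick\Desktop\gmer.exe[4032] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008F61EE
"""

HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<func>\S+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<owner>\S.*))?$"
)


def parse_hooks(text):
    """Parse GMER user-mode hook lines into dicts; lines of other kinds are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["target"] = int(h["target"], 16)
        hooks.append(h)
    return hooks


def summarize(hooks):
    """Group hooks by hooked export: which processes, which owner modules, target offsets."""
    summary = defaultdict(lambda: {"pids": set(), "owners": set(), "offsets": set()})
    for h in hooks:
        entry = summary[f"{h['module']}!{h['func']}"]
        entry["pids"].add(h["pid"])
        if h["owner"]:
            entry["owners"].add(h["owner"].lower())
        # Assumption: DLLs are mapped at 64 KiB-aligned bases, so the same code in
        # the same DLL keeps the same low 16 bits of its address in every process.
        entry["offsets"].add(h["target"] & 0xFFFF)
    return dict(summary)


def triage(hooks):
    """One finding per hooked export with a plain-language classification."""
    findings = []
    for export, e in sorted(summarize(hooks).items()):
        if e["owners"]:
            kind = "attributed to " + ", ".join(sorted(e["owners"]))
        elif len(e["pids"]) > 1 and len(e["offsets"]) == 1:
            kind = "unattributed, but identical code offset in every process (one injected module)"
        else:
            kind = "unattributed, seen in one process only or with differing targets: examine individually"
        findings.append({"export": export, "processes": len(e["pids"]), "kind": kind})
    return findings


if __name__ == "__main__":
    for row in triage(parse_hooks(SAMPLE_GMER)):
        print(f"{row['export']:<32} {row['processes']:>2} process(es): {row['kind']}")
```

An unattributed hook is not by itself evidence of a rootkit: security suites inject unnamed code too, and in this thread the helper's second opinion on this very report was that there was no sign of one. The script only separates "known owner", "same thing everywhere" and "look at this one by hand".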

#129 beynac

beynac

    Silver Member

  • Visiting Fellow
  • 459 posts

Posted 23 November 2006 - 08:02 AM

Thanks for the GMER report. I am going to get some advice on this. I've had a quick look through the report. I can see the Wareout infection, which is the one we started with, but not much else. I don't want to deal with this until I've had a chance to go through the report in detail and, as I said, get a second opinion on it. One point - your copy of HijackThis (NoHiding) had shown up on the report. It shouldn't!! Please delete it immediately. I'm not sure what has happened but let's get rid of it straight away. I'll get you to download a fresh copy when we need it. I'll get back to you as soon as I can.
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#130 beynac

beynac

    Silver Member

  • Visiting Fellow
  • 459 posts

Posted 23 November 2006 - 03:42 PM

Hi.

The Wareout infection has returned. The expert I referred this to believes that the re-infection has come from Party Poker and other poker/online gaming sites. Please avoid these until we have cleaned the computer. I will get some further information for you, to help you decide what is safe and what isn't. The good news is that there is no sign of a rootkit. So, let's get it cleaned up again!

----------------------------------------------------------------------

Your copy of HijackThis wasn't infected. Still - better safe than sorry. :) Please download another copy from here. Extract the program into the Hijackthis folder on your desktop. You don't need to rename it this time.

----------------------------------------------------------------------

Please make sure that AVG Anti-Spyware is up to date.
  • Open the program
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • Close the program
-----------------------------------------------------------------

Open Killbox

Copy the entire text within the quote box below.

C:\WINDOWS\SYSTEM32\csdzr.exe
C:\WINDOWS\SYSTEM32\dmlum.exe
C:\WINDOWS\system32\dmiap.exe

  • Open Killbox
  • Click the option Delete on Reboot
  • Click on the All Files button
  • Go to File and click on Paste from Clipboard
  • If no files appear in the drop-down box, please stop and let me know
  • Click on the red button with the white 'X' on it (Delete File)
  • Wait for the confirmation message that will ask you to Reboot Now
  • Click NO This is very important!
  • Exit the program
Do NOT reboot your computer

------------------------------------------------------------------

We now need to run FixWareout again. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Run FixWareout. The fix will begin - follow the prompts. You will be asked to reboot your computer. Please do so (your system may take longer than usual to load - this is normal).

At the end of the fix, you may need to restart your computer again.

------------------------------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

O17 - HKLM\System\CCS\Services\Tcpip\..\{59D676E0-3A42-4268-968A-63FAC66D85BA}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

-----------------------------------------------------------------

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Boot to Safe Mode. To do this:
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan? - Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Reboot in Normal Mode.

----------------------------------------------------------------

Now let's check some settings on your system.

Click on Start and then Control Panel.
If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise, double-click on Network Connections.
Then right-click on your default connection, usually Local Area Connection, and left-click on Properties. Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.

Next, click on Start, then Run, type cmd and click OK. A command prompt (black window) will open.
Type ipconfig /flushdns (that space between g and / is needed)
Hit the Enter key, type exit then hit Enter again.

---------------------------------------------------------------

Please post:
  • The FixWareout report (C:\fixwareout\report.txt)
  • The AVG Anti-Spyware report
  • A new HijackThis log

Edited by beynac, 23 November 2006 - 03:46 PM.

beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)
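
The O17 entries the helper asks to fix are the DNS-hijack half of this infection: the interface GUID key and every ControlSet copy (CCS, CS1, CS2) carry the same foreign resolvers, and, as the next HijackThis log in this thread shows, the addresses change between scans. A check therefore works better when it compares the configured resolvers against the ones the machine should be using than when it matches a fixed list of bad addresses. The following is an added example, not HijackThis's code and not the helper's; the 192.168.1.0/24 "expected" network and the sample log are constructed (the 85.255.x.x addresses are the ones the logs in this thread show).

```python
import ipaddress
import re

# Constructed sample in HijackThis v1.99.1 log format. The 85.255.x.x resolvers are
# the ones the logs in this thread show; 192.168.1.1 is a made-up router address.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{59D676E0-3A42-4268-968A-63FAC66D85BA}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(text):
    """Return [{'key': registry path, 'servers': [ip, ...]}] for every O17 line."""
    entries = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis prints the per-interface list comma-separated and the
        # Parameters lists space-separated; accept both.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append({"key": m.group("key"), "servers": servers})
    return entries


def check_nameservers(entries, expected):
    """Flag every configured resolver that is not inside an expected network.

    expected: addresses or CIDR networks the machine should be using (its router,
    the ISP's resolvers). Anything else is reported, whatever range it is in.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in expected]
    findings = []
    for entry in entries:
        for server in entry["servers"]:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((entry["key"], server, "not an IP address"))
                continue
            if not any(addr in net for net in nets):
                findings.append((entry["key"], server, "unexpected resolver"))
    return findings


def hijacked_keys(findings):
    """Distinct registry keys that need fixing. Each ControlSet copy is listed
    on its own because each is a separate place the setting can survive in."""
    return sorted({key for key, _, _ in findings})


if __name__ == "__main__":
    found = check_nameservers(parse_o17(SAMPLE_HJT), ["192.168.1.0/24"])
    for key, server, why in found:
        print(f"{why}: {server} in {key}")
    print("keys to fix:", hijacked_keys(found))
```

Run it against a saved HijackThis log with the router or ISP resolvers as the expected list; a clean machine set to obtain DNS automatically produces no O17 lines at all, so any finding after the fix means a ControlSet copy was missed or the setting has been rewritten again.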

#131 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • 153 posts

Posted 23 November 2006 - 05:22 PM

No files appeared in the drop-down box of Killbox!

#132 beynac

beynac

    Silver Member

  • Visiting Fellow
  • 459 posts

Posted 24 November 2006 - 01:45 AM

Hi.

No problem; it probably means that the file names have changed since the GMER scan. We'll have to do it in two stages.

We need to run FixWareout again. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Run FixWareout. The fix will begin - follow the prompts. You will be asked to reboot your computer. Please do so (your system may take longer than usual to load - this is normal).

Important: Do not reboot your computer until I post again.

-------------------------------------------------------------------

I would like to confirm that none of those files are still there. Select the contents of the Quote Box below, right-click and copy it, then paste into Notepad.

@echo off
REM Write a present/missing verdict for each file to beynac.txt, then open it in Notepad.
echo List of files: >> beynac.txt
echo ************* >> beynac.txt
if exist "C:\WINDOWS\system32\dmiap.exe" (echo C:\WINDOWS\system32\dmiap.exe - present >> beynac.txt) else (echo C:\WINDOWS\system32\dmiap.exe - missing >> beynac.txt)
if exist "C:\WINDOWS\SYSTEM32\csdzr.exe" (echo C:\WINDOWS\SYSTEM32\csdzr.exe - present >> beynac.txt) else (echo C:\WINDOWS\SYSTEM32\csdzr.exe - missing >> beynac.txt)
if exist "C:\WINDOWS\SYSTEM32\dmlum.exe" (echo C:\WINDOWS\SYSTEM32\dmlum.exe - present >> beynac.txt) else (echo C:\WINDOWS\SYSTEM32\dmlum.exe - missing >> beynac.txt)
notepad beynac.txt
REM The batch file removes itself once Notepad is closed.
del beynac.bat

Still in Notepad, go to Format (upper menu bar) and untick Word Wrap
Go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: beynac.bat
Save as Type: Any file
Click: Save
Exit out of Notepad.

On the Desktop, double-click on beynac.bat. This will create a text file (beynac.txt).

-------------------------------------------------------------

Finally, please post:
  • The FixWareout logfile (C:\fixwareout\report.txt)
  • The contents of the text file (beynac.txt)
  • A new HijackThis log

beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)

#133 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • 153 posts

Posted 24 November 2006 - 07:37 AM

List of files:
*************
C:\WINDOWS\system32\dmiap.exe - missing
C:\WINDOWS\SYSTEM32\csdzr.exe - missing
C:\WINDOWS\SYSTEM32\dmlum.exe - missing

#134 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • 153 posts

Posted 24 November 2006 - 07:38 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:33:26 AM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Rick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59D676E0-3A42-4268-968A-63FAC66D85BA}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#135 rsre15

rsre15

    Authentic Member

  • Authentic Member
  • PipPip
  • 153 posts

Posted 24 November 2006 - 07:40 AM

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0F798E0C3F81-127B-6594-0B61-0B81FDB3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4C3F80904BD4-4ED8-E834-2E2E-5A6392B7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\pnumd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmunp.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSPLJ.EXE 51,730 2006-11-22
C:\WINDOWS\SYSTEM32\DMUNP.EXE 60,462 2004-08-12

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
