[Resolved] Random errors


  • This topic is locked
32 replies to this topic

#1 sk2200

  • Authentic Member
  • 43 posts

Posted 28 November 2008 - 07:59 PM

I randomly started having a system meltdown.

I got errors in system32 folders, acpi.sys, and \i386\ntkrnlmp.exe.

I got the blue screen of death for a bit. I am on my faulty computer right now. Unfortunately I cannot copy, paste, or drag. If I could, I would want to just copy all my information onto CDs and flash drives and then just reinstall Windows. That is my plan at least. I don't know what to do. Any information would be useful. Here is my HijackThis printout. I have no clue what one should look like, so here.

Please help. Let me know if there is more information that you need.

---------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:04 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-41CD-A9C3-9E7A8D54F67E} - (no file)
O2 - BHO: (no name) - {00000000-0000-41D0-AC34-2F527C5D73C0} - (no file)
O2 - BHO: (no name) - {00000000-0000-44B9-93E9-7C06E053E603} - (no file)
O2 - BHO: (no name) - {00000000-0000-454D-846D-C58A4703BB13} - (no file)
O2 - BHO: (no name) - {00000000-0000-459C-9431-DCC79EBD28D5} - (no file)
O2 - BHO: (no name) - {00000000-0000-4605-AF20-2FE6FDC0C8BA} - (no file)
O2 - BHO: (no name) - {00000000-0000-471D-B8DD-14A86375FAB8} - (no file)
O2 - BHO: (no name) - {00000000-0000-4902-9464-3B4B93C142DA} - (no file)
O2 - BHO: (no name) - {00000000-0000-4A51-8416-487F2E9D62E4} - (no file)
O2 - BHO: (no name) - {00000000-0000-4A72-8CDA-5F621B3A2BAB} - (no file)
O2 - BHO: (no name) - {00000000-0000-4B5D-9A9D-F09A0D172484} - (no file)
O2 - BHO: (no name) - {00000000-0000-4C21-848F-5E2A5D6D2373} - (no file)
O2 - BHO: (no name) - {00000000-0000-4C22-A31A-0FDB9B1781A4} - (no file)
O2 - BHO: (no name) - {00000000-0000-4E80-83AE-71AC3A168AE7} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10ADCD4E-EE28-4064-B4E2-6A953BCB32A6} - (no file)
O2 - BHO: (no name) - {1E9DCE57-D1D0-4C51-A7D4-E01677B945F3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3196C868-83C9-47A5-8109-177F24711B3D} - (no file)
O2 - BHO: (no name) - {345D7CF0-2C6E-4A47-A422-35232366E9E7} - (no file)
O2 - BHO: (no name) - {3C55DBE7-C6B8-475E-971B-8FB86AB07703} - (no file)
O2 - BHO: (no name) - {48259238-FC92-4AE4-B632-5FE0682D48C7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58B0CDBD-0B90-4F6A-89AD-3133C234B375} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {753302A0-037A-4089-967F-5C0F1476039E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7908953C-7477-4950-A7BF-B9BDB79C1217} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8D6A1F08-F7DD-4F85-9B2E-3AF604354328} - (no file)
O2 - BHO: (no name) - {92C260D1-8BAC-4095-85CD-DAF6A1D67CB4} - (no file)
O2 - BHO: (no name) - {AD4BB598-B97A-40F8-A227-F17CCC978192} - (no file)
O2 - BHO: (no name) - {AED2C40A-9BE6-4436-9ACF-16AFF65CD426} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {BAEF0FFA-0068-4B3D-B8F9-188345032399} - (no file)
O2 - BHO: (no name) - {C0F6BFE3-109E-4E66-8699-E78721DB5C76} - (no file)
O2 - BHO: (no name) - {D2574F54-A61B-4915-A64C-DFC15D8B5D93} - (no file)
O2 - BHO: (no name) - {DC8B6358-6D67-4AF6-ACB0-9E9BA5A9099F} - (no file)
O2 - BHO: (no name) - {E64E4E12-84DC-4A1E-A75D-CE60F41B9712} - (no file)
O2 - BHO: (no name) - {F0CF53D0-C629-4EAC-AA96-DFF78E317D72} - (no file)
O2 - BHO: (no name) - {F52973A8-8AA5-4F92-8472-22F85EACB176} - (no file)
O2 - BHO: (no name) - {FAC19AC3-A3B6-4154-9588-0EE7142B2D4E} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D4F3-F66DA787AD2D} - (no file)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\RunServices: [System Support] system32.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - S-1-5-21-3621179708-1224430818-1101987789-1003 Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User '?')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227850960890
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E421B4-E934-4E29-96E7-03BBA8F5AE93}: NameServer = 24.197.160.17,24.197.160.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{595E5B4E-2A92-4812-9197-B81B6698D7A2}: NameServer = 24.197.160.17,24.197.160.18
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

--
End of file - 8527 bytes
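The HijackThis log above is line-oriented: every entry begins with a section code (R0/R1 for browser start and search settings, O2 for browser helper objects, O4 for autostart entries, O23 for services) followed by " - " and a section-specific body. The Python script below is an added example written for this page; it is not part of the thread and not HijackThis's own code. It parses a handful of lines copied verbatim from the log above and flags the kinds of entries a helper looks at first: components still registered in the registry whose file is gone ("(no file)" / "(file missing)", which is what the orphaned BHO GUIDs and the O23 McAfee entry show) and an O4 autostart whose target is a bare file name instead of a full path (the RunServices "system32.exe" entry). The flag texts and the triage rules are this example's own heuristics, not rules HijackThis applies, and a flag means "review this", not "this is malicious".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied verbatim from the HijackThis log posted above (sample input
# for this example; the rest of the log has the same line shape).
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank",
    r"O2 - BHO: (no name) - {00000000-0000-41CD-A9C3-9E7A8D54F67E} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r",
    r"O4 - HKLM\..\RunServices: [System Support] system32.exe",
    r"O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)",
]

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, O1..O24)
# followed by " - " and the section-specific body.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# O4 bodies look like "<hive>\..\<key>: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")


@dataclass
class Entry:
    code: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into section code and body; None for non-entry lines
    such as 'Running processes:' or 'End of file - 8527 bytes'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(code=m.group("code"), body=m.group("body"))


def flag_entry(entry: Entry) -> Entry:
    """Attach triage flags (heuristics of this example, not HijackThis rules)."""
    body = entry.body
    # A registered component whose file is gone is an orphan: harmless by
    # itself, but it means something was removed or never installed cleanly.
    if "(no file)" in body or "(file missing)" in body:
        entry.flags.append("orphan: registered component has no file on disk")
    # An unnamed BHO with no file leaves nothing but its CLSID to identify it.
    if entry.code == "O2" and "(no name)" in body and "(no file)" in body:
        entry.flags.append("unnamed orphan BHO")
    if entry.code == "O4":
        m = O4_RE.match(body)
        if m:
            parts = m.group("command").split()
            # An autostart whose target is a bare file name (no directory)
            # cannot be located from the log alone and deserves a look.
            if parts and "\\" not in parts[0]:
                entry.flags.append("autostart target given without a path")
    return entry


def triage(lines: List[str]) -> List[Entry]:
    """Parse and flag every entry; return only the entries that raised a flag."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and flag_entry(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(e.code, "|", "; ".join(e.flags), "|", e.body)
```

Run against the six sample lines, the script reports the unnamed orphan BHO, the RunServices entry with the bare "system32.exe" target, and the McAfee service whose executable is missing; the Adobe BHO, the CTSysVol autostart (full path given) and the R1 search-bar setting pass without a flag. To triage a full log, read the file into a list of lines and pass it to `triage()`.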


#2 Tomk

  • Beguilement Monitor
  • Global Moderator
  • 20,451 posts

Posted 28 November 2008 - 08:51 PM

Hi sk2200,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingc...opic114351.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#3 sk2200

  • Authentic Member
  • 43 posts

Posted 29 November 2008 - 01:12 PM

Hello, thanks Tomk for taking the time to help me out.

My computer basically wouldn't turn on last night so I ran a repair install. As a result I'm back to Service Pack 1 with XP.

Here is my ComboFix report. I tried to look through it and understand some of it. A lot of the files I recognize, but some I don't. My copy, paste, and drag work again. I can now again see my start menu and bar. I'm still concerned though. I pulled my important data and put it onto flashes and CDs, so it could break now and not much would be lost.


I tried to load Service Pack 2, but it just freezes. I know a repair install doesn't fix everything and the only way to do so really is a fresh install of XP. So, my plan is, if you can't help me identify the problems here, I will just go through the trouble of doing a fresh install.

Thank you Tom, I hope you can help me identify what exactly went wrong.


-----------------------------------------------------


ComboFix 08-11-29.01 - Owner 2008-11-29 13:55:30.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\INSTALL.LOG
c:\winnt\bar.exe
c:\winnt\didduid.ini
c:\winnt\Downloaded Program Files\setup.inf
c:\winnt\Readme.txt
c:\winnt\system32\foyz.exe
c:\winnt\system32\fpifurs.exe
c:\winnt\system32\wnjwrlc.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-29 12:15 . 2008-11-29 12:17 <DIR> d-------- C:\4830a2c041b2b3a704
2008-11-29 12:00 . 2008-11-29 12:01 <DIR> d-------- C:\f9b443ae62945c483f7b
2008-11-28 23:12 . 2001-08-17 22:36 112,640 --a--c--- c:\winnt\system32\dllcache\xrxwiadr.dll
2008-11-28 23:12 . 2001-08-17 22:37 99,865 --a--c--- c:\winnt\system32\dllcache\xlog.exe
2008-11-28 23:12 . 2001-08-17 22:37 27,648 --a--c--- c:\winnt\system32\dllcache\xrxftplt.exe
2008-11-28 23:12 . 2001-08-17 22:36 23,040 --a--c--- c:\winnt\system32\dllcache\xrxwbtmp.dll
2008-11-28 23:12 . 2001-08-17 12:49 18,688 --a--c--- c:\winnt\system32\dllcache\wvchntxx.sys
2008-11-28 23:12 . 2001-08-17 22:36 17,408 --a--c--- c:\winnt\system32\dllcache\xrxscnui.dll
2008-11-28 23:12 . 2001-08-17 12:11 16,970 --a--c--- c:\winnt\system32\dllcache\xem336n5.sys
2008-11-28 23:12 . 2001-08-17 12:49 12,160 --a--c--- c:\winnt\system32\dllcache\wsiintxx.sys
2008-11-28 23:12 . 2001-08-17 22:36 7,680 --a--c--- c:\winnt\system32\dllcache\wshirda.dll
2008-11-28 23:12 . 2001-08-17 22:37 4,608 --a--c--- c:\winnt\system32\dllcache\xrxflnch.exe
2008-11-28 23:10 . 2001-08-17 13:28 899,146 --a--c--- c:\winnt\system32\dllcache\r2mdkxga.sys
2008-11-28 23:09 . 2002-08-29 01:04 1,947,904 --a--c--- c:\winnt\system32\dllcache\ntkrnlpa.exe
2008-11-28 23:08 . 2001-08-17 13:28 802,683 --a--c--- c:\winnt\system32\dllcache\ltsm.sys
2008-11-28 23:07 . 2001-08-17 14:56 1,733,120 --a--c--- c:\winnt\system32\dllcache\g400d.dll
2008-11-28 23:06 . 2001-08-17 12:13 980,034 --a--c--- c:\winnt\system32\dllcache\cicap.sys
2008-11-28 23:05 . 2002-08-29 02:03 2,042,240 --a--c--- c:\winnt\system32\dllcache\ntoskrnl.exe
2008-11-28 23:05 . 2001-08-17 14:56 66,048 --a--c--- c:\winnt\system32\dllcache\s3legacy.dll
2008-11-28 23:02 . 2008-11-29 13:59 <DIR> d--hs---- c:\documents and settings\NetworkService.NT AUTHORITY
2008-11-28 23:02 . 2008-11-28 23:02 <DIR> d--hs---- c:\documents and settings\LocalService.NT AUTHORITY
2008-11-28 22:55 . 2003-03-31 07:00 13,463,552 --a--c--- c:\winnt\system32\dllcache\hwxjpn.dll
2008-11-28 22:54 . 2001-08-17 22:36 2,134,528 --a--c--- c:\winnt\system32\dllcache\EXCH_smtpsnap.dll
2008-11-28 22:53 . 2001-08-17 22:36 171,008 --a------ c:\winnt\system32\LXAESUI.DLL
2008-11-28 22:53 . 2001-07-21 14:40 3,144 --a--c--- c:\winnt\system32\dllcache\srgb.icm
2008-11-28 22:52 . 2003-03-31 07:00 3,346,432 --a--c--- c:\winnt\system32\dllcache\msgr3en.dll
2008-11-28 22:52 . 2003-03-31 07:00 106,562 --a--c--- c:\winnt\system32\dllcache\srchctls.dll
2008-11-28 22:52 . 2008-11-28 22:52 749 -rah----- c:\winnt\WindowsShell.Manifest
2008-11-28 22:52 . 2008-11-28 22:52 749 -rah----- c:\winnt\system32\wuaucpl.cpl.manifest
2008-11-28 22:52 . 2008-11-28 22:52 749 -rah----- c:\winnt\system32\sapi.cpl.manifest
2008-11-28 22:52 . 2008-11-28 22:52 749 -rah----- c:\winnt\system32\ncpa.cpl.manifest
2008-11-28 22:52 . 2008-11-28 22:52 488 -rah----- c:\winnt\system32\logonui.exe.manifest
2008-11-28 22:50 . 2003-03-31 07:00 1,267,712 --a--c--- c:\winnt\system32\dllcache\cimwin32.dll
2008-11-28 22:49 . 2002-08-29 01:06 182,400 --a------ c:\winnt\system32\drivers\rdpdr.sys
2008-11-28 22:49 . 2002-08-29 01:06 182,400 --a--c--- c:\winnt\system32\dllcache\rdpdr.sys
2008-11-28 22:47 . 2002-08-29 01:27 56,576 --a------ c:\winnt\system32\drivers\redbook.sys
2008-11-28 22:47 . 2002-08-29 01:27 56,576 --a--c--- c:\winnt\system32\dllcache\redbook.sys
2008-11-28 22:47 . 2001-08-17 13:59 50,048 --a------ c:\winnt\system32\drivers\DMusic.sys
2008-11-28 22:47 . 2001-08-17 13:59 50,048 --a--c--- c:\winnt\system32\dllcache\dmusic.sys
2008-11-28 22:47 . 2002-08-29 01:32 5,888 --a------ c:\winnt\system32\drivers\splitter.sys
2008-11-28 22:47 . 2002-08-29 01:32 5,888 --a--c--- c:\winnt\system32\dllcache\splitter.sys
2008-11-28 22:36 . 2002-08-29 03:46 38,024 --a------ c:\winnt\system32\drivers\termdd.sys
2008-11-28 22:36 . 2002-08-29 03:46 38,024 --a--c--- c:\winnt\system32\dllcache\termdd.sys
2008-11-28 20:58 . 2008-11-28 20:58 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 20:49 . 2008-11-28 20:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 20:49 . 2008-11-28 20:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-28 20:49 . 2008-10-26 21:53 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2008-11-28 20:49 . 2008-10-26 21:53 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2008-11-28 17:24 . 2008-11-29 11:14 1,609,388,032 --a------ c:\winnt\MEMORY.DMP
2008-11-28 00:58 . 2008-11-28 00:58 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-27 15:45 . 2008-11-27 15:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-11-27 15:15 . 2003-06-26 13:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-27 15:15 . 2003-06-26 12:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust
2008-11-27 15:15 . 2008-11-27 15:15 <DIR> d-------- c:\documents and settings\Administrator
2008-11-27 10:21 . 2008-11-27 10:21 <DIR> d-------- c:\winnt\tmp
2008-11-26 12:53 . 2008-11-26 12:53 <DIR> d-------- c:\program files\iTunes
2008-11-26 12:53 . 2008-11-26 12:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 12:50 . 2008-11-26 12:51 <DIR> d-------- c:\program files\QuickTime
2008-11-20 15:44 . 2008-11-20 15:44 42,320 --a------ c:\winnt\system32\xfcodec.dll
2008-11-20 01:34 . 2007-10-07 21:24 60,041 --a------ C:\300-1.jpg
2008-11-20 01:33 . 2004-09-07 14:29 41,190 --a------ C:\pie.jpg
2008-11-19 16:02 . 2008-08-13 12:10 170,920 --a------ C:\yowzurrr.jpg
2008-11-19 16:02 . 2007-10-13 21:18 48,872 --a------ C:\rear.jpg
2008-11-19 16:02 . 2008-11-15 01:23 15,380 --a------ C:\lips.jpg
2008-11-19 08:28 . 2008-11-19 08:35 <DIR> d-------- c:\documents and settings\Owner\Contacts
2008-11-19 08:25 . 2008-11-19 08:25 268 --ah----- C:\sqmdata00.sqm
2008-11-19 08:25 . 2008-11-19 08:25 244 --ah----- C:\sqmnoopt00.sqm
2008-11-19 08:24 . 2008-11-19 08:24 <DIR> d-------- c:\program files\MSN Messenger
2008-11-12 13:07 . 2008-11-12 13:07 82,934 --a------ C:\hph.jpg
2008-11-12 11:00 . 2008-11-12 11:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\winnt\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\winnt\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 18:40 --------- d-s---w c:\program files\Xfire
2008-11-29 18:36 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2008-11-29 18:35 --------- d-----w c:\program files\Steam
2008-11-27 20:47 --------- d-----w c:\program files\ATI
2008-11-27 20:42 --------- d-----w c:\program files\ATI Technologies
2008-11-26 17:53 --------- d-----w c:\program files\iPod
2008-11-26 17:53 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 23:29 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-25 19:14 --------- d-----w c:\program files\Viewpoint
2008-11-24 08:34 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-10-29 03:10 3,341,824 ----a-w c:\winnt\system32\drivers\ati2mtag.sys
2008-10-29 01:18 53,248 ----a-w c:\winnt\system32\drivers\ati2erec.dll
2008-10-16 18:35 --------- d-----w c:\program files\Activision
2008-10-16 17:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-13 19:33 --------- d-----w c:\documents and settings\Owner\Application Data\ATI
2008-10-13 19:23 --------- d-----w c:\program files\DAEMON Tools Lite
2008-10-13 19:17 717,296 ----a-w c:\winnt\system32\drivers\sptd.sys
2008-10-13 17:03 --------- d-----w c:\program files\SAS
2008-10-03 20:15 --------- d-----w c:\program files\Creative
2008-10-01 20:21 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-01 20:01 --------- d-----w c:\documents and settings\Owner\Application Data\Creative
2008-10-01 19:49 --------- d-----w c:\program files\Decisioneering
2008-10-01 19:33 --------- d-----w c:\program files\Bonjour
2008-09-30 16:11 --------- d-----w c:\program files\Common Files\InstallShield
2008-09-30 16:11 --------- d-----w c:\documents and settings\Owner\Application Data\Decisioneering
2008-09-30 16:11 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-09-30 16:11 --------- d-----w c:\documents and settings\All Users\Application Data\Decisioneering
2008-09-30 15:29 --------- d-----w c:\program files\Microsoft ActiveSync
2008-01-21 07:06 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-03-16 05:08 41 -c--a-w c:\documents and settings\Owner\Application Data\tvmuknwrd.dll
2005-03-16 05:08 34 -c--a-w c:\documents and settings\Owner\Application Data\tvmcwrd.dll
2005-03-15 13:01 268,607 ----a-w c:\documents and settings\Owner\Application Data\tvmknwrd.dll
2004-10-18 20:40 60,288 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-09-26 02:46 430,315 -c--a-w c:\documents and settings\Owner\CdStart.exe
2004-01-23 21:24 9,380,112 ------w c:\documents and settings\GameSpot DLX Secure Delivery\ff7demo.zip
1784-02-06 00:28 65,536 -c----w c:\winnt\inf\copyinf.exe
1784-02-06 00:28 242,432 -c----w c:\winnt\inf\rt2500usb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 c:\winnt\GWMDMMSG.exe]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 c:\winnt\system32\SK9910DM.EXE]
"P17Helper"="P17.dll" [2006-03-17 c:\winnt\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2002-12-03 c:\winnt\MIDIDEF.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2003-03-31 40960]
"DefaultP17MIDI"="MIDIDEF.EXE" [2002-12-03 c:\winnt\MIDIDEF.EXE]
"DefaultP17"="P17Def.Exe" [2005-05-03 c:\winnt\P17DEF.EXE]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-05-04 2913840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\winnt\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\winnt\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WkCalRem.LNK]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\WkCalRem.LNK
backup=c:\winnt\pss\WkCalRem.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
??? ? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??? ? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\winnt\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
--a--c--- 2003-01-20 21:57 106574 c:\program files\ATI Multimedia\main\LaunchPd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
--a------ 2007-10-04 17:38 307200 c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-30 20:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2003-03-31 07:00 13312 c:\winnt\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 07:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 14:24 53248 c:\winnt\GWMDMpi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 05:03 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 05:03 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a--c--- 2002-07-16 19:21 28672 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-04-02 12:40 4616192 c:\winnt\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-08-29 16:11 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-10 10:28 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a--c--- 2005-06-16 10:24 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2004-08-21 14:20 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\winnt\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a--c--- 2004-04-19 11:06 102400 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 14:24 90112 c:\winnt\GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd 9910 Daemon]
--a------ 2001-01-03 13:50 66048 c:\winnt\system32\SK9910DM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2006-03-17 16:11 81408 c:\winnt\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"MskService"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SvcProc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"RSVP"=3 (0x3)
"ose"=3 (0x3)
"NetSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"CryptSvc"=3 (0x3)
"aspnet_state"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"0157391197826520mcinstcleanup"=2 (0x2)
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"NVSvc"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"ATI Smart"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\SteamApps\\jkenney5@bellsouth.net\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder

2008-11-26 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{00000000-0000-41CD-A9C3-9E7A8D54F67E} - (no file)
BHO-{00000000-0000-41D0-AC34-2F527C5D73C0} - (no file)
BHO-{00000000-0000-44B9-93E9-7C06E053E603} - (no file)
BHO-{00000000-0000-454D-846D-C58A4703BB13} - (no file)
BHO-{00000000-0000-459C-9431-DCC79EBD28D5} - (no file)
BHO-{00000000-0000-4605-AF20-2FE6FDC0C8BA} - (no file)
BHO-{00000000-0000-471D-B8DD-14A86375FAB8} - (no file)
BHO-{00000000-0000-4902-9464-3B4B93C142DA} - (no file)
BHO-{00000000-0000-4A51-8416-487F2E9D62E4} - (no file)
BHO-{00000000-0000-4A72-8CDA-5F621B3A2BAB} - (no file)
BHO-{00000000-0000-4B5D-9A9D-F09A0D172484} - (no file)
BHO-{00000000-0000-4C21-848F-5E2A5D6D2373} - (no file)
BHO-{00000000-0000-4C22-A31A-0FDB9B1781A4} - (no file)
BHO-{00000000-0000-4E80-83AE-71AC3A168AE7} - (no file)
BHO-{10ADCD4E-EE28-4064-B4E2-6A953BCB32A6} - (no file)
BHO-{1E9DCE57-D1D0-4C51-A7D4-E01677B945F3} - (no file)
BHO-{3196C868-83C9-47A5-8109-177F24711B3D} - (no file)
BHO-{345D7CF0-2C6E-4A47-A422-35232366E9E7} - (no file)
BHO-{3C55DBE7-C6B8-475E-971B-8FB86AB07703} - (no file)
BHO-{48259238-FC92-4AE4-B632-5FE0682D48C7} - (no file)
BHO-{58B0CDBD-0B90-4F6A-89AD-3133C234B375} - (no file)
BHO-{753302A0-037A-4089-967F-5C0F1476039E} - (no file)
BHO-{7908953C-7477-4950-A7BF-B9BDB79C1217} - (no file)
BHO-{8D6A1F08-F7DD-4F85-9B2E-3AF604354328} - (no file)
BHO-{92C260D1-8BAC-4095-85CD-DAF6A1D67CB4} - (no file)
BHO-{AD4BB598-B97A-40F8-A227-F17CCC978192} - (no file)
BHO-{AED2C40A-9BE6-4436-9ACF-16AFF65CD426} - (no file)
BHO-{BAEF0FFA-0068-4B3D-B8F9-188345032399} - (no file)
BHO-{C0F6BFE3-109E-4E66-8699-E78721DB5C76} - (no file)
BHO-{D2574F54-A61B-4915-A64C-DFC15D8B5D93} - (no file)
BHO-{DC8B6358-6D67-4AF6-ACB0-9E9BA5A9099F} - (no file)
BHO-{E64E4E12-84DC-4A1E-A75D-CE60F41B9712} - (no file)
BHO-{F0CF53D0-C629-4EAC-AA96-DFF78E317D72} - (no file)
BHO-{F52973A8-8AA5-4F92-8472-22F85EACB176} - (no file)
BHO-{FAC19AC3-A3B6-4154-9588-0EE7142B2D4E} - (no file)
HKLM-RunServices-System Support - system32.exe
MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
MSConfigStartUp-BellSouthWCC_McciTrayApp - c:\program files\BellSouthWCC\McciTrayApp.exe
MSConfigStartUp-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
MSConfigStartUp-cintgqkw - c:\winnt\system32\sigsxx.exe
MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
MSConfigStartUp-egpqtlt - c:\winnt\system32\pqdvzi.exe
MSConfigStartUp-ixpfqpcp - c:\program files\ixpfqpcp\ixpfqpcp.exe
MSConfigStartUp-Keyboard Preload Check - c:\oemdrvrs\KEYB\Preload.exe
MSConfigStartUp-KLog - c:\program files\Keyboard Logger\Keyspy.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MPSExe - c:\progra~1\mcafee.com\mps\mscifapp.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-otxysb - c:\winnt\system32\rgvtzvnb.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-uxxet - c:\winnt\system32\aqbk.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-WTSS - c:\winnt\System32\wapitr.exe
MSConfigStartUp-CTXFIREG - CTxfiReg.exe
MSConfigStartUp-System Support - system32.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yfxom20q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 13:59:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\winnt\System32\ODBC32.dll
c:\winnt\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\winnt\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(832)
c:\winnt\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ati2evxx.exe
c:\winnt\system32\ati2evxx.exe
c:\winnt\system32\rundll32.exe
c:\winnt\system32\wpabaln.exe
c:\winnt\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-11-29 14:04:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 19:04:06

Pre-Run: 17,595,215,872 bytes free
Post-Run: 17,698,848,768 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

395 --- E O F --- 2008-11-12 16:02:12

#4 sk2200 (Authentic Member, 43 posts)

Posted 29 November 2008 - 02:28 PM

Oh, since I did do the repair install, here is what my HijackThis printout looks like now.

Looks a little better, not so much stuff going on, at least from my inexperienced viewpoint.

----------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:41 PM, on 11/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\Rundll32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINNT\System32\wpabaln.exe
C:\WINNT\System32\WgaTray.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-21-3621179708-1224430818-1101987789-1003 Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User '?')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227850960890
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E421B4-E934-4E29-96E7-03BBA8F5AE93}: NameServer = 24.197.160.17,24.197.160.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{595E5B4E-2A92-4812-9197-B81B6698D7A2}: NameServer = 24.197.160.17,24.197.160.18
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

--
End of file - 6648 bytes

#5 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 29 November 2008 - 03:13 PM

sk2200,

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java icon.
  • Under Temporary Internet Files, click the Settings... button.
  • Click the Delete Files button.
  • There are three options in the window to clear the cache - leave all 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings.
  • Click OK to leave the Java Control Panel.

Next

  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if present):
    • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    • R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    • O2 - BHO: (no name) - SOFTWARE - (no file)
    • O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    • O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    • O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    • O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    • O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    • O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.

Then

Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present):
C:\WINNT\web\related.htm <--This file
C:\Program Files\Ebates_MoeMoneyMaker <--This folder

and Finally

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a new HijackThis log.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#6 sk2200 (Authentic Member, 43 posts)

Posted 29 November 2008 - 07:48 PM

Thanks Tomk, I've done everything you listed.

First, here is my new HijackThis log, followed by my Kaspersky log.

---------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:33 PM, on 11/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\Rundll32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WgaTray.exe
C:\WINNT\System32\wpabaln.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\Local Settings\temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Documents and Settings\Owner\Local Settings\temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-21-3621179708-1224430818-1101987789-1003 Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User '?')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227850960890
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E421B4-E934-4E29-96E7-03BBA8F5AE93}: NameServer = 24.197.160.17,24.197.160.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{595E5B4E-2A92-4812-9197-B81B6698D7A2}: NameServer = 24.197.160.17,24.197.160.18
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

--
End of file - 5995 bytes

------------------------------------------------


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 29, 2008 20:22:01
Records in database: 1428083
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 114058
Threat name: 4
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 02:25:02


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINNT\bar.exe.vir Infected: not-a-virus:AdWare.Win32.IeSearchBar 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1\A0003580.exe Infected: not-a-virus:AdWare.Win32.IeSearchBar 1
C:\ubcd4win\BartPE\I386\SYSTEM32\WM_HOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\ubcd4win\BartPE\PROGRAMS\ultravnc\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\ubcd4win\BartPE\PROGRAMS\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\ubcd4win\BartPE\PROGRAMS\vncserver\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\ubcd4win\BartPE\PROGRAMS\vncserver\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\ubcd4win\plugin\Network\netcat\files\nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat.a 1
C:\ubcd4win\plugin\Network\ultravnc\files\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\ubcd4win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\ubcd4win\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\ubcd4win\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\ubcd4win\plugin\Network\VNCServer\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

The selected area was scanned.

#7 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 29 November 2008 - 09:05 PM

sk2200,

  • Click Start, then Settings, then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, Remove Adware.TopMoxie
  • Do the same for any reference to ebates.

  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if present):
    • O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.

Then

Using Windows Explorer (Windows Key + E), locate the following folder and DELETE it (if still present):
C:\Program Files\WebSavingsfromEbates <--This folder

Don't be concerned if you don't find this folder. It just means that it was already removed in a previous step.


Please provide a new HijackThis log.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
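As an added example (not code from this thread or from HijackThis itself), here is a small Python triage script that applies the pattern behind Tomk's "Fix checked" lists in posts #5 and #7 to HijackThis log lines: search settings reset to about:blank, BHOs without a CLSID, entries whose backing file is gone, and IE context-menu items or buttons backed by a local HTML file. The rule names and helper names are my own; the sample log is a constructed subset of lines copied from the logs posted above.

```python
import re
from dataclasses import dataclass

# One HijackThis entry per line: "<section> - <body>", e.g. "O2 - BHO: ...".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A COM CLSID as HijackThis prints it: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Sections whose entries name a backing file; "(no file)" / "(file missing)"
# there is the usual residue of software that was deleted but not unregistered.
FILE_BACKED = {"O2", "O3", "O9", "O16", "O23"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line: str):
    """Return (section, body) for an entry line, or None for anything else."""
    match = ENTRY_RE.match(line.strip())
    return (match.group("section"), match.group("body")) if match else None


def triage_line(line: str) -> list:
    """Apply the triage rules to one log line; a line may earn several findings."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    lower = body.lower()
    found = []
    # R0/R1 hold the IE start and search pages. A search key left at
    # about:blank is the classic footprint of a removed search hijacker.
    if section in ("R0", "R1") and lower.endswith("= about:blank"):
        found.append(Finding(section, "search setting reset to about:blank", line))
    # A BHO line must carry a CLSID; "SOFTWARE" in its place is a broken key.
    if section == "O2" and not CLSID_RE.search(body):
        found.append(Finding(section, "BHO registered without a valid CLSID", line))
    # The registry still points at a file that is gone.
    if section in FILE_BACKED and ("(no file)" in lower or "(file missing)" in lower):
        found.append(Finding(section, "entry points at a file that no longer exists", line))
    # Context-menu items and toolbar buttons that run a local HTML file are
    # how the Ebates items in this thread hooked Internet Explorer.
    if section in ("O8", "O9") and "file://" in lower:
        found.append(Finding(section, "IE extension backed by a local HTML file", line))
    return found


def triage_log(text: str) -> list:
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for line in text.splitlines() for f in triage_line(line)]


# Constructed sample: a subset of the lines posted in this thread, plus the
# header and one process line so the parser has something to skip.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

It flags and never fixes anything, and a flagged line is a prompt for review rather than a verdict: the Show Related Links entries Tomk removes are not caught by these rules, while the McAfee O23 line with (file missing) is.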
 

#8 sk2200 (Authentic Member, 43 posts)

Posted 29 November 2008 - 09:24 PM

Tomk,

On the first step, there was nothing referencing Ebates in my Add/Remove Programs display.

I deleted the file through HijackThis, however.

Again though, the file for Ebates was not present in my Program Files folder. I did a search on my computer for anything containing some of the key words and my computer came up with nothing.


Here is my new log.


I don't know if I should have done this yet, but I have tried to install Service Pack 2, as I am reduced back to 1 from 3 after I did that repair install. It keeps getting stuck at the "looking for space" phase. Maybe that may help and it is something with my RAM sticks or something.


-----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:07 PM, on 11/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WgaTray.exe
C:\WINNT\System32\wpabaln.exe
C:\Documents and Settings\Owner\Desktop\WindowsXP-KB835935-SP2-ENU(2).exe
c:\045596894cc6c0bc6bdd98dbae\i386\update\update.exe
C:\WINNT\System32\wuauclt.exe
c:\045596894cc6c0bc6bdd98dbae\i386\update\fixccs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-21-3621179708-1224430818-1101987789-1003 Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User '?')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227850960890
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E421B4-E934-4E29-96E7-03BBA8F5AE93}: NameServer = 24.197.160.17,24.197.160.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{595E5B4E-2A92-4812-9197-B81B6698D7A2}: NameServer = 24.197.160.17,24.197.160.18
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

--
End of file - 5882 bytes
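For anyone reading this thread later: the following is an added example, not part of the original post and not code from HijackThis or the forum. It is a small Python script that parses a HijackThis v2 log like the one above and lists the entries a malware-removal helper would look at first. The heuristics are my own assumptions (the TRUSTED_DIRS prefixes, the set of DNS servers the machine is expected to use, and the "bare filename in a Run key" check), and the sample log inside it mixes lines taken from the log above with a constructed, shortened running-process list.

```python
"""Triage a HijackThis v2 log: list the entries worth a second look.

Added example for this thread; it is not code from HijackThis or from
the forum. SAMPLE_LOG mixes lines taken from the log above with a
constructed, shortened running-process list.
"""
import re
from typing import List, Set, Tuple

SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\System32\\svchost.exe
C:\\Documents and Settings\\Owner\\Desktop\\WindowsXP-KB835935-SP2-ENU(2).exe
c:\\045596894cc6c0bc6bdd98dbae\\i386\\update\\update.exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

O4 - HKLM\\..\\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{15E421B4-E934-4E29-96E7-03BBA8F5AE93}: NameServer = 24.197.160.17,24.197.160.18
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\\PROGRA~1\\McAfee\\VIRUSS~1\\mcshield.exe (file missing)
"""

# Assumption: binaries of a normal XP install live under one of these prefixes.
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O4 - HKLM\..\Run: [x] y"
RUN_RE = re.compile(r"Run(?:Once)?: \[[^\]]*\] (.*)$")   # command after the [name]
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running processes, [(section, body), ...]) from a HijackThis log."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False      # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def first_token(command: str) -> str:
    """The executable part of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(processes: List[str], entries: List[Tuple[str, str]],
           trusted_dns: Set[str]) -> List[str]:
    """Apply the review heuristics and return one finding string per hit."""
    findings: List[str] = []
    for proc in processes:
        if not proc.lower().startswith(TRUSTED_DIRS):
            findings.append(f"process outside trusted dirs: {proc}")
    for section, body in entries:
        if section == "O4":
            m = RUN_RE.search(body)
            # A bare filename is resolved through the search path at logon,
            # so a same-named file in an earlier PATH directory would win.
            if m and "\\" not in first_token(m.group(1)):
                findings.append(f"autorun resolved via search path: {body}")
        elif section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                unknown = [ip for ip in m.group(1).split(",") if ip not in trusted_dns]
                if unknown:
                    findings.append(f"unexpected DNS server(s) {','.join(unknown)}: {body}")
        elif section == "O23" and "(file missing)" in body:
            findings.append(f"service binary missing: {body}")
    return findings


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    # Assumption: these are the ISP resolvers the machine is expected to use.
    for finding in triage(procs, ents, {"24.197.160.17", "24.197.160.18"}):
        print(finding)
```

The findings are hints, not verdicts: the hash-named folder under C:\ is flagged as an unusual process location even though in this log it is just where the SP2 installer unpacked itself, and the O23 McShield entry with "(file missing)" is what a half-removed McAfee leaves behind. The checks that carry real security weight are the O17 NameServer comparison (a resolver that is not the ISP's or the router's is the classic DNS-hijack sign; here both addresses match the assumed set, so nothing is reported) and the bare-filename Run values such as GWMDMMSG.exe, which Windows locates through the search path rather than an explicit directory.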

#9 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 29 November 2008 - 09:42 PM

sk2200,

Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Please re-enable any security that was disabled.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is susceptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Keep Microsoft Windows Updated - This will ensure your computer always has the latest security updates available installed on your computer. The easiest way to do this is to turn on Automatic Updates. Do this by:
  • From your desktop, right-click on My Computer,
  • click on Properties
  • Select the Automatic Updates tab
  • Click on Automatic
  • Click on Apply button
  • Click on OK to exit.
If there are new updates to install, install them immediately, until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Download and install the free version of WinPatrol - This program protects your computer in a variety of ways and will work well with your existing security software.
Winpatrol


Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.


Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

Also: "How to prevent malware"
by miekiemoes

Once you have everything all set, reboot your computer.

After you restart, try to install your windows update.

Please let me know how it goes.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#10 sk2200 (Authentic Member, 43 posts)

Posted 29 November 2008 - 10:34 PM

OK, I've done the housekeeping and I'm trying to install the Windows updates. Like I said, I am back to Windows Service Pack 1 due to the repair install. Windows Automatic Update has 55 updates, most likely more. The update fails, however, with a copy error: "ntoskrnl.exe".

#11 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 29 November 2008 - 10:42 PM

sk2200,

We need to repair some of windows' internal registration settings
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box.
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
  • Press the GO button in the bottom of the window.
  • Exit/Close Dial-A-Fix

Then try updates again.

Let me know how it goes.
Tomk
 

#12 sk2200 (Authentic Member, 43 posts)

Posted 29 November 2008 - 11:33 PM

I did as you asked, but no improvement. Still the same error with the update. Dial-a-Fix had two errors: C:\WINNT\system32\wups.dll and C:\WINNT\system32\wups2.dll. I tried to just do the Service Pack 2 again, and it says access denied. Thank you for all your help.

#13 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 29 November 2008 - 11:41 PM

sk2200,

I've got one more suggestion to try.

  • Open Spybot Search & Destroy.
  • In the Mode menu click Advanced mode if not already selected.
  • Choose Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click Resident.
  • Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active." box.
  • In the File menu click Exit to exit Spybot Search & Destroy.

Now give it another try.
Tomk
 

#14 sk2200 (Authentic Member, 43 posts)

Posted 29 November 2008 - 11:53 PM

That value is already unchecked. :( Still no change. I tried to re-register a few files too. Still nothing.

#15 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 30 November 2008 - 12:00 AM

sk2200,

Then my final suggestion is that you pose a question to the Tech Team here.
If you do that, please provide a link there to this thread so that the Tech Team can see your logs here.
Tomk
 
