links redirected

  1. #1 wingman23 (Newbie)

    Hello, I got the XP Security Center 2010 malware. I used Malwarebytes to stop it; it went away, came back once, then went away again. I haven't seen it since and have been updating Malwarebytes manually from a clean computer because it won't update on the infected machine. Malwarebytes finds nothing. My problem is Google links are redirected, so I know there's still something going on. I downloaded, installed, updated, and ran a scan with Spybot; it found some problems and fixed them. Ran it again and nothing came up. Updated my McAfee and ran a scan and it came back clean. Links are still being redirected. Here is my HijackThis log and uninstall list. Thank you for any help.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:28:27 AM, on 5/18/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Home - Windows Live
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Laptops, PCs, Desktop Computers, Monitors, Printers & PC Accessories | Dell UK
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Laptops, PCs, Desktop Computers, Monitors, Printers & PC Accessories | Dell UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100517180127.dll
    O2 - BHO: (no name) - {7e214c1d-5fb4-4a80-aab4-ebccf5238b6c} - jevaziji.dll (file missing)
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - S-1-5-21-891181735-1526272075-3916826846-500 Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Administrator')
    O4 - S-1-5-21-891181735-1526272075-3916826846-500 User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Administrator')
    O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: En&queue current page with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
    O8 - Extra context menu item: Enqueue link tar&get with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
    O8 - Extra context menu item: Open &link target with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
    O8 - Extra context menu item: Open current page with BI&D - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
    O8 - Extra context menu item: Open current page with BID Link Explorer - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: defohesi.dll
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O21 - SSODL: duzorifov - {9d2a2d58-9fce-4af2-88ff-ea61bb3be1ae} - c:\windows\system32\tukuhegu.dll (file missing)
    O21 - SSODL: wapigozah - {f408984f-3b8e-43ba-8319-4551f090240b} - c:\windows\system32\pamepusu.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: kupuhivus - {9d2a2d58-9fce-4af2-88ff-ea61bb3be1ae} - c:\windows\system32\tukuhegu.dll (file missing)
    O22 - SharedTaskScheduler: tokatiluy - {f408984f-3b8e-43ba-8319-4551f090240b} - c:\windows\system32\pamepusu.dll (file missing)
    O23 - Service: McAfee Application Installer Cleanup (0162601274137993) (0162601274137993mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\016260~1.EXE (file missing)
    O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8285 bytes


    UNINSTALL LIST

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.3
    Advanced Audio FX Engine
    Battery Meter
    CCleaner (remove only)
    Choice Guard
    Compatibility Pack for the 2007 Office system
    CyberLink PowerDVD 8.0 SE
    CyberLink PowerDVD 8.0 SE
    Dell Box.net Launcher
    Dell Dock
    Dell Media Experience
    Dell Media Experience
    Dell Support Center (Support Software)
    Dell Webcam Central
    Dell Wireless WLAN Card Utility
    ETDWare PS/2-x86 7.0.4.6 WHQL
    GoToAssist 8.0.0.514
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Integrated Webcam Driver (1.01.01.0116)
    Java(TM) 6 Update 11
    Junk Mail filter update
    K-Lite Codec Pack 5.1.0 (Full)
    Malwarebytes' Anti-Malware
    McAfee AntiVirus Plus
    McAfee SiteAdvisor
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.9
    Microsoft Visual C++ 2005 Redistributable
    Microsoft WinUsb 1.0
    Microsoft Works
    Mozilla Firefox (3.5.9)
    MSN
    MSVCRT
    MSXML 6.0 Parser (KB927977)
    Realtek High Definition Audio Driver
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Segoe UI
    Spybot - Search & Destroy
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Presentation Foundation
    Windows Search 4.0
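
    The log above contains several in-process load points whose target DLL is referenced by a bare name, is reported as missing, or carries a random-looking name (the O2 BHO jevaziji.dll, the O20 AppInit_DLLs value defohesi.dll, and the O21/O22 entries for tukuhegu.dll and pamepusu.dll). The script below is an added example, not part of the thread and not a HijackThis feature: it parses HijackThis-style O2/O20/O21/O22 lines and flags exactly those patterns, run over a sample built from lines copied out of the posted log. The consonant/vowel name heuristic and the reason strings are this example's own choices, not anything the tool outputs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the HijackThis log posted above (O4 and
# O23 lines are included to show that other sections are left alone).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7e214c1d-5fb4-4a80-aab4-ebccf5238b6c} - jevaziji.dll (file missing)
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O20 - AppInit_DLLs: defohesi.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O21 - SSODL: duzorifov - {9d2a2d58-9fce-4af2-88ff-ea61bb3be1ae} - c:\windows\system32\tukuhegu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kupuhivus - {9d2a2d58-9fce-4af2-88ff-ea61bb3be1ae} - c:\windows\system32\pamepusu.dll (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
"""

# HijackThis sections that name a DLL loaded into the browser, Explorer or
# every process: BHOs (O2), AppInit_DLLs / Winlogon Notify (O20),
# ShellServiceObjectDelayLoad (O21), SharedTaskScheduler (O22).
LOADPOINT_TYPES = {"O2", "O20", "O21", "O22"}
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING = "(file missing)"
VOWELS = set("aeiou")


@dataclass
class Finding:
    entry_type: str
    label: str
    module: str
    reasons: List[str]


def looks_random(stem: str) -> bool:
    """Heuristic only (this example's own rule): 7+ lowercase letters strictly
    alternating consonant/vowel, consonant first, like jevaziji or defohesi.
    A real vendor name will occasionally match, so treat it as a hint."""
    if len(stem) < 7 or not stem.isalpha() or not stem.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if this load-point entry deserves a look, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group(1) not in LOADPOINT_TYPES:
        return None
    etype, rest = m.groups()
    reasons: List[str] = []
    if rest.endswith(MISSING):
        # The registry still points at a DLL that is gone: an orphaned load
        # point, typically left behind after a partial cleanup.
        reasons.append("orphaned load point (file missing)")
        rest = rest[: -len(MISSING)].rstrip()
    if etype == "O20" and rest.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that maps user32.dll;
        # on XP any non-empty value deserves attention.
        label, module = "AppInit_DLLs", rest.split(":", 1)[1].strip()
        reasons.append("AppInit_DLLs is set")
    else:
        # The last " - " separated field is the module path or bare name.
        label, _, module = rest.rpartition(" - ")
        module = module.strip()
    if module and "\\" not in module:
        reasons.append("bare module name, resolved through the DLL search order")
    stem = module.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append("random-looking module name")
    return Finding(etype, label, module, reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    return [f for f in map(triage_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.entry_type:<4} {f.module:<40} {'; '.join(f.reasons)}")
```

    Run against the sample it reports the four entries named in the lead-in and nothing else; the Spybot, GoToAssist and browseui entries pass because they carry a full path and an ordinary file name.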

  2. #2 broni (Senior Member)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please never rename ComboFix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
      NOTE 2. If ComboFix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  3. #3 wingman23 (Newbie)
    Here is my ComboFix log followed by a new HijackThis log. After scanning, links are still redirected.

    ComboFix 10-05-17.01 - Robb 05/18/2010 16:41:40.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.481 [GMT -5:00]
    Running from: c:\documents and settings\Robb\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\hkcmd .exe
    c:\windows\system32\igfxtray .exe
    c:\windows\system32\persistencethread .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\system32\wltray .exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Legacy_IAS
    -------\Legacy_NPF
    -------\Legacy_SEAGATE


    ((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
    .

    2010-05-18 16:23 . 2010-05-18 16:23 388096 ----a-r- c:\documents and settings\Robb\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-05-18 01:18 . 2010-05-18 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-05-18 01:18 . 2010-05-18 01:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-05-17 23:01 . 2010-04-27 22:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-05-17 23:01 . 2010-04-27 22:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-05-17 23:01 . 2010-04-27 22:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-05-17 23:01 . 2010-04-27 22:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-05-17 23:01 . 2010-04-27 22:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-05-17 23:01 . 2010-04-27 22:16 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-05-17 23:01 . 2010-04-27 22:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-05-17 22:45 . 2010-05-17 23:14 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-05-17 22:41 . 2010-05-17 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-05-17 22:41 . 2010-05-17 22:41 -------- d-----w- c:\program files\Hitman Pro 3.5

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-18 01:15 . 2009-12-25 00:52 -------- d-----w- c:\program files\Zune
    2010-05-18 01:10 . 2009-09-14 02:15 -------- d-----w- c:\documents and settings\Robb\Application Data\uTorrent
    2010-05-17 23:07 . 2009-09-08 22:16 -------- d-----w- c:\program files\McAfee
    2010-05-17 23:07 . 2009-09-08 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-05-17 23:07 . 2009-09-08 22:16 -------- d-----w- c:\program files\Common Files\McAfee
    2010-05-17 02:00 . 2009-08-19 07:48 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
    2010-04-27 22:16 . 2009-09-08 22:18 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-04-27 22:16 . 2009-09-08 22:18 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-04-27 22:16 . 2009-07-08 18:44 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-04-20 23:53 . 2010-04-05 21:37 0 ----a-w- c:\windows\Mkohaquz.bin
    2010-04-20 23:53 . 2010-04-05 21:37 120 ----a-w- c:\windows\Hsuzifum.dat
    2010-04-13 01:58 . 2010-04-12 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\cebf0
    2010-04-13 01:58 . 2009-08-19 07:51 -------- d-----w- c:\program files\Elantech
    2010-04-13 01:13 . 2009-08-19 01:11 -------- d-----w- c:\program files\Battery Meter
    2010-04-13 01:13 . 2009-08-19 01:10 -------- d-----w- c:\program files\WSED
    2010-04-13 00:03 . 2010-04-06 21:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-12 23:54 . 2010-04-12 23:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-12 23:54 . 2010-04-12 23:54 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-12 23:54 . 2010-04-12 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
    2010-04-12 23:45 . 2010-04-12 23:45 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGZKUKOKUD
    2010-04-06 21:22 . 2010-04-06 21:22 96512 ----a-w- c:\windows\system32\drivers\tsk5E.tmp
    2010-04-06 21:22 . 2010-04-06 21:22 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
    2010-04-06 02:26 . 2010-04-06 02:26 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-04-06 02:26 . 2010-04-06 02:26 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2010-04-06 02:26 . 2010-04-06 02:26 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
    2010-04-06 01:52 . 2008-04-14 00:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-04-05 22:17 . 2010-04-05 22:17 -------- d-----w- c:\documents and settings\Robb\Application Data\Malwarebytes
    2010-04-05 22:01 . 2010-04-05 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-29 20:24 . 2010-04-06 21:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 20:24 . 2010-04-06 21:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-22 02:22 . 2010-02-23 21:13 197712 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-03-15 15:44 . 2009-08-27 20:59 34400 -c--a-w- c:\documents and settings\Robb\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-10 04:33 . 2010-03-10 04:33 1509888 ----a-w- c:\windows\system32\SET34.tmp
    2010-03-10 04:33 . 2010-03-10 04:33 1025024 ----a-w- c:\windows\system32\SET37.tmp
    2010-02-26 05:43 . 2010-02-26 05:43 667136 ----a-w- c:\windows\system32\SET31.tmp
    2010-02-26 05:43 . 2010-02-26 05:43 627712 ----a-w- c:\windows\system32\SET32.tmp
    2010-02-26 05:43 . 2010-02-26 05:43 3073024 ----a-w- c:\windows\system32\SET35.tmp
    2010-02-26 05:43 . 2008-04-25 20:33 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-04-27 22:16 . 2010-05-17 23:01 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
    c:\program files\Battery Meter\btmeter .exe
    c:\program files\Dell\Media Experience\pcmagent .exe
    c:\program files\Dell\Media Experience\Kernel\CLML\clmlsvc .exe
    c:\program files\Dell Support Center\bin\sprtcmd .exe
    c:\program files\Elantech\etdctrl .exe
    c:\program files\McAfee.com\Agent\mcagent .exe
    c:\program files\McAfee.com\Agent\rundll32 .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\WSED\wsed .exe
    c:\program files\Zune\zunelauncher .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-08-19 01:15 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
    2008-12-11 17:46 177384 -c----w- c:\program files\Dell\PlayMovie\PMVService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=

    R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [11/4/2008 8:24 PM 14248]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/17/2010 6:01 PM 82952]
    R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
    R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/17/2010 6:00 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/17/2010 6:00 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/17/2010 6:01 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/17/2010 6:01 PM 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/17/2010 6:01 PM 55456]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/18/2009 8:18 PM 143840]
    R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [8/18/2009 10:42 PM 129024]
    R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/18/2009 10:42 PM 5088896]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/18/2009 10:42 PM 110080]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/17/2010 6:01 PM 312616]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/17/2010 6:01 PM 88480]
    R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [8/18/2009 10:42 PM 148056]
    R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [8/18/2009 10:42 PM 133472]
    R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [8/18/2009 10:42 PM 271328]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/18/2009 10:42 PM 157696]
    S2 0162601274137993mcinstcleanup;McAfee Application Installer Cleanup (0162601274137993);c:\windows\TEMP\016260~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\016260~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/18/2009 10:41 PM 1684736]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/17/2010 6:01 PM 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/17/2010 6:01 PM 83496]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-18 c:\windows\Tasks\shutdown.job
    - c:\windows\system32\shutdown.exe [2008-04-25 12:00]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.dell.com
    uInternet Connection Wizard,ShellNext = iexplore
    IE: En&queue current page with BID - file://c:\program files\Bulk Image Downloader\iemenu\iebidqueue.htm
    IE: Enqueue link tar&get with BID - file://c:\program files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
    IE: Open &link target with BID - file://c:\program files\Bulk Image Downloader\iemenu\iebidlink.htm
    IE: Open current page with BI&D - file://c:\program files\Bulk Image Downloader\iemenu\iebid.htm
    IE: Open current page with BID Link Explorer - file://c:\program files\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
    FF - ProfilePath - c:\documents and settings\Robb\Application Data\Mozilla\Firefox\Profiles\gsruqyvl.default\
    FF - prefs.js: browser.startup.homepage - hxxps://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver%3a4%7crt%3aSTANDARD%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName%7csid%3a3d8d8755-0f48-4204-8a8f-7bcc046d5ae1&offerId=newmail-en-us-v2&seamless=novl&xchk=false
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - HiddenExtension: XULRunner: {D4E37D92-CE5F-4651-B4F4-AC5D440F063C} - c:\documents and settings\Robb\Local Settings\Application Data\{D4E37D92-CE5F-4651-B4F4-AC5D440F063C}

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{7e214c1d-5fb4-4a80-aab4-ebccf5238b6c} - jevaziji.dll
    SharedTaskScheduler-{9d2a2d58-9fce-4af2-88ff-ea61bb3be1ae} - c:\windows\system32\tukuhegu.dll
    SharedTaskScheduler-{f408984f-3b8e-43ba-8319-4551f090240b} - c:\windows\system32\pamepusu.dll
    SSODL-duzorifov-{9d2a2d58-9fce-4af2-88ff-ea61bb3be1ae} - c:\windows\system32\tukuhegu.dll
    SSODL-wapigozah-{f408984f-3b8e-43ba-8319-4551f090240b} - c:\windows\system32\pamepusu.dll
    SafeBoot-klmdb.sys
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} - c:\program files\McAfee\SiteAdvisor\Uninstall.exe



    ************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-05-18 16:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86AC8AC8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf761af28
    \Driver\ACPI -> ACPI.sys @ 0xf74adcb8
    \Driver\atapi -> tsk5E.tmp @ 0xf7465852
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Dell Wireless 1397 WLAN Mini-Card -> SendCompleteHandler -> NDIS.sys @ 0xf72fdbb0
    PacketIndicateHandler -> NDIS.sys @ 0xf730aa21
    SendHandler -> NDIS.sys @ 0xf72e887b
    user & kernel MBR OK

    ************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
    "ImagePath"="system32\drivers\tsk5E.tmp"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(332)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

    - - - - - - - > 'explorer.exe'(1944)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\wscntfy.exe
    .
    ************************************************************************
    .
    Completion time: 2010-05-18 17:08:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-18 22:07

    Pre-Run: 151,364,902,912 bytes free
    Post-Run: 151,279,411,200 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - A1D8641F91721DC04FAFED7B782FC64F

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:09:20 PM, on 5/18/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Laptops, PCs, Desktop Computers, Monitors, Printers & PC Accessories | Dell UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100517180127.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: En&queue current page with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
    O8 - Extra context menu item: Enqueue link tar&get with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
    O8 - Extra context menu item: Open &link target with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
    O8 - Extra context menu item: Open current page with BI&D - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
    O8 - Extra context menu item: Open current page with BID Link Explorer - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: McAfee Application Installer Cleanup (0162601274137993) (0162601274137993mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\016260~1.EXE (file missing)
    O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7197 bytes


    thank you for helping
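The ComboFix and GMER output above carries three indicators worth recognising on sight: the atapi service's ImagePath pointing at system32\drivers\tsk5E.tmp instead of atapi.sys, the GMER hook line showing \Driver\atapi serviced by that same .tmp file, and legitimate programs listed with a space before ".exe". The following script is an added example (not part of this thread, and not code from ComboFix or GMER) that runs simple detection logic over log lines of this shape. The sample log is constructed from lines on this page, and the table of expected driver paths is an assumption made for the example.

```python
"""Triage helper for ComboFix / GMER style log text (added example).

Flags three indicators visible in the thread's logs:
  * a service ImagePath that points at a .tmp file, or at something other
    than the expected driver binary
  * a GMER "\\Driver\\xxx -> module" hook whose module is not a .sys driver
  * program files listed with a space before the extension ("name .exe")
"""
import re

# "[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]" followed by "ImagePath"="..."
SERVICE_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<svc>[^\]]+)\]$', re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"$', re.I)
# GMER hook line, e.g. "\Driver\atapi -> tsk5E.tmp @ 0xf7465852"
HOOK_RE = re.compile(r'^\\Driver\\(?P<drv>\S+)\s+->\s+(?P<module>\S+)\s+@\s+0x[0-9a-f]+$', re.I)
# Renamed program, e.g. "c:\program files\...\reader_sl .exe"
SPACED_EXT_RE = re.compile(r'^(?P<path>[a-z]:\\.+\S) \.(?P<ext>exe|dll|sys)$', re.I)

# Expected on-disk binary for a few boot-critical drivers (assumption for this example).
EXPECTED_DRIVER = {
    "atapi": r"system32\drivers\atapi.sys",
    "disk": r"system32\drivers\disk.sys",
    "acpi": r"system32\drivers\acpi.sys",
}


def triage(log_text):
    """Return a list of (kind, detail) findings for the given log text."""
    findings = []
    current_service = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_KEY_RE.match(line)
        if m:
            current_service = m.group("svc").lower()
            continue
        m = IMAGEPATH_RE.match(line)
        if m and current_service:
            path = m.group("path")
            expected = EXPECTED_DRIVER.get(current_service)
            if path.lower().endswith(".tmp"):
                findings.append(("imagepath_tmp", f"{current_service}: {path}"))
            elif expected and path.lower() != expected.lower():
                findings.append(("imagepath_unexpected",
                                 f"{current_service}: {path} (expected {expected})"))
            current_service = None
            continue
        m = HOOK_RE.match(line)
        if m and not m.group("module").lower().endswith(".sys"):
            findings.append(("driver_hook", f"{m.group('drv')} -> {m.group('module')}"))
            continue
        if SPACED_EXT_RE.match(line):
            findings.append(("renamed_binary", line))
    return findings


# Constructed sample, assembled from lines that appear in the thread's logs.
SAMPLE_LOG = r"""
\Driver\Disk -> CLASSPNP.SYS @ 0xf761af28
\Driver\ACPI -> ACPI.sys @ 0xf74adcb8
\Driver\atapi -> tsk5E.tmp @ 0xf7465852
user & kernel MBR OK

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\drivers\tsk5E.tmp"

c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

The hook and ImagePath checks are what tie the two tools' output together: GMER reports which module actually services \Driver\atapi, and the registry export shows why, so a log where both point at the same .tmp file is a stronger signal than either line alone.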

  4. #4
    broni is offline Senior Member
    Download GMER: GMER - Rootkit Detector and Remover, by clicking on the Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15281 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in the right pane.
    If still no joy, try to run it from Safe Mode.

    ===============================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Mkohaquz.bin
    c:\windows\Hsuzifum.dat
    c:\windows\system32\drivers\tsk5E.tmp
    c:\windows\system32\SET34.tmp
    c:\windows\system32\SET37.tmp
    c:\windows\system32\SET31.tmp
    c:\windows\system32\SET32.tmp
    c:\windows\system32\SET35.tmp
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\avG
    c:\documents and settings\All Users\Application Data\SGZKUKOKUD
    
    RenV::
    c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
    c:\program files\Battery Meter\btmeter .exe
    c:\program files\Dell\Media Experience\pcmagent .exe
    c:\program files\Dell\Media Experience\Kernel\CLML\clmlsvc .exe
    c:\program files\Dell Support Center\bin\sprtcmd .exe
    c:\program files\Elantech\etdctrl .exe
    c:\program files\McAfee.com\Agent\mcagent .exe
    c:\program files\McAfee.com\Agent\rundll32 .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\WSED\wsed .exe
    c:\program files\Zune\zunelauncher .exe
    
    
    Driver::
    0162601274137993mcinstcleanup
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
    "ImagePath"="system32\drivers\atapi.sys"
    
    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
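Before a CFScript like the one above is dropped onto ComboFix, it is worth reading back exactly what each "Section::" block will touch; in this case the Registry:: block puts the atapi ImagePath back to atapi.sys and the File:: block deletes the tsk5E.tmp it was hijacked to. The parser below is an added example, not ComboFix's own code and not from this thread: it splits a CFScript into its directive sections and pairs registry keys with their values so the plan can be reviewed. The one-line description of each directive is my reading of it, not documentation quoted on the page, and the sample script is a shortened, constructed copy of the one above.

```python
"""Parser for the ComboFix CFScript format (added example, not ComboFix's own code).

A CFScript is a sequence of "Name::" headers, each followed by the lines the
directive applies to, separated by blank lines.
"""
import re

SECTION_RE = re.compile(r'^(?P<name>[A-Za-z]+)::$')

# What each directive is assumed to do, for the review summary (assumption for this example).
DESCRIPTIONS = {
    "File": "delete file",
    "Folder": "delete folder",
    "RenV": "restore renamed program ('name .exe' -> 'name.exe')",
    "Driver": "remove driver/service entry",
    "Registry": "apply registry data",
    "RegLockDel": "delete locked registry key",
}


def parse_cfscript(text):
    """Return {section: [entry lines]} in the order the sections appear."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def registry_values(sections):
    """Pair each [key] in the Registry:: section with the "name"="value" lines under it."""
    result = {}
    key = None
    for line in sections.get("Registry", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key is not None and "=" in line:
            name, _, value = line.partition("=")
            result[key][name.strip('"')] = value.strip('"')
    return result


def summarize(sections):
    """One human-readable line per planned action."""
    out = []
    for name, entries in sections.items():
        desc = DESCRIPTIONS.get(name, "unknown directive")
        for entry in entries:
            out.append(f"{name:10s} {desc}: {entry}")
    return out


# Constructed sample: a shortened copy of the script posted above.
SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\drivers\tsk5E.tmp
c:\windows\system32\SET34.tmp

Folder::
c:\documents and settings\All Users\Application Data\SGZKUKOKUD

RenV::
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\McAfee.com\Agent\mcagent .exe

Driver::
0162601274137993mcinstcleanup

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\drivers\atapi.sys"

RegLockDel::
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for line in summarize(parsed):
        print(line)
    print(registry_values(parsed))
```

Running it over the full script from the post shows at a glance that every RenV:: entry is a program the rogue renamed, that the only driver being touched is the leftover McAfee cleanup service, and that the one registry write is the atapi ImagePath restore.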

  5. #5
    wingman23 is offline Newbie
    I downloaded GMER and ran a scan; it has been stuck at /svyfhri for quite some time. Not sure what I should do.

  6. #6
    broni is offline Senior Member
    If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in the right pane.
    If still no joy, try to run it from Safe Mode.
    ...

  7. #7
    wingman23 is offline Newbie
    Just wanted to update: GMER has been running since last night around 8 CST. It's still running, so I haven't given up and will post logs when it finishes.

  8. #8
    broni is offline Senior Member
    Thank you for letting me know

  9. #9
    wingman23 is offline Newbie
    OK, I'm officially stumped... GMER ran with the Devices box unchecked in Normal Mode from 8 pm CST Tuesday night, all day yesterday, and was still going today (Thursday) when Windows crashed, around 12 pm CST. I've tried running it in Safe Mode, but there are no Scan or Save buttons; all I get is OK and Cancel. Is there something I'm missing? Anything else I can try to get it to work?

  10. #10
    broni is offline Senior Member
    Skip GMER for now.
    Please, continue with my Combofix script.
