Trojan.dnschanger Taken Over Pc - Cannot Update Anything![RESOLVED]

rswox · January 21, 2009

Hi,

I have encountered a problem with my PC that I just cannot resolve after nearly 4, soul searching, days. Whenever I try to run IE7, it either crashes or does not run at all. All Google searches are redirected to anything but what I want. This is especially noticable if I try to navigate (either from Google or entering the address straight into the address bar) to 'Malwarebytes'. BT Yahoo runs (posting this from there) however I cannot navigate to any 'Malwarbytes' sites once again.

I also cannot get PC Tools 'Spyware Doctor' to update. I simply get a message saying that it is unavailable at the moment and to try again later - There is no Firewall stopping this service - access is allowed. Whenever I run MABM, it always picks up that I have an infection from the 'Trojan.DNSChanger', removes the item, however, when I then re-boot my PC and run MABM again it picks up the infection once again! The file reference on my PC for this is:

C:\WINDOWS\system32\gaopdxctqrsnom.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

However, this file does not exist in that form (hidden files shown in explorer) at all. It does not even show up on a complete C: Drive search.

I have run MABM and McAfee AV several (full and quick scans) times but cannot get rid of this infection, it just re-creates itself again once removed. Both these programs are fully up to date.

Any help would be most appreciated as I am at my wits end with this. Thank you.

I have completed all the pre-post directions as required.

My Hijack this log is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:03:37, on 21/01/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Spyware Doctor New\pctsTray.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\Program Files\Spyware Doctor New\pctsAuxs.exe

C:\Program Files\Spyware Doctor New\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\WINDOWS\system32\dllhost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program Files\FlashGet\getflash.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor New\pctsTray.exe"

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"

O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230402189703

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: acaptuser32.dll qmwekq.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: IntelÂ® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor New\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor New\pctsSvc.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 15544 bytes

My MABM Log is (which identifies the 'invisible file'):

Malwarebytes' Anti-Malware 1.33

Database version: 1673

Windows 5.1.2600 Service Pack 3

21/01/2009 12:51:00

mbam-log-2009-01-21 (12-51-00).txt

Scan type: Quick Scan

Objects scanned: 61314

Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\gaopdxctqrsnom.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Many thanks in advance for any help given!!

Rorschach112 · January 22, 2009

hello

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

rswox · January 22, 2009

Hi,

Many thanks for your prompt reply!!

I've now run Combofix and the following is the log file it created:

ComboFix 09-01-21.04 - HP_Administrator 2009-01-22 16:30:34.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1590 [GMT 0:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *enabled*

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\mcc23.tmp

c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\mcc241.tmp

c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\mcc2DB.tmp

c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\mcc6F.tmp

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\drivers\gaopdxgrquvjmm.sys

c:\windows\system32\gaopdxctqrsnom.dll

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Ole32drv.DLL

c:\windows\system32\SrchSTS.exe

D:\resycled

d:\resycled\ntldr.com

E:\resycled

e:\resycled\ntldr.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gaopdxserv.sys

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))

.

2009-01-21 12:35 . 2009-01-21 12:36 <DIR> d-------- C:\unzipped

2009-01-20 17:26 . 2009-01-21 21:30 <DIR> d-------- c:\program files\Spyware Doctor New

2009-01-20 17:26 . 2009-01-20 17:26 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\PC Tools

2009-01-20 17:26 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys

2009-01-20 17:26 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys

2009-01-20 17:26 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys

2009-01-20 17:26 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

2009-01-20 13:01 . 2009-01-20 13:01 112 --a------ c:\windows\system\hpsysdrv.DAT

2009-01-20 11:44 . 2009-01-20 11:44 <DIR> d-------- c:\program files\Trend Micro

2009-01-19 20:17 . 2009-01-19 20:17 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Yahoo!

2009-01-17 08:13 . 2009-01-17 08:13 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\TomTom

2009-01-17 08:12 . 2009-01-17 08:12 <DIR> d-------- c:\program files\TomTom HOME 2

2009-01-13 10:42 . 2009-01-13 10:42 <DIR> d-------- c:\windows\system32\XPSViewer

2009-01-13 10:42 . 2009-01-13 10:42 <DIR> d-------- c:\program files\Reference Assemblies

2009-01-13 10:42 . 2009-01-13 10:42 <DIR> d-------- c:\program files\MSBuild

2009-01-13 10:42 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll

2009-01-09 12:27 . 2009-01-09 12:37 99 --a------ c:\windows\ParrotFlashWiz.INI

2009-01-09 12:17 . 2009-01-09 12:24 <DIR> d-------- c:\program files\Parrot Software Update Tool

2009-01-08 07:27 . 2009-01-08 07:27 391 --a------ c:\windows\COVERE~1.INI

2009-01-07 18:52 . 2009-01-07 18:52 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\EPSON

2009-01-06 16:54 . 2009-01-06 16:54 <DIR> d-------- c:\program files\Common Files\Motive

2009-01-06 16:54 . 2009-01-06 16:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive

2009-01-05 19:39 . 2009-01-05 19:39 <DIR> d-------- c:\documents and settings\Dave

2009-01-03 17:21 . 2009-01-03 17:21 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\blg

2009-01-03 17:21 . 2009-01-03 17:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\blg

2009-01-03 16:44 . 2009-01-03 16:44 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Blackberry Desktop

2009-01-03 16:41 . 2009-01-03 16:41 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Research In Motion

2009-01-03 16:41 . 2009-01-10 11:57 256 --a------ c:\windows\system32\pool.bin

2009-01-03 08:24 . 2009-01-03 08:24 <DIR> d-------- c:\windows\Sun

2009-01-03 08:03 . 2009-01-03 08:03 268 --ah----- C:\sqmdata19.sqm

2009-01-03 08:03 . 2009-01-03 08:03 244 --ah----- C:\sqmnoopt19.sqm

2009-01-02 20:16 . 2009-01-02 20:16 268 --ah----- C:\sqmdata18.sqm

2009-01-02 20:16 . 2009-01-02 20:16 244 --ah----- C:\sqmnoopt18.sqm

2009-01-02 09:45 . 2009-01-02 09:45 268 --ah----- C:\sqmdata17.sqm

2009-01-02 09:45 . 2009-01-02 09:45 244 --ah----- C:\sqmnoopt17.sqm

2009-01-01 17:19 . 2009-01-01 17:19 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Fabulous Finds

2009-01-01 17:12 . 2009-01-01 17:12 268 --ah----- C:\sqmdata16.sqm

2009-01-01 17:12 . 2009-01-01 17:12 244 --ah----- C:\sqmnoopt16.sqm

2009-01-01 12:04 . 2009-01-01 12:04 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\GlobalSCAPE

2009-01-01 11:46 . 2009-01-21 19:27 40 --a------ c:\windows\iltwain.ini

2009-01-01 11:43 . 2009-01-09 07:17 <DIR> d-------- c:\program files\EzGenerator3

2009-01-01 11:25 . 2009-01-01 11:25 268 --ah----- C:\sqmdata15.sqm

2009-01-01 11:25 . 2009-01-01 11:25 244 --ah----- C:\sqmnoopt15.sqm

2009-01-01 10:45 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll

2009-01-01 10:43 . 2009-01-01 10:43 <DIR> d-------- c:\windows\Logs

2009-01-01 10:36 . 2009-01-01 10:38 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Jetsetter

2009-01-01 10:25 . 2009-01-01 10:25 268 --ah----- C:\sqmdata14.sqm

2009-01-01 10:25 . 2009-01-01 10:25 244 --ah----- C:\sqmnoopt14.sqm

2009-01-01 09:50 . 2009-01-01 09:50 268 --ah----- C:\sqmdata13.sqm

2009-01-01 09:50 . 2009-01-01 09:50 244 --ah----- C:\sqmnoopt13.sqm

2008-12-31 09:19 . 2008-12-31 09:19 <DIR> d-------- c:\program files\Webshots

2008-12-31 09:19 . 2008-12-31 09:19 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Webshots

2008-12-31 08:54 . 2008-12-31 08:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems

2008-12-31 08:53 . 2008-12-31 08:53 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared

2008-12-31 08:13 . 2008-12-31 08:13 268 --ah----- C:\sqmdata12.sqm

2008-12-31 08:13 . 2008-12-31 08:13 244 --ah----- C:\sqmnoopt12.sqm

2008-12-30 10:28 . 2008-12-30 10:28 <DIR> d-------- c:\program files\SmartSound Software

2008-12-30 10:28 . 2008-12-30 10:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SmartSound Software Inc

2008-12-30 10:27 . 2008-12-30 10:28 <DIR> d-------- c:\program files\QuickTime

2008-12-30 10:27 . 2008-12-30 10:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2008-12-30 08:49 . 2008-12-30 08:49 268 --ah----- C:\sqmdata11.sqm

2008-12-30 08:49 . 2008-12-30 08:49 244 --ah----- C:\sqmnoopt11.sqm

2008-12-30 08:45 . 2008-12-30 08:45 <DIR> d-------- c:\documents and settings\LocalService\Application Data\DivX

2008-12-29 17:59 . 2008-12-29 17:59 <DIR> d-------- c:\program files\K-Lite Codec Pack

2008-12-29 16:48 . 2008-12-29 16:48 268 --ah----- C:\sqmdata10.sqm

2008-12-29 16:48 . 2008-12-29 16:48 244 --ah----- C:\sqmnoopt10.sqm

2008-12-29 16:15 . 2008-12-29 16:15 268 --ah----- C:\sqmdata09.sqm

2008-12-29 16:15 . 2008-12-29 16:15 244 --ah----- C:\sqmnoopt09.sqm

2008-12-29 11:46 . 2008-12-29 11:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2008-12-29 11:44 . 2009-01-06 16:56 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Motive

2008-12-29 11:37 . 2009-01-06 16:55 <DIR> d-------- c:\program files\BT Broadband Desktop Help

2008-12-29 11:21 . 2008-12-29 11:36 <DIR> d-------- c:\program files\BT Home Hub

2008-12-29 10:58 . 2008-12-29 10:58 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2008-12-29 10:58 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-29 10:58 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-29 10:57 . 2009-01-20 12:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-29 10:57 . 2008-12-29 10:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-29 10:42 . 2004-10-25 15:18 131,072 --a------ c:\windows\system32\ypclsp.dll

2008-12-29 10:42 . 2003-05-19 16:07 86,016 --a------ c:\windows\system32\YPcservice.exe

2008-12-29 10:41 . 2002-02-21 17:56 24,576 --a------ c:\windows\system32\msxml3a.dll

2008-12-29 10:40 . 2009-01-19 20:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\yahoo!

2008-12-29 10:39 . 2008-12-29 11:38 <DIR> d-------- c:\windows\Motive

2008-12-29 10:39 . 2008-12-29 11:22 <DIR> d-------- c:\program files\Yahoo!

2008-12-29 10:39 . 2002-01-05 05:18 84,992 --a------ c:\windows\system32\ATL70.DLL

2008-12-29 10:39 . 2001-10-11 10:26 65,536 --a------ c:\windows\system32\YCRWin32.dll

2008-12-29 10:37 . 2008-12-29 10:37 <DIR> d-------- c:\program files\BT Yahoo!

2008-12-29 10:29 . 2008-12-29 10:29 268 --ah----- C:\sqmdata08.sqm

2008-12-29 10:29 . 2008-12-29 10:29 244 --ah----- C:\sqmnoopt08.sqm

2008-12-29 10:20 . 2008-12-29 10:20 268 --ah----- C:\sqmdata07.sqm

2008-12-29 10:20 . 2008-12-29 10:20 244 --ah----- C:\sqmnoopt07.sqm

2008-12-29 09:06 . 2008-12-29 09:06 268 --ah----- C:\sqmdata06.sqm

2008-12-29 09:06 . 2008-12-29 09:06 244 --ah----- C:\sqmnoopt06.sqm

2008-12-29 08:56 . 2009-01-06 16:50 268 --ah----- C:\sqmdata05.sqm

2008-12-29 08:56 . 2009-01-06 16:50 244 --ah----- C:\sqmnoopt05.sqm

2008-12-28 18:50 . 2009-01-22 16:37 10,699 --a------ c:\windows\system32\Config.MPF

2008-12-28 18:48 . 2008-08-26 14:35 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys

2008-12-28 18:48 . 2008-10-20 20:51 79,272 --a------ c:\windows\system32\drivers\mfeavfk.sys

2008-12-28 18:48 . 2008-10-20 20:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys

2008-12-28 18:48 . 2008-10-20 20:51 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys

2008-12-28 18:47 . 2008-12-28 18:47 <DIR> d-------- c:\program files\McAfee.com

2008-12-28 18:47 . 2009-01-14 08:07 <DIR> d-------- c:\program files\McAfee

2008-12-28 18:47 . 2008-12-28 18:48 <DIR> d-------- c:\program files\Common Files\McAfee

2008-12-28 18:44 . 2008-10-20 20:51 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys

2008-12-28 18:41 . 2009-01-06 12:09 268 --ah----- C:\sqmdata04.sqm

2008-12-28 18:41 . 2009-01-06 12:09 244 --ah----- C:\sqmnoopt04.sqm

2008-12-28 17:25 . 2008-12-28 17:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant

2008-12-28 17:25 . 2008-12-28 17:25 227 --a------ c:\windows\HP_CounterReport_Update_HPSU.ini

2008-12-28 16:21 . 2008-12-28 16:21 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\WinBatch

2008-12-28 16:15 . 2009-01-05 15:57 268 --ah----- C:\sqmdata03.sqm

2008-12-28 16:15 . 2009-01-05 15:57 244 --ah----- C:\sqmnoopt03.sqm

2008-12-28 11:34 . 2009-01-21 21:03 69 --a------ c:\windows\NeroDigital.ini

2008-12-28 11:28 . 2008-12-28 11:28 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\CyberLink

2008-12-28 11:27 . 2008-12-28 11:27 <DIR> d-------- c:\program files\Digital Photo Navigator 1.5

2008-12-28 11:23 . 2008-12-28 11:27 <DIR> d-------- c:\program files\CyberLink

2008-12-28 11:12 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2008-12-28 11:12 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2008-12-28 08:53 . 2009-01-20 17:20 <DIR> d-------- c:\program files\Spyware Doctor

2008-12-28 08:50 . 2009-01-05 12:56 268 --ah----- C:\sqmdata02.sqm

2008-12-28 08:50 . 2009-01-05 12:56 244 --ah----- C:\sqmnoopt02.sqm

2008-12-27 21:12 . 2009-01-20 17:26 <DIR> dr------- C:\Program Files

2008-12-27 21:11 . 2009-01-17 19:03 <DIR> dr------- c:\documents and settings\All Users\Documents

2008-12-27 21:07 . 2009-01-14 12:53 <DIR> dr-hs---- c:\windows\system32\dllcache

2008-12-27 19:39 . 2009-01-04 08:02 268 --ah----- C:\sqmdata01.sqm

2008-12-27 19:39 . 2009-01-04 08:02 244 --ah----- C:\sqmnoopt01.sqm

2008-12-27 19:30 . 2009-01-03 16:16 268 --ah----- C:\sqmdata00.sqm

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-01 12:04 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-30 09:53 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink

2008-12-29 11:20 --------- d-----w c:\program files\PC-Doctor 5 for Windows

2008-12-29 11:20 --------- d-----w c:\program files\Hewlett-Packard

2008-12-28 17:27 --------- d-----w c:\program files\HP

2008-12-27 17:29 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic

2008-12-27 16:53 --------- d-----w c:\program files\Java

2008-12-27 15:48 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-12-27 15:48 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-31 2478080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-14 7557120]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-11-26 645328]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]

"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

"nwiz"="nwiz.exe" [2006-02-14 c:\windows\system32\nwiz.exe]

"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-06-09 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-12-31 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]

--a------ 2006-01-12 20:52 483328 d:\program files\Adobe\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2005-08-05 19:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]

--------- 2007-11-01 17:13 151552 c:\program files\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2007-05-08 16:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]

--a------ 2005-06-02 06:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-09 18:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

--a------ 2008-06-08 12:24 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-12-27 16:54 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

--a------ 2008-12-09 10:12 234856 c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"d:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=

"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2006-06-09 2831232]

R3 libusb0;LibUsb-Win32 - Kernel Driver 24/09/2008, 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [2008-09-24 28672]

R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-06-09 468768]

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-28 206096]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor New\pctsAuxs.exe [2009-01-20 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f57629ec-d435-11dd-bb1e-001731f79383}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com l:

\Shell\Open\command - l:\resycled\ntldr.com l:

.

Contents of the 'Scheduled Tasks' folder

2008-12-28 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-20 07:13]

2008-12-28 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-20 07:13]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-eyeBeam SIP Client - c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.bt.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=63&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyOverride = 127.0.0.1

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: &Download All with FlashGet - d:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - d:\program files\FlashGet\jc_link.htm

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - d:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 16:37:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\windows\system32\rundll32.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

c:\progra~1\Webshots\Webshots.scr

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

c:\hp\KBD\kbd.exe

c:\program files\Java\jre1.5.0_05\bin\jusched.exe

c:\windows\system32\dllhost.exe

c:\program files\McAfee\MPF\MpfSrv.exe

.

**************************************************************************

.

Completion time: 2009-01-22 16:39:35 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-22 16:39:31

Pre-Run: 173,650,264,064 bytes free

Post-Run: 173,529,587,712 bytes free

338 --- E O F --- 2009-01-14 12:54:02

Any further help is most appreciated,

Regards,

Rorschach112 · January 22, 2009

hello

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from

>here< and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Please download the OTMoveIt3 by OldTimer

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Services

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f57629ec-d435-11dd-bb1e-001731f79383}]

:Files

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

rswox · January 22, 2009

Rorschach112,

I have now completed the requested steps. The following are the requested log file entries:

OTMoveIt3.exe

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f57629ec-d435-11dd-bb1e-001731f79383}\\ deleted successfully.

========== FILES ==========

========== COMMANDS ==========

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\mcmsc_r1aBDxL6yzkqYRu scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1ac.dat scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\sqlite_35dCoAjW6oA6lYb scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\sqlite_xQlbIlzsZdfo4Bu scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\sqlite_YrZd7rQVPBn8kuy scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\WFV9.tmp scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01222009_171700

Files moved on Reboot...

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.

File C:\WINDOWS\temp\mcmsc_r1aBDxL6yzkqYRu not found!

File C:\WINDOWS\temp\Perflib_Perfdata_1ac.dat not found!

C:\WINDOWS\temp\sqlite_35dCoAjW6oA6lYb moved successfully.

C:\WINDOWS\temp\sqlite_xQlbIlzsZdfo4Bu moved successfully.

C:\WINDOWS\temp\sqlite_YrZd7rQVPBn8kuy moved successfully.

File C:\WINDOWS\temp\WFV9.tmp not found!

gmer.exe

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-22 17:28:11

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAAA5F2BA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAAA5F351]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAAA5F268]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAAA5F27C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAAA5F365]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAAA5F391]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAAA5F3FF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAAA5F3E9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAAA5F2FA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAAA5F42B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAAA5F33D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAAA5F240]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAAA5F254]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAAA5F2CE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAAA5F467]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAAA5F3D3]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAAA5F3BD]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAAA5F37B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAAA5F453]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAAA5F43F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAAA5F2A6]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAAA5F292]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAAA5F3A7]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAAA5F329]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAAA5F415]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAAA5F310]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAAA5F2E4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ELkbd.sys (Intel Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ELkbd.sys (Intel Corporation)

---- EOF - GMER 1.0.14 ----

No possible rootkit activity messages came up.

Thanks in advance,

Rorschach112 · January 22, 2009

looking good

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

rswox · January 22, 2009

Rorschach112,

Sorry for the delay, the scan took 2 1/2 hours!

My MBAM report is:

Malwarebytes' Anti-Malware 1.33

Database version: 1679

Windows 5.1.2600 Service Pack 3

22/01/2009 17:46:14

mbam-log-2009-01-22 (17-46-14).txt

Scan type: Quick Scan

Objects scanned: 61280

Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

My Kaspersky saved scan log is:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, January 22, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Thursday, January 22, 2009 17:28:07

Records in database: 1668742

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

K:\

N:\

Scan statistics:

Files scanned: 142701

Threat name: 6

Infected objects: 8

Suspicious objects: 0

Duration of the scan: 02:30:42

File name / Threat name / Threats count

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Net-Worm.Win32.Mytob.be 1

C:\Program Files\EasyBits\KidsReady\Setup.exe Infected: Trojan.Win32.KillWin.iy 1

C:\Program Files\Online Services\BTYahoo\HPPre05.msi Infected: not-a-virus:Dialer.Win32.BT.g 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\gaopdxctqrsnom.dll.vir Infected: Trojan-PSW.Win32.Agent.lqj 1

C:\WINDOWS\Motive\btbb\UninstallHelper.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1

D:\Settings Backup\full271208.pst Infected: Net-Worm.Win32.Mytob.be 1

D:\Settings Backup\inbox271208.pst Infected: Net-Worm.Win32.Mytob.be 1

E:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP0\A0000022.com Infected: Packed.Win32.Tdss.a 1

The selected area was scanned.

Thanks again,

Rorschach112 · January 22, 2009

hello

Please download the OTMoveIt3 by OldTimer

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Services

:Reg

:Files
C:\Program Files\EasyBits\KidsReady\Setup.exe
C:\Program Files\Online Services\BTYahoo\HPPre05.msi
C:\WINDOWS\Motive\btbb\UninstallHelper.exe


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Also post a new HJT log

rswox · January 23, 2009

Rorschach112,

My MoveIt Log is:

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\Program Files\EasyBits\KidsReady\Setup.exe moved successfully.

C:\Program Files\Online Services\BTYahoo\HPPre05.msi moved successfully.

C:\WINDOWS\Motive\btbb\UninstallHelper.exe moved successfully.

========== COMMANDS ==========

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\mcafee_AyU8agiwVc7EMZm scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mcmsc_APwzQLyKaZF27c4 scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mcmsc_m9ZVjvXFwejyt82 scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mcmsc_Qb6nD8DxgHiEzDU scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_220.dat scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\sqlite_FPWyjNCDVE0EKci scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\sqlite_kOdnt0gySCdbuXQ scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\WFV3E.tmp scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01232009_070811

Files moved on Reboot...

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File C:\WINDOWS\temp\mcafee_AyU8agiwVc7EMZm not found!

File C:\WINDOWS\temp\mcmsc_APwzQLyKaZF27c4 not found!

File C:\WINDOWS\temp\mcmsc_m9ZVjvXFwejyt82 not found!

File C:\WINDOWS\temp\mcmsc_Qb6nD8DxgHiEzDU not found!

File C:\WINDOWS\temp\Perflib_Perfdata_220.dat not found!

C:\WINDOWS\temp\sqlite_FPWyjNCDVE0EKci moved successfully.

C:\WINDOWS\temp\sqlite_kOdnt0gySCdbuXQ moved successfully.

File C:\WINDOWS\temp\WFV3E.tmp not found!

My HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:14:52, on 23/01/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

C:\Program Files\Spyware Doctor New\pctsAuxs.exe

C:\Program Files\Spyware Doctor New\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Spyware Doctor New\pctsTray.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dllhost.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896