Here are the most recent developments. I reformatted the 20GB drive and made a second installation of XP. Booting to that installation, I was able to see seneka* filenames on the other drive, which I deleted. (Interestingly, having partitioned the reformatted drive and directed the installer to partition 2, when I returned after being called away I found it had adopted partition 1 of the clean drive as system root. I'd done the same just a few days before - partitioned and installed - but in that instance the system root remained on the drive with the old installation.) Also, I got rid of the orphaned BHOs listed in the DDS report in my previous post.
Some things have improved. The mysterious appearance in Task Manager of CPU-hogging processes seems to have ceased, as also their requests for Internet access. There do still occur, however, what appear to me anomalous spikes in CPU and network usage.
The problem at Google was that, if I moved the mouse pointer over a link while a search-returns page was loading, I would see its correct Web address in the status bar, but as soon as the search-returns page had loaded the status bar would display "Looking up v1.adwarefeed.com", after which mouseovers of links on the page would no longer display addresses, only the word "Done". Clicking on a link then would yield a completely different site than that in the search return list.
This redirection seems no longer to be happening, but I continue to see the status bar message about looking for v1.adwarefeed.com and page-wait time has increased by a multiple of at least four. In the same sluggish vein, shutdown time has greatly increased and now includes a new "Closing Network Connections" message that I've never seen before.
The graphical and mouse anomalies continue.
Also, ComboFix was not able to make a Restore Point (at least so far as I can see). System Restore has not been working for at least the last couple of weeks. I don't know why not.
ComboFix 09-04-04.01 - Dee Huston 2009-04-10 2:51:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.299 [GMT -7:00]
Running from: c:\documents and settings\Dee Huston\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\mdm.exe
----- BITS: Possible infected sites -----
hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.
2009-04-08 23:04 . 2009-04-08 23:04 <DIR> d-------- C:\Intel
2009-04-08 23:00 . 2005-01-23 14:30 163,840 --a------ c:\windows\system32\igfxres.dll
2009-04-07 23:17 . 2009-04-10 03:03 2,148 --a------ c:\windows\system32\wpa.dbl
2009-04-07 02:18 . 2009-04-07 02:18 310 --a------ C:\boot.in_
2009-04-06 04:27 . 2009-04-06 08:12 66 --a------ c:\windows\wininit.ini
2009-04-06 02:06 . 2009-04-06 02:06 0 --a------ C:\CEPxAC83.tmp
2009-04-06 00:58 . 2009-04-06 00:59 <DIR> d-------- c:\program files\Neuber TaskMan
2009-04-05 00:59 . 2009-04-09 14:29 <DIR> d-------- C:\_virus-related
2009-04-04 23:52 . 2009-04-04 23:52 229,584 --a------ C:\boot.ini - vlaurie.com^computers2^Articles^bootini.htm.pdf
2009-04-04 23:42 . 2009-04-04 23:42 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AdobeUM
2009-04-03 23:15 . 2009-04-03 23:15 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-04-03 12:05 . 2009-04-03 12:05 <DIR> d-------- c:\program files\WD
2009-04-03 12:05 . 2009-04-03 12:05 <DIR> d-------- c:\program files\Common Files\eSellerate
2009-04-03 12:05 . 2009-04-03 12:05 <DIR> d-------- c:\documents and settings\Dee Huston\Application Data\WD
2009-04-03 12:05 . 2009-04-03 12:05 <DIR> d---s---- c:\documents and settings\All Users\Application Data\WD
2009-04-03 11:49 . 2009-04-03 11:49 <DIR> d-------- c:\program files\Western Digital
2009-04-02 16:07 . 2009-04-02 16:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Dell
2009-04-02 15:13 . 2009-04-02 15:13 <DIR> d-------- c:\windows\system32\FxsTmp
2009-04-01 16:54 . 2009-04-01 16:54 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\McAfee.com Personal Firewall
2009-04-01 14:45 . 2009-04-10 03:03 37,152 --a------ c:\windows\system32\Status.MPF
2009-03-23 13:01 . 2009-03-23 13:01 <DIR> d-------- c:\documents and settings\Dee Huston\Application Data\STOIK
2009-03-21 02:48 . 2009-03-22 06:01 <DIR> d-------- c:\program files\AVS4YOU
2009-03-21 02:48 . 2009-03-21 02:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-03-21 02:38 . 2009-03-21 02:43 <DIR> d-------- c:\program files\mp3DirectCut
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 16:43 --------- d-----w c:\program files\TextPad
2009-04-06 09:05 --------- d-----w c:\program files\Sonique
2009-04-03 19:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-03 19:00 --------- d-----w c:\program files\Google
2009-04-03 18:45 --------- d-----w c:\program files\Thunderbird2
2009-04-03 02:38 --------- d-----w c:\program files\Paint Shop Pro 5
2009-04-03 01:56 --------- d-----w c:\program files\QuickTime
2009-04-02 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-02 23:03 --------- d-----w c:\program files\Audacity1.2.4
2009-04-02 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-02 20:52 --------- d-----w c:\program files\GlaryUtilities
2009-04-01 20:16 --------- d-----w c:\program files\Windows Desktop Search
2009-03-22 13:21 --------- d-----w c:\program files\VLC9.6
2009-03-22 13:01 --------- d-----w c:\program files\Common Files\AVSMedia
2009-03-21 09:48 --------- d-----w c:\documents and settings\Dee Huston\Application Data\AVS4YOU
2009-03-05 14:54 --------- d-----w c:\program files\Intel
2009-03-05 14:54 --------- d-----w c:\program files\Canon
2009-03-05 10:46 --------- d-----w c:\program files\IrfanView3.61
2009-03-05 10:21 --------- d-----w c:\documents and settings\Dee Huston\Application Data\GlarySoft
2009-03-01 05:54 --------- d-----w c:\program files\IrfanView4.20
2009-02-25 11:35 --------- d-----w c:\program files\CyberLink
2009-02-22 11:48 --------- d-----w c:\program files\RAR Extract Frog
2009-02-17 16:49 --------- d-----w c:\program files\Opera9
2009-02-16 10:15 --------- d-----w c:\documents and settings\Dee Huston\Application Data\vlc
2009-02-16 08:43 --------- d-----w c:\program files\IrfanView4.23
2008-11-13 20:20 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-13 20:20 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-13 20:20 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-13 20:20 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-13 20:20 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MPFEXE"="c:\program files\McAfee.com\Personal Firewall\MPFTray.exe" [2005-11-11 1005096]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Dee Huston^Start Menu^Programs^Startup^Shortcut to taskman.exe.lnk]
backup=c:\windows\pss\Shortcut to taskman.exe.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPage
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QUAD Scheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QUAD Windows service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinProx32_1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-09-13 18:50 1603152 c:\program files\Canon\MyPrinter\BJMYPRT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 21:57 395776 c:\program files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-01-23 14:31 126976 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-01-23 14:36 155648 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\progra~1\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 c:\progra~1\McAfee.com\Agent\mcupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFEXE]
--a------ 2005-11-11 17:00 1005096 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2004-08-04 03:00 158208 c:\windows\pchealth\helpctr\binaries\msconfig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-06 19:23 26112 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoniqueQuickStart]
--a------ 1999-10-08 22:13 46432 c:\progra~1\Sonique\sqstart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 17:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 15:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2003-07-14 10:52 40960 c:\windows\ltmsg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"NetSvc"=2 (0x2)
"MemeoBackgroundService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McDetect.exe"=3 (0x3)
"IDriverT"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2008-05-23 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2008-05-23 17540]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [2008-07-09 76260]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [2008-07-10 25824]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a3c99e9-2e03-11dc-aeda-d55ec796d40b}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-04-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\GlaryUtilities\initialize.exe [2009-02-12 17:10]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
FF - ProfilePath - c:\documents and settings\Dee Huston\Application Data\Mozilla\Firefox\Profiles\ek174873.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
.
------- File Associations -------
.
regfile\shell\edit\command="c:\program files\TextPad\TXTPAD32.EXE" "%1"
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-10 03:03:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MPFEXE = "c:\program files\McAfee.com\Personal Firewall\MPFTray.exe"?????????????????????????????????????????????????
??????????????????????????????????????????????????????????????????????
??????????????????????????????????????????????????????????????????????
???????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\snmptrap.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2009-04-10 3:05:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 10:05:09
Pre-Run: 66,805,878,784 bytes free
Post-Run: 66,758,578,176 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(2)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="testbed" /noexecute=optin /fastdetect /noguiboot /sos
225