#1 (permalink) |
Registered User
Join Date: Jul 2008
Posts: 11
OS: Windows XP
Multiple pop-ups, slowdown, hard drive hidden, Task Manager blocked, IE hijacked
Hi,

I hope someone can help and many many thanks in advance. I'm running XP.

The symptoms: Performance extremely hampered, often to the point of virtual gridlock. Constant pop-ups (chiefly to a fake Antivirus 2008 site). VIRUS ALERT! displayed at bottom right in place of the clock. Desktop internet shortcuts to various other bogus software. IE is constantly hijacked - I can just about do a Yahoo!/Google search, but clicking on a link redirects me to junk sites (including pharmacy/'meet-a-friend' types). It also displays a toolbar which is named as random letters (which change). IE loads a bogus anti-spyware site as its default homepage now. C & D drives are hidden and inaccessible unless in Safe Mode. Ditto for Registry Editor and Task Manager.

As for the 5 steps, I couldn't find anything suspect in Add/Remove Programs. The Panda scan couldn't be done - it kept telling me to click the yellow bar to accept the ActiveX download, but the yellow bar would not display. Almost as if this bug is actively resisting any attempts to stop it. Step 3 seemed okay. I couldn't update my OS because of the bug hijacking IE. Normally I thought my laptop did this automatically - and an automatic update warning keeps flashing now, however when I click to activate it there is an error and it isn't completed.

Because of the IE problems I'm having to transfer any suggested downloads from my dad's laptop by using my iPod as a USB device. Combined with the performance issues this is becoming extremely hard work. HijackThis was transferred in this way but clicking on the install icon is unresponsive - nothing happens. The DSS log would only run in Safe Mode, which is here:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-13 15:05:40
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-13 15:05:47
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {5472D353-F204-4640-8578-D20519F48AF5} - C:\WINDOWS\system32\jkkKbATk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7a1b56c1-91a7-4f7e-8ab5-6cf7c0232139} - C:\WINDOWS\system32\atljoj.dll
O2 - BHO: QXK Olive - {B364AADE-53FA-4779-8643-D833B8969F10} - C:\WINDOWS\wbxdpgfedxa.dll
O2 - BHO: (no name) - {F8AC36D7-F602-4B69-99B5-2A812E05779F} - C:\WINDOWS\system32\urqRIApO.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: sqvgnrpx - {88BD6C7F-49B8-4873-AF65-38706E659377} - C:\WINDOWS\sqvgnrpx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\obukiwhf.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'C:\Program Files\NewDotNet\newdotnet7_22.dll' missing
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_4.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} () - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O20 - Winlogon Notify: urqRIApO - C:\WINDOWS\system32\urqRIApO.dll
O21 - SSODL: fsrpknov - {4027FA85-5D87-4C1C-A07B-B06E154D00CA} - C:\WINDOWS\fsrpknov.dll
O21 - SSODL: fdxbameg - {6FF46CCE-1D62-4175-ADBA-DF2A3BCA609B} - C:\WINDOWS\fdxbameg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Chris\LOCALS~1\Temp\hpdj.exe -servicerunning=true -uninstall=hp deskjet 5100 series -product=
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 9656 bytes

-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2008-08-26 16:48:13 0 d-------- C:\Program Files\iPod
2008-08-26 16:46:25 0 d-------- C:\Program Files\QuickTime
2008-07-25 20:50:42 0 d-------- C:\Documents and Settings\Chris\Application Data\Google
2008-07-25 20:49:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-24 20:57:58 0 d-------- C:\Program Files\Inventel
2008-07-24 20:57:58 278528 --a------ C:\Program Files\Common Files\FDEUnInstaller.exe <Not Verified; ; FDEUninstaller>
2008-07-24 20:57:35 0 d-------- C:\Program Files\Orange
2008-07-22 15:08:47 81920 --a------ C:\WINDOWS\system32\W32N50.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-22 15:08:47 17134 --a------ C:\WINDOWS\system32\PCANDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-07-15 14:43:41 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-15 14:43:41 47360 --a------ C:\Documents and Settings\Chris\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-15 14:43:40 0 d-------- C:\Documents and Settings\Chris\Application Data\Vso
2008-07-13 14:04:32 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-13 13:40:26 0 d-------- C:\ie-spyad_zo
2008-07-13 13:35:09 0 d-------- C:\Program Files\SpywareBlaster
2008-07-13 12:15:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-07-13 12:14:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-07-13 12:11:09 47360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-13 12:11:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-07-13 10:57:26 0 dr-h----- C:\Documents and Settings\Chris\Recent
2008-07-13 10:50:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-13 10:42:05 1478367 --a------ C:\Program Files\SmitfraudFix.exe
2008-07-13 10:37:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-07-13 10:30:44 0 d-------- C:\Program Files\CCleaner
2008-07-13 09:44:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-13 09:44:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-13 09:44:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-13 09:44:32 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-13 09:44:32 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-13 09:44:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-13 09:44:32 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-13 09:44:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-13 09:44:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-13 09:44:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-13 09:44:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-07-13 09:44:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Acer
2008-07-13 09:44:31 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-13 09:44:31 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-13 09:44:31 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-13 09:44:30 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-13 09:27:42 116864 --a------ C:\WINDOWS\system32\atljoj.dll
2008-07-13 09:27:41 116864 --a------ C:\WINDOWS\system32\prwchraw.dll
2008-07-13 09:27:39 93184 --a------ C:\WINDOWS\system32\obukiwhf.dll
2008-07-13 00:07:07 0 d-------- C:\Documents and Settings\Laura\Application Data\TmpRecentIcons
2008-07-12 23:35:54 116864 --a------ C:\WINDOWS\system32\irqzrt.dll
2008-07-12 23:35:52 116864 --a------ C:\WINDOWS\system32\nehyopns.dll
2008-07-12 23:34:58 238201 --ahs---- C:\WINDOWS\system32\kTAbKkkj.ini2
2008-07-12 23:34:46 322816 --a------ C:\WINDOWS\system32\jkkKbATk.dll
2008-07-12 23:11:11 33152 --a------ C:\WINDOWS\system32\efcCrOhg.dll
2008-07-12 23:11:10 33152 --a------ C:\WINDOWS\system32\urqRIApO.dll
2008-07-12 23:10:43 0 d-------- C:\Documents and Settings\Chris\Application Data\TmpRecentIcons
2008-07-12 23:09:39 458752 --a------ C:\WINDOWS\wbxdpgfedxa.dll
2008-07-12 23:09:39 155648 --a------ C:\WINDOWS\sqvgnrpx.dll
2008-07-12 23:09:39 180224 --a------ C:\WINDOWS\gpefaowr.exe
2008-07-12 23:09:39 360448 --a------ C:\WINDOWS\fsrpknov.dll
2008-07-12 23:09:39 376832 --a------ C:\WINDOWS\fdxbameg.dll
2008-07-12 23:09:39 163840 --a------ C:\WINDOWS\espk.exe
2008-07-06 21:49:23 0 d-------- C:\Documents and Settings\Chris\Application Data\Real

-- Find3M Report ---------------------------------------------------------------

2008-07-13 12:11:12 33 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.log
2008-07-13 12:11:10 1144 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
2008-07-13 12:11:10 7887 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
2008-06-02 09:47:36 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-27 23:29:36 0 d-------- C:\Program Files\uTorrent

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5472D353-F204-4640-8578-D20519F48AF5}]
12/07/2008 23:34 322816 --a------ C:\WINDOWS\system32\jkkKbATk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7a1b56c1-91a7-4f7e-8ab5-6cf7c0232139}]
13/07/2008 09:27 116864 --a------ C:\WINDOWS\system32\atljoj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B364AADE-53FA-4779-8643-D833B8969F10}]
12/07/2008 18:47 458752 --a------ C:\WINDOWS\wbxdpgfedxa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8AC36D7-F602-4B69-99B5-2A812E05779F}]
12/07/2008 23:11 33152 --a------ C:\WINDOWS\system32\urqRIApO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [07/01/2005 16:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [07/01/2005 16:16]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 05:00]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [24/10/2005 16:45]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [18/07/2005 04:09]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [18/07/2005 04:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [18/07/2005 04:10]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [25/11/2005 15:59]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [09/11/2005 11:04]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [24/01/2006 18:00]
"RTHDCPL"="RTHDCPL.EXE" [22/09/2005 13:36 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 18:43 C:\WINDOWS\ALCMTR.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [25/06/2003 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/05/2004 15:18]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [13/01/2006 07:58]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03/08/2007 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [24/08/2007 21:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"320d18a1"="C:\WINDOWS\system32\obukiwhf.dll" [13/07/2008 09:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [01/08/1997]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/04/2008 03:38:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F8AC36D7-F602-4B69-99B5-2A812E05779F}"= C:\WINDOWS\system32\urqRIApO.dll [12/07/2008 23:11 33152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fsrpknov"= {4027FA85-5D87-4C1C-A07B-B06E154D00CA} - C:\WINDOWS\fsrpknov.dll [12/07/2008 18:47 360448]
"fdxbameg"= {6FF46CCE-1D62-4175-ADBA-DF2A3BCA609B} - C:\WINDOWS\fdxbameg.dll [12/07/2008 18:47 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRIApO]
urqRIApO.dll 12/07/2008 23:11 33152 C:\WINDOWS\system32\urqRIApO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkKbATk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan

*Newly Created Service* - MDMXSDK

-- End of Deckard's System Scanner: finished at 2008-07-13 15 48 ------------

I couldn't save this as a Notepad document either. I had to copy and paste it and then email it to myself. Please help, I had the Zlob trojan last year but that was nothing in comparison to this. It's just about ruined my laptop. I in turn promise to check back here daily.

Regards, Chris
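To show what a log analyst actually looks for in a HijackThis-style log such as the one posted above, here is an added Python example. It is not part of the original thread and is not code from HijackThis, DSS or ComboFix. It parses lines of the form `O2 - BHO: ... - C:\path\file.dll`, flags entries at persistence points that legitimate consumer software rarely uses (O20 Winlogon Notify, O21 ShellServiceObjectDelayLoad, O10 Winsock LSP), Run keys that start rundll32 on a DLL, unnamed BHOs outside Program Files, and random-looking file names directly under the Windows directory, and separately lists anything beyond the stock `msv1_0` in the LSA "Authentication Packages" value from the registry dump. The sample lines are constructed from the log above (the mix is chosen to show hits and non-hits); the thresholds in `looks_random` and the rule set itself are assumptions chosen for illustration, not published detection rules.

```python
"""Triage of HijackThis-style log lines (added example, not from the original thread).

Flags entries at persistence points rarely used by legitimate software, Run keys
that hand a DLL to rundll32, unnamed BHOs outside Program Files, and files with
random-looking names directly under the Windows directory. Thresholds are
illustrative assumptions, not published detection rules.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "entry_type path reasons")

# Constructed sample modelled on the posted log; paths and CLSIDs are copied
# from it, and the selection deliberately mixes suspicious and benign lines.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {5472D353-F204-4640-8578-D20519F48AF5} - C:\WINDOWS\system32\jkkKbATk.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: sqvgnrpx - {88BD6C7F-49B8-4873-AF65-38706E659377} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\obukiwhf.dll",b
O10 - Broken Internet access because of LSP provider 'C:\Program Files\NewDotNet\newdotnet7_22.dll' missing
O20 - Winlogon Notify: urqRIApO - C:\WINDOWS\system32\urqRIApO.dll
O21 - SSODL: fsrpknov - {4027FA85-5D87-4C1C-A07B-B06E154D00CA} - C:\WINDOWS\fsrpknov.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# First Windows path ending in .dll/.exe/.sys; stops at a quote, comma or line end.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"',\n]+?\.(?:dll|exe|sys))", re.IGNORECASE)

# Load points that legitimate consumer software almost never touches.
SENSITIVE_TYPES = {
    "O20": "Winlogon Notify DLL (loaded by winlogon.exe at logon)",
    "O21": "ShellServiceObjectDelayLoad entry (loaded by explorer.exe at startup)",
    "O10": "Winsock LSP entry (sits in every socket call; a missing one breaks networking)",
}


def looks_random(stem):
    """Heuristic for generated names such as 'sqvgnrpx' or 'urqRIApO'.

    Assumption (illustrative thresholds): letters only, at least 6 long, and
    either almost vowel-free or with two or more lower-to-upper case jumps.
    """
    if not stem.isalpha() or len(stem) < 6:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    case_jumps = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() and b.isupper())
    return vowel_ratio <= 0.2 or case_jumps >= 2


def in_windows_root(path):
    """True for files sitting directly in the Windows directory or its system32 folder."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent in ("c:\\windows", "c:\\windows\\system32")


def triage_line(line):
    """Return a Finding for a suspicious log line, or None for a benign one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry_type, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else ""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if entry_type in SENSITIVE_TYPES:
        reasons.append(SENSITIVE_TYPES[entry_type])
    if entry_type == "O2" and "(no name)" in body and "\\program files\\" not in path.lower():
        reasons.append("unnamed BHO outside Program Files")
    if entry_type == "O4" and "rundll32" in body.lower():
        reasons.append("Run key starts rundll32 on a DLL instead of a normal program")
    if path and in_windows_root(path) and looks_random(stem):
        reasons.append("random-looking file name directly under the Windows directory")
    return Finding(entry_type, path, reasons) if reasons else None


def triage_log(text):
    """Findings for every suspicious line in a whole log, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


def extra_lsa_packages(value):
    r"""Entries in the LSA 'Authentication Packages' value beyond the stock msv1_0.

    The registry dump above shows
        "Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkKbATk
    Every extra entry is a DLL that lsass.exe loads at boot.
    """
    parts = value.split("=", 1)[1].split()
    return [p for p in parts if p.lower() != "msv1_0"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.entry_type:4} {f.path}")
        for r in f.reasons:
            print("      -", r)
    print(extra_lsa_packages('"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\jkkKbATk'))
```

Run against the sample, it flags the jkkKbATk BHO, the sqvgnrpx toolbar, the rundll32 Run entry, the broken LSP, the Winlogon Notify DLL and the SSODL entry, while leaving the Java, SiteAdvisor, igfxtray and McAfee lines alone. The name heuristic is deliberately conservative (igfxtray passes it); the load-point rules carry most of the weight, which is also how a human triager reads such a log.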
#3 (permalink) |
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,528
OS: 2000 Pro; XP Pro; XP Home
Re: Multiple pop-ups, slowdown, hard drive hidden, Task Manager blocked, IE hijacked
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return. Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed.

Please continue as follows: Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing. Because what you don't know CAN hurt you. Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum. Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
#4 (permalink) |
Registered User
Join Date: Jul 2008
Posts: 11
OS: Windows XP
Re: Multiple pop-ups, slowdown, hard drive hidden, Task Manager blocked, IE hijacked
Hi there,
I can't complete the Recovery Console stage. I've downloaded SP2 and when I drag it onto the ComboFix icon, nothing happens at all. Should I skip this and run ComboFix? Thanks for your time and consideration on this matter.
#5 (permalink) |
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,528
OS: 2000 Pro; XP Pro; XP Home
Re: Multiple pop-ups, slowdown, hard drive hidden, Task Manager blocked, IE hijacked
Just to be clear....you downloaded one of the setup packages from this site?
http://support.microsoft.com/kb/310994
#6 (permalink) |
Registered User
Join Date: Jul 2008
Posts: 11
OS: Windows XP
Re: Multiple pop-ups, slowdown, hard drive hidden, Task Manager blocked, IE hijacked
Yes, the full name of the file I downloaded is:
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU

I'm running XP Home SP2. I know I probably shouldn't have, but I did try and launch ComboFix without doing this. The egg timer shows for a fraction of a second and then just vanishes and the program doesn't load. Exactly the same happens with HijackThis. Can a virus prevent me from launching applications? I'm getting worried now!
#8 (permalink) |
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,528
OS: 2000 Pro; XP Pro; XP Home
Re: Multiple pop-ups, slowdown, hard drive hidden, Task Manager blocked, IE hijacked
It's always an alternative.

Let's try this: Delete your existing version of ComboFix. Download a new version from one of these links: Link 1 Link 2 Link 3

When you download ComboFix, you must rename it before it is saved. Rename it as CombiFxx.exe. Everything else on the page, perform as instructed.
#9 (permalink) |
Registered User
Join Date: Jul 2008
Posts: 11
OS: Windows XP
Re: Multiple pop-ups, slowdown, hard drive hidden, Task Manager blocked, IE hijacked
I had a breakthrough. I renamed Combofix.exe to McLovin.exe (lol) and it worked, which seems to confirm my suspicion that the bugs were reacting to what I was doing. I've had a remarkable performance improvement, the clock is normal, the pop-ups have stopped, although I am being redirected to a 'Ucleaner' site when I open IE (I do understand there is still work to be done). I am getting a lot of calls to run chkdsk. And what's more, I can now run HijackThis! Thanks very much for your assistance thus far; I'll await your reply eagerly.

ComboFix log:

ComboFix 08-07-15.4 - Chris 2008-07-17 14:16:17.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.576 [GMT 1:00]
Running from: C:\Documents and Settings\Chris\Desktop\McLovin.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\inst.exe
C:\Documents and Settings\Chris\Application Data\inst.exe
C:\Documents and Settings\Chris\Application Data\SpamBlocker
C:\Documents and Settings\Chris\Application Data\SpamBlockerUtility
C:\Documents and Settings\Chris\Desktop\Error Cleaner.url
C:\Documents and Settings\Chris\Desktop\Privacy Protector.url
C:\Documents and Settings\Chris\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Chris\Favorites\Error Cleaner.url
C:\Documents and Settings\Chris\Favorites\Privacy Protector.url
C:\Documents and Settings\Chris\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Chris\Start Menu\Programs\Antivirus 2008 PRO
C:\Documents and Settings\Laura\Application Data\FunWebProducts
C:\Documents and Settings\Laura\Favorites\Error Cleaner.url
C:\Documents and Settings\Laura\Favorites\Online Security Test.url
C:\Documents and Settings\Laura\Favorites\Privacy Protector.url
C:\Documents and Settings\Laura\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\cookies.ini
C:\WINDOWS\espk.exe
C:\WINDOWS\fdxbameg.dll
C:\WINDOWS\fsrpknov.dll
C:\WINDOWS\gpefaowr.exe
C:\WINDOWS\sqvgnrpx.dll
C:\WINDOWS\system32\aipcbakv.dll
C:\WINDOWS\system32\atljoj.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dhvegcgg.ini
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\efcCrOhg.dll
C:\WINDOWS\system32\irqzrt.dll
C:\WINDOWS\system32\jkkKbATk.dll
C:\WINDOWS\system32\kTAbKkkj.ini
C:\WINDOWS\system32\kTAbKkkj.ini2
C:\WINDOWS\system32\nehyopns.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\prwchraw.dll
C:\WINDOWS\system32\qnnsgd.dll
C:\WINDOWS\system32\urqRIApO.dll
C:\WINDOWS\system32\vkabcpia.ini
C:\WINDOWS\system32\yiqogtng.dll
C:\WINDOWS\wbxdpgfedxa.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLBDRIVER

((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.
2008-08-26 16:48 . 2008-08-26 16:48 <DIR> d-------- C:\Program Files\iPod
2008-08-26 16:48 . 2008-07-17 14:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-26 16:48 . 2008-08-26 16:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-26 16:46 . 2008-08-26 16:46 <DIR> d-------- C:\Program Files\QuickTime
2008-07-28 19:04 . 2008-07-28 19:04 244 --ah----- C:\sqmnoopt07.sqm
2008-07-28 19:04 . 2008-07-28 19:04 232 --ah----- C:\sqmdata07.sqm
2008-07-28 18:32 . 2008-07-28 18:32 244 --ah----- C:\sqmnoopt06.sqm
2008-07-28 18:32 . 2008-07-28 18:32 232 --ah----- C:\sqmdata06.sqm
2008-07-24 20:57 . 2008-07-24 20:57 <DIR> d-------- C:\Program Files\Orange
2008-07-24 20:57 . 2008-07-24 20:58 <DIR> d-------- C:\Program Files\Inventel
2008-07-24 20:57 . 2008-07-24 20:58 278,528 --a------ C:\Program Files\Common Files\FDEUnInstaller.exe
2008-07-22 15:41 . 2008-07-22 15:41 5,632 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-07-22 15:08 . 2008-07-24 21:09 81,920 --a------ C:\WINDOWS\system32\W32N50.dll
2008-07-22 15:08 . 2008-07-24 21:09 17,134 --a------ C:\WINDOWS\system32\PCANDIS5.sys
2008-07-16 17:52 . 2008-07-13 17:09 294 --ahs---- C:\WINDOWS\system32\fhwikubo.ini
2008-07-15 14:43 . 2008-07-15 14:43 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Vso
2008-07-15 14:43 . 2008-07-21 20:33 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-15 14:43 . 2008-07-21 20:33 47,360 --a------ C:\Documents and Settings\Chris\Application Data\pcouffin.sys
2008-07-13 16:41 . 2008-07-13 16:41 1,773,835 ---hs---- C:\WINDOWS\system32\fhwikubo.tmp
2008-07-13 16:01 . 2008-07-13 16:01 <DIR> d-------- C:\Program Files\VS Revo Group
2008-07-13 14:16 . 2008-07-13 14:16 <DIR> d-------- C:\Deckard
2008-07-13 13:40 . 2008-07-13 13:40 <DIR> d-------- C:\ie-spyad_zo
2008-07-13 12:11 . 2008-07-13 12:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-07-13 12:11 . 2008-07-13 12:11 47,360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-07-13 10:42 . 2008-07-13 10:35 1,478,367 --a------ C:\Program Files\SmitfraudFix.exe
2008-07-13 10:42 . 2008-07-13 10:42 35,262 --a------ C:\WINDOWS\Administrator.acl
2008-07-13 10:30 . 2008-07-13 10:30 <DIR> d-------- C:\Program Files\CCleaner
2008-07-13 09:44 . 2006-06-02 15:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-13 09:44 . 2006-06-02 15:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-07-13 09:44 . 2006-06-02 15:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Acer
2008-07-13 09:44 . 2008-07-13 09:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-13 00:07 . 2008-07-13 00:07 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\TmpRecentIcons
2008-07-12 23:11 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 20:49 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 16:03 --------- d-----w C:\Documents and Settings\Chris\Application Data\DVD Profiler
2008-06-02 08:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-27 22:29 --------- d-----w C:\Program Files\uTorrent
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 21:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-10-13 21:27 0 ----a-w C:\Documents and Settings\Laura\Application Data\wklnhst.dat
2006-10-13 18:56 148 ----a-w C:\Documents and Settings\Chris\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchApp"="Alaunch" [X] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17 102491] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16 692315] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168] "ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 04:09 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 04:06 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 04:10 114688] "EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-25 15:59 212992] "Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288] "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00 397312] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152] "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 07:58 188416] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 21:57 36640] 
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] "RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 02:23 443968] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-01 111376] Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Messenger\\MSMSGS.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\utorrent\\utorrent.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "D:\\Program 
Files\\iTunes\\iTunes.exe"= R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20] R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10] R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08] R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46] R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58] R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57] R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34] S3 W700bus;Sony Ericsson W700 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\W700bus.sys [2006-09-15 11:39] S3 W700mdfl;Sony Ericsson W700 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\W700mdfl.sys [2006-09-15 11:39] S3 W700mdm;Sony Ericsson W700 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\W700mdm.sys [2006-09-15 11:39] S3 W700mgmt;Sony Ericsson W700 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\W700mgmt.sys [2006-09-15 11:39] S3 W700obex;Sony Ericsson W700 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\W700obex.sys [2006-09-15 11:39] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bdx REG_MULTI_SZ scan . Contents of the 'Scheduled Tasks' folder "2008-06-01 00:00:50 C:\WINDOWS\Tasks\McQcTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe "2007-10-28 14:27:42 C:\WINDOWS\Tasks\McDefragTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe' "2008-08-19 14:31:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . 
- - - - ORPHANS REMOVED - - - -
HKCU-Run-eyeBeam SIP Client - (no file)
HKLM-Run-320d18a1 - C:\WINDOWS\system32\aipcbakv.dll
SSODL-fsrpknov-{4027FA85-5D87-4C1C-A07B-B06E154D00CA} - C:\WINDOWS\fsrpknov.dll
SSODL-fdxbameg-{6FF46CCE-1D62-4175-ADBA-DF2A3BCA609B} - C:\WINDOWS\fdxbameg.dll

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 14:28:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 49
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-07-17 14:31:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-17 13:31:24
Pre-Run: 21,353,496,576 bytes free
Post-Run: 21,414,805,504 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\Minint="Microsoft Windows 2003 Professional (on Volume 1)"
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
262 --- E O F --- 2008-07-08 18:51:30

And Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:38, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMed