[SOLVED] jump or redirected

[mca1293]

Hi, I was refered to this site by a person who responded to my thread that I posted on Mcafee.
The problem is
Almost everytime I use Yahoo search, Google search, MSN Live search, when I click search result link, it jumps or redirects me to other search site that I've never heard of. Which search site I'm taken to is random. I haven't seen same search site twice so far.
I don't know what kind of bad stuff my computer got, and I don't know how to get rid of it.
I scaned my computer with virus scan many times, but it dosen't fix the problem. I don't know what to do. If you have any knowledge about this problem, Please help me!

[mca1293]

Hi, I attached extra.txt, and here is main.txt

Deckard's System Scanner v20070819.64
Run by Owner on 2007-08-26 11:38:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
36: 2007-08-26 18:38:42 UTC - RP429 - Deckard's System Scanner Restore Point
35: 2007-08-25 20:13:43 UTC - RP428 - System Checkpoint
34: 2007-08-24 18:17:30 UTC - RP427 - System Checkpoint
33: 2007-08-23 16:45:10 UTC - RP426 - System Checkpoint
32: 2007-08-22 09:28:14 UTC - RP425 - System Checkpoint


-- First Restore Point --
1: 2007-07-17 02:42:01 UTC - RP394 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-26 11:40:46
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3418
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sandiego.cox.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sandiego.cox.net/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3418
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [nwiz] nwiz.exe /install
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKEY_LOCAL_MACHINE\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKEY_LOCAL_MACHINE\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKEY_LOCAL_MACHINE\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra 'Tools' menuitem: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://anitube.blogspot.com (HKCU)
O15 - Trusted Zone: https://www.overstock.com (HKCU)
O15 - Trusted Zone: https://autoins2.progressivedirect.com (HKCU)
O15 - Trusted Zone: http://www.yahoo.com (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O23 - Service: McAfee Application Installer Cleanup (0272381188146883) (0272381188146883mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027238~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Unknown owner - "C:\Program Files\Viewpoint\Common\ViewpointService.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 krdpdre - c:\docume~1\owner\locals~1\temp\krdpdre.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

S2 0272381188146883mcinstcleanup (McAfee Application Installer Cleanup (0272381188146883)) - c:\windows\temp\027238~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)
S2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-26 11:08:12 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{E5350ADB-32B3-41DE-A50B-A10877F01DF5}.job
2007-08-25 11:44:00 406 --a------ C:\WINDOWS\Tasks\McQcTask.job
2007-08-15 03:48:13 350 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2006-05-09 09:20:25 300 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2007-07-26 and 2007-08-26 -----------------------------

2007-08-26 09:47:56 0 d-------- C:\WINDOWS\LastGood
2007-08-15 22:35:56 1156 --a------ C:\WINDOWS\mozver.dat
2007-08-15 22:30:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-08-12 18:29:57 0 d-------- C:\WINDOWS\system32\URTTEMP


-- Find3M Report ---------------------------------------------------------------

2007-08-26 09:47:56 0 d-------- C:\Program Files\McAfee
2007-08-26 09:42:14 0 d-------- C:\Program Files\lg_fwupdate
2007-08-24 14:26:09 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-08-17 14:05:35 0 d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2007-08-01 10:04:33 0 d-------- C:\Program Files\Common Files\McAfee
2007-07-19 16:42:54 0 d-------- C:\Program Files\Yahoo!
2007-07-19 16:42:51 0 d-------- C:\Program Files\Common Files\Scanner
2007-07-19 16:34:55 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
07/27/2007 06:20 AM 324936 --a------ C:\Program Files\McAfee\MSK\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 04:01 AM]
"SoundMan"="SOUNDMAN.EXE" [09/26/2005 04:07 PM C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/18/2005 09:32 AM]
"nwiz"="nwiz.exe" [09/18/2005 09:32 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/18/2005 09:32 AM]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [08/27/2005 06:09 AM]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2006 05:42 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/21/2006 11:44 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [03/16/2006 01:00 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [04/06/2007 07:28 AM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [01/17/2007 12:24 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/04/2007 02:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"Power2GoExpress"="NA" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [8/11/2004 2:22:40 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdrrt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbef03f5-9bec-11da-9785-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-08-26 11:42:41 ------------

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from on of these sites:

http://download.bleepingcomputer.com...Fixwareout.exe

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new log from DSS.

**If you receive an error message while trying to run FixWareout, copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder, and run FixWareout again.
----------------------------------------------------------------------------------------------------------

[mca1293]

Hi,
I ran FixWareout. Here is the text file, and I attached DSS main.txt and extra.txt logs.

Username "Owner" - 2007-08-27 22:32:42 [Fixwareout edited 2007/07/05]

»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdrrt.exe"

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Other
C:\WINDOWS\Temp\kdrrt.ren 66183 08/04/2004

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"readericon"="C:\\Program Files\\Digital Media Reader\\readericon45G.exe"
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LGODDFU"="\"C:\\Program Files\\lg_fwupdate\\fwupdate.exe\" blrun"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6066\\SiteAdv.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"mcagent_exe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe /runkey"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Power2GoExpress"="NA"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Deckard's System Scanner v20070826.66
Run by Owner on 2007-08-27 22:42:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2007-08-28 05:42:14 UTC - RP432 - Deckard's System Scanner Restore Point
38: 2007-08-27 16:00:48 UTC - RP431 - Software Distribution Service 3.0
37: 2007-08-27 10:40:24 UTC - RP430 - Software Distribution Service 3.0
36: 2007-08-26 18:38:42 UTC - RP429 - Deckard's System Scanner Restore Point
35: 2007-08-25 20:13:43 UTC - RP428 - System Checkpoint


-- First Restore Point --
1: 2007-07-17 02:42:01 UTC - RP394 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:09 PM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3418
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sandiego.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sandiego.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3418
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\program files\mcafee.com\shredder\SHRED32.EXE" /q C:\DOCUME~1\Owner\MYDOCU~1\MYVIDE~1\SAIUNK~1.SH! C:\DOCUME~1\Owner\MYDOCU~1\BITTOR~1\_RAW_C~1.SH!
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://anitube.blogspot.com
O15 - Trusted Zone: http://www.scasp.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O24 - Desktop Component 0: My Current Home Page - http://images.eluxury.com/assets_ser...44_ph_hero.jpg
O24 - Desktop Component 1: My Current Home Page - About:Home

--
End of file - 10786 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 krdpdre - c:\docume~1\owner\locals~1\temp\krdpdre.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

S2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-27 22:30:35 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{E5350ADB-32B3-41DE-A50B-A10877F01DF5}.job
2007-08-27 01:22:25 406 --a------ C:\WINDOWS\Tasks\McQcTask.job
2007-08-15 03:48:13 350 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2006-05-09 09:20:25 300 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2007-07-27 and 2007-08-27 -----------------------------

2007-08-27 22:42:54 0 d-------- C:\Program Files\Trend Micro
2007-08-27 22:32:44 6835 --a------ C:\dnsbak.reg
2007-08-27 1509 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-15 22:35:56 1156 --a------ C:\WINDOWS\mozver.dat
2007-08-15 22:30:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-08-12 18:29:57 0 d-------- C:\WINDOWS\system32\URTTEMP


-- Find3M Report ---------------------------------------------------------------

2007-08-27 22:41:05 0 d-------- C:\Program Files\lg_fwupdate
2007-08-27 10:12:57 0 d-------- C:\Program Files\McAfee
2007-08-24 14:26:09 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-08-17 14:05:35 0 d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2007-08-01 10:04:33 0 d-------- C:\Program Files\Common Files\McAfee
2007-07-19 16:42:54 0 d-------- C:\Program Files\Yahoo!
2007-07-19 16:42:51 0 d-------- C:\Program Files\Common Files\Scanner
2007-07-19 16:34:55 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
07/27/2007 06:20 AM 324936 --a------ C:\Program Files\McAfee\MSK\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 04:01 AM]
"SoundMan"="SOUNDMAN.EXE" [09/26/2005 04:07 PM C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/18/2005 09:32 AM]
"nwiz"="nwiz.exe" [09/18/2005 09:32 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/18/2005 09:32 AM]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [08/27/2005 06:09 AM]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2006 05:42 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/21/2006 11:44 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [03/16/2006 01:00 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [04/06/2007 07:28 AM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [01/17/2007 12:24 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/04/2007 02:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"Power2GoExpress"="NA" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="C:\program files\mcafee.com\shredder\SHRED32.EXE" /q C:\DOCUME~1\Owner\MYDOCU~1\MYVIDE~1\SAIUNK~1.SH! C:\DOCUME~1\Owner\MYDOCU~1\BITTOR~1\_RAW_C~1.SH!

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [8/11/2004 2:22:40 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbef03f5-9bec-11da-9785-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-08-27 22:44:35 ------------

[tetonbob]

The redirects should be abated at this point. Let me know if this is not the case.

Perform this online scan, and post the results:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

[mca1293]

Thank you, I haven't been redirected yet.

I ran Kaspersky Online Scanner, and this is the result.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 28, 2007 2:15:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/08/2007
Kaspersky Anti-Virus database records: 395323
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 57032
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:18:16

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\temp\kdrrt.ren Infected: Packed.Win32.PolyCrypt.b skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{36FCEA1D-D2E6-4CEF-9915-C4A5E01D8412}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{9ADFC6FD-39EB-48E0-A449-214DF2BBE492}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds\#l33t-raws @ irc~dimmortal-anime~dnet~.feed-ms Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds\D-Addicts RSS Feed~.feed-ms Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds\NyaaTorrents' Latest Torrents~.feed-ms Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds\SaiyaMan~dINFO - BT~.feed-ms Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds\Tokyo Toshokan~.feed-ms Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\sqlite_roxC1b4rruAUFM3 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF4D66.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF53C5.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5413.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF54F3.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF564C.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF56EF.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5776.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5800.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5829.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF58AD.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF58F4.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5AFC.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5B0A.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF635E.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF63BE.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP431\A0034478.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP432\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5E6EDA55-63C1-48AE-9B98-A6B333088109}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_G0lsqZmkCb7q8fY Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ccgLB53rBOyvuHZ Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ckd1KNuXZe0fdbb Object is locked skipped
C:\WINDOWS\Temp\mcmsc_cxJuYBImdDRM0HU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_FRhEH4HbqgX1M23 Object is locked skipped
C:\WINDOWS\Temp\sqlite_lFxfSN10qC3Qi9n Object is locked skipped
C:\WINDOWS\Temp\sqlite_lyag687O8MdviF0 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

[tetonbob]

Good job....

Your logs appear clean.You should be good to go. We still have a few items to address.

C:\Deckard is DSS working folder. Please delete it. Also delete DSS.exe

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while.

---------------------------------------------------------------------------------------------

P2P - I see you have P2P software ( Limewire, BitTorrent 5.0.7 ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 u2.
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u2-windowsi586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Clear & Reset System Restore's Cache

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  Here are a few very good free Antivirus products which are available:
  • Avast!
  • AVG
  • Avira PersonalEdition Classic
  Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  

  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial

• FIREWALL
  If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:
  
  Do not install more than one firewall program because they will conflict with each other.

• Comodo Personal Firewall
• ZoneAlarm

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[mca1293]

Hi, I did everything that you told me to do, and came up with two question.

1. I have McAfee on my computer with 2 years of subscription left.
Should I still download those programs: spyware, anti-virus, firewall
that you mentioned on the last post?

2. When I reboot the computer (I rebooted twice so far), this black
window shows up and says "this batch removes FixWareout ... blah
blah blah ...Use with your own risk...blah blah .. Press any key to
continue_" This window showed up both time that I rebooted the
computer. Did I do somethig wrong?

[tetonbob]

Quote:

Originally Posted by mca1293

Hi, I did everything that you told me to do, and came up with two question.

1. I have McAfee on my computer with 2 years of subscription left.
Should I still download those programs: spyware, anti-virus, firewall
that you mentioned on the last post?

Not the AntiVirus or Firewall, you have that covered.

2. When I reboot the computer (I rebooted twice so far), this black
window shows up and says "this batch removes FixWareout ... blah
blah blah ...Use with your own risk...blah blah .. Press any key to
continue_" This window showed up both time that I rebooted the
computer. Did I do somethig wrong?

That doesn't seem right....let me check into it and get back to you.

Also, can you post a new HijackThis log, please?

[tetonbob]

When it says "Press any key to
continue_", have you again?

[mca1293]

After I press space key, the black window gose away, and the computer gose back to rebooting picking up from where it's left off.

This is HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:00 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3418
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sandiego.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sandiego.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3418
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\program files\mcafee.com\shredder\SHRED32.EXE" /q C:\DOCUME~1\Owner\MYDOCU~1\MYVIDE~1\SAIUNK~1.SH! C:\DOCUME~1\Owner\MYDOCU~1\BITTOR~1\_RAW_C~1.SH!
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O15 - Trusted Zone: http://anitube.blogspot.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O24 - Desktop Component 0: My Current Home Page - http://images.eluxury.com/assets_ser...44_ph_hero.jpg
O24 - Desktop Component 1: My Current Home Page - About:Home

--
End of file - 10290 bytes

[tetonbob]

Hello, mca1293 -

Please do this:

Open notepad and copy/paste the text in the codebox below into it:

Code:

@ echo off
regedit /a runonceex.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
start notepad runonceex.txt

Save this as look.bat Choose to "Save type as - All Files"
It should look like this:
Double click on look.bat & allow it to run

A text file will open. Please post the contents of that file in your next reply.

[mca1293]

Hi,
This is the result

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"*FixWareOut"="C:\\WINDOWS\\system32\\cmd.exe /c C:\\fixwareout\\FindT\\XP-2K2.cmd"

[LonnyRJones]

Hi mca1293 & tetonbob

Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.

Code:

cd %systemdrive%\fixwareout\findt
swreg acl "hklm\software\microsoft\windows\currentversion\runonceex\0001" >runeex.txt
swreg acl "hklm\software\microsoft\windows\currentversion\runonceex\0001" /RESET
swreg delete "hklm\software\microsoft\windows\currentversion\runonceex\0001" >nul
swreg query "hklm\software\microsoft\windows\currentversion\runonceex\0001" >>runeex.txt 2>nul
start notepad %systemdrive%\fixwareout\findt\runeex.txt & exit

Run check.bat then post the text that will open please

[mca1293]

Hi, LonnyRJones,

This is the result from running check.bat

*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\0001

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
YOUR-96D087D881\Owner
Denied Special (DCBA2) This Key Only
YOUR-96D087D881\Users
Allowed Read This Key Only (Inherited)
YOUR-96D087D881\Users
Allowed Special (Unknown) Subkeys only (Inherited)
YOUR-96D087D881\Administrators
Allowed Full Control This Key Only (Inherited)
YOUR-96D087D881\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
YOUR-96D087D881\Owner
Allowed Full Control This Key Only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)

No Auditing set

Owner: Owner (YOUR-96D087D881\Owner)

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

Error: Key: software\microsoft\windows\currentversion\runonceex\0001 does not exist!

[mca1293]

This morning, I started my computer, it happened again.
The black window showed up.

[LonnyRJones]

There must be something else going on with your system, we need to know
Has your pc been crashing ? if so we need details

deleted c:\fixwareout
run look.bat again and post the text that will open

[mca1293]

My computer has never had any problem except the redirects.

This is the result from Look.bat

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
@=""

[LonnyRJones]

Quote:

This morning, I started my computer, it happened again.
The black window showed up.

Reboot your PC and describe that window in as much detail as possible please, it shouldnt be there now.

One more log:
Post a combofix log
1. Download this file - combofix.exe
http://www.techsupportforum.com/sect...s/ComboFix.exe
alternate link
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
The PC's time will appear to change, ignore it, it is temporary.

[mca1293]

the black window didn't show up this time.

ComboFix log

ComboFix 07-08-30.2 - "Owner" 2007-08-29 1858.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.113 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\Desktop\internet.lnk
D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-29 18:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-27 22:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-27 22:32 6,835 --a------ C:\dnsbak.reg
2007-08-15 22:35 1,156 --a------ C:\WINDOWS\mozver.dat
2007-08-12 18:29 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-07-30 20:09 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-30 20:09 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-30 20:09 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-30 20:09 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-30 20:09 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-29 11:06 --------- d-------- C:\Program Files\lg_fwupdate
2007-08-29 11:04 --------- d-------- C:\Program Files\McAfee
2007-08-24 14:26 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-08-17 14:05 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\McAfee
2007-08-17 14:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-01 10:04 --------- d-------- C:\Program Files\Common Files\McAfee
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-20 00:00 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-07-19 16:42 --------- d-------- C:\Program Files\Yahoo!
2007-07-19 16:42 --------- d-------- C:\Program Files\Common Files\Scanner
2007-07-13 09:20 113952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2004-10-01 15:00 40960 --a--c--- C:\Program Files\Uninstall_CDS.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 16:07 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 09:32]
"nwiz"="nwiz.exe" [2005-09-18 09:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 09:32]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 06:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-31 17:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-21 23:44]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 01:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-06 07:28]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-01-17 12:24]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Power2GoExpress"="NA" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="C:\program files\mcafee.com\shredder\SHRED32.EXE" /q C:\DOCUME~1\Owner\MYDOCU~1\MYVIDE~1\SAIUNK~1.SH! C:\DOCUME~1\Owner\MYDOCU~1\BITTOR~1\_RAW_C~1.SH!

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 krdpdre;krdpdre;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbef03f5-9bec-11da-9785-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-08-15 10:48:13 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-08-29 08:21:43 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-08-29 22:55:30 C:\WINDOWS\Tasks\User_Feed_Synchronization-{E5350ADB-32B3-41DE-A50B-A10877F01DF5}.job - C:\WINDOWS\system32\msfeedssync.exe
2006-05-09 16:20:25 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 18:09:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-29 18:10:31
C:\ComboFix-quarantined-files.txt ... 2007-08-29 18:10

--- E O F ---