11-16-2008, 03:40 PM   #1
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: Windows XP SP3


Trojan Clicker and ZLOB? Internet Problem

I have been having problems with my Internet Explorer. When I use a search engine (doesn't matter which one) and I click on one of the results it does not take me to that site, but jumps me to a completely different site. I see "rc12goldwebsearch", "Auut", "Redirect", "Jump" in the search bar when this happens. I can manually type the website in the address bar and it will take me to the original site I wanted.

I ran Ad-Aware, Spybot Search and Destroy and AVG. Spybot came up with ZLOB as well as 3 browser viruses and AVG came up with Trojan Clicker. Even after using these programs the problem still exists.

I am a beginner when it comes to these types of issues so I'm not sure if you will be able to walk me through it or if I should take it to a shop for repair. I previously had contacted Dell and they had me reset my computer to the original factory settings on October 9th and didn't have any problems until this past weekend when my son was staying at our house!
Attached Files
File Type: txt DDS.txt (14.6 KB, 5 views)
File Type: txt Gmer.txt (139.6 KB, 4 views)
File Type: txt Attach.txt (10.3 KB, 7 views)

Last edited by Sharona7060; 11-16-2008 at 03:41 PM.
11-19-2008, 10:02 AM   #2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.


------------------------------------------------------

It appears that you have two antivirus programs installed and running, Telus eProtect and AVG. While this may seem like better protection, they can actually conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Add or Remove Programs in your Control Panel.

------------------------------------------------------

Quote:
C:\Documents and Settings\Mine\Local Settings\Temporary Internet Files\Content.IE5\X8V2L8IU\dds[1].scr
Please note that tools are best Run from the Desktop. Save to the Desktop and then Run from the Desktop.

Easier to find and perform specialized functions which may be required. Thanks.

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

MyWay Search Assistant << Please read this

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Viewpoint Media Player << This is considered foistware instead of malware since it is installed without the user's approval, but doesn't spy or do anything "bad". Please read here and here

If you decide to uninstall it, also delete the following Folders if they still exist:

C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'.

Save the logfile and post it here. Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log


If you have any questions along the way...STOP and ask them before proceeding.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist
11-19-2008, 02:36 PM   #3
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: Windows XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Hi Chemist!

I removed AVG antivirus - I'm not sure how good Telus eProtect is but that is my internet supplier.

I could not find C:\Documents and Settings\Mine\Local Settings\Temporary Internet Files\Content.IE5\X8V2L8IU\dds[1].scr - I could get as far as Content.IE5 but no further. But I did go back and save the DDS tool to my desktop.

I uninstalled MyWay Search Assistant and the Viewpoint Media Player. I could not find the other Viewpoint files so assume they were removed.

I have attached the ComboFix log and the HijackThis log.


Thank you very much for helping me with this!
Sharon

ComboFix 08-11-18.A2 - Mine 2008-11-19 13:13:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.528 [GMT -8:00]
Running from: c:\documents and settings\Mine\Desktop\1ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-19 11:05 . 2008-11-19 11:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-11-17 14:46 . 2008-11-17 14:46 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-16 14:48 . 2008-11-16 14:48 250 --a------ c:\windows\gmer.ini
2008-11-16 12:09 . 2008-11-19 11:24 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-15 15:20 . 2008-11-15 15:20 <DIR> d-------- c:\program files\AVG
2008-11-15 15:20 . 2008-11-15 17:26 <DIR> d-------- c:\documents and settings\Mine\Application Data\AVGTOOLBAR
2008-11-15 00:08 . 2008-11-15 00:08 <DIR> d-------- c:\program files\Phantom EFX
2008-11-13 10:37 . 2008-11-16 14:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-13 10:37 . 2008-11-16 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 18:26 . 2008-11-16 13:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-11 12:52 . 2008-11-11 12:54 <DIR> d-------- c:\program files\PokerStars.NET
2008-11-08 18:20 . 2008-11-08 18:20 <DIR> d-------- c:\documents and settings\George\Application Data\Corel Photo Album
2008-11-08 17:35 . 2008-11-08 17:35 77,825 --a------ c:\windows\system32\pmgubxiwlojaqzbiz.exe
2008-11-08 17:35 . 2008-11-08 17:35 53,973 --a------ c:\windows\system32\cont_mxlivemedia-remove.exe
2008-11-08 17:13 . 2008-11-08 17:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Solt Lake Software
2008-11-08 15:31 . 2008-11-08 15:31 <DIR> d-------- c:\documents and settings\George\Application Data\TELUS
2008-11-07 22:05 . 2008-11-07 22:11 <DIR> d-------- c:\program files\eGames
2008-11-07 22:05 . 1999-05-07 00:00 140,288 --a------ c:\windows\system32\Comdlg32.ocx
2008-11-07 22:05 . 1999-03-25 23:00 101,888 --a------ c:\windows\system32\Vb6stkit.dll
2008-11-07 22:05 . 1999-05-07 00:00 82,960 --a------ c:\windows\system32\Picclp32.ocx
2008-11-07 22:05 . 2000-07-17 13:41 70,088 --a------ c:\windows\system32\Project2-1.ocx
2008-11-07 22:05 . 2000-03-21 15:37 1,760 --a------ c:\windows\system32\objsafe.tlb
2008-11-07 22:05 . 2000-04-06 14:58 1,453 --a------ c:\windows\system32\Project2.INF
2008-11-07 21:59 . 2008-11-08 18:27 <DIR> d-------- c:\program files\MasqueGames
2008-11-04 08:01 . 2008-11-04 08:01 555,008 --a------ c:\windows\system32\nslE9.dll
2008-11-03 22:47 . 2008-11-03 22:47 <DIR> d-------- c:\program files\Oberon Media
2008-11-03 22:47 . 2008-11-03 23:49 <DIR> d-------- c:\program files\MSN Games
2008-11-03 22:47 . 2008-11-03 23:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-03 22:22 . 2008-11-03 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
2008-11-03 21:42 . 2008-11-03 21:42 <DIR> d-------- c:\windows\Sun
2008-11-02 19:51 . 2008-11-02 19:51 <DIR> d-------- c:\program files\directx
2008-11-02 19:48 . 2008-11-07 22:15 <DIR> d-------- c:\program files\Phantom
2008-10-29 22:49 . 2008-10-29 22:49 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-29 22:47 . 2008-10-29 22:47 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-29 22:47 . 2008-10-29 22:48 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-27 17:13 . 2008-10-27 17:13 <DIR> d-------- c:\program files\Raxco
2008-10-27 17:13 . 2008-10-27 17:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
2008-10-27 17:05 . 2008-10-27 17:05 <DIR> d--h----- c:\windows\PIF
2008-10-27 16:59 . 2008-10-27 17:12 53,192 --a------ c:\windows\system32\drivers\rp_skt32.sys
2008-10-27 16:59 . 2007-04-19 10:36 48,384 --a------ c:\windows\system32\drivers\rp_pkt32.sys
2008-10-27 16:58 . 2008-10-27 17:03 <DIR> d-------- c:\program files\Common Files\Scanner
2008-10-27 16:58 . 2008-10-27 16:58 <DIR> d-------- c:\program files\Common Files\Authentium
2008-10-27 16:58 . 2008-10-27 16:58 <DIR> d-------- c:\program files\CA
2008-10-27 16:57 . 2008-10-27 16:58 <DIR> d-------- c:\program files\TELUS
2008-10-27 16:57 . 2008-10-27 16:57 <DIR> d-------- c:\documents and settings\Mine\Application Data\TELUS
2008-10-27 16:56 . 2008-10-27 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\TELUS
2008-10-27 16:55 . 2008-10-27 16:55 <DIR> d-------- c:\documents and settings\Mine\Application Data\InstallShield
2008-10-27 16:34 . 2008-10-27 16:34 <DIR> d-------- c:\documents and settings\Mine\Application Data\Runaware
2008-10-27 16:34 . 2008-10-27 16:34 <DIR> d-------- c:\documents and settings\Mine\Application Data\ICAClient
2008-10-23 09:21 . 2008-10-15 08:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 18:47 . 2008-10-22 18:47 70,272 --a------ c:\documents and settings\Mine\Application Data\GDIPFONTCACHEV1.DAT
2008-10-20 18:53 . 2008-10-20 18:53 <DIR> d-------- c:\documents and settings\Mine\Application Data\Apple Computer
2008-10-20 18:53 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-10-20 18:53 . 2008-04-17 12:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-10-20 18:52 . 2008-10-20 18:52 <DIR> d-------- c:\program files\QuickTime
2008-10-20 18:52 . 2008-10-20 18:53 <DIR> d-------- c:\program files\iTunes
2008-10-20 18:52 . 2008-10-20 18:52 <DIR> d-------- c:\program files\iPod
2008-10-20 18:52 . 2008-10-20 18:52 <DIR> d-------- c:\program files\Bonjour
2008-10-20 18:52 . 2008-10-20 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-20 18:52 . 2008-10-20 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-20 18:51 . 2008-10-20 18:53 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-10-20 18:51 . 2008-10-20 18:52 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-20 18:51 . 2008-10-20 18:51 <DIR> d-------- c:\program files\Apple Software Update
2008-10-20 18:51 . 2008-10-20 18:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-10-20 12:53 . 2008-10-20 12:53 <DIR> d-------- c:\documents and settings\Mine\Application Data\Corel Photo Album
2008-10-20 12:53 . 2008-11-17 14:02 3,350 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-10-20 12:53 . 2008-11-17 14:02 56 -r-hs---- c:\windows\system32\6E962D0515.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 22:48 1,164 ----a-w c:\documents and settings\Mine\Application Data\wklnhst.dat
2008-11-18 17:32 --------- d-----w c:\program files\NOS
2008-11-18 17:32 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-11-17 22:45 --------- d-----w c:\program files\Common Files\Adobe
2008-11-16 22:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 00:27 --------- d-----w c:\program files\DIGStream
2008-10-27 15:38 --------- d-----w c:\documents and settings\Mine\Application Data\AdobeUM
2008-10-18 02:37 --------- d-----w c:\documents and settings\Mine\Application Data\Viewpoint
2008-10-13 19:03 --------- d-----w c:\documents and settings\Mine\Application Data\U3
2008-10-12 22:20 --------- d-----w c:\documents and settings\LocalService\Application Data\McAfee
2008-10-10 22:48 --------- d-----w c:\documents and settings\Guest\Application Data\GTek
2008-10-10 22:46 --------- d-----w c:\documents and settings\Guest\Application Data\McAfee.com Personal Firewall
2008-10-09 09:01 --------- d-----w c:\program files\MSXML 4.0
2008-10-09 04:30 --------- d-----w c:\program files\Common Files\AOL
2008-10-09 04:30 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-09 04:29 --------- d-----w c:\documents and settings\George\Application Data\GTek
2008-10-09 04:29 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-10-09 04:27 --------- d-----w c:\documents and settings\George\Application Data\McAfee.com Personal Firewall
2008-10-09 02:34 --------- d-----w c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2008-10-09 02:32 --------- d-----w c:\program files\Google
2008-10-08 04:24 --------- d-----w c:\documents and settings\Mine\Application Data\HP
2008-10-08 04:18 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-10-08 04:17 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-08 04:17 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-10-08 04:16 --------- d-----w c:\program files\Common Files\HP
2008-10-08 04:15 --------- d-----w c:\program files\HP
2008-10-08 04:15 --------- d-----w c:\program files\Hewlett-Packard
2008-10-08 04:14 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-10-08 02:42 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\McAfee
2008-10-07 21:55 --------- d--h--w c:\documents and settings\Mine\Application Data\Gtek
2008-10-07 21:50 --------- d-----w c:\program files\Java
2008-10-07 21:46 --------- d-----w c:\documents and settings\Mine\Application Data\McAfee.com Personal Firewall
2008-10-07 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2008-10-07 21:42 --------- d-----w c:\program files\DellSupport
2008-10-07 21:37 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\McAfee.com Personal Firewall
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-08-29 17:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 16:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aa64dfd2-6348-2d24-7aca-6c57cdecc6a8}]
2008-11-04 08:01 555008 --a------ c:\windows\system32\nslE9.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-25 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"MMTray"="c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-08 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"TEPA.exe"="c:\program files\TELUS\eProtect Advisor\TEPA.exe" [2007-05-14 2061816]
"TELUS eProtect"="c:\program files\TELUS\TELUS eProtect\Rps.exe" [2007-09-13 310000]
"-FreedomNeedsReboot"="c:\program files\TELUS\TELUS eProtect\ZkRunOnceR.exe" [2007-09-13 13552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 Radialpoint Security Services;TELUS eProtect;c:\windows\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} [2005-08-16 5120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 13:14:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-19 13:15:16
ComboFix-quarantined-files.txt 2008-11-19 21:15:13
ComboFix2.txt 2008-11-19 21:09:43

Pre-Run: 137,364,230,144 bytes free
Post-Run: 137,351,024,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

214 --- E O F --- 2008-11-05 07:00:38

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:22 PM, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Mine\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: mxlivemedia - {aa64dfd2-6348-2d24-7aca-6c57cdecc6a8} - C:\WINDOWS\system32\nslE9.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames...f.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/def...ndLauncher.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe

--
End of file - 10138 bytes
Attached Files
File Type: txt combofixlog.txt (16.0 KB, 1 views)
File Type: txt hijackthislog.txt (9.9 KB, 1 views)

Last edited by chemist; 11-19-2008 at 02:38 PM.
Old 11-19-2008, 02:49 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Hello, Sharona7060.

Quote:
C:\DOCUME~1\Mine\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis[1].zip\HijackThis.exe
You are running HijackThis from a temporary folder. HijackThis makes backups which could be lost if in a temporary folder.

Please uninstall HijackThis in the Add or Remove Programs section of your Control Panel and delete your current version.

Please download HijackThis and Save it to your Desktop.

Alternate link

Double-click on the file you just downloaded. Click 'Run' or 'Install' and follow the prompts to install.

It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you. If it does, just close it please.

------------------------------------------------------

It appears that you ran ComboFix twice. I need to see the first log.

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\ComboFix2.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
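The check made in the post above (HijackThis launched from a temporary folder) can be automated when triaging a HijackThis log. The following is an added example, not part of the original thread or of HijackThis itself; it also flags two other entry shapes that appear in this thread's logs (an O23 service reported as "Unknown owner" and an O4 Run entry with no full path). The function names, rule names and the sample log, which is assembled from lines quoted in this thread, are assumptions made for the illustration.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a shortened log assembled from lines quoted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\Mine\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O4" or "O23"
    body: str  # everything after "CODE - "


# "R0 - ...", "O4 - ...", "O23 - ..." style entry lines
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autostart: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(.*?)\] (.+)$")
# Command that starts with a drive letter or UNC path (optionally quoted)
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\)')
# Directory markers treated as "temporary" for this check (an assumption)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a HijackThis log into the running-process list and coded entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        # The process list ends at the first blank line or first coded entry.
        if in_processes and line and not ENTRY_RE.match(line):
            processes.append(line)
            continue
        in_processes = False
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def is_temp_path(path: str) -> bool:
    """True if the path runs through a temporary directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def findings(text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs worth a manual look. These are review
    prompts for the analyst, not verdicts that an entry is malicious."""
    processes, entries = parse_log(text)
    out: List[Tuple[str, str]] = []
    for proc in processes:
        if is_temp_path(proc):
            out.append(("process-in-temp", proc))
    for entry in entries:
        if entry.code == "O4":
            m = RUN_RE.match(entry.body)
            # No full path: confirm which file on disk the entry resolves to.
            if m and not ABS_PATH_RE.match(m.group(2)):
                out.append(("autostart-relative-path", entry.body))
        elif entry.code == "O23" and " - Unknown owner - " in entry.body:
            out.append(("service-unknown-owner", entry.body))
    return out


if __name__ == "__main__":
    for rule, line in findings(SAMPLE_LOG):
        print(f"{rule}: {line}")
```
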
Old 11-19-2008, 04:45 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: Windows XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

I'm sorry about that....I am a newbie!

I uninstalled and re-installed HijackThis per your instructions.

I ran ComboFix twice because the first time I didn't have the internet open and ran it by mistake without the Windows Recovery Console, then freaked out and ran it again!!

Attaching the ComboFix2

S
Attached Files
File Type: txt ComboFix2.txt (16.2 KB, 1 views)
Old 11-19-2008, 05:35 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Hello again, Sharona7060.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please do NOT attach logs unless specifically requested by a helper. Thanks.

------------------------------------------------------

I see you have SpyHunter installed on your system. This application was previously listed as a rogue program because of deceptive advertising. Please read here

Although no longer listed as such, we recommend uninstalling it via Add or Remove Programs in your Control Panel and downloading antispyware programs that have proven themselves tried and true. See here for a list of trustworthy antispyware products.

------------------------------------------------------

You have remnants of McAfee AntiVirus on your system. They can conflict with your installed AntiVirus program and cause undesirable system behavior.

Please download the McAfee Removal Tool MCPR.exe and Save it to your Desktop.
  • Close all programs and double-click MCPR.exe then click Run
  • Follow the on-screen instructions.
  • Restart the computer if asked.
  • Then delete MCPR.exe from your desktop.
------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
Folder::
c:\documents and settings\All Users\Application Data\Avg8
c:\program files\Enigma Software Group
c:\program files\AVG
c:\documents and settings\Mine\Application Data\AVGTOOLBAR
c:\documents and settings\Mine\Application Data\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aa64dfd2-6348-2d24-7aca-6c57cdecc6a8}]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway

File::
c:\windows\system32\pmgubxiwlojaqzbiz.exe
c:\windows\system32\cont_mxlivemedia-remove.exe
c:\windows\system32\nslE9.dll

Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please click Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'.

Save the logfile and post it here. Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log
Old 11-19-2008, 08:14 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: Windows XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

OK....I got a little sidetracked reading all that great info you sent...still not sure of which anti-virus, etc. to use??

Anyway, I removed SpyHunter. It just showed up recently; I'm not exactly sure how it arrived on my computer as I don't remember downloading it! I removed McAfee (it came with my computer software from Dell) as well.

Here are the two new log files....

ComboFix 08-11-18.A2 - Mine 2008-11-19 19:52:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.564 [GMT -8:00]
Running from: c:\documents and settings\Mine\Desktop\1ComboFix.exe
Command switches used :: c:\documents and settings\Mine\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\cont_mxlivemedia-remove.exe
c:\windows\system32\nslE9.dll
c:\windows\system32\pmgubxiwlojaqzbiz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Avg8
c:\documents and settings\Mine\Application Data\AVGTOOLBAR
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\avglinks.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\avglogo.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\avgstatus.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\avgstatus_error.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\avgtoolbartb0502.cfg
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\brandlogo.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\COMBOSEARCH.acs
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\p_yahoo.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\safesearch.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\safesearch_off.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\safesearch_on.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\safesurf.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\safesurf_off.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\safesurf_on.bmp
c:\documents and settings\Mine\Application Data\AVGTOOLBAR\slider.bmp
c:\documents and settings\Mine\Application Data\Viewpoint
c:\documents and settings\Mine\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-920016760.mtj&p2=1&p3=13628889503440113430122022044687&p4=50463258
c:\documents and settings\Mine\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
c:\documents and settings\Mine\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
c:\documents and settings\Mine\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
c:\documents and settings\Mine\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
c:\documents and settings\Mine\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
c:\program files\AVG
c:\program files\AVG\AVG8\fixfp.exe
c:\program files\Enigma Software Group
c:\windows\system32\cont_mxlivemedia-remove.exe
c:\windows\system32\nslE9.dll
c:\windows\system32\pmgubxiwlojaqzbiz.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-19 16:39 . 2008-11-19 16:39 <DIR> d-------- c:\program files\Trend Micro
2008-11-17 14:46 . 2008-11-17 14:46 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-16 14:48 . 2008-11-16 14:48 250 --a------ c:\windows\gmer.ini
2008-11-15 00:08 . 2008-11-15 00:08 <DIR> d-------- c:\program files\Phantom EFX
2008-11-13 10:37 . 2008-11-16 14:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-13 10:37 . 2008-11-16 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 18:26 . 2008-11-16 13:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-11 12:52 . 2008-11-11 12:54 <DIR> d-------- c:\program files\PokerStars.NET
2008-11-08 18:20 . 2008-11-08 18:20 <DIR> d-------- c:\documents and settings\George\Application Data\Corel Photo Album
2008-11-08 17:13 . 2008-11-08 17:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Solt Lake Software
2008-11-08 15:31 . 2008-11-08 15:31 <DIR> d-------- c:\documents and settings\George\Application Data\TELUS
2008-11-07 22:05 . 2008-11-07 22:11 <DIR> d-------- c:\program files\eGames
2008-11-07 22:05 . 1999-05-07 00:00 140,288 --a------ c:\windows\system32\Comdlg32.ocx
2008-11-07 22:05 . 1999-03-25 23:00 101,888 --a------ c:\windows\system32\Vb6stkit.dll
2008-11-07 22:05 . 1999-05-07 00:00 82,960 --a------ c:\windows\system32\Picclp32.ocx
2008-11-07 22:05 . 2000-07-17 13:41 70,088 --a------ c:\windows\system32\Project2-1.ocx
2008-11-07 22:05 . 2000-03-21 15:37 1,760 --a------ c:\windows\system32\objsafe.tlb
2008-11-07 22:05 . 2000-04-06 14:58 1,453 --a------ c:\windows\system32\Project2.INF
2008-11-07 21:59 . 2008-11-08 18:27 <DIR> d-------- c:\program files\MasqueGames
2008-11-03 22:47 . 2008-11-03 22:47 <DIR> d-------- c:\program files\Oberon Media
2008-11-03 22:47 . 2008-11-03 23:49 <DIR> d-------- c:\program files\MSN Games
2008-11-03 22:47 . 2008-11-03 23:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-03 22:22 . 2008-11-03 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
2008-11-03 21:42 . 2008-11-03 21:42 <DIR> d-------- c:\windows\Sun
2008-11-02 19:51 . 2008-11-02 19:51 <DIR> d-------- c:\program files\directx
2008-11-02 19:48 . 2008-11-07 22:15 <DIR> d-------- c:\program files\Phantom
2008-10-29 22:49 . 2008-10-29 22:49 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-29 22:47 . 2008-10-29 22:47 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-29 22:47 . 2008-10-29 22:48 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-27 17:13 . 2008-10-27 17:13 <DIR> d-------- c:\program files\Raxco
2008-10-27 17:13 . 2008-10-27 17:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
2008-10-27 17:05 . 2008-10-27 17:05 <DIR> d--h----- c:\windows\PIF
2008-10-27 16:59 . 2008-10-27 17:12 53,192 --a------ c:\windows\system32\drivers\rp_skt32.sys
2008-10-27 16:59 . 2007-04-19 10:36 48,384 --a------ c:\windows\system32\drivers\rp_pkt32.sys
2008-10-27 16:58 . 2008-10-27 17:03 <DIR> d-------- c:\program files\Common Files\Scanner
2008-10-27 16:58 . 2008-10-27 16:58 <DIR> d-------- c:\program files\Common Files\Authentium
2008-10-27 16:58 . 2008-10-27 16:58 <DIR> d-------- c:\program files\CA
2008-10-27 16:57 . 2008-10-27 16:58 <DIR> d-------- c:\program files\TELUS
2008-10-27 16:57 . 2008-10-27 16:57 <DIR> d-------- c:\documents and settings\Mine\Application Data\TELUS
2008-10-27 16:56 . 2008-10-27 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\TELUS
2008-10-27 16:55 . 2008-10-27 16:55 <DIR> d-------- c:\documents and settings\Mine\Application Data\InstallShield
2008-10-27 16:34 . 2008-10-27 16:34 <DIR> d-------- c:\documents and settings\Mine\Application Data\Runaware
2008-10-27 16:34 . 2008-10-27 16:34 <DIR> d-------- c:\documents and settings\Mine\Application Data\ICAClient
2008-10-23 09:21 . 2008-10-15 08:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 18:47 . 2008-10-22 18:47 70,272 --a------ c:\documents and settings\Mine\Application Data\GDIPFONTCACHEV1.DAT
2008-10-20 18:53 . 2008-10-20 18:53 <DIR> d-------- c:\documents and settings\Mine\Application Data\Apple Computer
2008-10-20 18:53 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-10-20 18:53 . 2008-04-17 12:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-10-20 18:52 . 2008-10-20 18:52 <DIR> d-------- c:\program files\QuickTime
2008-10-20 18:52 . 2008-10-20 18:53 <DIR> d-------- c:\program files\iTunes
2008-10-20 18:52 . 2008-10-20 18:52 <DIR> d-------- c:\program files\iPod
2008-10-20 18:52 . 2008-10-20 18:52 <DIR> d-------- c:\program files\Bonjour
2008-10-20 18:52 . 2008-10-20 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-20 18:52 . 2008-10-20 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-20 18:51 . 2008-10-20 18:53 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-10-20 18:51 . 2008-10-20 18:52 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-20 18:51 . 2008-10-20 18:51 <DIR> d-------- c:\program files\Apple Software Update
2008-10-20 18:51 . 2008-10-20 18:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-10-20 12:53 . 2008-10-20 12:53 <DIR> d-------- c:\documents and settings\Mine\Application Data\Corel Photo Album
2008-10-20 12:53 . 2008-11-17 14:02 3,350 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-10-20 12:53 . 2008-11-17 14:02 56 -r-hs---- c:\windows\system32\6E962D0515.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 03:35 1,324 ----a-w c:\documents and settings\Mine\Application Data\wklnhst.dat
2008-11-18 17:32 --------- d-----w c:\program files\NOS
2008-11-18 17:32 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-11-17 22:45 --------- d-----w c:\program files\Common Files\Adobe
2008-11-16 22:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 00:27 --------- d-----w c:\program files\DIGStream
2008-10-27 15:38 --------- d-----w c:\documents and settings\Mine\Application Data\AdobeUM
2008-10-13 19:03 --------- d-----w c:\documents and settings\Mine\Application Data\U3
2008-10-10 22:48 --------- d-----w c:\documents and settings\Guest\Application Data\GTek
2008-10-09 09:01 --------- d-----w c:\program files\MSXML 4.0
2008-10-09 04:30 --------- d-----w c:\program files\Common Files\AOL
2008-10-09 04:30 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-09 04:29 --------- d-----w c:\documents and settings\George\Application Data\GTek
2008-10-09 04:29 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-10-09 02:32 --------- d-----w c:\program files\Google
2008-10-08 04:24 --------- d-----w c:\documents and settings\Mine\Application Data\HP
2008-10-08 04:18 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-10-08 04:17 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-08 04:17 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-10-08 04:16 --------- d-----w c:\program files\Common Files\HP
2008-10-08 04:15 --------- d-----w c:\program files\HP
2008-10-08 04:15 --------- d-----w c:\program files\Hewlett-Packard
2008-10-08 04:14 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-10-08 02:42 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\McAfee
2008-10-07 21:55 --------- d--h--w c:\documents and settings\Mine\Application Data\Gtek
2008-10-07 21:50 --------- d-----w c:\program files\Java
2008-10-07 21:42 --------- d-----w c:\program files\DellSupport
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-08-29 17:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 16:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-19_13.09.22.67 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-25 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"MMTray"="c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-08 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"TEPA.exe"="c:\program files\TELUS\eProtect Advisor\TEPA.exe" [2007-05-14 2061816]
"TELUS eProtect"="c:\program files\TELUS\TELUS eProtect\Rps.exe" [2007-09-13 310000]
"-FreedomNeedsReboot"="c:\program files\TELUS\TELUS eProtect\ZkRunOnceR.exe" [2007-09-13 13552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 Radialpoint Security Services;TELUS eProtect;c:\windows\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} [2005-08-16 5120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 19:53:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-19 19:54:29
ComboFix-quarantined-files.txt 2008-11-20 03:54:24
ComboFix2.txt 2008-11-19 21:15:17
ComboFix3.txt 2008-11-19 21:09:43

Pre-Run: 137,321,488,384 bytes free
Post-Run: 137,309,364,224 bytes free

227 --- E O F --- 2008-11-05 07:00:38

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:50 PM, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames...f.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/def...ndLauncher.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe

--
End of file - 9969 bytes
Attached Files
File Type: txt ComboFix.txt (16.5 KB, 2 views)
File Type: txt hijackthis2.txt (9.7 KB, 1 views)

Last edited by chemist; 11-20-2008 at 04:06 AM.
Sharona7060 is offline  
Old 11-20-2008, 04:10 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Hello again, Sharona. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Quote:
still not sure of which anti-virus, etc. to use??
Do you want a free one or one to purchase?

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 10 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click Continue
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start (or My Computer) > Control Panel and click on Add or Remove Programs
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u10-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'.

Save the logfile and post it here. Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
new HijackThis log
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
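The HijackThis log posted earlier and the outdated-Java finding in the reply above, worked through as an added example (not part of the original posts and not HijackThis's own code). The section descriptions are a summary, the baseline version is the one the reply names, and each note is a prompt to look closer, not a verdict:

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# What each section code in the sample covers (summary written for this example).
SECTIONS = {
    "O4": "autostart entry (Run key or Startup folder)",
    "O9": "Internet Explorer extra button / Tools menu item",
    "O15": "site in the Internet Explorer Trusted Zone",
    "O16": "downloaded ActiveX control (DPF)",
    "O23": "Windows service",
}
BASELINE_JRE = (6, 10)  # JRE 6 Update 10, the version the reply says to install

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
JRE_RE = re.compile(r"jre1\.(\d+)\.0_(\d+)", re.IGNORECASE)


def parse_log(text):
    """Turn 'O<n> - detail' lines into dicts; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            code, detail = m.groups()
            entries.append({"code": code,
                            "kind": SECTIONS.get(code, "other"),
                            "detail": detail})
    return entries


def review_notes(entries):
    """Return (code, note, subject) tuples for entries worth a closer look."""
    notes = []
    for e in entries:
        code, detail = e["code"], e["detail"]
        jre = JRE_RE.search(detail)
        if jre and (int(jre.group(1)), int(jre.group(2))) < BASELINE_JRE:
            notes.append((code, "JRE older than baseline", jre.group(0)))
        if code == "O23" and "Unknown owner" in detail:
            # HijackThis found no company name for the service's file.
            name = detail.split(" - ")[0][len("Service: "):]
            notes.append((code, "no company name on service file", name))
        if code == "O4" and "~" in detail:
            notes.append((code, "8.3 short path, expand before judging", detail))
        if code == "O15":
            notes.append((code, "confirm Trusted Zone site is expected", detail))
    return notes


if __name__ == "__main__":
    for code, note, subject in review_notes(parse_log(SAMPLE_LOG)):
        print(f"{code:4} {note}: {subject}")
```
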
Old 11-20-2008, 10:04 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: Windows XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Hi Chemist!

It would be nice to have a free anti-virus but if it is better to purchase one then I could do that as long as it isn't too expensive.

I have started working through these new instructions and am in the process of removing the old Java - do you want me to remove Java 2 Runtime Environment SE v1.4.2_03? I removed Java TM 6 Update 7. Also there is a notice to update the Java that I just downloaded to my desktop - when do I click to do the updates?

I was on the internet last night and the first website I went to was MSN.com and my Logitech cordless mouse was acting weird as in not responding properly so I was frustrated and shut my computer completely down. When I started it up this morning and went into the internet everything seems to be perfectly normal (other than my home website was Dell but for some strange reason is now MSN????). But the mouse is ok and when I click on a website it actually takes me to that website!!

I will wait to hear back from you!
S
Sharona7060 is offline  
Old 11-20-2008, 10:18 AM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

As far as a free antivirus, I usually recommend AVG. For a purchased one, I would recommend NOD32:

http://www.eset.com/

------------------------------------------------------

Yes, remove Java 2 Runtime Environment, SE v1.4.2_03 and then follow the instructions for installing Java Runtime Environment (JRE) 6 Update 10. Just ignore the update notice.

You can change your homepage back if you want.

Let me know if your machine is still behaving OK.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 11-20-2008, 01:35 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: Windows XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Hi Chemist!

System (other than being a little slow) is running fine! Internet is running great as well.

Thank you for the anti-virus info!

Here are the reports...

S
Attached Files
File Type: txt Kaspersky Report.txt (864 Bytes, 1 views)
File Type: txt hijackthis3.txt (10.0 KB, 1 views)
Sharona7060 is offline  
Old 11-20-2008, 02:27 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Read here to help with your slow system:

http://www.techsupportforum.com/secu...ning-slow.html

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

C:\WINDOWS\gmer_uninstall.cmd

Press any key to continue once you see that message.

------------------------------------------------------

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:
combofix /u
This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Spybot - Search & Destroy is an excellent spyware remover and also offers real-time protection against critical registry changes. Don't use the Immunize feature in Spybot if you use SpywareBlaster. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
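The HOSTS-file blocking described in the post above, as an added example (not from the original post or the MVPS project): it separates entries that sink a name to the local machine from entries that send a name to some other address, which are the ones to review when auditing a HOSTS file. The sample file is constructed and uses documentation-reserved names and addresses.

```python
import ipaddress

# Constructed sample HOSTS content (not taken from any real system).
SAMPLE_HOSTS = """\
# MVPS-style blocking entries
127.0.0.1    localhost
127.0.0.1    ads.example.com
0.0.0.0      tracker.example.net   # inline comment
203.0.113.7  search.example.org
not-an-ip    broken.example.org
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; skip comments, blanks, malformed lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield addr, name.lower()


def classify(text):
    """Split entries into names blocked locally and names pointed elsewhere."""
    result = {"blocked": [], "redirected": []}
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the standard loopback entry, not a block
        if addr.is_loopback or addr.is_unspecified:
            # 127.0.0.1 (as in the post) or 0.0.0.0: the name goes nowhere.
            result["blocked"].append(name)
        else:
            # The name resolves to this address instead of its DNS answer.
            result["redirected"].append((name, str(addr)))
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_HOSTS)
    print("blocked:", report["blocked"])
    print("review :", report["redirected"])
```
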
Old 11-20-2008, 04:13 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: Windows XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

You are the BEST!!!!

Thank you so much for helping with this problem. I have completed the rest of this up to the spyware protection, which I will take my time to read.

Is it advisable to use another browser such as Firefox? I was reading that Internet Explorer can be a problem....or do you think AVG will be enough?
I did read the suggestion to run more than one anti-virus, is this a good idea - you indicated that they can interfere with one another?

I'm not sure about the Telus eprotect....it says it has anti-spyware, anti-virus, anti-fraud and a firewall but how good is it?

I cannot express to you how much I have appreciated your patience and help with this problem!!!!
Sharon
Sharona7060 is offline  
Old 11-20-2008, 04:51 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Hello Sharon. You are very welcome! Glad to have helped.

I'm afraid I'm not familiar with Telus eProtect. Antivirus programs provided by ISP providers are often bundles of different products, I believe. You actually have Authentium Antivirus, RPS (Radial Point Security), and Telus eProtect installed on your system. You might want to check with your ISP provider about that. I wouldn't like that on my system. I'm not saying they're no good. I just don't have any experience with them.

Quote:
I did read the suggestion to run more than one anti-virus, is this a good idea - you indicated that they can interfere with one another?
It is never advisable to have more than one antivirus installed, much less running. Not sure where you read that. They can conflict with each other, slowing down your system.

Quote:
Is it advisable to use another browser such as Firefox? I was reading that Internet Explorer can be a problem....or do you think AVG will be enough?
Malware writers target IE more than other browsers. I definitely suggest trying Firefox. You will soon love it.

http://www.mozilla.com/en-US/firefox/

AVG Free is as good as any free antivirus. But no one product can protect your system from everything. Use a good antivirus and one or more antispyware scanners. Keep them updated and scan regularly. Keep Windows updated. Surf safely. Don't click on suspicious emails or attachments. That's what will keep you protected.

See here for a list of trustworthy antispyware products.

Hope this helps. Let me know if I can be of further assistance.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 11-21-2008, 12:01 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 9
OS: Windows XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

I have turned off Telus Eprotect - I think the other anti-virus program is attached to that one as Telus is our phone service and Internet provider up here in Canada.

I was really excited after watching the video for Firefox and have downloaded it immediately!!!

I will now load AVG and Spyware Blaster and was thinking of Windows Defender as well.

Thanks again for the info....you are an IT Angel and I am one happy customer

Sharon
Sharona7060 is offline  
Old 11-21-2008, 12:19 PM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: Trojan Clicker and ZLOB? Internet Problem

Surf Safely!
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
 





Copyright 2001 - 2009, Tech Support Forum