Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 12-06-2008, 05:38 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


Desktop Hijacked!

My homepage is always dealhrfind.com no matter what. I have tried many things. I believe other systems are affected by this. Help with this would be greatly appreciated. I also had a problem with my Yahoo! account being hacked and changed to the point of being non-accessible by me.

I already posted a thread, but nobody has gotten back to me in quite some time. This is probably because the tech I was consulting with was busy or something, but it's been a while and my computer isn't fixed. The info the tech had me collect is on my previous thread titled: Hijacked. Please help.
bud3783 is offline  
Old 12-08-2008, 08:15 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Please follow the instructions from this webpage (sticky):

http://www.techsupportforum.com/secu...oval-help.html

You shall have a proper set of logs for us after that. Someone shall be along shortly.

* Kindly note that threads without the proper logs are likely to be ignored.
sUBs is offline  
Old 12-08-2008, 08:40 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


Here are my logs!

My logs.


DDS (Version 1.0) - NTFSx86
Run by KEN at 22:01:42.35 on Mon 12/08/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.521 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\KEN\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - c:\program files\asktbar\srchastt\2.bin\A5SRCHAS.DLL
BHO: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - c:\program files\asktbar\srchastt\2.bin\A5SRCHAS.DLL
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - c:\program files\asktbar\bar\2.bin\ASKTBAR.DLL
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - c:\program files\asktbar\bar\2.bin\ASKTBAR.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {FE063DB9-4EC0-403E-8DD8-394C54984B2C} - c:\program files\asktbar\bar\2.bin\ASKTBAR.DLL
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_SC2.tmp" /EF "HKCU"
uRun: [DVDXGhost]
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\ken\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
AppInit_DLLs:
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: {569DAC0F-2791-46ab-8EFC-A54B77C04C20} - c:\program files\dvd ghost\ExecuteHooker.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqNeCTm
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R2 FdRedir;FdRedir;\??\c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-21 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;\??\c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-21 33024]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 McciCMService;McciCMService;"c:\program files\common files\motive\McciCMService.exe" [2008-11-17 303104]
R2 RMSvc;Media Center Extender Resource Monitor;c:\windows\ehome\RMSvc.exe [2005-10-20 28160]
R2 smihlp;SMI helper driver;\??\c:\program files\protector suite ql\smihlp.sys [2005-12-21 3456]
R3 BoiHwsetup;Access 32bits INT15 routine;c:\windows\system32\drivers\BoiHwSetup.sys [2005-6-10 5504]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;c:\windows\system32\drivers\qkbfiltr.sys [2006-1-12 31872]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;c:\windows\system32\drivers\qmofiltr.sys [2005-5-5 7936]
S2 BitComet AntiARP;BitComet AntiARP;c:\program files\bitcometantiarp\BitCometAntiARP.exe [2007-5-7 484864]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 DSI_SiUSBXp_3_1;DSI_SiUSBXp_3_1;c:\windows\system32\drivers\DSI_SiUSBXp_3_1.sys [2008-9-27 14848]
S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MREMP50.SYS [2008-11-17 19712]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MRESP50.SYS [2008-11-17 18304]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\common~1\motive\MRESP50a64.SYS []
S3 QWAVE;QWAVE service;c:\windows\system32\svchost.exe -k QWAVE [2006-3-2 14336]
S3 SMCB000;SMSC CIR HID Miniport Device Driver;c:\windows\system32\drivers\hidsmsc.sys [2006-3-3 15744]

=============== Created Last 30 ================

2008-11-30 00:15 250 a------- c:\windows\gmer.ini
2008-11-29 23:01 <DIR> --d----- c:\program files\iPod
2008-11-29 23:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 22:55 <DIR> --d----- c:\program files\Bonjour
2008-11-26 18:17 <DIR> --d----- c:\program files\AskTBar
2008-11-26 13:41 <DIR> --d----- c:\docume~1\ken\applic~1\NeroDigital(TM)
2008-11-25 23:17 <DIR> --d----- c:\program files\DVD Ghost
2008-11-25 18:20 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-25 18:20 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-25 18:20 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-25 18:20 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-25 18:20 <DIR> --d----- c:\program files\Symantec
2008-11-25 15:14 1,645,320 a------- c:\windows\system32\gdiplus.dll
2008-11-25 15:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DVD X Studios
2008-11-25 15:13 87,608 a------- c:\docume~1\ken\applic~1\inst.exe
2008-11-25 15:13 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-11-25 15:13 47,360 a------- c:\docume~1\ken\applic~1\pcouffin.sys
2008-11-25 15:13 <DIR> --d----- c:\docume~1\ken\applic~1\Vso
2008-11-25 15:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DVDXStudio
2008-11-25 14:21 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-11-20 11:14 <DIR> --d----- c:\documents and settings\ken\dwhelper
2008-11-20 07:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ATTToolbar
2008-11-20 07:56 <DIR> --d----- c:\program files\ATTToolbar
2008-11-20 07:56 <DIR> --d----- c:\docume~1\ken\applic~1\ATTToolbar
2008-11-18 08:18 0 a------- c:\windows\iPlayer.INI
2008-11-18 08:16 <DIR> --d----- c:\program files\InterActual
2008-11-17 23:52 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-17 23:52 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-17 14:12 <DIR> --d-h--- c:\windows\PIF
2008-11-17 14:08 <DIR> --d----- c:\program files\common files\Command Software
2008-11-17 14:08 <DIR> --d----- c:\program files\Radialpoint
2008-11-17 14:08 <DIR> --d----- c:\program files\common files\PestPatrol
2008-11-17 14:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Radialpoint
2008-11-17 14:08 <DIR> --d----- c:\windows\Downloaded Installations
2008-11-17 13:41 <DIR> --d----- c:\program files\att-nap
2008-11-17 13:41 <DIR> --d----- c:\program files\common files\Motive
2008-11-12 18:09 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2008-11-12 18:02 295,424 -c------ c:\windows\system32\dllcache\termsrv.dll
2008-11-12 12:07 69 a------- c:\windows\NeroDigital.ini
2008-11-12 11:19 14 a------- c:\windows\system32\SysEngine2.SYS

==================== Find3M ====================

2008-12-07 14:38 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-12-04 21:35 <DIR> --d----- c:\docume~1\ken\applic~1\Move Networks
2008-11-30 06:31 <DIR> --d----- c:\program files\Sonic
2008-11-29 23:02 <DIR> --d----- c:\program files\iTunes
2008-11-29 22:31 <DIR> --d----- c:\program files\The Rosetta Stone
2008-11-29 21:52 <DIR> --d----- c:\program files\MagicISO
2008-11-29 17:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-11-29 06:47 <DIR> --d----- c:\program files\COMODO
2008-11-29 06:47 <DIR> --d----- c:\docume~1\ken\applic~1\Comodo
2008-11-29 06:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2008-11-29 06:32 <DIR> --d----- c:\program files\Nero
2008-11-25 19:52 <DIR> --d----- c:\program files\Norton 360
2008-11-25 18:25 <DIR> --d----- c:\docume~1\ken\applic~1\Symantec
2008-11-25 15:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WinZipSE
2008-11-10 22:34 <DIR> --d----- c:\docume~1\ken\applic~1\FrostWire
2008-11-06 17:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WildTangent
2008-11-05 20:01 <DIR> --d----- c:\docume~1\ken\applic~1\NT Registry Analyzer
2008-11-01 07:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2008-10-31 21:35 <DIR> --d----- c:\program files\BitCometAntiARP
2008-10-30 19:57 <DIR> --d----- c:\program files\FrostWire
2008-10-29 09:40 <DIR> --d----- c:\program files\common files\Sonic
2008-10-29 08:55 <DIR> --d----- c:\program files\Native Instruments
2008-10-29 08:50 <DIR> --d----- c:\program files\SmartMusic 9
2008-10-29 08:48 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\MakeMusic
2008-10-28 22:36 <DIR> --d----- c:\program files\BitComet
2008-10-28 22:25 <DIR> --d----- c:\program files\eMule
2008-10-17 21:17 <DIR> --d----- c:\program files\NT Registry Tweaker
2008-10-17 21:16 <DIR> --d----- c:\program files\NT Registry Analyzer
2008-10-14 13:25 902,830 a--sh--- c:\windows\system32\mTCeNqss.ini2
2008-10-13 05:43 <DIR> --d----- c:\program files\NETPDTC
2008-10-10 08:48 <DIR> --d----- c:\program files\DesktopDialer
2008-10-09 14:03 857,237 a--sh--- c:\windows\system32\GPXIOqss.ini2
2008-10-08 19:31 <DIR> --d----- c:\docume~1\ken\applic~1\vlc
2008-10-01 20:31 87,931 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-30 10:16 <DIR> --d----- c:\docume~1\ken\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-09-29 22:34 <DIR> --d----- c:\docume~1\ken\applic~1\Malwarebytes
2008-09-29 22:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-09-29 16:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2008-09-28 19:23 <DIR> --d----- c:\docume~1\ken\applic~1\LimeWire
2008-09-27 18:07 <DIR> --d----- c:\docume~1\ken\applic~1\Blackberry Desktop
2008-09-27 17:46 <DIR> --d----- c:\docume~1\ken\applic~1\Research In Motion
2008-09-27 16:20 <DIR> --d----- c:\docume~1\ken\applic~1\GARMIN
2008-09-27 16:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GARMIN
2008-09-27 14:57 <DIR> --d----- c:\docume~1\ken\applic~1\AOL
2008-09-26 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intel
2008-09-26 21:30 <DIR> --d----- c:\docume~1\ken\applic~1\Intel
2008-09-26 19:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com Personal Firewall
2008-09-26 19:38 <DIR> --d----- c:\docume~1\ken\applic~1\McAfee.com Personal Firewall
2008-09-26 19:37 <DIR> --d----- c:\docume~1\ken\applic~1\Protector Suite
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2006-08-25 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2006-03-02 16:03 <DIR> --d----- c:\docume~1\ken\applic~1\You've Got Pictures Screensaver
2006-03-02 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-03-02 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2006-03-02 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit

============= FINISH: 22:02:22.68 ===============
Attached Files
File Type: zip Attach.zip (6.5 KB, 2 views)
File Type: txt DDS.txt (18.7 KB, 1 views)

Last edited by sUBs; 12-08-2008 at 10:35 PM.
bud3783 is offline  
Old 12-08-2008, 10:44 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.

Question - what have you done for the community today?
sUBs is offline  
Old 12-09-2008, 10:14 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


The recovery console.

While trying to do the recovery console from the ComboFix instructions, I found that those instructions don't work for XP MCE 2005. I have the CD inserted, but the file it says to find only brings up errors of "No file found in that location". I know I'm looking in the right location. What should I do?
bud3783 is offline  
Old 12-09-2008, 10:18 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Skip that. Double click on ComboFix & it shall prompt you.
sUBs is offline  
Old 12-09-2008, 10:46 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


Combofix logs

These are what ComboFix pulled up.


ComboFix 08-12-07.04 - KEN 2008-12-09 12:52:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.492 [GMT -8:00]
Running from: c:\documents and settings\KEN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\KEN\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-08 22:50 . 2008-12-09 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 06:37 . 2008-11-30 06:37 <DIR> d-------- c:\documents and settings\KEN\Application Data\Yahoo!
2008-11-30 00:15 . 2008-12-08 22:04 250 --a------ c:\windows\gmer.ini
2008-11-29 23:01 . 2008-11-29 23:01 <DIR> d-------- c:\program files\iPod
2008-11-29 23:01 . 2008-11-29 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 22:55 . 2008-11-29 22:55 <DIR> d-------- c:\program files\Bonjour
2008-11-29 22:53 . 2008-11-29 22:54 <DIR> d-------- c:\program files\QuickTime
2008-11-26 18:17 . 2008-11-26 18:17 <DIR> d-------- c:\program files\AskTBar
2008-11-26 13:41 . 2008-11-26 13:41 <DIR> d-------- c:\documents and settings\KEN\Application Data\NeroDigital(TM)
2008-11-25 23:17 . 2008-12-08 22:30 <DIR> d-------- c:\program files\DVD Ghost
2008-11-25 20:31 . 2008-11-25 20:31 <DIR> d-------- c:\program files\Alwil Software
2008-11-25 18:20 . 2008-11-29 18:00 <DIR> d-------- c:\program files\Symantec
2008-11-25 18:20 . 2008-11-29 18:00 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-25 18:20 . 2008-11-29 18:00 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-25 18:20 . 2008-11-29 18:00 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-25 18:20 . 2008-11-29 18:00 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-25 15:14 . 2007-12-01 17:10 1,645,320 --a------ c:\windows\system32\gdiplus.dll
2008-11-25 15:13 . 2008-11-25 20:11 <DIR> d-------- c:\documents and settings\KEN\Application Data\Vso
2008-11-25 15:13 . 2008-11-25 20:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVDXStudio
2008-11-25 15:13 . 2008-11-25 20:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD X Studios
2008-11-25 15:13 . 2008-11-25 15:13 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-11-25 15:13 . 2008-11-25 20:11 47,360 --a------ c:\documents and settings\KEN\Application Data\pcouffin.sys
2008-11-25 14:21 . 2008-11-25 14:21 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-20 11:14 . 2008-11-20 13:12 <DIR> d-------- c:\documents and settings\KEN\dwhelper
2008-11-20 07:56 . 2008-11-20 07:56 <DIR> d-------- c:\program files\ATTToolbar
2008-11-20 07:56 . 2008-11-25 19:31 <DIR> d-------- c:\documents and settings\KEN\Application Data\ATTToolbar
2008-11-20 07:56 . 2008-12-07 14:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATTToolbar
2008-11-18 08:18 . 2008-11-18 08:18 0 --a------ c:\windows\iPlayer.INI
2008-11-18 08:16 . 2008-11-18 08:16 <DIR> d-------- c:\program files\InterActual
2008-11-17 23:52 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-17 23:52 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-17 14:12 . 2008-11-17 14:12 <DIR> d--h----- c:\windows\PIF
2008-11-17 14:08 . 2008-11-17 14:08 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-17 14:08 . 2008-11-17 14:08 <DIR> d-------- c:\program files\Radialpoint
2008-11-17 14:08 . 2008-11-17 14:12 <DIR> d-------- c:\program files\Common Files\PestPatrol
2008-11-17 14:08 . 2008-11-17 14:09 <DIR> d-------- c:\program files\Common Files\Command Software
2008-11-17 14:08 . 2008-11-17 14:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Radialpoint
2008-11-17 13:42 . 2008-11-20 07:54 <DIR> d-------- c:\documents and settings\KEN\Application Data\Motive
2008-11-17 13:41 . 2008-11-20 07:56 <DIR> d-------- c:\program files\Common Files\Motive
2008-11-17 13:41 . 2008-11-17 13:41 <DIR> d-------- c:\program files\att-nap
2008-11-17 13:40 . 2008-11-17 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2008-11-12 18:13 . 2006-03-02 16:03 <DIR> d-------- c:\documents and settings\MCX1\Application Data\You've Got Pictures Screensaver
2008-11-12 18:13 . 2006-03-02 16:29 <DIR> d-------- c:\documents and settings\MCX1\Application Data\toshiba
2008-11-12 18:13 . 2006-03-03 10:22 <DIR> d-------- c:\documents and settings\MCX1\Application Data\InterVideo
2008-11-12 18:13 . 2008-09-26 21:30 <DIR> d-------- c:\documents and settings\MCX1\Application Data\Intel
2008-11-12 18:13 . 2008-09-27 14:57 <DIR> d-------- c:\documents and settings\MCX1\Application Data\AOL
2008-11-12 18:13 . 2008-11-12 18:13 <DIR> d-------- c:\documents and settings\MCX1
2008-11-12 18:09 . 2008-11-12 18:09 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-12 18:02 . 2008-04-15 07:17 295,424 -----c--- c:\windows\system32\dllcache\termsrv.dll
2008-11-12 12:07 . 2008-11-12 12:26 69 --a------ c:\windows\NeroDigital.ini
2008-11-12 11:19 . 2008-11-12 11:19 14 --a------ c:\windows\system32\SysEngine2.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 20:59 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-09 20:30 --------- d-----w c:\documents and settings\KEN\Application Data\FrostWire
2008-12-09 06:28 --------- d-----w c:\program files\FrostWire
2008-12-09 06:28 --------- d-----w c:\program files\BitLord
2008-12-09 06:27 --------- d-----w c:\program files\BitCometAntiARP
2008-12-09 06:27 --------- d-----w c:\program files\BitComet
2008-12-05 05:35 --------- d-----w c:\documents and settings\KEN\Application Data\Move Networks
2008-11-30 14:44 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-11-30 14:31 --------- d-----w c:\program files\Sonic
2008-11-30 07:02 --------- d-----w c:\program files\iTunes
2008-11-30 07:01 --------- d-----w c:\program files\Common Files\Apple
2008-11-30 06:31 --------- d-----w c:\program files\The Rosetta Stone
2008-11-30 06:28 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 05:52 --------- d-----w c:\program files\MagicISO
2008-11-30 01:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-29 14:47 --------- d-----w c:\program files\COMODO
2008-11-29 14:47 --------- d-----w c:\documents and settings\KEN\Application Data\Comodo
2008-11-29 14:32 --------- d-----w c:\program files\Nero
2008-11-29 14:32 --------- d-----w c:\program files\Common Files\Nero
2008-11-29 14:32 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-29 07:26 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 07:20 --------- d-----w c:\documents and settings\KEN\Application Data\U3
2008-11-27 06:44 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 03:52 --------- d-----w c:\program files\Norton 360
2008-11-26 02:25 --------- d-----w c:\documents and settings\KEN\Application Data\Symantec
2008-11-25 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\WinZipSE
2008-11-17 22:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 01:11 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-11-06 19:39 --------- d-----w c:\documents and settings\KEN\Application Data\toshiba
2008-11-06 04:01 --------- d-----w c:\documents and settings\KEN\Application Data\NT Registry Analyzer
2008-11-03 16:17 --------- d-----w c:\documents and settings\MEL\Application Data\Sonic
2008-11-01 15:04 --------- d-----w c:\documents and settings\All Users\Application Data\espionServerData
2008-10-29 17:43 --------- d-----w c:\documents and settings\KEN\Application Data\Leadertech
2008-10-29 17:41 --------- d-----w c:\documents and settings\KEN\Application Data\Sonic
2008-10-29 17:40 --------- d-----w c:\program files\Common Files\Sonic
2008-10-29 16:55 --------- d-----w c:\program files\Native Instruments
2008-10-29 16:50 --------- d-----w c:\program files\SmartMusic 9
2008-10-29 16:48 --------- d---a-w c:\documents and settings\All Users\Application Data\MakeMusic
2008-10-29 06:25 --------- d-----w c:\program files\eMule
2008-10-29 05:50 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-10-29 05:50 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 18:49 0 ----a-w c:\documents and settings\MEL\Application Data\wklnhst.dat
2008-10-20 18:49 --------- d-----w c:\documents and settings\MEL\Application Data\Template
2008-10-20 05:57 --------- d-----w c:\documents and settings\MEL\Application Data\U3
2008-10-18 19:26 126 ----a-w c:\documents and settings\KEN\Application Data\wklnhst.dat
2008-10-18 05:17 --------- d-----w c:\program files\NT Registry Tweaker
2008-10-18 05:16 --------- d-----w c:\program files\NT Registry Analyzer
2008-10-17 17:14 --------- d-----w c:\documents and settings\MEL\Application Data\Comodo
2008-10-13 13:43 --------- d-----w c:\program files\NETPDTC
2008-10-11 03:55 --------- d-----w c:\documents and settings\KEN\Application Data\Nero
2008-10-11 03:25 --------- d-----w c:\program files\Windows Sidebar
2008-10-10 17:00 --------- d-----w c:\documents and settings\MEL\Application Data\Symantec
2008-10-10 16:48 --------- d-----w c:\program files\DesktopDialer
2008-10-10 16:44 --------- d-----w c:\documents and settings\MEL\Application Data\ArcSoft
2008-10-10 16:43 --------- d-----w c:\documents and settings\MEL\Application Data\Roxio
2008-10-10 16:43 --------- d-----w c:\documents and settings\MEL\Application Data\Research In Motion
2008-10-10 16:42 --------- d-----w c:\documents and settings\MEL\Application Data\Protector Suite
2008-10-10 16:42 --------- d-----w c:\documents and settings\MEL\Application Data\InstallShield
2008-10-09 07:57 --------- d-----w c:\documents and settings\KEN\Application Data\ArcSoft
2008-10-09 07:56 --------- d-----w c:\program files\Common Files\ArcSoft
2008-10-09 07:56 --------- d-----w c:\program files\ArcSoft
2008-10-09 03:31 --------- d-----w c:\documents and settings\KEN\Application Data\vlc
2008-10-09 03:29 --------- d-----w c:\program files\VideoLAN
2008-10-09 03:15 --------- d-----w c:\program files\Xvid
.

------- Sigcheck -------

2005-05-25 11:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-10 04:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2005-05-25 11:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-10-28 21:50 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2008-10-28 21:50 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-12-09_12.38.26.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-09 20:57:00 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_388.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "c:\program files\AskTBar\SrchAstt\2.bin\A5SRCHAS.DLL" [2008-11-26 57344]

[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"EPSON Stylus CX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-02-20 1589248]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2005-12-21 30208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-10 118837]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 c:\windows\system32\CHDAudPropShortcut.exe]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\KEN\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-03-02 155648]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-10-08 270336]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-09 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-21 20:42 40448 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Roxio\\Roxio MyDVD DE\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Roxio MyDVD DE\\Digital Home 9\\RoxioUpnpService9.exe"=
"c:\\Program Files\\BitComet\\plugin_emule\\plugin_eMule.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26553:TCP"= 26553:TCP:BitComet 26553 TCP
"26553:UDP"= 26553:UDP:BitComet 26553 UDP
"19383:TCP"= 19383:TCP:BitComet 19383 TCP(ED2K)
"19383:UDP"= 19383:UDP:BitComet 19383 UDP(ED2K)
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 FdRedir;FdRedir;\??\c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-21 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;\??\c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-21 33024]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R2 McciCMService;McciCMService;"c:\program files\Common Files\Motive\McciCMService.exe" [2008-11-17 303104]
R2 RMSvc;Media Center Extender Resource Monitor;c:\windows\ehome\RMSvc.exe [2005-10-20 28160]
R2 smihlp;SMI helper driver;\??\c:\program files\Protector Suite QL\smihlp.sys [2005-12-21 3456]
R3 BoiHwsetup;Access 32bits INT15 routine;c:\windows\system32\drivers\BoiHwSetup.sys [2005-06-10 5504]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-25 99376]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;c:\windows\system32\drivers\qkbfiltr.sys [2006-01-12 31872]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;c:\windows\system32\drivers\qmofiltr.sys [2005-05-05 7936]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]
S3 DSI_SiUSBXp_3_1;DSI_SiUSBXp_3_1;c:\windows\system32\drivers\DSI_SiUSBXp_3_1.sys [2008-09-27 14848]
S3 QWAVE;QWAVE service;c:\windows\system32\svchost.exe -k QWAVE [2006-03-02 14336]
S3 SMCB000;SMSC CIR HID Miniport Device Driver;c:\windows\system32\DRIVERS\hidsmsc.sys [2006-03-03 15744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\KEN\Application Data\Mozilla\Firefox\Profiles\u4d4u7vn.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\documents and settings\KEN\Application Data\Mozilla\Firefox\Profiles\u4d4u7vn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 12:58:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll
c:\program files\Protector Suite QL\mysafe.dll

- - - - - - - > 'lsass.exe'(1388)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Roxio\Roxio MyDVD DE\Digital Home 9\RoxioUpnpService9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Toshiba\ConfigFree\CFSServ.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Toshiba\ConfigFree\CFXFER.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
.
**************************************************************************
.
Completion time: 2008-12-09 13:00:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 21:00:43
ComboFix2.txt 2008-12-09 20:39:01

Pre-Run: 85,664,538,624 bytes free
Post-Run: 85,655,527,424 bytes free

350 --- E O F --- 2008-11-18 11:04:51
Attached Files
File Type: txt log.txt (24.7 KB, 2 views)

Last edited by sUBs; 12-09-2008 at 09:43 PM.
bud3783 is offline  
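The Sigcheck block in the log above lists every copy of tcpip.sys that Windows keeps, each with its MD5. One way to read such a block is to separate the copies that are actually loaded (the driver under system32\drivers, plus the dllcache copy that Windows File Protection restores from) from the reference copies left behind in the hotfix and service-pack folders, and to check whether the live hash appears among the reference hashes. The script below is an added example, not part of ComboFix or of this thread; its sample input is the Sigcheck section copied from the log, and the "live versus reference" rule is the example's own assumption. An unmatched live hash is a prompt to verify the file's digital signature against the vendor's, not a verdict by itself: a legitimately updated driver whose installer left no copy in those folders produces the same picture.

```python
"""Group Sigcheck lines by file name and compare the hash of each live copy
against the copies Windows keeps in hotfix / service-pack folders.

Added example for this thread, not ComboFix's own code. The sample lines are
copied from the Sigcheck section of the log above; the line format and the
"live vs reference" classification are this example's assumptions.
"""
import re
from collections import defaultdict

# Sigcheck lines copied from the ComboFix log above: date time size md5 path
SIGCHECK_LINES = r"""
2005-05-25 11:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-10 04:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2005-05-25 11:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-10-28 21:50 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2008-10-28 21:50 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS
"""

# One Sigcheck entry: YYYY-MM-DD HH:MM size md5 path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")

# Folders whose copy is (or can be restored as) the running driver. Assumption
# of this example; every other folder is treated as a reference copy.
LIVE_DIR_MARKERS = ("\\system32\\drivers\\", "\\system32\\dllcache\\")


def parse_sigcheck(text):
    """Return a list of dicts for every well-formed Sigcheck line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, ComboFix separators
        date, time, size, md5, path = m.groups()
        entries.append({"date": date, "time": time, "size": int(size),
                        "md5": md5.lower(), "path": path})
    return entries


def is_live_copy(path):
    low = path.lower()
    return any(marker in low for marker in LIVE_DIR_MARKERS)


def compare_live_copies(entries):
    """Per file name: reference hashes, live hashes, and live paths whose hash
    matches none of the reference copies."""
    by_name = defaultdict(lambda: {"live": [], "reference": []})
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        by_name[name]["live" if is_live_copy(e["path"]) else "reference"].append(e)

    report = {}
    for name, groups in by_name.items():
        ref_hashes = {e["md5"] for e in groups["reference"]}
        live_hashes = {e["md5"] for e in groups["live"]}
        unmatched = [e["path"] for e in groups["live"] if e["md5"] not in ref_hashes]
        report[name] = {
            "reference_hashes": sorted(ref_hashes),
            "live_hashes": sorted(live_hashes),
            "unmatched_live": unmatched,
        }
    return report


if __name__ == "__main__":
    for name, info in compare_live_copies(parse_sigcheck(SIGCHECK_LINES)).items():
        print(name)
        print("  reference hashes:", len(info["reference_hashes"]))
        print("  live hashes:     ", info["live_hashes"])
        for path in info["unmatched_live"]:
            print("  live copy with no matching reference hash:", path)
```

For the lines copied from this log the script reports that both live copies of tcpip.sys carry a hash found in none of the eight distinct reference copies; paired with the TCPIP.SYS.ORIGINAL file dated the same day in the file listing above, that is the kind of detail an analyst would follow up with a signature check on the live driver.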
Old 12-09-2008, 11:36 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Please update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 12-09-2008, 08:10 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


kaspersky log

The kaspersky scanner didn't find anything but here is the log.
Attached Files
File Type: txt kaspersky.txt (655 Bytes, 1 views)
bud3783 is offline  
Old 12-09-2008, 08:11 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Quote:
My homepage always is dealhrfind.com no matter what
Is it still the same?
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 12-09-2008, 08:21 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


Homepage

Yes, it is unchanged. I can change it if I use a bookmark, but if I hit the home button, it goes right back to dealhrfind.com even though I just changed it. I am also unable to type in a new homepage in the space provided for it in Internet Options.
bud3783 is offline  
Old 12-09-2008, 08:27 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Which browser are we talking about here? Firefox or IE ?
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 12-09-2008, 08:33 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


browser

Sorry about that. I was referring to Firefox. IE comes up right.
bud3783 is offline  
Old 12-09-2008, 08:51 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Close Firefox now. Then go to this folder.

c:\documents and settings\KEN\Application Data\Mozilla\Firefox\Profiles\u4d4u7vn.default\

See if you can see a file named user.js. If you see the file, move it to your desktop.
If you don't see the file, look for this other file, pref.js.
Don't delete pref.js. It contains your settings. Move it to the Desktop.
Now launch Firefox. Is your homepage still hijacked?

Let me know how that went
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 12-09-2008, 09:08 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


Browser

Could not locate user.js, but found pref.js. Moved it to the desktop. Opened Firefox and the following opened on different tabs:

hXXp://en-us.www.mozilla.com/en-US/firefox/3.0.4/firstrun/
hXXp://dealhrfind.com/
hXXp://www.downloadhelper.net/welcome.php?version=3.5.1
hXXp://noscript.net/?ver=1.8.7&prev=
hXXp://foxyproxy.mozdev.org/help.html

The homepage is still unalterable.
bud3783 is offline  
Old 12-09-2008, 09:21 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


Browser

I shut it down and tried it again. It didn't bring all those tabs again, but the homepage situation still persists.
bud3783 is offline  
Old 12-09-2008, 09:28 PM   #17 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Okay, that narrows it down a bit for me. Please move pref.js back to its original location.
Make sure Firefox remains shut down & then locate/delete this file.

c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 12-09-2008, 09:39 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 30
OS: XP MCE 2005


file not found

I looked at that location and even used a search, but no file.
bud3783 is offline  
Old 12-10-2008, 06:11 AM   #19 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Just a quick note. I haven't given up on you. Still checking up on a few leads. Shall get back to you when I find something.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 12-10-2008, 08:17 AM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,477
OS: N/A


Re: Desktop Hijacked!

Since this is isolated on Firefox, here's something I want you to try.

FireFox has a special mode called "SafeMode"
With Firefox already shut down, go to Start > Run - type Firefox -safe-mode & click OK

This shall launch Firefox in this special mode. A small window shall initially open. Click the "Continue in Safe Mode" button. Then change your homepage whilst in that mode.

Once done, close Firefox & then restart it once more in SafeMode
Check if your homepage has reverted to dealhrfind.com

If it has not reverted to the hijacked page, restart Firefox in normal mode.
Then type this into the address bar - About:Plugins
When the page opens, use CTRL+C to copy the entire page
Then Ctrl+V to paste into your next reply to me
__________________

Question - what have you done for the community today?

Last edited by sUBs; 12-10-2008 at 08:21 AM.
sUBs is offline  
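Two of the steps sUBs gave above rest on how Firefox stores its settings. A user.js in the profile folder is re-read at every start and its values override whatever prefs.js holds, so a homepage changed in the Options dialog (which only rewrites prefs.js) comes back on the next launch; that is why post #14 asks for user.js first. Safe Mode starts with extensions disabled, so a homepage that stays put in Safe Mode but reverts in normal mode points at an extension or plugin rather than at the pref files, which is the logic behind the Safe Mode test and the about:plugins request. The script below is an added example, not code from this thread or from Mozilla: it builds a constructed profile folder in a temp directory (the homepage URL and the extension id are made up), reports where the effective homepage comes from and which extensions are installed, and can be pointed at a real profile folder such as the one named in post #14 by calling inspect_profile on that path.

```python
"""Report where a Firefox profile's startup homepage is set and what
extensions the profile contains.

Added example for this thread (not Mozilla's code and not the thread's).
Firefox reads prefs.js and then user.js at startup; a key present in user.js
wins and is re-applied on every launch, so a change made in the Options
dialog, which only rewrites prefs.js, does not stick.
"""
import os
import re
import tempfile

# Line format shared by prefs.js and user.js:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

HOMEPAGE_KEY = "browser.startup.homepage"


def read_prefs(path):
    """Return {pref_name: raw_value} for a prefs.js / user.js file (empty if absent)."""
    prefs = {}
    if not os.path.isfile(path):
        return prefs
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = PREF_RE.match(line)
            if m:
                name, raw = m.groups()
                prefs[name] = raw.strip().strip('"')  # string values are quoted
    return prefs


def inspect_profile(profile_dir):
    """Effective homepage, the file that sets it, and the installed extension ids."""
    prefs = read_prefs(os.path.join(profile_dir, "prefs.js"))
    user = read_prefs(os.path.join(profile_dir, "user.js"))
    if HOMEPAGE_KEY in user:
        source = "user.js"      # re-applied at every start, overrides prefs.js
    elif HOMEPAGE_KEY in prefs:
        source = "prefs.js"     # what the Options dialog writes
    else:
        source = None           # Firefox uses its built-in default
    ext_dir = os.path.join(profile_dir, "extensions")
    extensions = sorted(os.listdir(ext_dir)) if os.path.isdir(ext_dir) else []
    return {
        "homepage": user.get(HOMEPAGE_KEY, prefs.get(HOMEPAGE_KEY)),
        "homepage_source": source,
        "user_js_present": os.path.isfile(os.path.join(profile_dir, "user.js")),
        "extensions": extensions,
    }


def build_sample_profile(with_user_js=True):
    """Create a constructed profile folder in a temp dir; all values are made up."""
    d = tempfile.mkdtemp(prefix="ff-profile-")
    with open(os.path.join(d, "prefs.js"), "w", encoding="utf-8") as fh:
        fh.write('user_pref("browser.startup.homepage", "http://www.example.com/");\n')
        fh.write('user_pref("browser.startup.page", 1);\n')
    if with_user_js:
        with open(os.path.join(d, "user.js"), "w", encoding="utf-8") as fh:
            fh.write("// constructed: this value is re-applied at every start\n")
            fh.write('user_pref("browser.startup.homepage", "http://hijacked.example/");\n')
    os.makedirs(os.path.join(d, "extensions", "sample@extension.example"))
    return d


if __name__ == "__main__":
    for flag in (True, False):
        print("with user.js" if flag else "without user.js",
              inspect_profile(build_sample_profile(with_user_js=flag)))
```

With the constructed user.js present the report names user.js as the source of the homepage; once that file is gone the same profile reports prefs.js, which is the outcome the thread's step was designed to distinguish. On the profile in this thread no user.js existed, so the script would have reported prefs.js and listed the extensions whose welcome tabs appeared in post #15, which is the same narrowing-down sUBs arrived at by hand.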
All times are GMT -7. The time now is 12:57 PM.



Copyright 2001 - 2009, Tech Support Forum