Old 03-27-2009, 01:08 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 6
OS: Win XP


Generic Rootkit.d!.rootkit Trojan Win XP SP3

Hello. I've managed to get infected with the above Trojan.
I am running McAfee which continually picks it up, says it removes it but it returns straight away. I've run in safe mode and have system restore switched off.
McAfee identifies it as file NTOSKRNL-HOOK.
So far it seems to hijack IE7 links in Google.
Could anyone help?

Many thanks



DDS (Ver_09-03-16.01) - NTFSx86
Run by Russell at 17:32:28.67 on 27/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2406 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Russell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=uk-smb
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=3080125
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=uk-smb
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=3080125
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=uk-smb
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [ISUSPM] "c:\documents and settings\all users\application data\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PMCRemote]
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236894200015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 85.255.112.202,85.255.112.190
TCP: {2C3DA80A-2C59-4611-850E-5F3BA27D9B8D} = 85.255.112.202,85.255.112.190
TCP: {EC38E322-B66C-49C9-A40C-90839E166770} = 85.255.112.202,85.255.112.190
TCP: {F821F863-013C-47E5-B9AC-D34E2EDE7360} = 85.255.112.202,85.255.112.190
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-24 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-24 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-1-24 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-24 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-24 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-24 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-24 40488]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2008-1-24 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-1-24 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-1-24 7424]
S2 gupdate1c9a97bd3b01a58;Google Update Service (gupdate1c9a97bd3b01a58);c:\program files\google\update\GoogleUpdate.exe [2009-3-20 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-24 33832]
S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\drivers\modrc.sys [2009-3-12 13440]

=============== Created Last 30 ================

2009-03-27 12:57 <DIR> --d----- c:\program files\Trend Micro
2009-03-26 21:47 794,624 a------- c:\windows\system32\spr32d35.dll
2009-03-26 21:41 <DIR> --d----- c:\program files\Punch! Home Design - Platinum
2009-03-25 17:03 <DIR> --d----- c:\docume~1\russell\applic~1\id Software
2009-03-25 17:02 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-25 17:02 22,328 a------- c:\docume~1\russell\applic~1\PnkBstrK.sys
2009-03-25 17:02 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-03-25 17:02 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-03-25 17:02 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-03-25 17:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software
2009-03-23 17:31 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-03-22 18:33 189,571 a------- c:\windows\system32\nvapps.nvb
2009-03-22 18:32 446,464 a------- c:\windows\system32\NVUNINST.EXE
2009-03-22 18:32 147,456 a------- c:\windows\system32\nvcolor.exe
2009-03-22 18:32 327,680 a------- c:\windows\system32\nvwrsesm.dll
2009-03-22 18:32 274,432 a------- c:\windows\system32\nvrsesm.dll
2009-03-22 18:32 1,241,088 a------- c:\windows\system32\nvcuda.dll
2009-03-21 21:16 <DIR> --d----- c:\program files\TagRename
2009-03-21 20:55 <DIR> --d----- c:\program files\common files\Intel
2009-03-21 20:50 <DIR> --d----- c:\docume~1\russell\applic~1\Intel
2009-03-21 20:19 3,636,864 a------- c:\windows\system32\drivers\NETw5x32.sys
2009-03-21 20:19 2,756,608 a------- c:\windows\system32\NETw5r32.dll
2009-03-21 20:19 663,552 a------- c:\windows\system32\NETw5c32.dll
2009-03-20 08:47 <DIR> --d----- c:\windows\pss
2009-03-19 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WEBREG
2009-03-19 19:24 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-03-19 19:24 <DIR> --d----- c:\program files\common files\HP
2009-03-19 19:23 118,272 a------- c:\windows\system32\hpz3l5ha.dll
2009-03-19 19:23 6,784 a------- c:\windows\system32\drivers\serscan.sys
2009-03-19 19:23 6,784 a------- c:\windows\system32\dllcache\serscan.sys
2009-03-19 19:20 271,704 a------- c:\windows\system32\hpzids01.dll
2009-03-19 19:20 970,752 a------- c:\windows\system32\hpotiop5.dll
2009-03-19 19:20 729,088 a------- c:\windows\system32\hpowiax5.dll
2009-03-19 19:20 364,544 a------- c:\windows\system32\hppldcoi.dll
2009-03-19 19:20 309,760 a------- c:\windows\system32\difxapi.dll
2009-03-19 19:20 303,104 a------- c:\windows\system32\hpovst12.dll
2009-03-19 19:20 <DIR> --d----- c:\program files\HP
2009-03-19 19:20 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-03-19 19:20 25,856 a------- c:\windows\system32\dllcache\usbprint.sys
2009-03-19 19:18 164,807 a------- c:\windows\hpoins21.dat
2009-03-19 19:18 7,262 -------- c:\windows\hpomdl21.dat
2009-03-16 15:40 15,232 a------- c:\windows\system32\drivers\MPE.sys
2009-03-16 15:40 15,232 a------- c:\windows\system32\dllcache\mpe.sys
2009-03-16 15:39 363,520 a------- c:\windows\system32\PsisDecd.dll
2009-03-16 15:39 363,520 a------- c:\windows\system32\dllcache\psisdecd.dll
2009-03-16 15:39 56,832 a------- c:\windows\system32\MSDvbNP.ax
2009-03-16 15:39 56,832 a------- c:\windows\system32\dllcache\msdvbnp.ax
2009-03-16 15:39 33,280 a------- c:\windows\system32\PsisRndr.ax
2009-03-16 15:39 33,280 a------- c:\windows\system32\dllcache\psisrndr.ax
2009-03-16 15:39 18,432 a------- c:\windows\system32\dllcache\bdaplgin.ax
2009-03-16 15:39 18,432 a------- c:\windows\system32\BdaPlgIn.ax
2009-03-16 15:39 11,776 a------- c:\windows\system32\drivers\BdaSup.sys
2009-03-16 15:39 11,776 a------- c:\windows\system32\dllcache\bdasup.sys
2009-03-14 22:33 <DIR> --d----- c:\documents and settings\russell\Bluetooth Software
2009-03-14 22:32 106,557 a------- c:\windows\system32\btw_ci.dll
2009-03-14 22:32 67,960 a------- c:\windows\system32\drivers\btwusb.sys
2009-03-14 22:32 37,280 a------- c:\windows\system32\drivers\btwmodem.sys
2009-03-14 22:32 876,384 a------- c:\windows\system32\drivers\btkrnl.sys
2009-03-14 22:32 149,123 a------- c:\windows\system32\drivers\btwdndis.sys
2009-03-14 22:32 37,424 a------- c:\windows\system32\drivers\btport.sys
2009-03-14 22:32 539,072 a------- c:\windows\system32\drivers\btaudio.sys
2009-03-14 22:32 <DIR> --d----- c:\program files\WIDCOMM
2009-03-14 20:37 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-03-14 20:37 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-03-14 20:36 <DIR> --d----- c:\program files\common files\DivX Shared
2009-03-14 20:36 <DIR> --d----- c:\program files\DivX
2009-03-13 11:01 <DIR> --d----- c:\program files\NewsBin
2009-03-13 10:18 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-13 10:18 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-12 22:32 473,728 a------- c:\windows\system32\drivers\mod7700.sys
2009-03-12 22:32 53,248 a------- c:\windows\system32\ModrcCoInstall.dll
2009-03-12 22:32 13,440 a------- c:\windows\system32\drivers\modrc.sys
2009-03-12 22:32 196,096 -------- c:\windows\system32\MACD32.DLL
2009-03-12 22:32 138,752 -------- c:\windows\system32\MASE32.DLL
2009-03-12 22:32 136,192 -------- c:\windows\system32\MAMC32.DLL
2009-03-12 22:32 57,856 -------- c:\windows\system32\MASD32.DLL
2009-03-12 22:32 27,648 -------- c:\windows\system32\MA32.DLL
2009-03-12 22:31 544,768 -------- c:\windows\system32\msvcr71d.dll
2009-03-12 22:31 385,100 -------- c:\windows\system32\MSVCRTD.DLL
2009-03-12 22:31 2,179,072 -------- c:\windows\system32\mfc71d.dll
2009-03-12 22:31 765,952 -------- c:\windows\system32\msvcp71d.dll
2009-03-12 22:31 737,280 -------- c:\windows\system32\msvcp70d.dll
2009-03-12 22:31 536,576 -------- c:\windows\system32\msvcr70d.dll
2009-03-12 22:31 446,464 -------- c:\windows\system32\HHActiveX.dll
2009-03-12 22:31 <DIR> --d----- c:\program files\Pinnacle
2009-03-12 22:31 626,688 -------- c:\windows\system32\msvcr80.dll
2009-03-12 22:31 548,864 -------- c:\windows\system32\msvcp80.dll
2009-03-12 22:31 487,424 -------- c:\windows\system32\MSVCP70.DLL
2009-03-12 22:31 344,064 -------- c:\windows\system32\MSVCR70.DLL
2009-03-12 21:11 32,592 a------- c:\windows\system32\msonpmon.dll
2009-03-12 21:07 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-03-12 21:06 <DIR> --d----- c:\windows\SHELLNEW
2009-03-12 20:31 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-12 20:22 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-12 20:21 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-12 20:21 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-12 20:21 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-12 20:21 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-12 20:21 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-12 20:21 <DIR> --d----- C:\3f8a250b2b4c0b8039d58a55447312b8
2009-03-12 20:21 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-12 20:21 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-12 20:17 <DIR> --d----- c:\docume~1\russell\applic~1\Windows Desktop Search
2009-03-12 20:17 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-03-12 20:17 <DIR> --d----- c:\program files\Windows Desktop Search
2009-03-12 20:16 192,000 -------- c:\windows\system32\dllcache\offfilt.dll
2009-03-12 20:16 98,304 -------- c:\windows\system32\dllcache\nlhtml.dll
2009-03-12 20:16 29,696 -------- c:\windows\system32\dllcache\mimefilt.dll
2009-03-12 20:15 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-03-12 20:14 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-12 19:48 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-12 19:37 <DIR> --d----- c:\windows\system32\scripting
2009-03-12 19:37 <DIR> --d----- c:\windows\system32\en
2009-03-12 19:37 <DIR> --d----- c:\windows\l2schemas
2009-03-12 19:37 <DIR> --d----- c:\windows\system32\bits
2009-03-12 19:35 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-12 19:13 1,041,536 -------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-03-12 18:58 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-03-12 18:57 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-12 18:57 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-12 18:57 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-12 18:57 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-12 18:54 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-03-12 18:54 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-12 18:54 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-03-12 18:53 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-03-12 18:53 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-03-12 18:53 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-03-12 18:53 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-03-12 18:51 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-12 18:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-12 18:50 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-12 18:46 21,504 a------- c:\windows\system32\hidserv.dll
2009-03-12 18:46 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-03-10 21:36 <DIR> --d----- c:\docume~1\russell\applic~1\2K Games
2009-03-10 21:35 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-03-10 21:03 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-03-10 21:03 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-03-10 21:03 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-03-10 21:03 4,128 a------- C:\INFCACHE.1
2009-03-10 20:56 0 a------- c:\docume~1\russell\applic~1\wklnhst.dat
2009-03-10 19:35 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-10 18:19 <DIR> --d----- c:\windows\network diagnostic
2009-03-10 18:13 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-10 18:13 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2009-03-10 18:13 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-10 18:13 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-10 18:13 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-10 18:13 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-10 18:13 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-03-10 18:13 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-10 18:13 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2009-03-10 18:10 33,792 a------- c:\windows\system32\dllcache\custsat.dll
2009-03-10 17:25 0 a------- c:\windows\system32\null
2009-03-10 16:58 <DIR> --d----- c:\windows\system32\appmgmt
2009-03-10 16:48 <DIR> --d----- c:\docume~1\russell\applic~1\Macrovision
2009-03-10 16:29 <DIR> --dsh--- c:\documents and settings\russell\UserData
2009-03-10 16:29 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-10 16:26 101,120 a----r-- c:\windows\system32\drivers\ewusbmdm.sys
2009-03-10 16:26 <DIR> --d----- c:\program files\Vodafone
2009-03-10 16:22 <DIR> --d----- c:\docume~1\russell\applic~1\Dell
2009-03-10 16:22 <DIR> --d----- c:\documents and settings\Russell
2009-03-10 16:18 8,192 a------- c:\windows\REGLOCS.OLD

==================== Find3M ====================

2009-03-25 17:13 57,101 a------- c:\windows\system32\nvModes.dat
2009-03-21 20:51 319,488 a------- c:\windows\system32\AegisI5Installer.exe
2009-03-12 19:40 88,319 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-27 01:35 129,784 -------- c:\windows\system32\PxAFS.DLL
2009-01-27 01:35 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-01-27 01:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-01-27 01:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 684,032 a------- c:\windows\system32\DivX.dll
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-01-24 19:23 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 17:32:58.00 ===============
Attached Files
File Type: zip attach.zip (6.8 KB, 2 views)
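The "TCP:" lines in the DDS report above record the DNS resolvers configured on the machine, and redirected search links are commonly tied to resolver settings rather than to the browser itself, so those lines are worth checking before anything else. The following triage script is an added example written for this page; it is not part of the thread and not code from DDS or ComboFix. It parses the "TCP:" and "BHO:" lines of a sample built in the shape of the report (the EXPECTED_RESOLVERS set and the 192.168.1.1 entry are constructed assumptions standing in for the resolvers a home router would normally hand out) and flags resolver entries that fall outside the expected set, noting which of them are public addresses.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this page; not part of the original thread and not
DDS or ComboFix code. Parses 'TCP:' resolver lines and 'BHO:' lines and
flags resolvers outside the set the machine's owner expects.
"""
import ipaddress
import re

# Resolvers the owner of this (hypothetical) machine expects, e.g. the home
# router. Constructed assumption; adjust to the environment being triaged.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Sample lines constructed in the shape of the DDS report in this thread.
# The last 'TCP:' line is invented to show an entry that is not flagged.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
TCP: NameServer = 85.255.112.202,85.255.112.190
TCP: {2C3DA80A-2C59-4611-850E-5F3BA27D9B8D} = 85.255.112.202,85.255.112.190
TCP: {EC38E322-B66C-49C9-A40C-90839E166770} = 192.168.1.1
"""

# 'TCP: NameServer = a,b' (global) or 'TCP: {interface GUID} = a,b' (per adapter)
TCP_RE = re.compile(
    r"^TCP:\s+(?P<scope>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<servers>[0-9.,\s]+)$"
)
# 'BHO: <name>: {CLSID} - <dll path>'
BHO_RE = re.compile(
    r"^BHO:\s+(?P<name>.+?):\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.+)$"
)


def parse_resolvers(report):
    """Return [(scope, [ip, ...]), ...] for every 'TCP:' line in the report."""
    out = []
    for line in report.splitlines():
        m = TCP_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            out.append((m.group("scope"), servers))
    return out


def parse_bhos(report):
    """Return a dict per Browser Helper Object: name, CLSID and DLL path."""
    out = []
    for line in report.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def find_unexpected_resolvers(report, expected=EXPECTED_RESOLVERS):
    """Flag resolver entries containing addresses outside the expected set.

    Returns [(scope, unexpected_ips, public_subset), ...]. A statically set
    public resolver means every lookup the machine makes, including the
    addresses behind search-result links, is answered by that third party.
    """
    flagged = []
    for scope, servers in parse_resolvers(report):
        unexpected = [s for s in servers if s not in expected]
        if unexpected:
            public = [s for s in unexpected if not ipaddress.ip_address(s).is_private]
            flagged.append((scope, unexpected, public))
    return flagged


def triage(report, expected=EXPECTED_RESOLVERS):
    """Summarise the items a helper would look at first."""
    bhos = parse_bhos(report)
    return {
        "resolver_findings": find_unexpected_resolvers(report, expected),
        "bho_count": len(bhos),
        "bho_paths": [b["path"] for b in bhos],
    }


if __name__ == "__main__":
    for scope, unexpected, public in find_unexpected_resolvers(SAMPLE_REPORT):
        print(f"{scope}: unexpected resolvers {unexpected} (public: {public})")
    for b in parse_bhos(SAMPLE_REPORT):
        print(f"BHO {b['clsid']} {b['name']} -> {b['path']}")
```

Run against the sample, the two entries pointing at 85.255.112.202 and 85.255.112.190 are reported as unexpected public resolvers while the per-adapter entry pointing at the router is not; on a real report, the same check also tells you whether a resolver was set globally or only on one interface, which decides where the setting has to be corrected once the infection is removed.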

Old 03-28-2009, 06:43 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Generic Rootkit.d!.rootkit Trojan Win XP SP3

Hello, or8it.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    McAfee:

    Double-click the taskbar icon to open the Security Center
    Click Advanced Menu (lower left)
    Click Configure (left)
    Click Computer & Files (upper left)
    VirusScan can be disabled on the right.

  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 03-29-2009, 03:29 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 6
OS: Win XP


Re: Generic Rootkit.d!.rootkit Trojan Win XP SP3

Hi tetonbob,

Thanks for taking the time to help. I've followed your instructions and here's the log file.

ComboFix 09-03-28.06 - Russell 2009-03-29 10:13:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2633 [GMT 1:00]
Running from: c:\documents and settings\Russell\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-5-3-78-100018744-100032697-100009464-4579.com
c:\windows\system32\drivers\gaopdxapmtkvlajknikkevqghiapmdgbumgvcd.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxedrvnfvawfmijonwnutltelasqsnbhwf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\documents and settings\TEMP
2009-03-27 13:57 . 2009-03-27 13:57 <DIR> d-------- c:\program files\Trend Micro
2009-03-26 22:47 . 2002-08-18 20:43 794,624 --a------ c:\windows\system32\spr32d35.dll
2009-03-26 22:41 . 2009-03-27 13:50 <DIR> d-------- c:\program files\Punch! Home Design - Platinum
2009-03-25 18:03 . 2009-03-25 18:03 <DIR> d-------- c:\documents and settings\Russell\Application Data\id Software
2009-03-25 18:02 . 2009-03-25 18:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-03-25 18:02 . 2009-03-25 18:02 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-03-25 18:02 . 2009-03-25 18:02 107,832 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-25 18:02 . 2009-03-25 18:02 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-25 18:02 . 2009-03-25 18:02 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-25 18:02 . 2009-03-25 18:02 22,328 --a------ c:\documents and settings\Russell\Application Data\PnkBstrK.sys
2009-03-23 18:31 . 2009-03-23 18:31 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-03-22 19:33 . 2008-06-09 08:23 189,571 --a------ c:\windows\system32\nvapps.nvb
2009-03-22 19:32 . 2008-06-09 08:23 1,241,088 --a------ c:\windows\system32\nvcuda.dll
2009-03-22 19:32 . 2008-06-07 13:29 446,464 --a------ c:\windows\system32\NVUNINST.EXE
2009-03-22 19:32 . 2008-06-09 08:23 327,680 --a------ c:\windows\system32\nvwrsesm.dll
2009-03-22 19:32 . 2008-06-09 08:23 274,432 --a------ c:\windows\system32\nvrsesm.dll
2009-03-22 19:32 . 2008-06-09 08:23 147,456 --a------ c:\windows\system32\nvcolor.exe
2009-03-22 19:16 . 2009-03-22 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-03-22 01:37 . 2009-03-22 01:37 <DIR> d-------- c:\program files\QuickTime
2009-03-22 01:37 . 2009-03-22 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-22 01:36 . 2009-03-22 01:36 <DIR> d-------- c:\program files\Apple Software Update
2009-03-22 01:36 . 2009-03-22 01:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-21 22:16 . 2009-03-21 22:16 <DIR> d-------- c:\program files\TagRename
2009-03-21 21:55 . 2009-03-21 21:55 <DIR> d-------- c:\program files\Common Files\Intel
2009-03-21 21:55 . 2009-03-21 21:55 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Intel
2009-03-21 21:55 . 2009-03-21 21:55 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Intel
2009-03-21 21:55 . 2009-03-21 21:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-03-21 21:50 . 2009-03-21 21:50 <DIR> d-------- c:\documents and settings\Russell\Application Data\Intel
2009-03-21 21:50 . 2009-03-21 21:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intel
2009-03-21 21:20 . 2009-03-21 21:20 <DIR> d-------- c:\program files\DIFX
2009-03-21 21:19 . 2008-11-17 08:23 3,636,864 --a------ c:\windows\system32\drivers\NETw5x32.sys
2009-03-21 21:19 . 2008-06-20 10:33 2,756,608 --a------ c:\windows\system32\NETw5r32.dll
2009-03-21 21:19 . 2008-06-20 10:32 663,552 --a------ c:\windows\system32\NETw5c32.dll
2009-03-19 20:43 . 2009-03-29 09:55 <DIR> d-------- c:\documents and settings\Russell\Application Data\HPAppData
2009-03-19 20:28 . 2009-03-19 20:28 <DIR> d-------- c:\documents and settings\Russell\Application Data\HP
2009-03-19 20:28 . 2009-03-19 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2009-03-19 20:25 . 2009-03-19 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-03-19 20:25 . 2009-03-19 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-03-19 20:24 . 2009-03-19 20:24 <DIR> d-------- c:\program files\Hewlett-Packard
2009-03-19 20:24 . 2009-03-19 20:24 <DIR> d-------- c:\program files\Common Files\HP
2009-03-19 20:24 . 2009-03-19 20:24 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-03-19 20:24 . 2009-03-19 20:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-03-19 20:23 . 2007-03-15 16:32 118,272 --a------ c:\windows\system32\hpz3l5ha.dll
2009-03-19 20:23 . 2001-08-17 14:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
2009-03-19 20:23 . 2001-08-17 14:53 6,784 --a------ c:\windows\system32\dllcache\serscan.sys
2009-03-19 20:20 . 2009-03-21 21:19 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-19 20:20 . 2009-03-19 20:28 <DIR> d-------- c:\program files\HP
2009-03-19 20:20 . 2007-11-02 03:28 970,752 --a------ c:\windows\system32\hpotiop5.dll
2009-03-19 20:20 . 2007-11-02 03:28 729,088 --a------ c:\windows\system32\hpowiax5.dll
2009-03-19 20:20 . 2007-11-02 03:28 364,544 --a------ c:\windows\system32\hppldcoi.dll
2009-03-19 20:20 . 2007-11-02 03:28 309,760 --a------ c:\windows\system32\difxapi.dll
2009-03-19 20:20 . 2007-11-02 03:28 303,104 --a------ c:\windows\system32\hpovst12.dll
2009-03-19 20:20 . 2007-12-07 16:55 271,704 --a------ c:\windows\system32\hpzids01.dll
2009-03-19 20:20 . 2008-04-13 19:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-03-19 20:20 . 2008-04-13 19:47 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2009-03-19 20:18 . 2009-03-19 20:28 164,807 --a------ c:\windows\hpoins21.dat
2009-03-19 20:18 . 2008-01-24 02:34 7,262 --------- c:\windows\hpomdl21.dat
2009-03-16 16:40 . 2008-04-13 19:46 15,232 --a------ c:\windows\system32\drivers\MPE.sys
2009-03-16 16:40 . 2008-04-13 19:46 15,232 --a------ c:\windows\system32\dllcache\mpe.sys
2009-03-16 16:39 . 2008-04-14 01:12 363,520 --a------ c:\windows\system32\PsisDecd.dll
2009-03-16 16:39 . 2008-04-14 01:12 363,520 --a------ c:\windows\system32\dllcache\psisdecd.dll
2009-03-16 16:39 . 2008-04-14 01:12 56,832 --a------ c:\windows\system32\MSDvbNP.ax
2009-03-16 16:39 . 2008-04-14 01:12 56,832 --a------ c:\windows\system32\dllcache\msdvbnp.ax
2009-03-16 16:39 . 2008-04-14 01:12 33,280 --a------ c:\windows\system32\PsisRndr.ax
2009-03-16 16:39 . 2008-04-14 01:12 33,280 --a------ c:\windows\system32\dllcache\psisrndr.ax
2009-03-16 16:39 . 2008-04-14 01:12 18,432 --a------ c:\windows\system32\dllcache\bdaplgin.ax
2009-03-16 16:39 . 2008-04-14 01:12 18,432 --a------ c:\windows\system32\BdaPlgIn.ax
2009-03-16 16:39 . 2008-04-13 19:46 11,776 --a------ c:\windows\system32\drivers\BdaSup.sys
2009-03-16 16:39 . 2008-04-13 19:46 11,776 --a------ c:\windows\system32\dllcache\bdasup.sys
2009-03-14 23:33 . 2009-03-14 23:33 <DIR> d-------- c:\documents and settings\Russell\Bluetooth Software
2009-03-14 23:32 . 2009-03-14 23:32 <DIR> d-------- c:\program files\WIDCOMM
2009-03-14 23:32 . 2007-03-31 14:02 876,384 --a------ c:\windows\system32\drivers\btkrnl.sys
2009-03-14 23:32 . 2007-03-23 11:49 539,072 --a------ c:\windows\system32\drivers\btaudio.sys
2009-03-14 23:32 . 2007-03-23 11:50 149,123 --a------ c:\windows\system32\drivers\btwdndis.sys
2009-03-14 23:32 . 2007-03-23 11:50 106,557 --a------ c:\windows\system32\btw_ci.dll
2009-03-14 23:32 . 2007-03-23 11:50 67,960 --a------ c:\windows\system32\drivers\btwusb.sys
2009-03-14 23:32 . 2007-03-23 11:50 37,424 --a------ c:\windows\system32\drivers\btport.sys
2009-03-14 23:32 . 2007-03-23 11:50 37,280 --a------ c:\windows\system32\drivers\btwmodem.sys
2009-03-14 22:11 . 2009-03-14 22:11 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-14 21:38 . 2009-03-14 21:38 <DIR> d-------- c:\documents and settings\Russell\Application Data\DivX
2009-03-14 21:37 . 2009-01-27 02:35 120,056 --------- c:\windows\system32\pxcpyi64.exe
2009-03-14 21:37 . 2009-01-27 02:35 118,520 --------- c:\windows\system32\pxinsi64.exe
2009-03-14 21:36 . 2009-03-14 21:37 <DIR> d-------- c:\program files\DivX
2009-03-14 21:36 . 2009-03-14 21:36 <DIR> d-------- c:\program files\Common Files\DivX Shared
2009-03-13 12:01 . 2009-03-13 12:06 <DIR> d-------- c:\program files\NewsBin
2009-03-13 11:18 . 2008-10-16 15:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-13 11:18 . 2008-10-16 15:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-12 23:32 . 2007-04-18 17:30 473,728 --a------ c:\windows\system32\drivers\mod7700.sys
2009-03-12 23:32 . 1998-11-02 20:57 196,096 --------- c:\windows\system32\MACD32.DLL
2009-03-12 23:32 . 1998-11-02 20:57 138,752 --------- c:\windows\system32\MASE32.DLL
2009-03-12 23:32 . 1998-11-02 20:57 136,192 --------- c:\windows\system32\MAMC32.DLL
2009-03-12 23:32 . 1998-11-02 20:57 57,856 --------- c:\windows\system32\MASD32.DLL
2009-03-12 23:32 . 2006-06-29 17:49 53,248 --a------ c:\windows\system32\ModrcCoInstall.dll
2009-03-12 23:32 . 1998-11-02 20:57 27,648 --------- c:\windows\system32\MA32.DLL
2009-03-12 23:32 . 2007-02-06 12:10 13,440 --a------ c:\windows\system32\drivers\modrc.sys
2009-03-12 23:31 . 2009-03-12 23:31 <DIR> d-------- c:\program files\Pinnacle
2009-03-12 23:31 . 2003-03-19 06:28 2,179,072 --------- c:\windows\system32\mfc71d.dll
2009-03-12 23:31 . 2003-03-19 05:04 765,952 --------- c:\windows\system32\msvcp71d.dll
2009-03-12 23:31 . 2002-01-05 21:16 737,280 --------- c:\windows\system32\msvcp70d.dll
2009-03-12 23:31 . 2006-12-01 23:54 626,688 --------- c:\windows\system32\msvcr80.dll
2009-03-12 23:31 . 2006-12-01 23:54 548,864 --------- c:\windows\system32\msvcp80.dll
2009-03-12 23:31 . 2003-03-19 05:03 544,768 --------- c:\windows\system32\msvcr71d.dll
2009-03-12 23:31 . 2002-01-05 21:16 536,576 --------- c:\windows\system32\msvcr70d.dll
2009-03-12 23:31 . 2002-01-05 13:40 487,424 --------- c:\windows\system32\MSVCP70.DLL
2009-03-12 23:31 . 2004-07-23 09:00 446,464 --------- c:\windows\system32\HHActiveX.dll
2009-03-12 23:31 . 2004-06-03 12:47 385,100 --------- c:\windows\system32\MSVCRTD.DLL
2009-03-12 23:31 . 2002-01-05 13:37 344,064 --------- c:\windows\system32\MSVCR70.DLL
2009-03-12 23:26 . 2009-03-12 23:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle
2009-03-12 22:11 . 2006-10-26 20:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-12 22:08 . 2009-03-12 22:08 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-12 22:07 . 2009-03-12 22:07 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-03-12 22:06 . 2009-03-12 22:09 <DIR> d-------- c:\windows\SHELLNEW
2009-03-12 22:05 . 2009-03-12 22:05 <DIR> dr-h----- C:\MSOCache
2009-03-12 22:05 . 2009-03-12 23:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-12 21:31 . 2009-01-09 20:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-03-12 21:22 . 2009-03-12 21:22 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-12 21:22 . 2009-03-12 21:22 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-12 21:22 . 2009-03-12 22:09 <DIR> d-------- c:\program files\MSBuild
2009-03-12 21:21 . 2009-03-12 21:22 <DIR> d-------- C:\3f8a250b2b4c0b8039d58a55447312b8
2009-03-12 21:21 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-12 21:21 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-12 21:21 . 2008-07-06 11:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-12 21:21 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-12 21:21 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 20:55 --------- d-----w c:\program files\Intel
2009-03-21 20:51 319,488 ----a-w c:\windows\system32\AegisI5Installer.exe
2009-03-20 16:50 --------- d-----w c:\program files\Google
2009-03-12 22:31 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-12 22:03 --------- d-----w c:\program files\Microsoft Works
2009-03-12 18:49 --------- d-----w c:\program files\Java
2009-03-10 19:36 --------- d-----w c:\program files\Common Files\Adobe
2009-03-10 18:26 --------- d-----w c:\program files\McAfee
2009-03-10 17:30 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-27 01:35 129,784 ------w c:\windows\system32\PxAFS.DLL
2009-01-27 01:34 90,112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 684,032 ----a-w c:\windows\system32\DivX.dll
2009-01-16 21:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-01-24 19:23 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 86016]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 136600]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-10-16 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-10-16 1191936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"nwiz"="nwiz.exe" [2008-06-09 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2008-06-09 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-01-24 50688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-10-14 22:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
--a------ 2007-08-22 17:31 80896 c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 12:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Russell\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Documents and Settings\\Russell\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Documents and Settings\\Russell\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2008-01-24 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-01-24 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-01-24 7424]
S2 gupdate1c9a97bd3b01a58;Google Update Service (gupdate1c9a97bd3b01a58);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-20 133104]
S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\drivers\modrc.sys [2009-03-12 13440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-20 17:49]

2008-01-24 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-01-24 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PMCRemote - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=3080125
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 10:17:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,af,7f,97,0d,18,
72,1d,c6,c8,28,51,af,b0,29,a3,98,81,da,a5,0e,d0,46,d4,dd,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,9b,66,7b,bc,00,
ac,45,b9,71,3b,04,66,8b,46,0d,96,84,e2,21,2a,a9,77,a1,a7,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,bb,5a,c9,cb,2e,
6b,89,c5,25,da,ec,7e,55,20,c9,26,ee,04,89,4f,65,91,c5,75,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f0,0f,36,a8,0f,
1b,7b,38,3e,1e,9e,e0,57,5a,93,61,56,77,b8,8b,8b,59,13,66,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,6a,a0,b7,26,94,
62,47,12,cd,44,cd,b9,a6,33,6c,cd,12,0d,dd,45,69,39,8e,0b,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,e9,0e,f9,9a,44,
90,41,e9,b0,18,ed,a7,3f,8d,37,a4,29,b5,2d,64,6f,d0,ab,24,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,22,5b,c8,0e,15,
f9,d0,df,31,77,e1,ba,b1,f8,68,02,4c,d9,4d,fe,2a,83,4f,11,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,20,16,8b,b0,d5,
40,6d,2b,83,6c,56,8b,a0,85,96,ab,67,f4,40,c1,49,cd,6a,f4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,87,b0,f7,a9,4a,
0a,06,c7,51,fa,6e,91,28,9e,14,cc,26,10,f5,58,e7,0a,fd,24,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,10,af,af,5b,d3,
77,b3,cc,b1,cd,45,5a,a8,c4,f8,b9,cc,6c,5d,88,47,9b,64,e4,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,7b,6d,43,9f,f0,
4f,a1,ca,e3,0e,66,d5,eb,bc,2f,6b,6e,2d,3a,66,d0,54,67,7d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,d4,ff,61,8a,9f,
2f,13,51,fa,ea,66,7f,d4,3b,6b,70,e4,68,ce,6e,95,37,3b,dd,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-03-29 10:19:12
ComboFix-quarantined-files.txt 2009-03-29 09:18:14

Pre-Run: 127,155,433,472 bytes free
Post-Run: 128,207,876,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

373 --- E O F --- 2009-03-12 20:40:41
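The "Other Deletions" section of the ComboFix log above shows the naming tells a reviewer looks for: a kernel driver and a DLL with long random names that share a fixed prefix (gaopdx), a shorter sibling with the same prefix, and a file dropped directly under RECYCLER with a name that imitates a SID but cannot be one (every genuine Windows SID has revision 1, i.e. starts S-1-, and RECYCLER holds per-user SID folders, not .com files). The script below is an added example for this thread, not ComboFix code and not anything the posters wrote; it applies those three checks to constructed sample lines copied from the log, and the length, entropy and prefix thresholds are assumptions chosen for illustration.

```python
"""Triage a few ComboFix log lines for rootkit-style naming tells.

Added example for this thread; not ComboFix code. The thresholds
MIN_RANDOM_LEN, MIN_RANDOM_ENTROPY and PREFIX_LEN are assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample: four "Other Deletions" entries and three benign
# "Files Created" entries copied from the ComboFix log in this thread.
SAMPLE_LINES = r"""
c:\recycler\S-5-3-78-100018744-100032697-100009464-4579.com
c:\windows\system32\drivers\gaopdxapmtkvlajknikkevqghiapmdgbumgvcd.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxedrvnfvawfmijonwnutltelasqsnbhwf.dll
2009-03-25 18:02 . 2009-03-25 18:02 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-21 21:19 . 2008-11-17 08:23 3,636,864 --a------ c:\windows\system32\drivers\NETw5x32.sys
2009-03-19 20:23 . 2001-08-17 14:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
"""

MIN_RANDOM_LEN = 20       # assumed: letters-only stems this long are rare for real files
MIN_RANDOM_ENTROPY = 3.5  # assumed: bits per character of the lowercased stem
PREFIX_LEN = 6            # assumed: siblings sharing this many leading characters

# Every genuine Windows SID has revision 1, so per-user RECYCLER folders are
# named S-1-5-21-...; anything else directly under RECYCLER is not a user bin.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\.+$")
RECYCLER_RE = re.compile(r"\\recycler\\([^\\]+)", re.IGNORECASE)


def extract_path(line):
    """Return the drive-letter path that ends a ComboFix line, else None."""
    m = PATH_RE.search(line.strip())
    return m.group(0) if m else None


def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def stem_of(path):
    """File name without directory or extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(stem):
    """Long, letters-only, high-entropy names such as the gaopdx* driver."""
    s = stem.lower()
    return (s.isalpha() and len(s) >= MIN_RANDOM_LEN
            and shannon_entropy(s) >= MIN_RANDOM_ENTROPY)


def triage(log_text):
    """Return {path: [reasons]} for every path that trips a check."""
    paths = [p for p in map(extract_path, log_text.splitlines()) if p]
    findings = {}
    random_prefixes = set()

    for path in paths:
        reasons = []
        low = path.lower()
        stem = stem_of(path)
        if looks_random(stem):
            reasons.append("random-looking name")
            random_prefixes.add(stem.lower()[:PREFIX_LEN])
        m = RECYCLER_RE.search(low)
        if m and not SID_RE.match(m.group(1)):
            reasons.append("direct RECYCLER entry is not a per-user SID folder")
        if reasons and "\\drivers\\" in low:
            reasons.append("sits in the drivers directory, so it loads in kernel mode")
        if reasons:
            findings[path] = reasons

    # Second pass: short names that share a prefix with a flagged random
    # name (gaopdxcounter next to gaopdx...sys) deserve the same look.
    for path in paths:
        stem = stem_of(path).lower()
        if path not in findings and stem.isalpha() and stem[:PREFIX_LEN] in random_prefixes:
            findings[path] = ["shares a prefix with a random-named file"]
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, the four deleted items are flagged and the three legitimate drivers (PnkBstrK, NETw5x32, serscan) are not. The RECYCLER item is the same file ESET later reports from the ComboFix quarantine further down the thread; checks like these only prioritise what to look at in a log, they do not by themselves prove a file is malicious.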
Old 03-29-2009, 08:35 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Generic Rootkit.d!.rootkit Trojan Win XP SP3

Looks much better.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 6

These are all outdated, and they are security risks while they remain installed. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 11 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

---------------------------------------------------------------------------------------------

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 03-29-2009, 10:09 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 6
OS: Win XP


Re: Generic Rootkit.d!.rootkit Trojan Win XP SP3

Ok, I've removed J2SE Runtime Environment 5.0 Update 6. When I updated Java it said it was already up to date.

Here is the log file from ESET. It has detected a threat.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3972 (20090328)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=f9b119f5ecd00e45a67f370c83ed90d9
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-03-29 04:04:42
# local_time=2009-03-29 05:04:42 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=298264
# found=1
# scan_time=2282
C:\Qoobox\Quarantine\C\RECYCLER\S-5-3-78-100018744-100032697-100009464-4579.com.vir Win32/AutoRun.Agent.MD worm 524F4EEBB04489553FDC27539D609952
Old 03-29-2009, 10:17 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Generic Rootkit.d!.rootkit Trojan Win XP SP3

Hi -

That's odd, but it seems to happen sometimes when using the Java Control Panel updater.

Java is actually two versions past the one I see installed. You're showing j6u11; the latest is j6u13.

You can manually download and install it from here:

http://java.sun.com/javase/downloads/index.jsp

The new version should overwrite the j6u11.

The other item Eset found is in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below. If there are no other symptoms....

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that behave like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
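As an added example (not from tetonbob's post or the MVPS project), a small Python audit of what a HOSTS file actually does: it counts the names sinkholed to the local machine, which is all the MVPS list ever does, and lists any non-localhost entry that points somewhere else so it can be reviewed. The file contents below are constructed for the example.

```python
import ipaddress

# Constructed sample in the MVPS HOSTS layout: comments, the mandatory
# localhost entry, ad hosts sent to 127.0.0.1 (some lists use 0.0.0.0),
# and one hypothetical entry that sends a name to a real address.
SAMPLE_HOSTS = """\
# MVPS-style HOSTS file (constructed sample, not the real list)
127.0.0.1  localhost
127.0.0.1  ads.example.net        # constructed ad host
127.0.0.1  tracker.example.org    # constructed tracker
0.0.0.0    banners.example.com    # 0.0.0.0 also never leaves the box
203.0.113.5 update.example-av.test  # constructed: NOT a sinkhole
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True when the address can only ever reach the local machine."""
    if ip == "0.0.0.0":
        return True
    try:
        return ipaddress.ip_address(ip).is_loopback  # 127.x and ::1
    except ValueError:
        return False  # not an address at all; treat as suspicious


def audit_hosts(text):
    """Return (count of blocked names, entries that need a human look).

    A blocking HOSTS file only ever maps names to loopback; any other
    target for a name besides localhost is not something MVPS does.
    """
    blocked, review = 0, []
    for ip, name in parse_hosts(text):
        if is_sinkhole(ip):
            if name != "localhost":
                blocked += 1
        else:
            review.append((name, ip))
    return blocked, review
```

On a Windows XP machine the file the MVPS batch replaces lives under the system32\drivers\etc folder; the function takes its text as a string so it can be run against any copy.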
Old 03-29-2009, 12:14 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 6
OS: Win XP


Re: Generic Rootkit.d!.rootkit Trojan Win XP SP3

Many thanks for your help.

Manually updated Java and uninstalled combofix.

Have taken your advice and installed Spyware Blaster, McAfee Site Advisor and Winpatrol. I currently have McAfee installed as my anti-virus but this runs out shortly. Not sure if I should stick with them or look at another anti-virus. Will check this forum out for consensus.

Once again many thanks.
Old 03-29-2009, 12:19 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Generic Rootkit.d!.rootkit Trojan Win XP SP3

Glad to help.

If you want to look at some comparatives, have a look here:

www.av-comparatives.org

I like Avira as free (it also has a paid version which is very good) and NOD32(Eset) and Kaspersky for paid.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Copyright 2001 - 2009, Tech Support Forum