Old 06-30-2009, 08:08 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


NTOSKRNL-HOOK malware

I seem to have picked up a bit of malware over the weekend. My symptoms are: Yahoo searches redirect, and McAfee finds NTOSKRNL-HOOK and removes it, but it returns. Thanks in advance for any help cleaning this item from my system. KNewman


DDS (Ver_09-06-26.01) - NTFSx86
Run by Bob at 20:58:16.79 on Tue 06/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.45 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
F:\WINDOWS\system32\Rundll32.exe
svchost.exe
F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
f:\PROGRA~1\mcafee\msc\mcshell.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Bob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: {06647158-359E-4D10-A8DE-E6145DA90BE9} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - f:\program files\siteadvisor\6253\SiteAdv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - f:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - f:\program files\siteadvisor\6253\SiteAdv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No File
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [VerizonServicepoint.exe] f:\program files\verizon\servicepoint\VerizonServicepoint.exe
mRun: [mcagent_exe] "f:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SiteAdvisor] f:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] f:\windows\UpdReg.EXE
mRun: [EPSON Stylus Photo R200 Series (Copy 1)] f:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R200"
mRun: [Verizon_McciTrayApp] f:\program files\verizon\McciTrayApp.exe
mRun: [ArcSoft Connection Service] f:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Ad-Watch] f:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
StartupFolder: f:\docume~1\bob\startm~1\programs\startup\msimn.lnk - f:\program files\outlook express\msimn.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - f:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - f:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - f:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - f:\program files\siteadvisor\6253\SiteAdv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;f:\windows\system32\drivers\Lbd.sys [2009-6-27 64160]
R1 mfehidk;McAfee Inc. mfehidk;f:\windows\system32\drivers\mfehidk.sys [2008-1-19 214024]
R2 McProxy;McAfee Proxy Service;f:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-19 359952]
R2 McShield;McAfee Real-time Scanner;f:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-19 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;f:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R3 mfeavfk;McAfee Inc. mfeavfk;f:\windows\system32\drivers\mfeavfk.sys [2008-1-19 79880]
R3 mfebopk;McAfee Inc. mfebopk;f:\windows\system32\drivers\mfebopk.sys [2008-1-19 35272]
S2 RDFLabel;RDFLabel;f:\program files\icraplus\rdflabel\rdflabel.exe -picraplusid01f --> f:\program files\icraplus\rdflabel\RDFLabel.exe -PICRAplusID01F [?]
S3 idmc1aud;Intel(r) Play(tm) USB Audio Filter (WDM);f:\windows\system32\drivers\idmc1aud.sys [2007-1-9 15188]
S3 IDMC1Blk;Intel Play DMC Download Driver;f:\windows\system32\drivers\IDMC1Blk.sys [2007-1-9 14628]
S3 IDMC1Vxp;Intel(r) Play(tm) DMC Camera;f:\windows\system32\drivers\idmc1vme.sys [2007-1-9 416564]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;f:\windows\system32\drivers\libusb0.sys [2009-5-6 28672]
S3 mferkdk;McAfee Inc. mferkdk;f:\windows\system32\drivers\mferkdk.sys [2008-1-19 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;f:\windows\system32\drivers\mfesmfk.sys [2008-1-19 40552]
S3 p17filt;p17filt;f:\windows\system32\drivers\p17filt.sys [2006-3-20 1452032]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;f:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S4 IntuitUpdateService;Intuit Update Service;f:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]
S4 McSysmon;McAfee SystemGuards;f:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-19 606736]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;f:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]

=============== Created Last 30 ================

2009-06-28 11:05 <DIR> -cd----- f:\windows\system32\dllcache\cache
2009-06-27 19:26 15,688 a------- f:\windows\system32\lsdelete.exe
2009-06-27 17:35 64,160 a------- f:\windows\system32\drivers\Lbd.sys
2009-06-27 17:31 <DIR> -cd-h--- f:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 13:46 <DIR> --d----- f:\docume~1\bob\applic~1\McAfee
2009-06-26 19:16 <DIR> --d----- f:\windows\pss
2009-06-10 21:54 246,272 -c------ f:\windows\system32\dllcache\ieproxy.dll
2009-06-10 21:54 12,800 -c------ f:\windows\system32\dllcache\xpshims.dll
2009-06-08 19:52 60,744 a------- f:\documents and settings\bob\g2mdlhlpx.exe

==================== Find3M ====================

2009-05-13 00:15 915,456 a------- f:\windows\system32\wininet.dll
2009-05-09 19:21 170,952 a------- f:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-05-07 10:32 345,600 a------- f:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- f:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- f:\windows\system32\rpcrt4.dll
2009-03-12 19:52 52,872 ac------ f:\docume~1\bob\applic~1\GDIPFONTCACHEV1.DAT
2008-10-28 20:55 30 ac------ f:\documents and settings\bob\jagex_runescape_preferences.dat
2008-02-29 00:51 159 ac--h--- f:\documents and settings\bob\hpothb07.dat
2008-02-29 00:46 164 ac--h--- f:\documents and settings\all users\hpothb07.dat
2008-07-22 20:02 32,768 ac-sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072220080723\index.dat

============= FINISH: 21:00:35.38 ===============
Attached Files
File Type: zip Attach.zip (42.3 KB, 4 views)
Posted by KNewman
Old 07-03-2009, 10:03 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please see this > http://img.photobucket.com/albums/v6...ee_disable.gif

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
Posted by chemist
Old 07-05-2009, 01:04 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Hello, Chemist

Here's the ComboFix.txt log.

I also ran into a problem restoring my internet connection. The repair didn't work; the message is:

Windows could not finish repairing the problem because the following action cannot be completed: Renewing your IP address.

Any advice on how to renew an IP address?

ComboFix 09-07-04.09 - Bob 07/05/2009 13:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.50 [GMT -5:00]
Running from: f:\documents and settings\Bob\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1063ad6.msi
c:\windows\Installer\17a06ae.msi
c:\windows\Installer\17a0796.msp
c:\windows\Installer\1a8a316.msp
c:\windows\Installer\23e03.msi
c:\windows\Installer\28d184e.msi
c:\windows\Installer\2a0e3.msp
c:\windows\Installer\3073b2d.msi
c:\windows\Installer\3e4a7.msi
c:\windows\Installer\463b4.msi
c:\windows\Installer\4a581e.msi
c:\windows\Installer\61c880.msi
c:\windows\Installer\6e4c7.msi
c:\windows\Installer\758710.msi
c:\windows\Installer\758777.msp
c:\windows\Installer\758804.msp
c:\windows\Installer\758809.msi
c:\windows\Installer\85593.msp
c:\windows\Installer\855a8.msp
c:\windows\Installer\855bd.msp
c:\windows\Installer\855d2.msp
c:\windows\Installer\855e8.msp
c:\windows\Installer\a49375.msp
c:\windows\Installer\a4938a.msp
c:\windows\Installer\a4939f.msp
c:\windows\Installer\a493d3.msp
c:\windows\Installer\a493ea.msp
c:\windows\Installer\a49400.msp
c:\windows\Installer\a49414.msp
c:\windows\Installer\b0f93.msp
c:\windows\Installer\b0fa8.msp
c:\windows\Installer\b5d8e7a.msi
c:\windows\Installer\b5d8e8b.msi
c:\windows\Installer\b5d8ef2.msi
c:\windows\Installer\b5d8ef7.msi
c:\windows\Installer\c13a.msi
c:\windows\Installer\dfc1f1.msi
c:\windows\Installer\dfc1f2.msi
c:\windows\Installer\f0554.msi
c:\windows\Installer\f055e.msi
f:\windows\system32\Data
f:\windows\system32\drivers\beep.sys
f:\windows\system32\drivers\hjgruixufrlldk.sys
f:\windows\system32\drivers\null.sys
f:\windows\system32\hjgruibxvjdmba.dat
f:\windows\system32\hjgruimxbnykrw.dll
f:\windows\system32\hjgruioqoyppkb.dat
f:\windows\system32\hjgruivbuthqdi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruisfthpyme
-------\Service_hjgruisfthpyme


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-06-28 16:12 . 2009-06-28 16:12 152576 ----a-w- f:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-28 00:26 . 2009-06-27 22:34 15688 ----a-w- f:\windows\system32\lsdelete.exe
2009-06-27 22:35 . 2009-06-27 22:34 64160 ----a-w- f:\windows\system32\drivers\Lbd.sys
2009-06-27 22:31 . 2009-03-12 08:17 2902048 -c--a-w- f:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-27 22:31 . 2009-06-27 22:31 -------- dc-h--w- f:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 18:46 . 2009-06-27 18:46 -------- d-----w- f:\documents and settings\Bob\Application Data\McAfee
2009-06-27 18:46 . 2009-06-27 18:46 49152 ----a-r- f:\documents and settings\Bob\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-06-27 18:46 . 2009-06-27 18:46 49152 ----a-r- f:\documents and settings\Bob\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-06-11 02:54 . 2009-04-30 21:22 12800 -c----w- f:\windows\system32\dllcache\xpshims.dll
2009-06-11 02:54 . 2009-04-30 21:22 246272 -c----w- f:\windows\system32\dllcache\ieproxy.dll
2009-06-09 00:52 . 2009-06-09 00:52 60744 ----a-w- f:\documents and settings\Bob\g2mdlhlpx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 18:36 . 2009-03-07 16:38 720 ----a-w- f:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-06-29 22:44 . 2009-06-27 22:34 0 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-29 22:43 . 2009-06-27 22:34 25440 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-29 22:42 . 2009-06-27 22:34 169312 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-29 22:42 . 2009-06-27 22:34 348496 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-29 22:42 . 2009-06-27 22:34 298336 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-29 22:42 . 2009-06-27 22:34 84832 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-29 22:42 . 2009-06-27 22:34 1630560 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-29 22:40 . 2009-06-27 22:34 246128 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-29 22:40 . 2009-06-27 22:34 40288 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-29 22:40 . 2009-06-27 22:34 85352 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-29 22:40 . 2009-06-27 22:34 664424 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-29 22:40 . 2009-06-27 22:34 563064 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-29 22:39 . 2009-06-27 22:34 566632 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-29 22:39 . 2009-06-27 22:34 2352968 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-29 22:39 . 2009-06-27 22:34 629072 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-29 22:38 . 2009-06-27 22:34 520024 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-29 22:38 . 2009-06-27 22:34 1029456 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-29 02:03 . 2006-06-01 19:29 -------- d--h--w- f:\program files\InstallShield Installation Information
2009-06-28 16:13 . 2006-06-24 22:08 -------- d-----w- f:\program files\Java
2009-06-27 22:34 . 2009-06-27 22:34 15688 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-27 22:34 . 2009-06-27 22:34 64160 ----a-w- f:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-27 22:31 . 2008-02-09 03:25 -------- d-----w- f:\program files\Lavasoft
2009-06-27 22:31 . 2008-02-09 03:25 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft
2009-06-27 19:28 . 2008-01-19 16:20 -------- d-----w- f:\documents and settings\Bob\Application Data\SiteAdvisor
2009-06-27 18:46 . 2008-01-19 16:17 -------- d-----w- f:\program files\McAfee
2009-06-27 18:46 . 2008-01-19 16:16 -------- d-----w- f:\documents and settings\All Users\Application Data\McAfee
2009-06-01 00:57 . 2009-06-01 00:57 -------- d-----w- f:\program files\Citrix
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- f:\windows\system32\wininet.dll
2009-05-10 11:15 . 2006-06-01 22:23 52872 -c--a-w- f:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 00:59 . 2009-05-10 00:59 -------- d-----w- f:\program files\MSBuild
2009-05-10 00:58 . 2009-05-10 00:58 -------- d-----w- f:\program files\Reference Assemblies
2009-05-10 00:21 . 2009-05-10 00:22 170952 ----a-w- f:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- f:\windows\system32\localspl.dll
2009-05-07 01:37 . 2009-05-07 01:37 -------- d-----w- f:\program files\LibUSB-Win32
2009-05-07 01:36 . 2009-05-07 01:34 -------- d-----w- f:\program files\QuickFreedom
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- f:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- f:\windows\system32\rpcrt4.dll
2009-04-12 13:00 . 2009-04-12 13:00 679936 -c--a-w- f:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\17175-17182.dll
2009-04-12 13:00 . 2009-04-12 13:00 634880 -c--a-w- f:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\17182-17192.dll
2009-04-12 13:00 . 2008-01-12 14:14 242976 ----a-w- f:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VerizonServicepoint.exe"="f:\program files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"mcagent_exe"="f:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"SiteAdvisor"="f:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"UpdReg"="f:\windows\UpdReg.EXE" [2000-05-11 90112]
"EPSON Stylus Photo R200 Series (Copy 1)"="f:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Verizon_McciTrayApp"="f:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"ArcSoft Connection Service"="f:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-27 180269]
"Ad-Watch"="f:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-27 518488]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"P17Helper"="P17.dll" - f:\windows\system32\P17.dll [2005-05-03 64512]

f:\documents and settings\Bob\Start Menu\Programs\Startup\
msimn.lnk - f:\program files\Outlook Express\msimn.exe [2006-5-31 60416]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - f:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=f:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=f:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=f:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=f:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"UPS"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"f:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"f:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= f:\program files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"f:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"= f:\program files\Firefly Studios\Stronghold 2\Stronghold2.exe:*:Enabled:Stronghold 2
"f:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= f:\program files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"= f:\program files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
"f:\\Program Files\\iTunes\\iTunes.exe"= f:\program files\iTunes\iTunes.exe:*:Enabled:iTunes
"f:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"= f:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server

R0 Lbd;Lbd;f:\windows\system32\drivers\Lbd.sys [6/27/2009 5:35 PM 64160]
R2 Viewpoint Manager Service;Viewpoint Manager Service;f:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 6:14 PM 24652]
S2 RDFLabel;RDFLabel;f:\program files\ICRAplus\RDFLabel\RDFLabel.exe -PICRAplusID01F --> f:\program files\ICRAplus\RDFLabel\RDFLabel.exe -PICRAplusID01F [?]
S3 idmc1aud;Intel(r) Play(tm) USB Audio Filter (WDM);f:\windows\system32\drivers\idmc1aud.sys [1/9/2007 7:31 PM 15188]
S3 IDMC1Blk;Intel Play DMC Download Driver;f:\windows\system32\drivers\IDMC1Blk.sys [1/9/2007 7:31 PM 14628]
S3 IDMC1Vxp;Intel(r) Play(tm) DMC Camera;f:\windows\system32\drivers\idmc1vme.sys [1/9/2007 7:31 PM 416564]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1003344]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;f:\windows\system32\drivers\libusb0.sys [5/6/2009 8:37 PM 28672]
S3 p17filt;p17filt;f:\windows\system32\drivers\p17filt.sys [3/20/2006 7:34 PM 1452032]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;f:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S4 IntuitUpdateService;Intuit Update Service;f:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2/25/2009 6:06 PM 13088]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;f:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
WudfServiceGroup REG_MULTI_SZ WUDFSvc
eapsvcs REG_MULTI_SZ eaphost
dot3svc REG_MULTI_SZ dot3svc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
Alerter
LmHosts


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"f:\windows\system32\rundll32.exe" "f:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 f:\windows\Tasks\Ad-Aware Update (Weekly).job
- f:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:34]

2007-12-27 f:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8190810616.job
- f:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

2009-06-14 f:\windows\Tasks\McDefragTask.job
- f:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-19 16:53]

2009-06-06 f:\windows\Tasks\QuickClean.job
- f:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-19 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 13:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


f:\docume~1\Bob\LOCALS~1\Temp\WER2358.dir00\appcompat.txt 20152 bytes
f:\docume~1\Bob\LOCALS~1\Temp\WER2358.dir00\manifest.txt 1740 bytes
f:\docume~1\Bob\LOCALS~1\Temp\WER2358.dir00\msimn.exe.hdmp 7458872 bytes
f:\docume~1\Bob\LOCALS~1\Temp\WER2358.dir00\msimn.exe.mdmp 64243 bytes

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
@="{8D8763AB-E93B-4812-964E-F04E0008FD50}"
"GlobalState"=hex:78,06,b0,32,5d,06,20,b5,8b,a7,1e,69,85,06,ec,8f,8c,1e,5e,c1
"RevocationList"=hex:78,6c,36,dd,1e,f9,49,01,7a,29,4f,a8,73,e4,50,1f,e6,43,85,
25
"{E3E513EA-C130-4082-88A7-4314AD485440}"=hex:22,eb,82,50,00,a0,a0,90,78,cc,4d,
ad,3e,7a,de,bf,36,15,bc,d1
"{431FF505-5F2D-4E42-9A0B-882BFFD80DDB}"=hex:d3,94,77,73,e3,59,88,40,fa,07,09,
31,db,ab,dd,28,a8,a3,cf,b5
"{03F8C7D2-6A16-48A6-A5FD-8F46FAB9A8AC}"=hex:f2,5f,e9,29,20,8c,d5,84,3b,3b,23,
eb,8f,81,9c,9e,50,f8,6a,da
"{04B06814-3FE9-4666-9157-51631027590F}"=hex:b9,29,ff,4c,c6,9f,f2,20,bb,58,56,
d5,60,10,f8,cf,b4,19,54,c9
"{C20FB55E-686E-40CB-98AA-2E091493CC05}"=hex:19,04,dd,35,a3,e1,c6,27,ec,fa,c2,
38,02,26,39,73,6a,84,05,e9

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3656)
f:\windows\system32\WININET.dll
f:\program files\SiteAdvisor\6172\saHook.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\IEFRAME.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\rundll32.exe
f:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
f:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
f:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
f:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
f:\progra~1\McAfee\MSC\mcmscsvc.exe
f:\progra~1\McAfee.com\Agent\mcagent.exe
f:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-07-05 13:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 18:48
ComboFix2.txt 2009-06-30 03:35

Pre-Run: 32,531,853,312 bytes free
Post-Run: 32,435,544,064 bytes free

382 --- E O F --- 2009-06-11 23:41
Old 07-05-2009, 01:32 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello KNewman.

One or more of the identified infections was a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------
  • Go Start > Run then type cmd and click OK
  • Type ipconfig /flushdns (that space between g and / is needed)
  • Press Enter
  • Type ipconfig /renew (that space between g and / is needed)
  • Press Enter
  • Type exit
  • Press Enter
Are you able to connect now?

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-05-2009, 01:40 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

No, the message is:

An error occurred while renewing interface local area connection 4: The RPC server is unavailable.
Old 07-05-2009, 06:56 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello again, KNewman. Sorry you are having trouble.

Go Start > Run and copy/paste services.msc and click OK.

Scroll down to and double-click DNS Client and set to Automatic under Startup Type.

Click Apply, then click Start under Service Status, then click OK.

------------------------------------------------------

Repeat the above steps for DHCP Client and Remote Procedure Call (RPC)

Are you able to connect now?

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-05-2009, 07:22 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Chemist, here are the results:

DNS Client and RPC were already set up as Automatic and started.

DHCP Client was set up as Automatic but stopped. I clicked on Start and received the following message:

Could not start the DHCP Client service on Local Computer.
Error 1075: The dependency service does not exist or has been marked for deletion.
Old 07-05-2009, 08:43 PM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello again, KNewman.

Go Start > Run and copy/paste the following into the Run box and click OK:

cmd /c sc qc dhcp > c:\dhcp.txt

A DOS window will open and close. This is normal.

------------------------------------------------------

Go Start > Run and copy/paste the following into the Run box and click OK:

c:\dhcp.txt

A Notepad file should open. Please post the contents of the log here.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-06-2009, 04:11 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Chemist, here are the contents:

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : F:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : NSI
: Tdx
: Afd
SERVICE_START_NAME : LocalSystem
Old 07-06-2009, 09:51 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello again, KNewman. That log doesn't look right.
  • Go Start > Run then type cmd and click OK
  • Type ipconfig /all (that space between g and / is needed)
  • Press Enter
  • Right-click the cmd window and choose 'Select All'
  • Paste (Ctrl+V) that information in your next reply.
  • Type exit
  • Press Enter
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-07-2009, 05:13 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Chemist, here are the contents.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

F:\Documents and Settings\Bob>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : idol
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : VIA Rhine II Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0D-87-B8-A6-63
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1

F:\Documents and Settings\Bob>
Old 07-08-2009, 10:46 AM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello again, KNewman. Are you using Verizon FiOS? Have you tried rebooting your router?

http://www.verizon.net/central/vzc.p...ay&objId=16305

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-08-2009, 08:12 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Chemist, I am on Verizon FiOS. I tried rebooting, no luck. FYI, another computer is able to get to the internet via the router.
Old 07-08-2009, 10:25 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Just to be sure, you had internet connection before running ComboFix, correct?
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-09-2009, 05:24 AM   #15 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Yes I did.
Old 07-09-2009, 02:46 PM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello again, KNewman.
  • Download RegSearch.zip and Save it to your Desktop.
  • Double-click on the regsearch.zip folder and click Extract all files
  • Follow the Extraction Wizard by clicking Next, and finally Finish
  • Double-click RegSearch.exe to launch the program and click Run
  • Enter the following bolded text into the very first Enter search strings box and click OK

    DependOnService

  • After completion Notepad will be opened with all the found instances of the string.
  • The resulting file is saved in the same location as RegSearch.exe
  • Please attach that file to your next reply.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-09-2009, 05:15 PM   #17 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Chemist, here's the file.
Attached Files
File Type: txt RegSearch.txt (99.4 KB, 3 views)
Old 07-10-2009, 06:37 AM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello again, KNewman.

Quote:
FYI, another computer is able to get to the internet via the router.
Is that computer an XP also? If so, on that computer...

Go Start > Run and copy/paste the following into the Run box and click OK:

cmd /c sc qc dhcp > c:\dhcp.txt

A DOS window will open and close. This is normal.

------------------------------------------------------

Go Start > Run and copy/paste the following into the Run box and click OK:

c:\dhcp.txt

A Notepad file should open. Please post the contents of the log here.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-10-2009, 04:19 PM   #19 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


Re: NTOSKRNL-HOOK malware

Chemist, yes, it is XP. Here are the contents from that computer.


[SC] GetServiceConfig SUCCESS

SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME : LocalSystem
Old 07-10-2009, 09:59 PM   #20 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,590
OS: XP SP3


Re: NTOSKRNL-HOOK malware

Hello again, KNewman. On the affected computer...

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste Windows Registry Editor Version 5.00):

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,41,00,66,00,64,00,\
  00,00,4e,00,65,00,74,00,42,00,54,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Dhcp]
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,41,00,66,00,64,00,\
  00,00,4e,00,65,00,74,00,42,00,54,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,41,00,66,00,64,00,\
  00,00,4e,00,65,00,74,00,42,00,54,00,00,00,00,00
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Right-click on 'My Computer' then click 'Properties' and under the 'Hardware' tab click 'Device Manager'.

Click 'View' then click 'Show hidden drivers'.

Scroll down to 'Non-Plug and Play Drivers'.

Double-click AFD and under the 'Driver' tab set Startup Type to 'System'.

------------------------------------------------------

Repeat for NetBios over Tcpip and TCP/IP Protocol Driver

Were any of the settings different?

Restart your computer. Are you able to connect now?

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
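Added example, not from the thread or from any tool it mentions: a Python script that parses the `sc qc dhcp` output posted in this thread, flags dependencies the host cannot resolve (what produces "Error 1075" when the service is started; NSI and Tdx are Vista-era components that do not exist on XP, which is why the infected box's list is wrong), and encodes the correct dependency list as the hex(7) REG_MULTI_SZ value that the fix.reg above restores. The two `sc qc` samples and the XP_SERVICES set are constructed from the posts; the fix.reg it prints should match the moderator's codebox.

```python
"""Check a service's DependOnService list from `sc qc` output and rebuild the
REG_MULTI_SZ value for a fix.reg. Added example; not the forum's own tooling."""
import re

# Constructed from the thread: `sc qc dhcp` on the infected XP box (post #9)
# and on the clean XP box (post #19), trimmed to the fields this script reads.
INFECTED = """SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        DEPENDENCIES       : NSI
                           : Tdx
                           : Afd
        SERVICE_START_NAME : LocalSystem
"""
CLEAN = """SERVICE_NAME: dhcp
        DEPENDENCIES       : Tcpip
                           : Afd
                           : NetBT
        SERVICE_START_NAME : LocalSystem
"""
# Constructed: services/drivers that exist on a typical XP SP3 host. NSI and
# Tdx were introduced with Vista, so XP's service controller cannot resolve them.
XP_SERVICES = {"Tcpip", "Afd", "NetBT", "Dhcp", "Dnscache", "RpcSs"}


def parse_dependencies(sc_output):
    """Return the DEPENDENCIES list from `sc qc` text, preserving order."""
    deps, in_deps = [], False
    for line in sc_output.splitlines():
        m = re.match(r"\s*(\w*)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "DEPENDENCIES":
            in_deps = True
        elif key:                 # any other labelled field ends the block
            in_deps = False
        if in_deps and value:     # continuation lines have an empty key
            deps.append(value)
    return deps


def missing_dependencies(sc_output, present):
    """Dependencies the SCM cannot resolve; any hit means start fails with 1075."""
    return [d for d in parse_dependencies(sc_output) if d not in present]


def reg_multi_sz(values):
    """Encode a REG_MULTI_SZ as regedit exports it: hex(7) of UTF-16LE strings,
    each NUL-terminated, followed by one more empty string as list terminator."""
    raw = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def build_fix_reg(service, deps,
                  control_sets=("ControlSet001", "ControlSet002", "CurrentControlSet")):
    """Produce fix.reg text restoring DependOnService under each control set."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cs in control_sets:
        lines.append(f"[HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Services\\{service}]")
        lines.append(f'"DependOnService"={reg_multi_sz(deps)}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print("unresolvable dependencies on infected host:",
          missing_dependencies(INFECTED, XP_SERVICES))      # ['NSI', 'Tdx']
    print(build_fix_reg("Dhcp", parse_dependencies(CLEAN)))
```

The generated value for Dhcp is byte-for-byte the one in the moderator's codebox, only without regedit's backslash line continuation.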
Copyright 2001 - 2009, Tech Support Forum