
1 - 6 of 6 Posts

Discussion Starter #1 (Registered, 3 Posts)
In early December, I started getting redirects from Google search results. On clicking a search result, I get redirected to other search engines (including porno) and occasionally direct to a site. Only my profile (which is the admin profile) was affected. I also lost the Windows Update and McAfee update functions.

I restored McAfee updating in late December with the help of McAfee Technical Support by manually inserting two IP addresses in a file (driver?).

Early this week, the children reported similar redirects on their profiles when using MySpace. (Parental controls are now successfully blocking the unsavoury sites.) The other profile on the machine appears unaffected.
I remain unable to connect to the Windows Update site.

I have followed the instructions, I think successfully, and attach the logs.
I would be very grateful if you can clear this problem, particularly from the kids' profiles.

Audaxbike

Deckard's System Scanner v20071014.68
Run by Robert on 2008-01-31 22:59:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-01-31 23:00:04 UTC - RP357 - Deckard's System Scanner Restore Point
76: 2008-01-31 18:35:48 UTC - RP356 - System Checkpoint
75: 2008-01-29 16:11:24 UTC - RP355 - System Checkpoint
74: 2008-01-24 20:58:07 UTC - RP354 - System Checkpoint
73: 2008-01-23 17:35:54 UTC - RP353 - System Checkpoint


-- First Restore Point --
1: 2007-10-31 23:21:25 UTC - RP281 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-31 23:03:44
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Iomega\System32\AppServices.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\ZyXEL\AG-225H\NICServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ZyXEL\AG-225H\AG-225H.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Microsoft Office\Office10\MSOFFICE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Documents and Settings\Robert\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.virgin.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 221.135.111.122 download.mcafee.com
O1 - Hosts: 221.135.111.121 download.mcafee.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\UQGTGHWQ\ADBRIT~4.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\TG18MHKZ\WEB_AN~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\LUX2XH40\WEB_AN~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\ANTIPH~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\4UNKGZ4U\SITE_1~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\Q36A2V0I\YOURIP~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\43Z3ZGPW\CONTRO~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\5W19BB2L\CURREN~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\2AVD72TI\INDEX_~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\SHRVRA6X\0001PA~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\SHRVRA6X\FA9455~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\NPI3W6OB\0001PA~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\FAAC72~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\0001PA~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\FA1929~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\AAJGI82S\FAVICO~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\NPI3W6OB\FA9C55~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\0001PA~3.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\TURBOU~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\0XXYE11H\FAVICO~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\FJCHLMFO\YOURIP~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1FQLLFR3\FAVICO~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1FQLLFR3\GOOGLE~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\DBLO9US4\FAVICO~2.SH! I:\DISCDU~1\ROS_SU~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\8GJRC2HA\YOURIP~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1FQLLFR3\ICON_1~1.SH! 
C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\KCT5MCUO\FACA80~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\DBLO9US4\FA9065~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1TBJ2J8H\FA9465~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\4PRX30S2\FAVICO~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1FQLLFR3\FAVICO~4.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1TBJ2J8H\FAAC74~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1TBJ2J8H\FAAC72~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\0XXYE11H\FA9465~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\KCT5MCUO\GOOGLE~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\2C8VDG20\YOURIP~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\KCT5MCUO\YOURIP~1.SH!
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: F1U201.401.lnk = C:\Program Files\Belkin\F1U201.401\usbshare.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL AG-225H Utility.lnk = C:\Program Files\ZyXEL\AG-225H\AG-225H.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170889504406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O23 - Service: McAfee Application Installer Cleanup (0038891201796498) (0038891201796498mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\003889~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\system32
O23 - Service: Iomega App Services - Iomega Corporation - C:\Program Files\Iomega\System32\AppServices.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NICSer_AG225H - Unknown owner - C:\Program Files\ZyXEL\AG-225H\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


--
End of file - 14437 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
R1 Asapi - c:\windows\system32\drivers\asapi.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 _IOMEGA_ACTIVE_DISK_SERVICE_ (Iomega Active Disk) - "c:\program files\iomega\autodisk\adservice.exe" <Not Verified; Iomega Corporation; Iomega Active Disk>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CTDevice_Srv (CT Device Query service) - c:\program files\creative\shared files\ctdevsrv.exe <Not Verified; Creative Technology Ltd; CTDevSrv Application>
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
R2 KService - "c:\program files\kontiki\kservice.exe" <Not Verified; Kontiki Inc.; Delivery Manager>
R2 NICSer_AG225H - c:\program files\zyxel\ag-225h\nicserv.exe

S2 0038891201796498mcinstcleanup (McAfee Application Installer Cleanup (0038891201796498)) - c:\windows\temp\003889~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)
S4 Iomega Activity Disk2 - ""


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-27 01:08:00 408 --ah----- C:\WINDOWS\Tasks\MSK_ABImport_Weekly_Robert.job
2008-01-19 17:11:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-15 01:14:41 342 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-01-06 00:10:29 334 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-01-05 22:00:00 742 --a------ C:\WINDOWS\Tasks\McAfee Cleanup.job


-- Files created between 2007-12-31 and 2008-01-31 -----------------------------

2008-01-31 21:59:56 0 d-------- C:\ie-spyad_zo
2008-01-31 21:46:30 0 d-------- C:\Program Files\SpywareBlaster
2008-01-31 16:21:35 0 d-------- C:\WINDOWS\LastGood
2008-01-29 21:05:32 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-29 21:04:52 8576 --a------ C:\WINDOWS\system32\drivers\oiqeeinkoqqp.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-29 19:58:45 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-11 18:12:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-01-07 12:59:56 0 d-------- C:\Documents and Settings\Katharine\Application Data\SiteAdvisor
2008-01-06 12:53:35 0 d-------- C:\Documents and Settings\Catriona\Application Data\SiteAdvisor
2008-01-06 10:47:14 0 d-------- C:\Documents and Settings\Jennifer\Application Data\SiteAdvisor
2008-01-06 00:46:07 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-01-06 00:10:15 0 d-------- C:\Program Files\McAfee.com
2008-01-06 00:10:11 0 d-------- C:\Program Files\Common Files\McAfee
2008-01-06 00:10:06 0 d-------- C:\Program Files\McAfee
2008-01-04 23:22:52 0 d-------- C:\Documents and Settings\Katharine\Application Data\GARMIN
2008-01-04 14:43:15 0 d-------- C:\Documents and Settings\Robert\Application Data\McAfee
2007-12-31 15:38:54 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-01-30 02:55:50 0 d-------- C:\Program Files\QuickTime
2008-01-30 02:55:37 0 d-------- C:\Program Files\MSN Messenger
2008-01-30 02:46:02 0 d-------- C:\Program Files\Kontiki
2008-01-30 02:41:07 0 d-------- C:\Program Files\Common Files\LightScribe
2008-01-29 19:43:23 0 d-------- C:\Program Files\Messenger Plus! Live
2008-01-12 21:30:50 0 d-------- C:\Documents and Settings\Robert\Application Data\Adobe
2008-01-11 18:12:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-09 17:21:38 0 d-------- C:\Program Files\SiteAdvisor
2008-01-07 21:55:13 0 d-------- C:\Program Files\Sibelius Software
2008-01-07 12:15:13 0 d-------- C:\Documents and Settings\Robert\Application Data\AdobeUM
2008-01-07 09:14:28 0 d-------- C:\Program Files\iTunes
2008-01-06 00:19:51 0 d-------- C:\Documents and Settings\Robert\Application Data\SiteAdvisor
2008-01-06 00:10:11 0 d-------- C:\Program Files\Common Files
2007-12-31 15:34:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-26 23:26:54 0 d-------- C:\Program Files\QuickTime(2)
2007-12-26 23:26:54 0 d-------- C:\Program Files\iTunes(3)
2007-12-26 23:26:54 0 d-------- C:\Program Files\iTunes(2)
2007-12-26 23:20:46 0 d-------- C:\Program Files\Apple Software Update
2007-12-26 10:52:11 0 d-------- C:\Program Files\iTunes(4)
2007-12-25 21:52:29 0 d-------- C:\Program Files\Common Files\Apple
2007-12-15 21:23:51 0 d-------- C:\Program Files\Neuratron PhotoScore Ultimate
2007-12-14 13:49:30 0 d-------- C:\Documents and Settings\Robert\Application Data\vlc
2007-12-14 13:47:33 0 d-------- C:\Program Files\VideoLAN
2007-12-11 22:22:18 0 d-------- C:\Documents and Settings\Robert\Application Data\GARMIN
2007-12-09 23:25:00 122896 --a------ C:\Documents and Settings\Robert\Application Data\GDIPFONTCACHEV1.DAT
2007-12-09 22:47:54 0 d-------- C:\Documents and Settings\Robert\Application Data\Leadertech


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
19/09/2007 06:15 329032 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [08/07/2005 15:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/01/2007 00:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [28/01/2007 00:35]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03/08/2007 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [24/08/2007 21:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 19:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [17/07/2002 11:00]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [25/06/2004 09:21]
"CTZDetec.exe"="C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe" [15/05/2007 19:25]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\UQGTGHWQ\ADBRIT~4.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\TG18MHKZ\WEB_AN~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\LUX2XH40\WEB_AN~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\ANTIPH~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\4UNKGZ4U\SITE_1~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\Q36A2V0I\YOURIP~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\43Z3ZGPW\CONTRO~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\5W19BB2L\CURREN~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\2AVD72TI\INDEX_~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\SHRVRA6X\0001PA~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\SHRVRA6X\FA9455~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\NPI3W6OB\0001PA~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\FAAC72~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\0001PA~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\FA1929~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\AAJGI82S\FAVICO~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\NPI3W6OB\FA9C55~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\0001PA~3.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\20G5B8SG\TURBOU~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\0XXYE11H\FAVICO~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\FJCHLMFO\YOURIP~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1FQLLFR3\FAVICO~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1FQLLFR3\GOOGLE~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\DBLO9US4\FAVICO~2.SH! I:\DISCDU~1\ROS_SU~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\8GJRC2HA\YOURIP~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1FQLLFR3\ICON_1~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\KCT5MCUO\FACA80~1.SH! 
C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\DBLO9US4\FA9065~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1TBJ2J8H\FA9465~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\4PRX30S2\FAVICO~2.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1FQLLFR3\FAVICO~4.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1TBJ2J8H\FAAC74~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\1TBJ2J8H\FAAC72~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\0XXYE11H\FA9465~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\KCT5MCUO\GOOGLE~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\2C8VDG20\YOURIP~1.SH! C:\DOCUME~1\Robert\LOCALS~1\TEMPOR~1\Content.IE5\KCT5MCUO\YOURIP~1.SH!

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - C:\Program Files\Belkin\F1U201.401\usbshare.exe [24/01/2007 22:04:16]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/05/2005 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [12/05/2005 00:49:24]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [24/01/2007 21:15:59]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]
ZyXEL AG-225H Utility.lnk - C:\Program Files\ZyXEL\AG-225H\AG-225H.exe [01/02/2007 21:49:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdfue.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- Hosts -----------------------------------------------------------------------

221.135.111.122 download.mcafee.com
221.135.111.121 download.mcafee.com


-- End of Deckard's System Scanner: finished at 2008-01-31 23:05:51 ------------
 

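As an added triage example (not part of the original post, and not code from Deckard's System Scanner or HijackThis), the following Python walks a HijackThis-style log such as the one above and flags the entries a malware helper looks at first: hosts-file overrides for security-vendor domains (these block updates whether they point at loopback or at a third-party address, and should be checked against the vendor's real DNS answer), BHOs whose DLL is gone, service binaries living under a TEMP directory, and non-default Winlogon values such as the "System"="kdfue.exe" entry in the registry dump. The vendor-domain list and the Windows XP Winlogon defaults are assumptions; the sample input is copied from the posted log plus one constructed benign hosts line.

```python
"""Triage helper for HijackThis / Deckard's System Scanner output.

Added example, not part of the original thread. The domain list and the
Winlogon defaults below are assumptions, not values taken from the page.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed list of update/security domains whose hosts-file overrides deserve a look.
SECURITY_VENDOR_DOMAINS = (
    "mcafee.com", "microsoft.com", "windowsupdate.com",
    "symantec.com", "pandasoftware.com",
)

# Assumed Windows XP defaults for the Winlogon values malware commonly hijacks
# (lower-cased; "System" is normally empty).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": "c:\\windows\\system32\\userinit.exe,",
    "system": "",
}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.*)$")
WINLOGON_VALUE_RE = re.compile(r'^"(System|Shell|Userinit)"="(.*)"$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def _is_vendor_host(host: str) -> bool:
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line; benign lines produce nothing."""
    findings: List[Finding] = []
    in_winlogon = False  # True while inside the Winlogon block of the registry dump
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # O1: hosts-file entries. Any pin for a vendor's update host is reported,
        # loopback or not: a stale pinned address blocks updates just as well.
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if _is_vendor_host(host):
                findings.append(Finding(line, f"hosts override pins {host} to {ip}"))
            continue

        # O2: BHOs whose DLL is gone are leftovers; harmless but worth removing.
        m = BHO_RE.match(line)
        if m:
            if m.group(2).strip() == "(no file)":
                findings.append(Finding(line, f"orphaned BHO {m.group(1)}"))
            continue

        # O23: service binaries that live under a TEMP directory.
        if line.startswith("O23 - Service: "):
            parts = line.split(" - ", 3)  # ["O23", "Service: name", owner, path]
            path = parts[3].lower() if len(parts) == 4 else ""
            if "\\temp\\" in path:
                findings.append(Finding(line, "service binary under a TEMP directory"))
            continue

        # Registry dump: remember whether we are inside the Winlogon key.
        if line.startswith("[") and line.endswith("]"):
            in_winlogon = line.lower().endswith("\\winlogon]")
            continue
        if in_winlogon:
            m = WINLOGON_VALUE_RE.match(line)
            if m:
                name, value = m.group(1).lower(), m.group(2).strip().lower()
                if value != WINLOGON_DEFAULTS[name]:
                    findings.append(Finding(line, f"non-default Winlogon {m.group(1)} value {value!r}"))
    return findings


# Sample input: lines copied from the log posted above, plus one constructed
# benign hosts line (127.0.0.1 localhost) to show that ordinary entries pass.
SAMPLE_LOG = r"""
O1 - Hosts: 221.135.111.122 download.mcafee.com
O1 - Hosts: 221.135.111.121 download.mcafee.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0038891201796498) (0038891201796498mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\003889~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [08/07/2005 15:25]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdfue.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<55} {f.line[:70]}")
```

A hit is a prompt to verify, not a verdict: the two download.mcafee.com entries were, according to the post, added by McAfee support, and the script still reports them because an address pinned in the hosts file goes stale as soon as the vendor moves its servers, and because the same technique is what malware uses to cut a machine off from updates. The Winlogon check is the one that matters most here, since Deckard's scanner only prints that key when it holds something other than the default.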

Reply (Registered, 5,264 Posts)
Hello and welcome to TSF


Apologies for the delay in getting to your log. The helpers here are all volunteers and we have been very busy lately. If you are still having malware problems, follow the instructions below.

=============

Download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Do not post that log, instead, do this next:

Please run Deckard's System Scanner (DSS) once again, thanks.

===============
Log Required
C:\Deckard\System Scanner\main.txt
 

Discussion Starter #3 (Registered, 3 Posts)
Thank you for your reply.

Unfortunately, before I had the opportunity to follow your instructions, I had a full-blown attack or a hard disc failure. It happened when one of the kids was on Bebo. The screen went blank because output to the screen was lost.

I attempted a restart. Boot screens: the first had lots of "$" signs (during video card set-up?). Subsequent screens were full of spelling mistakes in the messages. Windows attempted to load but failed very early in the attempt. I attempted a Windows "safe mode" start but could not get beyond the "safe mode" selection screen.

I need to find my recovery discs and reformat the boot hard drive. Fortunately, I have a full data back-up.

I would appreciate your comments/advice on the following.
Do you suspect malware attack or hardware failure from the description?
Could the BIOS have been attacked?
There are two other internal data hard drives on the machine, any advice on isolation or handling of them before connection to a clean system?

I appreciate what you guys do. Bad things happen at times, and at least this time I have a days-old back-up, unlike the last time I had a failure.

Audaxbike
 

Reply (Registered, 5,264 Posts)
Hello again

Audaxbike said:
Do you suspect malware attack or hardware failure from the description?
It could be either, but it was most likely caused by the infections that were present.

Audaxbike said:
Could the BIOS have been attacked?
No.

Audaxbike said:
There are two other internal data hard drives on the machine, any advice on isolation or handling of them before connection to a clean system?
Internal hard drives are not something I am familiar with; I use external devices such as USB sticks, flash drives, CD-Rs, etc. for my back-ups.

You would be better asking that question in our XP forum. As our focus in this section is malware removal, you would be better served in the Windows XP section of this forum.
 