Following are:
- ComboFix log after dragging and dropping the CFScript.txt file over ComboFix.exe
- Malwarebytes Anti-malware report
- a fresh hjt log
Note: The ATF-Clean's Firefox tab remained grayed-out and inactive.
Part I:
Following is the ComboFix log:
ComboFix 08-04-18.3 - Administrator 2008-04-21 13:20:29.10 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.792 [GMT -4:00]
Running from: C:\Documents and Settings\Delco Club\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\cfscript.lnk
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\etbehngq.ini
C:\WINDOWS\system32\pocahccn.dll
C:\WINDOWS\system32\qgnhebte.dll
C:\WINDOWS\system32\ukpjxawu.dll
C:\WINDOWS\system32\yacegfii.ini
C:\WINDOWS\system32\yacegfii.ini2
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\hnpyrbth.ini
C:\WINDOWS\system32\htbrypnh.dll
C:\WINDOWS\system32\ijdqqjup.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nitrxsoy.dll
C:\WINDOWS\system32\yacegfii.ini
C:\WINDOWS\system32\yacegfii.ini2
.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.
2008-04-21 11:46 . 2008-04-21 11:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 11:46 . 2008-04-21 11:46 <DIR> d-------- C:\Documents and Settings\Delco Club\Application Data\Malwarebytes
2008-04-21 11:46 . 2008-04-21 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 09:52 . 2008-04-21 09:52 1,349 --a------ C:\cfscript
2008-04-20 23:11 . 2008-04-21 11:42 109,734 --a------ C:\WINDOWS\BMa7f495c0.xml
2008-04-20 17:09 . 2008-04-20 21:31 1,540,617 ---hs---- C:\WINDOWS\system32\qwhasiwc.ini
2008-04-20 16:32 . 2008-04-20 14:25 791 --a------ C:\ComboFix.lnk
2008-04-20 15:25 . 2008-04-20 17:09 109,734 --a------ C:\WINDOWS\BMa7f495c0(DELETETHIS)3.xml
2008-04-20 11:30 . 2008-04-20 13:57 18 --a------ C:\WINDOWS\pskt(DELETETHIS).ini
2008-04-20 10:20 . 2008-04-20 11:30 109,734 --a------ C:\WINDOWS\BMa7f495c0(DELETTHIS).xml
2008-04-19 22:17 . 2008-04-19 22:17 <DIR> d-------- C:\Documents and Settings\Delco Club\Application Data\PCF-VLC
2008-04-19 16:20 . 2008-04-19 16:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-19 11:56 . 2008-04-21 13:14 13,588 --a------ C:\WINDOWS\system32\wpa.dbl
2008-04-19 11:53 . 2008-04-21 13:12 12,116 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-19 11:43 . 2008-04-19 13:28 <DIR> d-------- C:\WINDOWS\system32\TRASH
2008-04-19 10:56 . 2008-04-19 10:56 294 ---hs---- C:\WINDOWS\system32\caqgqsvo.ini
2008-04-18 15:36 . 2008-04-18 15:17 44,659,067 --a------ C:\sdat5277.exe
2008-04-18 15:34 . 2008-04-18 16:24 <DIR> d-------- C:\SDAT
2008-04-18 13:35 . 2008-04-18 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-04-18 10:58 . 2008-04-18 10:58 294 ---hs---- C:\WINDOWS\system32\cxblwbim.ini
2008-04-17 19:52 . 2008-04-17 19:52 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-17 19:50 . 2008-04-17 19:50 <DIR> d-------- C:\Program Files\MSBuild
2008-04-17 19:46 . 2008-04-17 19:46 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-17 19:45 . 2008-04-17 19:45 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-17 12:27 . 2008-04-20 21:32 615 --a------ C:\WINDOWS\wininit.ini
2008-04-17 11:37 . 2008-04-17 11:34 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-17 11:37 . 2008-04-17 11:37 2,555 --a------ C:\WINDOWS\unins000.dat
2008-04-17 10:55 . 2008-04-17 13:21 1,528,325 ---hs---- C:\WINDOWS\system32\naipdwtx.ini
2008-04-17 10:51 . 2008-04-17 10:51 395,218 --a------ C:\WINDOWS\system32\iifgecay.dll
2008-04-17 10:46 . 2008-04-17 10:46 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
2008-04-17 10:46 . 2008-04-17 10:46 <DIR> d-------- C:\TEMP\berDrv11
2008-04-13 20:23 . 2008-04-13 20:23 <DIR> d-------- C:\Program Files\iPod
2008-04-13 20:22 . 2008-04-13 20:23 <DIR> d-------- C:\Program Files\iTunes
2008-04-13 06:14 . 2008-04-13 06:14 <DIR> d-------- C:\Program Files\SOFTplus
2008-04-12 13:23 . 2008-04-12 13:23 <DIR> d-------- C:\Documents and Settings\Delco Club\Application Data\Mach5 Enterprises
2008-04-12 13:22 . 2008-04-12 13:22 <DIR> d-------- C:\Program Files\Mach5 Development
2008-04-12 11:02 . 2008-04-20 09:09 <DIR> d-------- C:\Program Files\Deep Log Analyzer
2008-04-12 11:02 . 2008-04-12 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DLA Storage
2008-04-12 11:02 . 2008-04-20 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DLA
2008-04-12 10:55 . 2008-04-12 10:55 <DIR> d-------- C:\Program Files\SmarterTools
2008-04-12 10:18 . 2008-04-12 10:22 <DIR> d-------- C:\Program Files\gsitecrawler
2008-04-11 20:45 . 2008-04-11 20:46 <DIR> d-------- C:\Program Files\strawberry
2008-04-11 20:31 . 2008-04-11 20:32 <DIR> d-------- C:\Program Files\Perl Express
2008-04-11 17:57 . 2008-04-11 17:57 <DIR> d-------- C:\Program Files\perl
2008-04-11 17:41 . 2008-04-11 19:49 <DIR> d-------- C:\Program Files\awstats
2008-04-11 17:33 . 2008-04-11 17:39 <DIR> d-------- C:\Program Files\ActivePerl-5.10.0.1002-MSWin32-x64-283697
2008-04-11 16:56 . 2008-04-12 15:18 <DIR> d-------- C:\Program Files\Ka Log Analyzer
2008-04-11 16:36 . 2008-04-11 16:36 <DIR> d-------- C:\Program Files\Hardcoded Software
2008-04-11 16:36 . 2008-04-11 16:36 <DIR> d-------- C:\Documents and Settings\Delco Club\Application Data\Hardcoded Software
2008-04-11 11:44 . 2008-04-11 11:45 <DIR> d-------- C:\Program Files\WebLog Expert Lite
2008-04-11 11:44 . 2008-04-11 11:44 <DIR> d-------- C:\Program Files\Common Files\Software FX Shared
2008-04-11 11:41 . 2008-04-11 11:42 <DIR> d-------- C:\Program Files\Web Log Expert
2008-04-11 10:56 . 2008-04-11 10:57 <DIR> d-------- C:\Program Files\Logalizer
2008-04-11 10:50 . 2008-04-11 10:50 <DIR> d-------- C:\Program Files\bello network monitoring
2008-04-06 15:40 . 2006-01-26 08:26 327,680 --a------ C:\WINDOWS\system32\DartZip.dll
2008-04-06 15:40 . 1998-04-23 23:00 287,504 --a------ C:\WINDOWS\system32\MSXBSE.dll
2008-04-06 15:40 . 2005-06-02 14:36 276,352 --a------ C:\WINDOWS\system32\XceedSco.dll
2008-04-06 15:40 . 2006-01-26 08:24 221,184 --a------ C:\WINDOWS\system32\DartSock.dll
2008-04-06 15:40 . 2006-01-26 08:26 196,608 --a------ C:\WINDOWS\system32\DartSecureFtp.dll
2008-04-06 15:40 . 2006-01-26 08:24 196,608 --a------ C:\WINDOWS\system32\DartSecure2.dll
2008-04-06 15:40 . 2006-01-26 08:26 196,608 --a------ C:\WINDOWS\system32\DartFtp.dll
2008-04-06 15:40 . 2006-01-26 08:24 155,648 --a------ C:\WINDOWS\system32\DartCertificate.dll
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 14:28 . 2008-03-26 14:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HeidiSQL
2008-03-25 15:59 . 2008-03-25 15:59 <DIR> d-------- C:\Program Files\MySQL
2008-03-24 10:30 . 2008-03-24 10:33 <DIR> d-------- C:\Program Files\HeidiSQL (OLD (March 24, 2008))
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 13:39 --------- d-----w C:\Program Files\McAfee
2008-04-20 13:36 --------- d-----w C:\Program Files\GetRight
2008-04-20 00:56 --------- d-----w C:\Program Files\Napster
2008-04-19 15:35 57,344 ----a-w C:\WINDOWS\ALCXMNTRDELETTHIS.EXE
2008-04-19 15:35 --------- d-----w C:\Program Files\Clean Disk Security
2008-04-17 16:26 --------- d-----w C:\Program Files\RegistrySmart
2008-04-17 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 15:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-14 00:18 --------- d-----w C:\Program Files\QuickTime
2008-04-13 18:16 --------- d-----w C:\Program Files\HeidiSQL
2008-04-13 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 00:30 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-04-10 00:53 --------- d-----w C:\Program Files\Winamp
2008-03-23 15:05 --------- d-----w C:\Documents and Settings\Delco Club\Application Data\SiteAdvisor
2008-03-19 12:58 --------- d-----w C:\Program Files\MySQL-Front
2008-03-19 00:53 --------- d-----w C:\Documents and Settings\Delco Club\Application Data\Star-Tools
2008-03-16 14:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-16 01:20 --------- d-----w C:\Program Files\UltimateZip
2008-03-15 21:03 --------- d-----w C:\Program Files\Ace Zip
2008-03-15 20:49 --------- d-----w C:\Program Files\Ken Ward's Zipper
2008-03-15 15:02 --------- d-----w C:\Program Files\Mentat Technologies
2008-03-15 14:52 --------- d-----w C:\Program Files\Mobiliti
2008-03-10 19:59 --------- d-----w C:\Program Files\Windows Live
2008-03-09 19:34 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-09 19:32 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-09 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-07 02:27 --------- d-----w C:\Program Files\Bonjour
2008-02-01 15:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-07-23 02:53 3,655,608 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-07-23 02:52 25,990,432 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2006-05-08 19:13 5,632 --sha-w C:\Program Files\Thumbs.db
2005-12-17 13:31 0 ----a-w C:\Program Files\INTERNET EXPLe
2004-11-06 23:51 16,214,136 ----a-w C:\Program Files\TrellixWeb2.6 multihost (November 6, 2004).exe
2004-11-06 22:42 17,193,656 ----a-w C:\Program Files\CompuServeTrellixWeb17982451 (Trellix 25 (November 6, 2004)).exe
2004-11-06 22:07 2,647,591 ----a-w C:\Program Files\Trellix_Web_v.2.7_PA_Upgrade (November 6, 2004).zip
2004-09-07 23:34 560 ----a-w C:\Documents and Settings\Delco Club\PCDOC.BAT
2004-08-26 23:36 141 ----a-w C:\Program Files\pcdocrx_order.html
2003-08-27 18:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2002-11-28 13:55 25,762 ----a-w C:\Program Files\Common Files\wbc2jpg243 (Covert Webshots to JPG File (November 28, 2002)).zip
2001-03-11 14:59 766 ----a-w C:\Program Files\pcdoc.ico
.
----a-w 2,339,511 2004-10-25 19:45:17 C:\Downloads\burn4free_setup (Burn4Free v100602 (October 25, 2004)) .exe
----a-w 37,378 2004-09-20 20:28:44 C:\Downloads\epson11183 (Web-to-Page Utility (September 20, 2004)) .exe
----a-w 652,745 2004-10-27 01:15:29 C:\Downloads\ftpnavigator (FTP - Navigator 741 (October 26, 2004)) .exe
----a-w 403,546 2007-12-13 00:25:11 C:\Downloads\metakey (Meta Keywords Finder v11 (December 12, 2007))1 .exe
----a-w 1,148,148 2004-12-19 01:26:54 C:\Downloads\simpleftpclientsetup (Simple FTP Client (December 18, 2004)) .exe
----a-w 1,034,895 2002-12-14 01:51:38 C:\Downloads\stocksetup (Active Stock Analysis 338 (December 13, 2002)) .exe
((((((((((((((((((((((((((((( snapshot@2008-04-20_15.10.44.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 18:57:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 17:30:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-20 17:44:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-21 13:04:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-20 17:44:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-21 13:04:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-20 17:44:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-21 13:04:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A87DA3DF-71D2-4A6F-9C30-A38D12D9BB24}]
2008-04-17 10:51 395218 --a------ C:\WINDOWS\system32\iifgecay.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"Update Service"="C:\Program Files\Common Files\Teknum Systems\update.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
C:\Documents and Settings\Delco Club\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-06-04 19:42:02 157008]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-11-21 15:50 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrsppnk]
rqrsppnk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a4c7a65c]
C:\WINDOWS\system32\qgnhebte.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMa7f495c0]
C:\WINDOWS\system32\pocahccn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"iPodService"=3 (0x3)
"WMP54GSVC"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"WBA_Agent_Client"=2 (0x2)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"SiteAdvisor Service"=2 (0x2)
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Search Tools\\FerretSoft\\WebFerret\\WebFerret.exe"=
"C:\\Program Files\\Music\\realplay.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\FTP\\FTP Commander\\Ftpcomm.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\Program Files\Toronto Star Alerts\torontostaralerts.exe"= C:\Program Files\Toronto Star Alerts\torontostaralerts.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 crlscsi;crlscsi;C:\WINDOWS\system32\drivers\crlscsi.sys [1995-11-07 05:57]
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS [1998-05-05 12:36]
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS [1999-02-23 02:42]
S2 MSSQL$MAILLOOP6;MSSQL$MAILLOOP6;C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe [2002-12-17 16:26]
S2 PV8630;PV8631 WDM Device Driver;C:\WINDOWS\system32\pv8630.sys [2000-07-05 12:13]
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys [1998-09-18 10:18]
S3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys [2004-09-22 09:01]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 SQLAgent$MAILLOOP6;SQLAgent$MAILLOOP6;C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlagent.EXE [2002-12-17 16:23]
S4 WBA_Agent_Client;Brother Web BRAdmin Agent;C:\Program Files\Brother\BRAgent\BRAgtSrv.exe [2003-01-20 17:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 03:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-21 15:29:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-11 18:36:10 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-12-11 18:36:10 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-04-21 17:11:33 C:\WINDOWS\Tasks\User_Feed_Synchronization-{5F3EB75D-9323-4B1E-B75E-43F13ACBACC4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 13:31:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-21 13:40:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 17:40:37
ComboFix2.txt 2008-04-21 02:01:33
ComboFix3.txt 2008-04-20 20:44:56
ComboFix4.txt 2008-04-20 20:23:15
ComboFix5.txt 2008-04-20 19:10:55
Pre-Run: 15,882,571,776 bytes free
Post-Run: 15,867,367,424 bytes free
289 --- E O F --- 2008-04-20 16:10:24
Part II:
Following is the Malwarebytes Anti-malware report:
Malwarebytes' Anti-Malware 1.11
Database version: 666
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 435848
Time elapsed: 5 hour(s), 5 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 26
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\iifgecay.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0480e143-61e5-4f44-9a56-f87c211a126e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0480e143-61e5-4f44-9a56-f87c211a126e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1611fdda-445b-11d2-85de-00c04fa35c89} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2275c71f-2368-4889-b03c-8c19dc9c7b6c} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{47c922a2-3dd5-11d2-bf8b-00c04fb93661} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72423e8f-8011-11d2-be79-00a0c9a83da1} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72423e8f-8011-11d2-be79-00a0c9a83da2} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72423e8f-8011-11d2-be79-00a0c9a83da3} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ba9239a4-3dd5-11d2-bf8b-00c04fb93661} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fa663f6e-30a1-4a37-bb70-bfa253f0985c} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b5f1f553-3f7c-4725-b3d0-02df2a529c36} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4340df8e-d7a3-4675-be74-80077b2b3e81} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d12fb216-99da-4eb3-9cc0-c0f760b174a0} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d56c1af1-3fde-471c-9bc2-c52515f260c1} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e7009428-ff40-4b3d-9ef4-5928c0ab81fd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifgecay -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifgecay -> Delete on reboot.
Folders Infected:
C:\WINDOWS\system32\xcsDd01 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\iifgecay.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yacegfii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yacegfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Downloads\VideoAccessCodecInstall(2).exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Wordprocessors\Corel\Office7\AppMan\Setup\QFCI7.DLL (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocvw.oca (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
Part III:
Following is the hjt log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16, on 2008-04-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\ramping.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.80.12.124:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DELCO CLUB\Application Data\Mozilla\Profiles\default\l4hnnkbr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CInternet%5CBrowsers%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DELCO CLUB\Application Data\Mozilla\Profiles\default\l4hnnkbr.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: PimpFish Basic Toolbar Opcode Handler - {29C88E20-4234-41B9-A9DB-982958C95FB1} - C:\Program Files\PimpFish\PimpFish.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: FloatBar Class - {75B1A646-CDCE-4C06-B52F-84F4463B4FC8} - C:\Program Files\PimpFish\FloatBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: PimpFish Basic - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\SEARCH~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\SEARCH~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\Website Copiers\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\Website Copiers\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: FlashFavorite - {4335F0BE-9AAF-4023-9929-681B937B814A} - C:\PROGRA~1\FLASHF~1\FFCom.dll
O9 - Extra 'Tools' menuitem: Flash Favorite - {4335F0BE-9AAF-4023-9929-681B937B814A} - C:\PROGRA~1\FLASHF~1\FFCom.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\SEARCH~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Movies Extractor Scout LITE - {8C51D131-81D2-4844-A4F8-E46AC238D815} - C:\Program Files\Movies Extractor Scout LITE\flashextract.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2A6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - http://www.homepageprotector.com/data/homeproinstall.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/tramper/us/win/QuickTimeInstaller.exe
O16 - DPF: {4CF5275B-CDBC-11D3-A8AF-0090279A5978} - http://www.portalsearching.com/toolbar/bho.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126634216187
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: rqrsppnk - rqrsppnk.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O24 - Desktop Component 0: (no name) - http://www.webstats4u.com/images/bg.gif
O24 - Desktop Component 1: (no name) - http://www.wezv.com/navlogoeasy.gif
O24 - Desktop Component 2: (no name) - http://www.885thejewel.com/images/jwlpghdlft.JPG
--
End of file - 11666 bytes