
search results hijacker


  • This topic is locked
23 replies to this topic

#1 digger102

digger102

  • Members
  • 12 posts
  • OFFLINE

Posted 20 April 2010 - 01:44 PM

After I've done a search, the links on the search results page are hijacked and when I use them, I end up somewhere unexpected. For example, using the Yahoo search engine, I searched for Volvo. The search results showed "http://volvocars.us" when I scrolled over it, but it actually takes me to <http://c.ppcxml.net/?d=…cffa921d1e6b>

Another link on the results page shows <http://www.volvo.com>, but takes me to <http://c.ppcxml.net/?d=…cffa921d1e6b>

I get the same kind of results when I use Bing or Google to search with. On Google a link to <www.volvocars.com> just took me to <http://www.mylocalhero.com/profile.php?id=37778887&c=volvo&l=erie%2Cpa&p=28&s=48731187>

dds.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Sergeant Major at 12:38:09.01 on Tue 04/20/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.825 [GMT -4:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Sergeant Major\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = MS Internet Explorer
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Power2GoExpress]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [ModPS2] ModPS2Key.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\users\sergea~1\appdata\local\micros~1\windows\tempor~1\content.ie5\32di7kp1\1715_3~1.SH!
dRunOnce: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p7 /q c:\users\sergea~1\appdata\local\temp\low\HSPERF~1.SH!
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: army.mil\eportal.ctnosc
Trusted Zone: army.mil\fportal.ctnosc
Trusted Zone: army.mil\fsso.ctnosc
Trusted Zone: army.mil\help.us
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\sergea~1\appdata\roaming\mozilla\firefox\profiles\03oipv5l.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\sergeant major\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-19 64288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-5 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-8-5 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-8-5 144704]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-10-28 632792]
R2 PPCLASS;PPCLASS;c:\windows\system32\drivers\ppclass.sys [2007-7-6 85868]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-13 24652]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-1-25 5504]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-8-5 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-5 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-5 40552]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" --> c:\program files\lavasoft\ad-aware 2007\aawservice.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [2007-7-6 120544]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-16 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-1-27 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-5 34248]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]

=============== Created Last 30 ================

2010-04-20 16:28:00 0 ----a-w- c:\users\sergeant major\defogger_reenable
2010-04-20 11:45:59 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-19 17:13:41 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-19 17:13:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-19 17:11:27 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-19 17:09:49 0 d-----w- c:\program files\Lavasoft
2010-04-19 16:37:07 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-19 02:55:35 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-19 02:55:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-19 01:31:17 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-19 01:31:00 0 d-----w- c:\users\sergea~1\appdata\roaming\SUPERAntiSpyware.com
2010-04-19 01:31:00 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-19 01:30:04 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-19 01:04:26 0 d-----w- c:\users\sergea~1\appdata\roaming\Malwarebytes
2010-04-19 01:00:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-19 01:00:10 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 01:00:10 0 d-----w- c:\programdata\Malwarebytes
2010-04-19 01:00:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 23:08:16 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-18 22:58:06 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-18 22:51:27 0 d-----w- c:\program files\Bonjour
2010-04-18 22:20:36 0 d-----w- c:\program files\Secunia
2010-04-18 02:59:49 0 d-----w- c:\program files\dvd43(29)
2010-04-16 18:53:10 0 d-----w- c:\program files\common files\Symantec Shared
2010-04-16 18:35:26 0 d-----w- c:\users\sergea~1\appdata\roaming\Tific
2010-04-16 18:34:18 0 d-----w- c:\programdata\NortonInstaller
2010-04-15 03:10:43 65536 --sha-w- c:\users\sergeant major\ntuser.dat{24a99a6f-480f-11df-a2d0-0019d152c760}.TM.blf
2010-04-15 03:10:43 524288 --sha-w- c:\users\sergeant major\ntuser.dat{24a99a6f-480f-11df-a2d0-0019d152c760}.TMContainer00000000000000000002.regtrans-ms
2010-04-15 03:10:43 524288 --sha-w- c:\users\sergeant major\ntuser.dat{24a99a6f-480f-11df-a2d0-0019d152c760}.TMContainer00000000000000000001.regtrans-ms
2010-04-14 19:45:39 0 d-sh--w- c:\programdata\SysWoW32
2010-04-14 19:45:25 203776 --sh--w- c:\programdata\unrar.exe
2010-04-14 18:47:00 0 d-----w- c:\users\sergea~1\appdata\roaming\FrostWire
2010-04-14 15:30:46 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 15:30:46 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 15:30:46 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 15:30:41 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 15:30:41 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 15:30:38 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 15:30:35 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 15:30:35 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 15:30:31 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 15:30:30 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 15:30:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 15:29:40 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 15:29:27 98304 ----a-w- c:\windows\system32\cabview.dll
2010-03-22 11:09:20 0 d-----w- c:\program files\common files\xing shared

==================== Find3M ====================

2010-04-19 17:13:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-18 22:52:42 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-18 22:52:42 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-18 22:52:42 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-11 18:21:57 1588 ----a-w- c:\users\sergea~1\appdata\roaming\wklnhst.dat
2010-02-25 01:33:40 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-16 23:49:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-09-17 00:33:52 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-19 15:01:49 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-05-21 23:01:04 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012007051420070521\index.dat
2007-05-21 23:01:04 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012007052120070522\index.dat

============= FINISH: 12:40:06.76 ===============


Note: When I closed GMER after running it, my computer did a blue screen crash and rebooted itself too fast for me to remember the message on the screen.


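An added example, not from this thread and not part of DDS or any BleepingComputer tool: a short Python script that parses the "SERVICES / DRIVERS" and "Created Last 30"/"Find3M" sections of a DDS log like the one posted above and flags two things a helper otherwise scans for by eye: entries carrying both the hidden and system attributes outside the places Windows normally puts them, and services whose image file DDS marks with `[?]` because it could not find it on disk. The line formats and attribute letters are inferred from the log above and are assumptions; the sample input is a handful of lines copied from that log and labelled as such. On those lines it picks out the `SysWoW32` directory and `unrar.exe` under ProgramData (both hidden+system, created in the same minute) and the orphaned `aawservice` entry. A flag is a prompt to look, not a verdict.

```python
"""Triage two sections of a DDS log for entries that deserve a second look.

Added example for this thread, not DDS itself or a BleepingComputer tool.
Assumed line formats (inferred from the log posted above):
  Created Last 30 / Find3M:  <date> <time> <size> <8-char attrs> <path>
      attrs flags seen in the log: d=directory, s=system, h=hidden, a=archive
  SERVICES / DRIVERS:        <R|S><n> <name>;<display>;<image> [<date> <size>]
      or "... [?]" when DDS could not find the service image on disk
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Hidden+system objects Windows itself keeps in these places (registry transaction
# logs in the profile root, desktop.ini, IE index.dat). Anything else carrying both
# bits is unusual enough to show a human; it is a triage hint, not a verdict.
EXPECTED_HIDDEN_SYSTEM = (r"ntuser\.dat\{", r"\\desktop\.ini$", r"\\index\.dat$")

# Constructed sample: a handful of lines copied from the DDS log in the first post.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-19 64288]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-13 24652]
S2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" --> c:\program files\lavasoft\ad-aware 2007\aawservice.exe [?]

=============== Created Last 30 ================

2010-04-19 17:13:41 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-15 03:10:43 65536 --sha-w- c:\users\sergeant major\ntuser.dat{24a99a6f-480f-11df-a2d0-0019d152c760}.TM.blf
2010-04-14 19:45:39 0 d-sh--w- c:\programdata\SysWoW32
2010-04-14 19:45:25 203776 --sh--w- c:\programdata\unrar.exe
2010-04-14 18:47:00 0 d-----w- c:\users\sergea~1\appdata\roaming\FrostWire

==================== Find3M ====================

2008-09-17 00:33:52 174 --sha-w- c:\program files\desktop.ini
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def split_sections(text):
    """Yield (section_name, line) for each non-blank line under a '=== name ===' banner."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section:
            yield section, line


def triage(text):
    """Return Finding objects for hidden+system objects in odd places and for
    services whose image file DDS could not locate."""
    findings = []
    for section, line in split_sections(text):
        if section in ("Created Last 30", "Find3M"):
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs, path = m.group("attrs"), m.group("path").lower()
            if "s" in attrs and "h" in attrs and not any(re.search(p, path) for p in EXPECTED_HIDDEN_SYSTEM):
                kind = "directory" if attrs.startswith("d") else "file"
                findings.append(Finding(section, f"hidden+system {kind} outside expected locations", line))
        elif section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m and m.group("rest").rstrip().endswith("[?]"):
                findings.append(Finding(section, f"service {m.group('name')!r} image not found on disk", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

To run it against a real log, pass the file contents to `triage()` instead of `SAMPLE_DDS`; the banners are matched by name, so the "Pseudo HJT Report" and "FIREFOX" sections are simply ignored. The expected-location list is deliberately short: widen it only after confirming a flagged object is something Windows or a known product created.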

#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  • Gender:Male
  • Location:US

Posted 25 April 2010 - 02:46 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 digger102

digger102
  • Topic Starter

  • Members
  • 12 posts

Posted 27 April 2010 - 06:56 AM

The problem has become much worse than just the search results being hijacked. Now:

1) Internet Explorer no longer opens.

2) Mozilla Firefox no longer opens.

3) Windows Live Mail opens but cannot connect to the Internet and download mail.

4) Programs are locking up when I try to shut them down.

5) The computer will not shut down properly. On the last shutdown, the computer froze after clearing the icons off the desktop and would go no further in the process.

6) The CD/DVD burner driver file got corrupted when I removed the DVR43 program and the CD/DVD no longer works.

7) When I tried to put the DDS.txt file on an SD card to transfer it to this computer to send it to you, the computer told me the drive needed to be formatted (?).

Before I contacted this forum, I tried repairing the hijack problem using the methods on this page: Mozilla Firefox Support Website, which is where I got the BleepingComputer address. I've also run Registry Mechanic by PC Tools several times, as well as a program called HijackThis.


I've attached today's DDS.txt. If I did it wrong, holler!

:)

Attached Files

  • Attached File  DDS.txt   23.91KB   4 downloads

Edited by digger102, 27 April 2010 - 12:40 PM.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 28 April 2010 - 06:34 PM

Hello digger102.

Why did you remove DVR43? I'm not sure at this point... but I think that was part of the software for your CD drive, which would explain why it no longer works.

We'll see if we can fix that later, for now let's get rid of that infection.


Note that you can download any requested programs using an uninfected computer, then transfer them to the infected one via Flash drive if your internet is not working.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix Log

Edited by Blade Zephon, 28 April 2010 - 06:35 PM.



#5 digger102

digger102
  • Topic Starter

  • Members
  • 12 posts

Posted 28 April 2010 - 09:39 PM

Hi Blade,

DVD43 was a program to allow my burner to copy protected DVDs. I didn't like it, so I got rid of it, and I think it damaged the Windows driver file, cdrom.sys, in the removal process.

The computer we are working on won't read a flash drive, so I had to download ComboFix to an external (USB) hard drive to transfer it, and even then I had to boot to Windows safe mode. When I downloaded ComboFix from link 2 you provided, it saved as an exe file without me renaming it. I rebooted to the normal mode and ran it with no problems. The log is attached. Note: When I got done I shut down the computer and it went all the way through the process without hanging up. So, I rebooted and tried to open Firefox - it opened, but then locked up, so I shut down again. This time it stopped with "shutting down" on the screen. After about five minutes, I cut the power. I made no attempt to change anything; just tested my browser. -digger102

ComboFix 10-04-28.03 - Sergeant Major 04/28/2010 21:40:02.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1347 [GMT -4:00]
Running from: c:\users\Sergeant Major\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\users\Sergeant Major\AppData\Roaming\0200000063aedb80879C.manifest
c:\users\Sergeant Major\AppData\Roaming\0200000063aedb80879O.manifest
c:\users\Sergeant Major\AppData\Roaming\0200000063aedb80879P.manifest
c:\users\Sergeant Major\AppData\Roaming\0200000063aedb80879S.manifest
c:\users\Sergeant Major\AppData\Roaming\Mozilla\Firefox\Profiles\03oipv5l.default\extensions\{dc09e78d-c4e5-46fe-9d8b-948037d1d16e}
c:\users\Sergeant Major\AppData\Roaming\Mozilla\Firefox\Profiles\03oipv5l.default\extensions\{dc09e78d-c4e5-46fe-9d8b-948037d1d16e}\chrome.manifest
c:\users\Sergeant Major\AppData\Roaming\Mozilla\Firefox\Profiles\03oipv5l.default\extensions\{dc09e78d-c4e5-46fe-9d8b-948037d1d16e}\chrome\xulcache.jar
c:\users\Sergeant Major\AppData\Roaming\Mozilla\Firefox\Profiles\03oipv5l.default\extensions\{dc09e78d-c4e5-46fe-9d8b-948037d1d16e}\defaults\preferences\xulcache.js
c:\users\Sergeant Major\AppData\Roaming\Mozilla\Firefox\Profiles\03oipv5l.default\extensions\{dc09e78d-c4e5-46fe-9d8b-948037d1d16e}\install.rdf
D:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 01:50 . 2010-04-29 01:51 -------- d-----w- c:\users\Sergeant Major\AppData\Local\temp
2010-04-24 00:36 . 2010-04-24 00:36 680 ----a-w- c:\users\Sergeant Major\AppData\Local\d3d9caps.dat
2010-04-22 21:25 . 2010-01-05 22:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-22 21:25 . 2010-01-05 22:04 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-04-22 21:25 . 2010-01-05 22:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-22 21:25 . 2010-01-05 22:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-22 21:25 . 2010-01-05 22:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-22 21:25 . 2010-01-05 22:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-22 21:25 . 2010-01-05 22:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-22 21:25 . 2010-01-05 22:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-22 21:24 . 2010-03-10 16:40 985288 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\1\msc\mcappcfg.exe
2010-04-22 21:24 . 2010-03-10 16:40 266336 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\1\msc\mcutil.dll
2010-04-22 21:24 . 2010-03-10 16:21 822048 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\1\msc\McInst.exe
2010-04-22 21:24 . 2010-03-10 16:40 985288 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\Download_Files\vso\mcappcfg.exe
2010-04-22 21:24 . 2010-03-10 16:40 266336 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\Download_Files\vso\mcutil.dll
2010-04-22 21:24 . 2010-03-10 16:21 822048 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\Download_Files\vso\McInst.exe
2010-04-22 21:24 . 2010-03-10 16:40 985288 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\Download_Files\msc\mcappcfg.exe
2010-04-22 21:24 . 2010-03-10 16:40 266336 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\Download_Files\msc\mcutil.dll
2010-04-22 21:24 . 2010-03-10 16:21 822048 ----a-w- c:\programdata\McAfee\MSC\Updates\Installs\Download_Files\msc\McInst.exe
2010-04-22 00:22 . 2010-04-22 00:22 52224 ----a-w- c:\users\Sergeant Major\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-22 00:22 . 2010-04-22 00:22 117760 ----a-w- c:\users\Sergeant Major\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-21 03:55 . 2010-04-21 03:55 -------- d-----w- C:\inetpub
2010-04-20 11:46 . 2010-04-20 11:46 3584 ----a-r- c:\users\Sergeant Major\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-20 11:45 . 2010-04-20 11:46 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-19 17:13 . 2010-04-19 17:13 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-19 16:37 . 2010-04-19 16:37 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-04-19 02:55 . 2010-04-23 20:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-19 01:31 . 2010-04-19 01:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-19 01:31 . 2010-04-23 20:29 -------- d-----w- c:\users\Sergeant Major\AppData\Roaming\SUPERAntiSpyware.com
2010-04-19 01:04 . 2010-04-19 01:04 -------- d-----w- c:\users\Sergeant Major\AppData\Roaming\Malwarebytes
2010-04-19 01:00 . 2010-04-19 01:00 -------- d-----w- c:\programdata\Malwarebytes
2010-04-19 00:09 . 2010-04-19 00:09 -------- d-----w- c:\users\Sergeant Major\AppData\Local\Netscape
2010-04-18 23:35 . 2010-04-18 23:34 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-18 23:08 . 2010-04-18 23:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-18 22:58 . 2010-04-18 23:00 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-18 22:55 . 2010-04-18 23:20 -------- d-----w- c:\program files\QuickTime
2010-04-18 22:53 . 2010-04-18 22:53 -------- d-----w- c:\program files\Apple Software Update
2010-04-16 18:53 . 2010-04-16 18:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-16 18:36 . 2010-04-16 18:38 -------- d-----w- c:\users\Sergeant Major\AppData\Local\Tific
2010-04-16 18:35 . 2010-04-16 18:35 -------- d-----w- c:\users\Sergeant Major\AppData\Roaming\Tific
2010-04-16 18:34 . 2010-04-16 18:34 -------- d-----w- c:\programdata\NortonInstaller
2010-04-14 19:45 . 2010-04-15 12:00 -------- d-sh--w- c:\programdata\SysWoW32
2010-04-14 19:45 . 2010-04-14 19:45 203776 --sh--w- c:\programdata\unrar.exe
2010-04-14 18:58 . 2010-04-14 18:58 0 ----a-w- c:\users\Sergeant Major\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-04-14 18:47 . 2010-04-14 19:59 -------- d-----w- c:\users\Sergeant Major\AppData\Roaming\FrostWire
2010-04-14 16:28 . 2010-04-14 16:28 -------- d-----w- c:\users\Sergeant Major\AppData\Local\Ares
2010-04-14 15:30 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 15:30 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 15:30 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 15:30 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 15:30 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 15:30 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 15:30 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 15:30 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 15:30 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 15:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 15:29 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-03-31 21:16 . 2010-03-31 21:16 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-30 19:55 . 2010-03-30 19:56 20846064 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.11\rp\RealPlayerSPGold.exe
2010-03-30 19:55 . 2010-03-30 19:55 79368 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.11\RUP\vista.exe
2010-03-30 19:55 . 2010-03-30 19:55 64000 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gcapi_dll.dll
2010-03-30 19:55 . 2010-03-30 19:55 52288 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gtapi.dll
2010-03-30 19:55 . 2010-03-30 19:55 50688 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\fftbapi.dll
2010-03-30 19:55 . 2010-03-30 19:55 49152 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\CarboniteCompatibility.dll
2010-03-30 19:55 . 2010-03-30 19:55 118784 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\compat.dll
2010-03-30 11:55 . 2010-04-22 11:56 439816 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.11\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 05:24 . 2009-08-05 14:31 -------- d-----w- c:\program files\McAfee.com
2010-04-26 05:24 . 2009-08-05 14:31 -------- d-----w- c:\program files\McAfee
2010-04-23 20:29 . 2007-07-05 18:15 -------- d-----w- c:\programdata\Lavasoft
2010-04-23 20:29 . 2007-01-25 19:36 -------- d-----w- c:\programdata\McAfee
2010-04-23 20:29 . 2009-08-05 14:31 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-23 20:29 . 2007-09-17 13:49 -------- d-----w- c:\program files\Common Files\Apple
2010-04-21 14:34 . 2007-08-09 13:11 -------- d-----w- c:\programdata\Apple Computer
2010-04-21 14:33 . 2010-03-06 04:09 -------- d-----w- c:\program files\iPod
2010-04-20 11:45 . 2008-05-14 23:40 -------- d-----w- c:\program files\MSECache
2010-04-20 02:04 . 2007-09-17 13:52 -------- d-----w- c:\users\Sergeant Major\AppData\Roaming\Apple Computer
2010-04-19 00:11 . 2007-04-13 15:25 -------- d-----w- c:\program files\Netscape
2010-04-19 00:09 . 2007-04-10 16:24 -------- d-----w- c:\users\Sergeant Major\AppData\Roaming\Netscape
2010-04-18 23:58 . 2007-11-26 14:03 -------- d-----w- c:\programdata\WebEx
2010-04-18 23:35 . 2009-04-06 17:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-18 23:34 . 2009-04-06 17:24 38784 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-18 23:31 . 2007-01-25 19:32 -------- d-----w- c:\program files\Java
2010-04-18 23:31 . 2007-01-25 19:32 -------- d-----w- c:\program files\Common Files\Java
2010-04-18 23:00 . 2010-03-06 04:09 -------- d-----w- c:\program files\iTunes
2010-04-18 20:59 . 2009-10-28 19:17 -------- d-----w- c:\users\Sergeant Major\AppData\Roaming\Registry Mechanic
2010-04-18 12:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-18 12:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-04-18 12:58 . 2007-01-25 19:30 -------- d-----w- c:\program files\Google
2010-04-16 18:51 . 2004-05-12 20:34 -------- d-----w- c:\programdata\Symantec
2010-04-14 16:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 15:07 . 2007-01-25 19:29 -------- d-----w- c:\program files\Microsoft Works
2010-04-11 18:21 . 2009-01-10 23:13 1588 ----a-w- c:\users\Sergeant Major\AppData\Roaming\wklnhst.dat
2010-03-26 05:48 . 2010-03-26 05:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-22 11:10 . 2010-03-22 11:10 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-22 11:10 . 2010-03-22 11:10 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-22 11:10 . 2010-03-22 11:10 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-22 11:10 . 2010-03-22 11:10 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-22 11:10 . 2010-03-22 11:10 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-22 11:10 . 2010-03-22 11:10 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-22 11:10 . 2010-03-22 11:10 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-22 11:10 . 2010-03-22 11:10 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-22 11:10 . 2010-03-22 11:10 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-22 11:09 . 2008-03-18 23:48 -------- d-----w- c:\program files\Common Files\Real
2010-03-22 11:09 . 2007-04-19 20:35 -------- d-----w- c:\program files\real
2010-03-22 11:09 . 2010-03-22 11:09 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-10 15:38 . 2010-03-10 15:38 439816 ----a-w- c:\users\Sergeant Major\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-06 04:03 . 2010-03-06 04:03 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-24 16:47 . 2007-04-09 21:34 71712 ----a-w- c:\users\Sergeant Major\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2010-01-03 17:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 11:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 11:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 11:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 11:33 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 01:38 . 2010-02-22 01:38 102 ----a-w- c:\users\Sergeant Major\AppData\Local\fusioncache.dat
2010-02-20 23:06 . 2010-03-10 21:44 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 21:44 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 21:44 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-05 22:04 . 2010-04-22 21:25 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2009-10-14 292824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-22 202256]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2009-10-14 104408]
"ShowWnd"="ShowWnd.exe" [2005-01-27 36864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"ModPS2"="ModPS2Key.exe" [2006-11-07 53248]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"CHotkey"="zHotkey.exe" [2006-11-07 547840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintUtil]
2007-11-26 17:08 651264 ----a-w- c:\program files\HP\HP Print Utility\PrintUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):ac,8c,a6,eb,9c,33,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1503100673-2415758853-3373541529-1001]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1503100673-2415758853-3373541529-500]
"EnableNotificationsRef"=dword:00000002

R1 SASDIFSV;SASDIFSV; [x]
R1 SASKUTIL;SASKUTIL; [x]
R2 0301931271954769mcinstcleanup;McAfee Application Installer Cleanup (0301931271954769);c:\windows\TEMP\030193~1.EXE [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]
R2 McMPFSvc;McAfee Personal Firewall;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2009-12-15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2009-12-15 271480]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-01-05 141792]
R2 PPSCAN;PPSCAN; [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-01-05 83496]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 SASENUM;SASENUM; [x]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-01-05 160720]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-28 28672]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-03-11 632792]
S2 PPCLASS;PPCLASS; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-01-25 5504]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-01-05 312584]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 22:43]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 22:43]

2010-04-29 c:\windows\Tasks\User_Feed_Synchronization-{B0CDF7D1-02D6-4709-A110-22CBF88EED65}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: army.mil\eportal.ctnosc
Trusted Zone: army.mil\fportal.ctnosc
Trusted Zone: army.mil\fsso.ctnosc
Trusted Zone: army.mil\help.us
FF - ProfilePath - c:\users\Sergeant Major\AppData\Roaming\Mozilla\Firefox\Profiles\03oipv5l.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\users\Sergeant Major\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Power2GoExpress - (no file)
HKU-Default-RunOnce-DelayShred - c:\program files\mcafee\mshr\ShrCL.EXE
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 21:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-28 21:56:20
ComboFix-quarantined-files.txt 2010-04-29 01:56

Pre-Run: 160,184,500,224 bytes free
Post-Run: 160,202,059,776 bytes free

- - End Of File - - D3D98A1A07599C4703E12D6FABE22ACA

Attached Files


Edited by Blade Zephon, 29 April 2010 - 01:02 AM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!


#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:20 PM

Posted 30 April 2010 - 08:26 AM

Hello digger102

Sorry for the delay; exams are this week >.<

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1503100673-2415758853-3373541529-1001]
"EnableNotificationsRef"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1503100673-2415758853-3373541529-500]
"EnableNotificationsRef"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log
How is the computer running now?


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 digger102

digger102
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 30 April 2010 - 12:39 PM

Here's the new combofix.txt you wanted. The computer is still not well. Mozilla Firefox would not open. Windows Live Mail opened, but would not connect to the server. Combofix left a window named "Administrator" on the desktop which would not close even with Windows Task manager. The computer would not execute the shut down process and I finally just killed the power.

I will be off the net for about a week starting now; I will send you a PM when I'm back. Thanx -digger102


Attached Files


Edited by Blade Zephon, 12 May 2010 - 11:49 PM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!
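As a defender's triage aid, here is an added example (not code from this thread, from ComboFix, or from the helper): a Python parser for the "Files Created" lines of a ComboFix log like the one posted above. It flags entries carrying hidden or system attributes, executables under ProgramData or AppData, and Windows-looking names outside %windir%; the sample lines are copied from the log, and the lookalike-name set is a constructed illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the "Files Created" section of the
# ComboFix log posted in this thread (one McAfee driver and one plain
# directory are included for contrast; neither should be flagged).
SAMPLE_LINES = [
    r"2010-04-22 21:25 . 2010-01-05 22:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys",
    r"2010-04-21 03:55 . 2010-04-21 03:55 -------- d-----w- C:\inetpub",
    r"2010-04-14 19:45 . 2010-04-15 12:00 -------- d-sh--w- c:\programdata\SysWoW32",
    r"2010-04-14 19:45 . 2010-04-14 19:45 203776 --sh--w- c:\programdata\unrar.exe",
    r"2010-04-14 18:58 . 2010-04-14 18:58 0 ----a-w- c:\users\Sergeant Major\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# One "Files Created" line: created-stamp " . " modified-stamp, a size (or
# eight dashes for a directory), an eight-character attribute field, then the
# path, which may itself contain spaces.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Constructed, illustrative set of names that belong under %windir% and look
# suspicious anywhere else (the log above shows "SysWoW32" under ProgramData).
WINDOWS_LOOKALIKE_NAMES = {"syswow32", "syswow64", "system32", "svchost.exe"}

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")
USER_DATA_DIRS = ("\\programdata\\", "\\appdata\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "d-sh--w-"
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse every well-formed 'Files Created' line; skip headers and blanks."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def is_directory(e: Entry) -> bool:
    # ComboFix puts 'd' in the first attribute column for directories.
    return e.attrs.startswith("d")


def is_hidden(e: Entry) -> bool:
    return "h" in e.attrs


def is_system(e: Entry) -> bool:
    return "s" in e.attrs


def suspicious_reasons(e: Entry) -> List[str]:
    """Heuristic reasons an analyst would want to look at this entry."""
    low = e.path.lower()
    basename = low.rsplit("\\", 1)[-1]
    reasons = []
    if is_hidden(e):
        reasons.append("hidden attribute")
    if is_system(e):
        reasons.append("system attribute")
    if low.endswith(EXECUTABLE_SUFFIXES) and any(d in low for d in USER_DATA_DIRS):
        reasons.append("executable in a user-writable data directory")
    if basename in WINDOWS_LOOKALIKE_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append("Windows system name outside %windir%")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every flagged entry, in log order."""
    flagged = []
    for e in parse_files_created(text):
        reasons = suspicious_reasons(e)
        if reasons:
            flagged.append((e.path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}\n    " + "; ".join(reasons))
```

Against the sample, the hidden+system ProgramData\SysWoW32 directory and unrar.exe are flagged, as is the zero-byte .exe under AppData\Roaming, while the McAfee driver and C:\inetpub pass through.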


#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:20 PM

Posted 13 May 2010 - 12:39 AM

Hello digger102.

Sorry for the delay. . . I mistakenly overlooked your first PM

We need to take a look at the machine's state from outside of Windows. We will do this using a special CD.

You will need a clean computer to create this disc...

Print these instructions out so that you know what you are doing

On a clean computer:


First
    Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.
Second
On the infected computer
  • Boot the non-working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.
~Blade


In your next reply, please include the following:
OTL.txt

Edited by Blade Zephon, 13 May 2010 - 12:40 AM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 digger102

digger102
  • Topic Starter

  • Members
  • 12 posts
  • Local time:06:20 PM

Posted 13 May 2010 - 07:31 PM

I downloaded and burned the ISO disk, booted the infected computer, got the REATOGO-X-PE desktop and when I double clicked on OTLPE, a window labeled "Browse For Folder" opened and in the window it said "Choose Windows Directory" and showed me "my computer" with the following drives listed: Ramdisk (B:), Removable Drives C:, D:, E:, F:, G:, and ReatogoPE X:. There is no windows dir. on any of those and none of them appear to be the hard drive of the infected computer. If I try to choose one of them, I get a run scanner error which says "Target is not windows 2000 or later". This boot disk does not seem to recognize my hard drive. -digger102

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:20 PM

Posted 14 May 2010 - 12:53 AM

Hello digger102.

It is possible that the disk did not burn correctly. Could you try burning a new copy? If you receive the same results. . . let me know please.

~Blade



#11 digger102

digger102
  • Topic Starter

  • Members
  • 12 posts
  • Local time:06:20 PM

Posted 14 May 2010 - 09:33 AM

New download, New burn, Same results. Could it be that the OTLPE scanner does not recognize Windows VISTA as an operating system? -digger102

#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:20 PM

Posted 16 May 2010 - 02:38 AM

Hello digger102.

Could you please try the disc on another machine? No need to post the log from the other machine. . . just let me know if you're able to or not.



#13 digger102

digger102
  • Topic Starter

  • Members
  • 12 posts
  • Local time:06:20 PM

Posted 16 May 2010 - 11:53 AM

I used the disk on this computer and it worked correctly. I have the hard drive on this computer partitioned with Windows XP on 1/2 and Linux Ubuntu on the other half. On the REATOGO Desktop I opened "my computer" which showed only the Windows XP partition. I think we need to see if there is a REATOGO for Windows VISTA Home Premium SP2. -digger102

#14 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:06:20 PM

Posted 18 May 2010 - 12:27 AM

Hi digger102.

OTLPE is fully compatible with HDDs having Vista on them, as it is not reliant on the OS to work. Thus it wouldn't be an issue with this sort of thing. I'm going to speak with the developer to see if he can shed some light on the issue.

In the meantime, let us use an alternative boot disk and see if we have better results.

*** Please print these instructions ***
  1. Download Hiren's BootCD Iso to the desktop of a clean computer.
  2. Extract the zipped HirensBootCD.zip to your desktop.
  3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  5. Insert a blank CD in your drive.
  6. Press Start. This will burn the image to disc. After it has completed...
  7. Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
      • The tab should now show your current boot order.
      • If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  8. When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
  9. You will be able to access your sick drive and save files/folders from here.
  10. Create an ethernet (wired) Internet Connection
    • Double click the Network Support icon on the HBCD desktop
    • A computer screen will appear in the lower right corner system tray
    • Double click HBCD Menu on your HBCD desktop
    • Choose Menu
    • Then Browsers
    • Then Opera
    • Success?
  11. You should now be connected to the internet.
  12. Navigate here to the forum and click this link.
  13. Download the program and save it to the desktop.
  14. Once saved, close all other windows then double click the program to run it.
  15. When completed, a log will open.
  16. Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!

  17. In addition you now have access to all your files and folders amongst many other utilities that we might need to use later.
  18. If you double click your Windows Explorer icon on your desktop you will be able to access your hard drive.

~Blade


In your next reply, please include the following:
DDS.txt



#15 digger102

digger102
  • Topic Starter

  • Members
  • 12 posts
  • Local time:06:20 PM

Posted 18 May 2010 - 04:38 PM

When I ran dds-bootcd.exe from the desktop, I got the following error message: "C:Windows\System32\regsvr32.exe is not a valid Win32 application". Each time I clicked on "OK" (the only choice) on the error window, the phrase "access is denied" showed up in the "C:\D.D.S." prompt window behind the error window. After four "OKs" and "Access is denied", the error box disappeared, but the program didn't run. I moved the exe file to the root directory (C:\) and tried again with the same result. The sick computer booted to the Mini Windows XP Desktop OK and I'm sending this from it. -digger102
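Two things in this thread lend themselves to a small offline check: the /md5start ... /md5stop section of the OTL script Blade posted in #8 (OTL hashes the named system files so that an analyst can compare them with a known-clean copy of the same Windows build), and the "is not a valid Win32 application" message in the post above, which is what the Windows loader reports when a file's executable header does not parse. The script below is an added example written for this thread; it is not OTL, ComboFix or DDS code. It assumes the sick drive is mounted offline (for instance from a boot CD or another OS) and that the files of interest live under the Windows directory's System32 or System32\drivers folders; the script excerpt and the sample "volume" it builds in a temporary directory are constructed for the demonstration.

```python
"""Offline integrity triage for a mounted Windows volume (added example).

Mirrors the idea of OTL's /md5start ... /md5stop block: hash the listed
system files so they can be compared against a known-clean machine, and
additionally report whether each file still has a well-formed PE header.
Not part of OTL/ComboFix/DDS; file layout and sample data are assumptions.
"""
import hashlib
import os
import struct
import tempfile

# Constructed excerpt of the OTL script posted in this thread; only the
# names between the two markers are hashed.
OTL_SCRIPT = """\
netsvcs
/md5start
userinit.exe
eventlog.dll
atapi.sys
/md5stop
CREATERESTOREPOINT
"""


def parse_md5_targets(script: str) -> list[str]:
    """Return the file names listed between /md5start and /md5stop."""
    targets, inside = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            targets.append(line)
    return targets


def is_valid_pe(path: str) -> bool:
    """True if the file starts with an 'MZ' DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature.  A file that fails this
    is the kind the loader rejects as 'not a valid Win32 application'."""
    with open(path, "rb") as fh:
        dos = fh.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\x00\x00"


def md5_of(path: str) -> str:
    """Hex MD5 of a file, read in chunks so large drivers do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(windows_root: str, targets: list[str]) -> dict[str, dict]:
    """Look for each target under System32 and System32\\drivers of an
    offline Windows directory and report its path, MD5 and PE validity.
    Missing files are reported with None so the gap is visible."""
    search_dirs = [os.path.join(windows_root, "System32"),
                   os.path.join(windows_root, "System32", "drivers")]
    report = {}
    for name in targets:
        for d in search_dirs:
            p = os.path.join(d, name)
            if os.path.isfile(p):
                report[name] = {"path": p, "md5": md5_of(p),
                                "valid_pe": is_valid_pe(p)}
                break
        else:
            report[name] = {"path": None, "md5": None, "valid_pe": None}
    return report


def build_demo_volume() -> str:
    """Constructed sample: a fake Windows directory holding one minimal but
    well-formed PE stub and one file whose header has been overwritten."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "System32")
    os.makedirs(os.path.join(sys32, "drivers"))
    stub = bytearray(0x44)                 # DOS header + PE signature only
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    with open(os.path.join(sys32, "userinit.exe"), "wb") as fh:
        fh.write(stub)
    with open(os.path.join(sys32, "eventlog.dll"), "wb") as fh:
        fh.write(b"not an executable at all")   # clobbered header
    return root


if __name__ == "__main__":
    demo = build_demo_volume()
    for name, info in triage(demo, parse_md5_targets(OTL_SCRIPT)).items():
        print(f"{name:14} md5={info['md5']} valid_pe={info['valid_pe']} "
              f"path={info['path']}")
```

Point it at the real mount (for example `triage(r"E:\Windows", parse_md5_targets(open("otl_script.txt").read()))`) and compare the MD5 column against the same files on a clean machine running the same Windows version and service pack; a hash mismatch or a `valid_pe=False` on a file Windows relies on at boot is what justifies the replace-from-clean-media step the helpers in this thread normally prescribe.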



