Solved Google redirect, AV & IE damage

OTLPE Quick Scan

OTL logfile created on: 10/18/2011 10:07:04 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.92 Gb Total Space | 113.35 Gb Free Space | 76.12% Space Free | Partition Type: NTFS
Drive D: | 1003.27 Mb Total Space | 1003.21 Mb Free Space | 99.99% Space Free | Partition Type: FAT32
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/10/13 17:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 17:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe -- (McShield)
SRV - [2010/10/13 17:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Auto] -- C:\WINDOWS\System32\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 15:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/11/17 07:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2009/01/23 05:46:14 | 000,203,280 | ---- | M] () [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2004/03/29 11:08:16 | 000,049,152 | ---- | M] () [Auto] -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe -- (Belkin Wireless USB Network Adapter Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (mfeavfk01)
DRV - File not found [Kernel | On_Demand] -- -- (MBAMSwissArmy)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (csmbrqkp)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/10/13 17:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 17:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 17:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 17:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/10/13 17:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 17:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/10/13 17:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 17:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/17 07:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/10/07 08:01:04 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2008/11/16 13:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/12/13 10:10:00 | 000,007,040 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Gonzales.sys -- (Gonzales)
DRV - [2005/11/28 16:55:46 | 000,012,160 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Bonifay.sys -- (Bonifay)
DRV - [2005/09/20 06:22:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2005/08/02 18:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2005/03/17 11:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/17 04:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?rd=1
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 74 E1 15 8A 27 CC 01 [binary data]
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/10/07 08:30:31 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/09/13 09:27:04 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110402175609.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\Russell_Dobash_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
O4 - HKU\Russell_Dobash_ON_C..\Run: [{059917AA-2371-A9CF-E2EB-599F7AF29392}] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe (Freecom)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Russell_Dobash_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1243236794562 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/10 07:30:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/18 00:07:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LocalService\Recent
[2011/10/17 20:22:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/10/17 20:22:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi
[2011/10/16 14:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Desktop\Graham
[2011/10/15 11:50:26 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
[2011/10/14 16:44:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/10/13 16:35:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\My Documents\My Videos
[2011/10/13 16:35:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Administrative Tools
[2011/10/13 13:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/13 13:11:28 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/10/13 13:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/10/10 07:12:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/10/08 11:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\PCHealth
[2011/10/03 08:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
[2011/09/28 08:41:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

========== Files - Modified Within 30 Days ==========

[2011/10/17 20:34:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/17 20:23:20 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2011/10/17 20:23:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/17 20:22:57 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/17 20:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/10/17 20:22:31 | 000,114,035 | --S- | M] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
[2011/10/17 17:02:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
[2011/10/17 16:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/17 12:08:04 | 000,002,311 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
[2011/10/17 12:07:47 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2011/10/17 06:02:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
[2011/10/15 05:41:56 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/10/14 05:56:03 | 000,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/14 05:56:03 | 000,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/13 13:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/13 13:09:53 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
[2011/10/08 05:53:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
[2011/10/03 08:39:20 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
[2011/10/03 08:06:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
[2011/09/28 09:45:42 | 003,052,387 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
[2011/09/28 08:41:43 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/09/28 08:35:19 | 000,327,348 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
[2011/09/28 08:27:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/27 10:13:48 | 000,077,521 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf

========== Files Created - No Company Name ==========

[2011/10/17 20:22:32 | 000,114,035 | --S- | C] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
[2011/10/17 12:07:47 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2011/10/13 13:09:51 | 000,001,475 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
[2011/10/08 05:53:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
[2011/10/03 08:36:43 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\R2D2- LIBRARY- ALL REFS 29Aug2011 Copy Copy Copy.enl
[2011/09/29 08:27:14 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\R2D2- all.refs Note7, aug29.enl
[2011/09/29 05:48:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
[2011/09/28 09:45:42 | 003,052,387 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
[2011/09/28 08:41:43 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/09/28 08:35:19 | 000,327,348 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
[2011/09/27 10:13:48 | 000,077,521 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
[2011/07/17 14:48:30 | 000,001,052 | R--- | C] () -- \reatogoMenu.ini
[2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP.SP2
[2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP
[2010/03/09 09:26:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/11/17 07:08:34 | 000,197,424 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2009/11/17 07:07:44 | 000,193,328 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/09/05 09:54:59 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\fusioncache.dat
[2007/06/25 09:23:50 | 000,000,462 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2007/06/25 09:23:39 | 000,001,359 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2007/06/25 09:19:34 | 000,093,585 | ---- | C] () -- C:\WINDOWS\hppins03.dat
[2007/06/25 09:19:34 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat
[2007/06/25 06:08:57 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DLL
[2007/06/25 06:08:57 | 000,000,526 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DAT
[2007/06/23 06:15:56 | 000,000,074 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2007/06/23 06:10:16 | 000,093,474 | ---- | C] () -- C:\WINDOWS\hppins03.dat.temp
[2007/06/23 06:10:16 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat.temp
[2007/03/16 10:33:58 | 000,000,072 | ---- | C] () -- C:\WINDOWS\hdkctnts.ini
[2006/12/02 06:52:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
[2006/09/20 08:38:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\B11gUSB.dll
[2006/09/20 08:38:44 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/08/28 09:04:31 | 000,000,473 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2006/08/28 09:04:31 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2006/08/24 07:15:21 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/07/10 08:11:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/07/10 08:10:48 | 000,307,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/07/10 07:42:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/10 07:32:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/10 07:27:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/03/24 07:06:41 | 000,000,053 | R--- | C] () -- \AUTORUN.INF
[2005/07/16 17:36:50 | 000,240,128 | R--- | C] () -- \reatogoMenu.exe
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,383,254 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,053,608 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 11:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2011/10/05 12:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2011/10/03 08:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\EndNote
[2007/11/28 13:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Leadertech
[2010/09/20 08:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\MSNInstaller
[2009/12/21 13:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Tatara Systems
[2009/12/21 12:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
[2010/03/09 09:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
[2010/03/09 09:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPSS

========== Purity Check ==========


< End of report >
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
DRV - File not found [Kernel | System] -- -- (csmbrqkp)
O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
O4 - HKU\Russell_Dobash_ON_C..\Run: [{059917AA-2371-A9CF-E2EB-599F7AF29392}] File not found
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
[2011/10/17 20:22:31 | 000,114,035 | --S- | M] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe


:Services

:Reg

:Files
C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi
C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe


:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive.


On the infected computer, do the following:

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into Windows.
 
OTLPE Fix Log

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\csmbrqkp deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\LmlLhkfv deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe moved successfully.
Registry value HKEY_USERS\Russell_Dobash_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\{059917AA-2371-A9CF-E2EB-599F7AF29392} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{059917AA-2371-A9CF-E2EB-599F7AF29392}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe deleted successfully.
File C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe not found.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi folder moved successfully.
File\Folder C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe not found.
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 10182011_214908
 
Once rebooted normally I took a look at the Winlogon registry key. It once again has the lmllhkfv.exe tagged on.

Can I check I have carried out the process correctly?

a) run the fix on OTLPE
b) reboot normally

or was I meant to reboot into OTLPE first?

I'm out now for a couple of hours but should be able to follow instructions later tonight, thanks.
 
OTLPE Quick Scan log

OTL logfile created on: 10/19/2011 2:02:30 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.92 Gb Total Space | 113.34 Gb Free Space | 76.11% Space Free | Partition Type: NTFS
Drive D: | 1003.27 Mb Total Space | 1003.26 Mb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/10/13 17:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 17:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe -- (McShield)
SRV - [2010/10/13 17:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Auto] -- C:\WINDOWS\System32\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 15:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 05:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/11/17 07:07:46 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2009/01/23 05:46:14 | 000,203,280 | ---- | M] () [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2004/03/29 11:08:16 | 000,049,152 | ---- | M] () [Auto] -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe -- (Belkin Wireless USB Network Adapter Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (mfeavfk01)
DRV - File not found [Kernel | On_Demand] -- -- (MBAMSwissArmy)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/10/13 17:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 17:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 17:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 17:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/10/13 17:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/10/13 17:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 17:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/10/13 17:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 17:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/17 07:07:06 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/10/07 08:01:04 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2008/11/16 13:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/12/13 10:10:00 | 000,007,040 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Gonzales.sys -- (Gonzales)
DRV - [2005/11/28 16:55:46 | 000,012,160 | ---- | M] (Freecom) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Bonifay.sys -- (Bonifay)
DRV - [2005/09/20 06:22:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2005/08/02 18:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2005/03/17 11:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/17 04:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?rd=1
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 74 E1 15 8A 27 CC 01 [binary data]
IE - HKU\Russell_Dobash_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/10/07 08:30:31 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/09/13 09:27:04 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110402175609.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\Russell_Dobash_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe (Freecom)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Russell_Dobash_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1243236794562 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/10 07:30:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/18 16:59:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/10/18 16:59:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi
[2011/10/18 00:07:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LocalService\Recent
[2011/10/16 14:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Desktop\Graham
[2011/10/15 11:50:26 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
[2011/10/14 16:44:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/10/13 16:35:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\My Documents\My Videos
[2011/10/13 16:35:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Russell Dobash\Start Menu\Programs\Administrative Tools
[2011/10/13 13:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/13 13:11:28 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/10/13 13:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/10/10 07:12:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/10/08 11:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\PCHealth
[2011/10/03 08:06:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
[2011/09/28 08:41:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

========== Files - Modified Within 30 Days ==========

[2011/10/18 17:10:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/18 17:02:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
[2011/10/18 17:00:18 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2011/10/18 17:00:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/18 17:00:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/18 16:59:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/10/18 16:59:32 | 000,114,035 | --S- | M] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
[2011/10/17 16:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/17 12:08:04 | 000,002,311 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
[2011/10/17 12:07:47 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2011/10/17 06:02:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
[2011/10/15 05:41:56 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/10/14 05:56:03 | 000,383,254 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/14 05:56:03 | 000,053,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/13 13:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/13 13:09:53 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
[2011/10/08 05:53:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
[2011/10/03 08:39:20 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
[2011/10/03 08:06:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\EndNote
[2011/09/28 09:45:42 | 003,052,387 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
[2011/09/28 08:41:43 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/09/28 08:35:19 | 000,327,348 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
[2011/09/28 08:27:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/27 10:13:48 | 000,077,521 | ---- | M] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf

========== Files Created - No Company Name ==========

[2011/10/18 16:59:33 | 000,114,035 | --S- | C] () -- C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
[2011/10/17 12:07:47 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2011/10/13 13:09:51 | 000,001,475 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Windows Explorer.lnk
[2011/10/08 05:53:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\{1B656103-8EBE-4A37-9FFD-96C2B7FC51F5}
[2011/10/03 08:36:43 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\R2D2- LIBRARY- ALL REFS 29Aug2011 Copy Copy Copy.enl
[2011/09/29 08:27:14 | 000,029,076 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\R2D2- all.refs Note7, aug29.enl
[2011/09/29 05:48:03 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Test.2 Endnote R2D2.enl
[2011/09/28 09:45:42 | 003,052,387 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\My Documents\Interval International.pdf
[2011/09/28 08:41:43 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/09/28 08:35:19 | 000,327,348 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\Become a Contestant America's Outstanding Mom-Grethen Pope.mht
[2011/09/27 10:13:48 | 000,077,521 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Desktop\2004Murder in Florida.pdf
[2011/07/17 14:48:30 | 000,001,052 | R--- | C] () -- \reatogoMenu.ini
[2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP.SP2
[2011/07/17 14:43:36 | 000,000,000 | R--- | C] () -- \WIN51IP
[2010/03/09 09:26:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/11/17 07:08:34 | 000,197,424 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2009/11/17 07:07:44 | 000,193,328 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/09/05 09:54:59 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\fusioncache.dat
[2007/06/25 09:23:50 | 000,000,462 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2007/06/25 09:23:39 | 000,001,359 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2007/06/25 09:19:34 | 000,093,585 | ---- | C] () -- C:\WINDOWS\hppins03.dat
[2007/06/25 09:19:34 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat
[2007/06/25 06:08:57 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DLL
[2007/06/25 06:08:57 | 000,000,526 | R--- | C] () -- C:\WINDOWS\System32\hppapr02.DAT
[2007/06/23 06:15:56 | 000,000,074 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2007/06/23 06:10:16 | 000,093,474 | ---- | C] () -- C:\WINDOWS\hppins03.dat.temp
[2007/06/23 06:10:16 | 000,001,822 | ---- | C] () -- C:\WINDOWS\hppmdl03.dat.temp
[2007/03/16 10:33:58 | 000,000,072 | ---- | C] () -- C:\WINDOWS\hdkctnts.ini
[2006/12/02 06:52:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nsprs.dll
[2006/09/20 08:38:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\B11gUSB.dll
[2006/09/20 08:38:44 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/08/28 09:04:31 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/08/28 09:04:31 | 000,000,473 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2006/08/28 09:04:31 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2006/08/24 07:15:21 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Russell Dobash\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/07/10 08:11:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/07/10 08:10:48 | 000,307,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/07/10 07:42:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/10 07:32:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/10 07:27:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/03/24 07:06:41 | 000,000,053 | R--- | C] () -- \AUTORUN.INF
[2005/07/16 17:36:50 | 000,240,128 | R--- | C] () -- \reatogoMenu.exe
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,383,254 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,053,608 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 11:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2011/10/05 12:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2011/10/03 08:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\EndNote
[2007/11/28 13:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Leadertech
[2010/09/20 08:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\MSNInstaller
[2009/12/21 13:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Russell Dobash\Application Data\Tatara Systems
[2009/12/21 12:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\O2CM-CE
[2010/03/09 09:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
[2010/03/09 09:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SPSS

========== Purity Check ==========


< End of report >
 
Boot back to the OTLPE CD.
Plug in the USB stick where you have the Combofix file saved.

While on the REATOGO-X-PE desktop, use "My Computer" to copy the Combofix file to some known location, such as the root directory C:\

Restart the computer normally and see if you can access and run Combofix.
 
ComboFix

It has started running, displaying a blue command prompt window; the latest line reads:
"Attempting to create new System Restore Point"

On top of this, a Windows message has appeared:
"Windows cannot find Nirkmd."
Should I click OK to this?

There has been no change for several minutes.
 
ComboFix log

ComboFix 11-10-18.04 - Russell Dobash 10/19/2011 4:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1679 [GMT 1:00]
Running from: C:\ComboFix.exe
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LocalService\Local Settings\Application Data\bvdbobao.log
c:\documents and settings\LocalService\Local Settings\Application Data\fkvqtkwm.log
c:\documents and settings\LocalService\Local Settings\Application Data\nesqejrr.log
c:\documents and settings\LocalService\Local Settings\Application Data\obigcqqa.log
c:\documents and settings\LocalService\Local Settings\Application Data\rwgxkfbp.log
c:\documents and settings\LocalService\Local Settings\Application Data\ydmeccsi.log
c:\documents and settings\Russell Dobash\Local Settings\Application Data\bvdbobao.log
c:\documents and settings\Russell Dobash\Local Settings\Application Data\fkvqtkwm.log
c:\documents and settings\Russell Dobash\Local Settings\Application Data\mnldimku.log
c:\documents and settings\Russell Dobash\Local Settings\Application Data\nesqejrr.log
c:\documents and settings\Russell Dobash\Local Settings\Application Data\obigcqqa.log
c:\documents and settings\Russell Dobash\Local Settings\Application Data\rwgxkfbp.log
c:\documents and settings\Russell Dobash\Local Settings\Application Data\ydmeccsi.log
c:\documents and settings\Russell Dobash\WINDOWS
c:\program files\Common Files\Uninstall
c:\program files\PAV
c:\windows\system32\d3d9caps.dat
c:\windows\system32\lsprst7.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
.
.
2011-10-18 20:59 . 2011-10-19 03:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
2011-09-28 12:41 . 2011-09-28 12:41 -------- d-----w- c:\windows\system32\MpEngineStore
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
.
c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
- c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
- c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-LmlLhkfv - c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
AddRemove-EndNote - c:\progra~1\ENDNOT~2\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-19 04:15
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2520)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-10-19 04:27:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-19 03:26
.
Pre-Run: 121,508,352,000 bytes free
Post-Run: 121,815,048,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8D47F9A2204DF8A2D05E4C26F5FF0D93
 
Good job :)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
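The two persistence points the logs above show (the extra entry appended to the Winlogon Userinit value, and an unsigned Run entry under the LocalService profile) are easy to miss by eye in a long OTL or ComboFix report. The following is an added Python example, not code from this thread or from OTL/ComboFix, that flags both patterns in log lines; the sample lines are constructed after the entries above, and the line-layout regexes are my own assumptions about the OTL and ComboFix output formats.

```python
import re

# Legitimate Windows XP Userinit loader; any additional comma-separated entry is suspect.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Service-account profiles that should never host user-land autostart binaries.
SERVICE_PROFILES = ("localservice", "networkservice", "systemprofile")

# Assumed OTL "O4" Run-key layout: O4 - <hive>..\Run: [<name>] <path> (<company>)
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*?) \((?P<company>[^)]*)\)\s*$"
)
# Assumed OTL "O20" Winlogon layout: O20 - HKLM Winlogon: <value> - (<data>) - <path> (<company>)
O20_RE = re.compile(
    r"^O20 - HKLM Winlogon: (?P<value>\w+) - \((?P<data>[^)]*)\) - (?P<path>.*?) \((?P<company>[^)]*)\)\s*$"
)
# ComboFix "Reg Loading Points" Userinit line in REGEDIT4 syntax.
CF_USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>.*)"\s*$', re.IGNORECASE)

# Constructed sample lines modelled on the OTL and ComboFix entries in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)",
    r"O4 - HKU\.DEFAULT..\Run: [LmlLhkfv] C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()",
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe) - C:\Documents and Settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe ()",
    r'"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"',
    r'"Userinit"="c:\windows\system32\userinit.exe,"',
]


def userinit_extras(value):
    """Return every Userinit entry other than the legitimate loader, lower-cased.

    Winlogon runs each comma-separated entry, so a second path here starts at
    every logon before any Run key is processed.
    """
    parts = [p.strip().strip('"').lower() for p in value.split(",")]
    return [p for p in parts if p and p != EXPECTED_USERINIT]


def in_service_profile(path):
    """True when a path lives under a service account's profile (LocalService etc.)."""
    low = path.lower().replace("/", "\\")
    return any("\\" + name + "\\" in low for name in SERVICE_PROFILES)


def scan_lines(lines):
    """Walk OTL/ComboFix log lines and return (kind, where, path) findings."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            # Empty company field plus a service-profile path: the pattern of the
            # LmlLhkfv entry in this thread's OTL log.
            if not m.group("company").strip() and in_service_profile(m.group("path")):
                findings.append(("run-key", m.group("hive") + " " + m.group("name"), m.group("path")))
            continue
        m = O20_RE.match(line)
        if m and m.group("value").lower() == "userinit":
            for extra in userinit_extras(m.group("data")):
                findings.append(("userinit", "OTL O20", extra))
            continue
        m = CF_USERINIT_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(("userinit", "ComboFix Reg Loading Points", extra))
    return findings


if __name__ == "__main__":
    for kind, where, path in scan_lines(SAMPLE_LINES):
        print(f"[{kind}] {where}: {path}")
```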
 
Left combofix.exe on C:\ and dragged cfscript.txt to it from USB drive.
Windows message: "Windows cannot access the specified device, path, file"

Tried putting cfscript.txt on C:\ and dragging to combofix. Same result.

I still have no access to McAfee. If it is this that is causing the problem I am very happy to get rid of it and use one of the free ones.
 
Let's run the following tool. This will help determine which files need permissions restored.

Please download and save Junction.zip

Unzip it and place Junction.exe in the Windows directory (C:\Windows).
Go to Start>Run (Vista and Windows 7 users use "Start search" box).
Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system.
Wait until a log file opens.
Copy and paste the log in your next reply.
 
Junction Output

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Qoobox\BackEnv\AppData.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Cache.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Cookies.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Desktop.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Favorites.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\History.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\LocalAppData.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\LocalSettings.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Music.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\NetHood.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Personal.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Pictures.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\PrintHood.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Profiles.Folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Programs.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Recent.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\SendTo.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\SetPath.bat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\StartMenu.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\StartUp.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\SysPath.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Templates.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\VikPev00: Access is denied.
Failed to open \\?\c:\\System Volume Information\1590912drv.isw: Access is denied.
Failed to open \\?\c:\\System Volume Information\7234949drv.isw: Access is denied.
Failed to open \\?\c:\\System Volume Information\mdllog.dat: Access is denied.
...

No reparse points found.
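The step the helper performs between this Junction log and the GrantPerms list that follows (picking out every path that failed with "Access is denied" and dropping the `\\?\` prefix) can be scripted. The Python below is an added example, not code from the thread or from the Junction tool; the sample log is constructed from a few lines of the output above and deliberately includes the pagefile.sys sharing violation, which is not a permissions problem and must not end up in the list.

```python
from __future__ import annotations
import re

# Constructed sample in the format of the Junction output posted above: progress dots,
# a sharing violation on pagefile.sys (not a permissions problem) and "Access is denied"
# entries; the paths are ones from the posted log.
SAMPLE_JUNCTION_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
...
Failed to open \\?\c:\\Qoobox\BackEnv\AppData.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\SetPath.bat: Access is denied.
Failed to open \\?\c:\\System Volume Information\mdllog.dat: Access is denied.
...
No reparse points found.
"""

# "Failed to open <path>: <reason>." -- the first ": " ends the path, because a Windows
# path only carries a colon right after the drive letter, where a backslash follows.
FAILED_RE = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>.+?)\.?$")
EXTENDED_PREFIX = "\\\\?\\"   # the extended-length prefix junction prints in front of each path


def parse_failures(log: str) -> list[tuple[str, str]]:
    """Return (path, reason) for every 'Failed to open' line, in log order."""
    failures = []
    for line in log.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            failures.append((m["path"], m["reason"]))
    return failures


def denied_paths(log: str) -> list[str]:
    """Only the ACL failures; a sharing violation (pagefile.sys) is not a permissions problem."""
    return [path for path, reason in parse_failures(log) if reason.startswith("Access is denied")]


def grantperms_list(log: str) -> list[str]:
    """Drop the extended-length prefix so each path can be pasted into GrantPerms as the helper did."""
    return [p[len(EXTENDED_PREFIX):] if p.startswith(EXTENDED_PREFIX) else p
            for p in denied_paths(log)]


def found_reparse_points(log: str) -> bool:
    """junction -s ends with 'No reparse points found.' when nothing on the volume redirects access."""
    return "No reparse points found." not in log


if __name__ == "__main__":
    for path in grantperms_list(SAMPLE_JUNCTION_LOG):
        print(path)
```

Run against the full log above, `grantperms_list` yields exactly the set of paths the helper pastes into GrantPerms in the next post; `found_reparse_points` separates the "no junctions" outcome here from the case where a junction or symlink is what is actually redirecting access.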
 
Please download GrantPerms.zip and save it to your desktop.
Unzip the file and, depending on the system, run GrantPerms.exe (32-bit system) or GrantPerms64.exe (64-bit system).
Copy and paste the following in the edit box:

Code:
c:\\System Volume Information\mdllog.dat
c:\\System Volume Information\7234949drv.isw
c:\\System Volume Information\1590912drv.isw
c:\\Qoobox\BackEnv\VikPev00
c:\\Qoobox\BackEnv\Templates.folder.dat
c:\\Qoobox\BackEnv\SysPath.dat
c:\\Qoobox\BackEnv\StartUp.folder.dat
c:\\Qoobox\BackEnv\StartMenu.folder.dat
c:\\Qoobox\BackEnv\SetPath.bat
c:\\Qoobox\BackEnv\SendTo.folder.dat
c:\\Qoobox\BackEnv\Recent.folder.dat
c:\\Qoobox\BackEnv\Programs.folder.dat
c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat
c:\\Qoobox\BackEnv\Profiles.Folder.dat
c:\\Qoobox\BackEnv\PrintHood.folder.dat
c:\\Qoobox\BackEnv\Pictures.folder.dat
c:\\Qoobox\BackEnv\Personal.folder.dat
c:\\Qoobox\BackEnv\NetHood.folder.dat
c:\\Qoobox\BackEnv\Music.folder.dat
c:\\Qoobox\BackEnv\LocalSettings.folder.dat
c:\\Qoobox\BackEnv\LocalAppData.folder.dat
c:\\Qoobox\BackEnv\History.folder.dat
c:\\Qoobox\BackEnv\Favorites.folder.dat
c:\\Qoobox\BackEnv\Desktop.folder.dat
c:\\Qoobox\BackEnv\Cookies.folder.dat
c:\\Qoobox\BackEnv\Cache.folder.dat
c:\\Qoobox\BackEnv\AppData.folder.dat

Click Unlock. When it is done click "OK".
Click List Permissions and post the contents of the Perms.txt file that pops up.
A copy of Perms.txt will be saved in the same directory the tool is run.

You should be able to run the ComboFix fix now.
 
GrantPerms Output

GrantPerms by Farbar
Ran by Russell Dobash at 2011-10-20 02:58:00

===============================================
\\?\c:\\System Volume Information\mdllog.dat

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\System Volume Information\7234949drv.isw

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\System Volume Information\1590912drv.isw

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\Qoobox\BackEnv\VikPev00

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Templates.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\SysPath.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\StartUp.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\StartMenu.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\SetPath.bat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\SendTo.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Recent.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Programs.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Profiles.Folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\PrintHood.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Pictures.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Personal.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\NetHood.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Music.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\LocalSettings.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\LocalAppData.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\History.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Favorites.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Desktop.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Cookies.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\Cache.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv\AppData.folder.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)
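What the Perms.txt listing above actually says is easy to miss by eye: every Qoobox\BackEnv item carries an inherited `Everyone FULL DENY` entry ahead of the `BUILTIN\Administrators FULL ALLOW`, and Windows evaluates a DACL in order, so that deny is what produced the "Access is denied" results in the Junction log. The Python below is an added example, not code from the thread or from GrantPerms; it parses the Perms.txt layout shown above and reports deny entries and files where Administrators lack full access. The sample is constructed from two of the entries above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the Perms.txt layout shown above: one protected-DACL file from
# System Volume Information and one Qoobox\BackEnv item with an inherited deny entry.
SAMPLE_PERMS = r"""GrantPerms by Farbar
Ran by <user> at 2011-10-20 02:58:00

===============================================
\\?\c:\\System Volume Information\mdllog.dat

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\Qoobox\BackEnv\VikPev00

Owner: BUILTIN\Administrators

DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)
"""

PATH_PREFIX = "\\\\?\\"                   # every entry starts with the \\?\ form of the path
FLAG_RE = re.compile(r"\(([A-Z]+)\)")     # (CI)(OI)(IO)(I) on an ACE, (P)/(NP)/(AI) on the DACL line
# Trustees and rights may both contain spaces ("CREATOR OWNER", "ADD SUBDIRECTORY"),
# so the known multi-word rights are tried before the generic \S+ fallback.
ACE_RE = re.compile(
    r"^(?P<trustee>.+?) (?P<rights>FULL|READ/EXECUTE|ADD SUBDIRECTORY|ADD FILE|\S+) "
    r"(?P<kind>ALLOW|DENY)\s*(?P<flags>(?:\([A-Z]+\))*)$"
)


@dataclass
class Ace:
    trustee: str
    rights: str
    kind: str                  # "ALLOW" or "DENY"
    flags: tuple[str, ...]     # inheritance flags exactly as GrantPerms prints them

    @property
    def inherited(self) -> bool:
        return "I" in self.flags


@dataclass
class Entry:
    path: str
    owner: str = ""
    dacl_flags: tuple[str, ...] = ()   # ("P", "AI") = protected DACL, ("NP", "AI") = inheriting
    aces: list[Ace] = field(default_factory=list)


def parse_perms(text: str) -> list[Entry]:
    entries: list[Entry] = []
    cur: Entry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(PATH_PREFIX):
            cur = Entry(path=line)
            entries.append(cur)
        elif cur is None or not line:
            continue                      # banner lines before the first entry, blank separators
        elif line.startswith("Owner:"):
            cur.owner = line.split(":", 1)[1].strip()
        elif line.startswith("DACL"):
            cur.dacl_flags = tuple(FLAG_RE.findall(line))
        else:
            m = ACE_RE.match(line)
            if m:
                cur.aces.append(Ace(m["trustee"], m["rights"], m["kind"],
                                    tuple(FLAG_RE.findall(m["flags"]))))
    return entries


def audit(entries: list[Entry]) -> list[tuple[str, str]]:
    """Report what blocks access: deny entries (evaluated in DACL order, so a deny for Everyone
    listed first overrides the Administrators FULL ALLOW beneath it) and missing admin rights."""
    findings = []
    for e in entries:
        for ace in e.aces:
            if ace.kind == "DENY":
                origin = "inherited" if ace.inherited else "explicit"
                findings.append((e.path, f"{origin} DENY for {ace.trustee}: {ace.rights}"))
        if not any(a.kind == "ALLOW" and a.rights == "FULL"
                   and a.trustee == "BUILTIN\\Administrators" for a in e.aces):
            findings.append((e.path, "Administrators have no FULL ALLOW entry"))
    return findings


if __name__ == "__main__":
    for path, finding in audit(parse_perms(SAMPLE_PERMS)):
        print(f"{path}\n    {finding}")
```

The `(I)` flag matters for remediation: an inherited deny comes from the parent directory, so fixing the single file is not enough if the parent's ACL still carries the entry, whereas the System Volume Information files show a protected DACL (`(P)`) with no deny at all, which is the normal state for that directory.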
 
ComboFix

This time I could drag ComboFix to the desktop, and when I dragged cfscript.txt onto it, it ran. It's now showing the blue command and coming up with the Nirkmd messages to which I'm replying OK. There were about 50 of them last time.
 
Curiously I got a message saying Windows Update needed to restart the computer despite not being connected to the Internet. I clicked Restart Later.
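The ComboFix log posted next shows, under "Reg Loading Points", the two persistence mechanisms this whole thread has been fighting: a Run value under HKEY_USERS\.DEFAULT pointing into the LocalService profile, and a Userinit value with a second executable appended after userinit.exe (which is why the CFScript above resets Userinit). As an added example that is not part of the thread or of ComboFix, the Python below parses lines in that section's REGEDIT4-style format and flags both patterns; the sample lines are constructed from the values the log reports.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample in the REGEDIT4-style layout of ComboFix's "Reg Loading Points"
# section; the keys and values are the ones the log below reports for this machine.
SAMPLE_LOADING_POINTS = r"""REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LmlLhkfv"="c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe" [2011-10-20 114035]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "name"="value", optionally followed by ComboFix's " [date size]" annotation.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"   # the only program Userinit should name
SERVICE_PROFILES = {"localservice", "networkservice"}       # profiles no interactive user logs into


def parse_loading_points(text: str):
    """Yield (key, name, value) for every value line, tracking the enclosing [key]."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            yield key, vm["name"], vm["value"]


def userinit_programs(value: str) -> list[str]:
    """Userinit is a comma-separated program list; empty items (the ',,' above) are skipped."""
    return [p.strip() for p in value.split(",") if p.strip()]


def under_service_profile(path: str) -> bool:
    """True when any path component is a service-account profile directory."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & SERVICE_PROFILES)


def audit_loading_points(text: str) -> list[tuple[str, str, str]]:
    """Flag extra Userinit programs and Run entries whose executable lives in a service profile."""
    findings = []
    for key, name, value in parse_loading_points(text):
        lowered = key.lower()
        if lowered.endswith("\\winlogon") and name.lower() == "userinit":
            for prog in userinit_programs(value):
                if prog.lower() != EXPECTED_USERINIT:
                    findings.append((key, name, f"extra Userinit program: {prog}"))
        elif lowered.endswith("\\run") and under_service_profile(value):
            findings.append((key, name, f"autorun stored in a service-account profile: {value}"))
    return findings


if __name__ == "__main__":
    for key, name, why in audit_loading_points(SAMPLE_LOADING_POINTS):
        print(f"[{key}] {name}: {why}")
```

The Userinit check is the one that matters most for this machine: the value is loaded by Winlogon for every interactive logon, so a program appended there survives even when the Run entries are removed, and a Run value that is a path only (as ComboFix prints them) is all `under_service_profile` needs; if a value carries arguments, strip them before the path check.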
 
Combofix Output

ComboFix 11-10-18.04 - Russell Dobash 10/20/2011 3:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1384 [GMT 1:00]
Running from: c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Russell Dobash\Desktop\cfscript.txt
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LocalService\Local Settings\Application Data\bvdbobao.log
c:\documents and settings\LocalService\Local Settings\Application Data\fkvqtkwm.log
c:\documents and settings\LocalService\Local Settings\Application Data\mnldimku.log
c:\documents and settings\LocalService\Local Settings\Application Data\nesqejrr.log
c:\documents and settings\LocalService\Local Settings\Application Data\obigcqqa.log
c:\documents and settings\LocalService\Local Settings\Application Data\rwgxkfbp.log
c:\documents and settings\LocalService\Local Settings\Application Data\ydmeccsi.log
c:\windows\system32\_000005_.tmp.dll
c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
2011-10-18 20:59 . 2011-10-20 02:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-19_03.15.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-20 02:24 . 2011-10-20 02:24 56200 c:\windows\Temp\offreg.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\mshtmled.dll
- 2006-11-07 21:03 . 2011-06-23 18:36 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-11-07 21:03 . 2011-08-22 23:48 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll
- 2009-07-17 08:48 . 2011-06-23 18:36 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-07-17 08:48 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 07:50 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-09 07:50 . 2011-06-23 18:36 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2010-09-23 14:55 . 2010-09-23 14:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-07-08 13:00 . 2011-07-08 13:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-07-07 11:04 . 2011-07-07 11:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2010-09-23 01:26 . 2010-09-23 01:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2011-07-07 11:04 . 2011-07-07 11:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2010-09-23 01:26 . 2010-09-23 01:26 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2011-07-07 11:03 . 2011-07-07 11:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2010-09-23 01:26 . 2010-09-23 01:26 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2010-09-23 02:17 . 2010-09-23 02:17 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-07-07 12:09 . 2011-07-07 12:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2010-09-23 02:17 . 2010-09-23 02:17 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2011-07-07 12:09 . 2011-07-07 12:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 66560 c:\windows\ie8updates\KB2586448-IE8\mshtmled.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 55296 c:\windows\ie8updates\KB2586448-IE8\msfeedsbs.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 43520 c:\windows\ie8updates\KB2586448-IE8\licmgr10.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 25600 c:\windows\ie8updates\KB2586448-IE8\jsproxy.dll
+ 2011-10-20 02:01 . 2011-10-20 02:01 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_a11d3fd6\System.Drawing.Design.dll
+ 2011-10-20 02:01 . 2011-10-20 02:01 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_fa26395a\CustomMarshalers.dll
- 2010-10-06 17:13 . 2010-10-06 17:13 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-10-20 02:00 . 2011-10-20 02:00 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-10-20 02:22 . 2011-10-20 02:22 114035 c:\windows\Temp\drggmmefohcljxih.exe
- 2011-10-19 03:14 . 2011-10-19 03:14 114035 c:\windows\Temp\drggmmefohcljxih.exe
- 2004-08-04 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\url.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\mstime.dll
- 2006-11-07 21:03 . 2011-06-23 18:36 602112 c:\windows\system32\msfeeds.dll
+ 2006-11-07 21:03 . 2011-08-22 23:48 602112 c:\windows\system32\msfeeds.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
+ 2006-07-10 12:10 . 2011-10-20 02:22 307600 c:\windows\system32\FNTCACHE.DAT
- 2006-07-10 12:10 . 2011-07-14 09:01 307600 c:\windows\system32\FNTCACHE.DAT
- 2004-08-04 12:00 . 2011-06-23 18:36 916480 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 916480 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll
- 2007-05-09 07:50 . 2011-06-23 18:36 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-05-09 07:50 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-07-17 08:48 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-07-17 08:48 . 2011-06-23 18:36 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-13 14:58 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-13 14:58 . 2011-06-23 18:36 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-06-20 11:40 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
+ 2008-06-20 11:40 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
+ 2011-10-18 20:59 . 2011-10-20 02:22 114035 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
- 2010-09-23 01:26 . 2010-09-23 01:26 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2011-07-07 11:04 . 2011-07-07 11:04 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2010-09-23 01:25 . 2010-09-23 01:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2011-07-07 11:01 . 2011-07-07 11:01 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2010-09-23 02:17 . 2010-09-23 02:17 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-07-07 12:09 . 2011-07-07 12:09 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-10-20 02:03 . 2011-06-23 18:36 130043 c:\windows\ie8updates\KB2586448-IE8\xpshims.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 916480 c:\windows\ie8updates\KB2586448-IE8\wininet.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 105984 c:\windows\ie8updates\KB2586448-IE8\url.dll
+ 2011-10-20 02:03 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2586448-IE8\spuninst\updspapi.dll
+ 2011-10-20 02:03 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2586448-IE8\spuninst\spuninst.exe
+ 2011-10-20 02:02 . 2011-06-23 18:36 206848 c:\windows\ie8updates\KB2586448-IE8\occache.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 611840 c:\windows\ie8updates\KB2586448-IE8\mstime.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 602112 c:\windows\ie8updates\KB2586448-IE8\msfeeds.dll
+ 2011-10-20 02:03 . 2011-06-23 18:36 364892 c:\windows\ie8updates\KB2586448-IE8\ieproxy.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 184320 c:\windows\ie8updates\KB2586448-IE8\iepeers.dll
+ 2011-10-20 02:03 . 2011-06-23 18:36 860696 c:\windows\ie8updates\KB2586448-IE8\iedvtool.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 387584 c:\windows\ie8updates\KB2586448-IE8\iedkcs32.dll
+ 2011-10-20 02:03 . 2011-06-23 12:05 173568 c:\windows\ie8updates\KB2586448-IE8\ie4uinit.exe
+ 2011-10-20 02:01 . 2011-10-20 02:01 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_8685ae70\System.Drawing.dll
+ 2011-10-20 02:23 . 2011-10-20 02:24 7269712 c:\windows\Temp\MPENGINE.DLL
- 2004-08-04 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2011-10-03 08:35 5971456 c:\windows\system32\mshtml.dll
+ 2006-10-17 11:57 . 2011-08-22 23:48 2000384 c:\windows\system32\iertutil.dll
- 2008-10-16 11:53 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2008-10-16 11:53 . 2011-09-06 13:20 1858944 c:\windows\system32\dllcache\win32k.sys
- 2004-08-04 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2011-10-03 08:35 5971456 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 07:50 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2011-07-08 12:59 . 2011-07-08 12:59 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2010-09-23 14:55 . 2010-09-23 14:55 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2010-09-23 14:55 . 2010-09-23 14:55 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2011-07-08 12:59 . 2011-07-08 12:59 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2011-07-07 11:02 . 2011-07-07 11:02 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2010-09-23 01:26 . 2010-09-23 01:26 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2011-07-07 11:02 . 2011-07-07 11:02 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2010-09-23 14:55 . 2010-09-23 14:55 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2011-07-08 12:59 . 2011-07-08 12:59 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 1212416 c:\windows\ie8updates\KB2586448-IE8\urlmon.dll
+ 2011-10-20 02:02 . 2011-07-25 15:17 5969920 c:\windows\ie8updates\KB2586448-IE8\mshtml.dll
+ 2011-10-20 02:02 . 2011-06-23 18:36 1991680 c:\windows\ie8updates\KB2586448-IE8\iertutil.dll
+ 2011-10-20 02:01 . 2011-10-20 02:01 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_006ebf2b\System.dll
+ 2011-10-20 02:01 . 2011-10-20 02:01 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_a1e531e9\System.Xml.dll
+ 2011-10-20 02:01 . 2011-10-20 02:01 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_f00b8d1f\System.Windows.Forms.dll
+ 2011-10-20 02:01 . 2011-10-20 02:01 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_316aa935\System.Design.dll
+ 2011-10-20 02:01 . 2011-10-20 02:01 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_df620e42\mscorlib.dll
- 2010-10-06 17:13 . 2010-10-06 17:13 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2011-10-20 02:00 . 2011-10-20 02:00 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2011-10-20 02:00 . 2011-10-20 02:00 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-10-06 17:13 . 2010-10-06 17:13 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2006-09-21 15:00 . 2011-10-20 02:03 48324552 c:\windows\system32\MRT.exe
- 2006-11-07 21:03 . 2011-06-23 18:36 11081728 c:\windows\system32\ieframe.dll
+ 2006-11-07 21:03 . 2011-08-23 16:48 11081728 c:\windows\system32\ieframe.dll
- 2007-05-09 07:50 . 2011-06-23 18:36 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2007-05-09 07:50 . 2011-08-23 16:48 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-07-12 21:49 . 2011-07-12 21:49 11459584 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2572067\M2572067Uninstall.msp
+ 2011-07-12 14:50 . 2011-07-12 14:50 17555968 c:\windows\Installer\126fa2f.msp
+ 2011-10-20 02:02 . 2011-06-23 18:36 11081728 c:\windows\ie8updates\KB2586448-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LmlLhkfv"="c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe" [2011-10-20 114035]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
lmllhkfv.exe [2011-10-20 114035]
.
c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
- c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
- c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-20 03:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\MRT.exe
.
**************************************************************************
.
Completion time: 2011-10-20 03:30:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-20 02:30
ComboFix2.txt 2011-10-19 03:27
.
Pre-Run: 118,658,908,160 bytes free
Post-Run: 118,891,155,456 bytes free
.
- - End Of File - - D023BFFABFF0FFBBA95A892C9E6983C0
 
The offending entry is still there...

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.
 
FixTDSS

One message:

Backdoor.Tidserv has been found on your computer.


BTW, the USB stick is no longer being corrupted and the McAfee icon has reappeared in the notification area, although it has no function.