Old 09-03-2009, 02:06 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 9
OS: windows xp home edition


web hijacked

Hi There,

When I'm using Mozilla Firefox, after just about a minute it closes on me... I then have to restart it, where it takes me back to where I was before it closed down. Also, when I do a simple search in Google I get redirected to these different search sites? I have Ad-Aware installed and it always says it has detected malicious programs running in the background. I then run Ad-Aware and remove it, where it then tells me to restart to remove it... But it doesn't, and it is still constantly happening? I am not very techy, so can someone please give me instructions on how to remove this hijacker in layman's terms? I also cannot install any other spyware (like Spybot etc.); when I try to download from a search in Google I am taken to a page which reads "Oops! This link appears to be broken." I get this with any spyware software I am trying to install in Firefox, Safari and Google Chrome. I already have Ad-Aware installed. I have posted my first steps below.

Thanks.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Tanya at 20:35:54.26 on 03/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1279.754 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\Tanya\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tanya\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tanya\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tanya\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Search_URL = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.sky.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live OneCare Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Magentic] c:\progra~1\magentic\bin\Magentic.exe /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ccleaner] "c:\program files\ccleaner\ccleaner.exe" /AUTO
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Google Update] "c:\documents and settings\tanya\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [FlashGuard] "c:\program files\flashguard\FlashGuard.exe" -run
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [PopUpKiller] c:\program files\popup killer\popupkiller.EXE
mRun: [ssdiag] c:\windows\ssdiag.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {05F914B8-447B-49A4-B09B-F878B7D783F6} - hxxp://www.skyfolder.com/agent.cab
DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} - hxxp://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143728338546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.180,85.255.112.173
TCP: {6A1EA249-EEA4-48C3-9427-F3A7D3ECB60E} = 85.255.112.180,85.255.112.173
TCP: {D2DD1987-7255-4417-AD91-6DE93C6DF083} = 85.255.112.180,85.255.112.173
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tanya\applic~1\mozilla\firefox\profiles\pw62eqhr.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.co.uk
FF - plugin: c:\documents and settings\tanya\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-18 64160]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 98304]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2008-5-28 43816]
R2 fsssvc;Windows Live OneCare Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2007-12-17 523816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-7-29 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-10 1119888]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-7-29 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-7-29 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-7-29 170408]
S2 gupdate1c9d3e05567f582;Google Update Service (gupdate1c9d3e05567f582);c:\program files\google\update\GoogleUpdate.exe [2009-5-13 133104]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2006-11-11 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2006-11-11 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2006-11-11 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2006-5-1 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2006-11-11 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2006-11-11 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2006-5-1 90800]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2007-5-11 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2007-5-11 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2007-5-11 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2007-5-11 88624]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2007-5-11 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2007-8-19 90800]

=============== Created Last 30 ================

2009-09-02 22:50 78,556 a---h--- c:\windows\system32\mlfcache.dat
2009-09-02 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2009-09-02 21:47 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-09-02 21:38 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-09-02 21:38 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-02 21:38 129,784 -------- c:\windows\system32\pxafs.dll
2009-09-02 19:34 <DIR> --d----- c:\program files\Trend Micro
2009-09-02 19:18 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-09-02 19:16 <DIR> --d----- c:\docume~1\tanya\applic~1\GetRightToGo
2009-09-02 19:14 <DIR> --d----- c:\documents and settings\tanya\.housecall6.6
2009-08-12 20:22 <DIR> -cd----- C:\isnowsoft

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 21:50 87,608 a------- c:\docume~1\tanya\applic~1\inst.exe
2009-07-17 21:50 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-07-17 21:50 47,360 a------- c:\docume~1\tanya\applic~1\pcouffin.sys
2009-07-03 15:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-19 18:57 81,920 a------- c:\docume~1\tanya\applic~1\ezpinst.exe
2008-05-09 22:40 9,100 a------- c:\docume~1\tanya\applic~1\wklnhst.dat
2008-06-23 15:37 321 a--sh--- c:\windows\system32\807132013.sys

============= FINISH: 20:36:46.31 ===============
Attached Files
File Type: zip ark & attach.zip (4.7 KB, 4 views)
tsteele2005 is offline  
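The DDS report above shows every TCP NameServer entry (the global one and both per-interface GUID entries) pointing at the same two public addresses the user never configured, plus several BHO/toolbar/explorer-bar entries that reference no file. As an added example (not from the post, and not part of DDS or ComboFix), this script triages those two patterns in a constructed excerpt of the report; the trusted-resolver allowlist and the severity labels are my own assumptions.

```python
import ipaddress
import re

# Constructed excerpt in DDS "Pseudo HJT Report" format, copied from the lines
# shown in the post above (not a complete report).
SAMPLE_REPORT = """\
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\\program files\\google\\google toolbar\\GoogleToolbar.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
TCP: NameServer = 85.255.112.180,85.255.112.173
TCP: {6A1EA249-EEA4-48C3-9427-F3A7D3ECB60E} = 85.255.112.180,85.255.112.173
TCP: {D2DD1987-7255-4417-AD91-6DE93C6DF083} = 85.255.112.180,85.255.112.173
"""

# "TCP: NameServer = ..." is the global setting; "TCP: {GUID} = ..." is one
# network interface. Both carry a comma-separated resolver list.
NAMESERVER_RE = re.compile(r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# BHO / toolbar / explorer-bar entries whose CLSID no longer maps to a DLL.
ORPHAN_RE = re.compile(r"^(BHO|TB|EB):\s+(?:.*?)(\{[0-9A-Fa-f-]+\})\s+-\s+No File$")


def parse_nameservers(report):
    """Return {source: [resolver, ...]} for every NameServer line in the report.

    The key is "NameServer" for the global entry or the interface GUID."""
    servers = {}
    for line in report.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        source = line.split("=", 1)[0].replace("TCP:", "").strip()
        servers[source] = [ip.strip() for ip in m.group(1).split(",") if ip.strip()]
    return servers


def suspicious_resolvers(servers, trusted=frozenset()):
    """Resolvers that are neither a private/loopback address (a home router) nor on
    the caller-supplied trusted list. A DNS-changing infection typically rewrites
    every interface to the same public addresses, which is what this surfaces."""
    flagged = set()
    for ips in servers.values():
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                flagged.add(ip)  # unparsable entry: worth a manual look
                continue
            if addr.is_private or addr.is_loopback or ip in trusted:
                continue
            flagged.add(ip)
    return sorted(flagged)


def orphaned_entries(report):
    """(kind, CLSID) pairs for BHO/TB/EB entries that reference no file."""
    return [(m.group(1), m.group(2)) for line in report.splitlines()
            if (m := ORPHAN_RE.match(line.strip()))]


def triage(report, trusted=frozenset()):
    """Ordered (severity, message) findings; severities are this example's own labels."""
    servers = parse_nameservers(report)
    findings = []
    bad = suspicious_resolvers(servers, trusted)
    if bad:
        findings.append(("HIGH", "resolvers not private and not trusted: " + ", ".join(bad)))
    if len(servers) > 1 and len({tuple(v) for v in servers.values()}) == 1:
        findings.append(("INFO", "all %d NameServer entries agree" % len(servers)))
    for kind, clsid in orphaned_entries(report):
        findings.append(("LOW", f"{kind} {clsid} references no file (orphaned entry)"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT):
        print(f"[{severity}] {message}")
```

Pass the resolvers the ISP or a deliberately chosen public DNS service actually uses as `trusted` so they are not reported; anything else that is not a router address is worth checking against the interface settings before cleanup.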
Old 09-03-2009, 09:39 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: web hijacked

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Note: Please rename combofix.exe to cfix.exe

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Angelfire777 is offline  
Old 09-05-2009, 08:35 AM   #3 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 9
OS: windows xp home edition


Re: web hijacked

Hi There,

Please find attached the ComboFix log like you requested. After running ComboFix I connected to the net to check my email. I was connected for moments, then I got a blue screen (no desktop)... Blue screen only with this text below:
**********************************************************
Stop: C000021a (Fatal system error)
The windows subsystem system process terminated unexpectedly with status of OX COOOOOO5 (0X7c9106C3 oxoo52f36c)

The system hs been shut down
Beginning dump of physical memory
Dumping physical memory to disk (it then counted up from 1 to 54 and by that point I switched the laptop off and back on again)?

What does this mean dumping physical memory?


ComboFix 09-09-03.02 - Tanya 05/09/2009 14:26.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1279.884 [GMT 1:00]
Running from: c:\documents and settings\Tanya\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tanya\Application Data\inst.exe
c:\program files\PluginVideo
c:\program files\PluginVideo\Uninstall.exe
c:\recycler\S-1-5-21-676306313-1671959365-1106152895-1003
C:\setuplog.exe
c:\windows\AegisP.inf
c:\windows\Installer\25631b.msp
c:\windows\Installer\38454.msp
c:\windows\Installer\40e58.msi
c:\windows\Installer\4a26e9.msp
c:\windows\Installer\55c73a.msp
c:\windows\Installer\5b5c0f.msp
c:\windows\Installer\ae389.msp
c:\windows\Installer\ba5fe.msp
c:\windows\system\WINASPI.DLL
c:\windows\system\WOWPOST.EXE
c:\windows\system32\drivers\gxvxcvcvjcjdvdollabaitqlnpebrnrvekxdi.sys
c:\windows\system32\drivers\gxvxcyksiboblxewswulbairrnrvqwbvxigff.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcdypqgoxdutyxypepxjnynthoyrqhaarv.dll
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys
-------\Legacy_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-09-02 21:50 . 2009-09-02 21:50 78556 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-02 21:48 . 2009-09-02 21:49 -------- d-----w- c:\program files\Safari
2009-09-02 21:37 . 2009-09-02 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\espionServerData
2009-09-02 20:55 . 2009-09-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-02 20:47 . 2009-09-02 20:47 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-09-02 20:38 . 2009-09-02 20:38 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-02 20:38 . 2009-09-02 20:38 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-02 20:38 . 2009-09-02 20:38 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-02 18:34 . 2009-09-02 18:34 -------- d-----w- c:\program files\Trend Micro
2009-09-02 18:18 . 2009-09-02 18:14 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-02 18:16 . 2009-09-02 18:53 -------- d-----w- c:\documents and settings\Tanya\Application Data\GetRightToGo
2009-09-02 18:14 . 2009-09-02 18:20 -------- d-----w- c:\documents and settings\Tanya\.housecall6.6
2009-08-17 17:57 . 2009-08-31 14:02 -------- d-----w- c:\documents and settings\Tanya\Local Settings\Application Data\Temp
2009-08-12 19:22 . 2009-08-12 19:22 -------- dc----w- C:\isnowsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 13:23 . 2009-02-11 14:43 -------- d-----w- c:\program files\PopUp Killer
2009-09-05 13:09 . 2009-02-11 14:31 -------- d-----w- c:\program files\Lavasoft
2009-09-05 13:09 . 2009-07-18 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-05 13:06 . 2009-02-11 14:31 -------- d-----w- c:\documents and settings\Tanya\Application Data\Lavasoft
2009-09-05 13:05 . 2007-11-26 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-02 22:20 . 2009-02-10 14:14 -------- d-----w- c:\documents and settings\Tanya\Application Data\uTorrent
2009-09-02 22:03 . 2006-02-10 14:49 99328 ----a-w- c:\documents and settings\Tanya\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 22:01 . 2009-01-05 14:03 -------- d-----w- c:\program files\Enigma Software Group
2009-09-02 22:00 . 2006-02-26 16:50 -------- d-----w- c:\program files\Mingjong
2009-09-02 21:58 . 2006-02-12 09:42 -------- d-----w- c:\program files\epson
2009-09-02 21:55 . 2009-02-10 20:26 -------- d-----w- c:\program files\Avi2Dvd
2009-09-02 21:55 . 2008-01-03 16:09 -------- d-----w- c:\program files\AoA DVD to iPod Converter
2009-09-02 21:49 . 2006-03-03 14:09 -------- d-----w- c:\documents and settings\Tanya\Application Data\Apple Computer
2009-09-02 20:47 . 2006-01-24 16:33 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-30 10:44 . 2008-01-03 16:12 -------- d-----w- c:\documents and settings\Tanya\Application Data\dvdcss
2009-08-19 21:26 . 2008-05-04 16:35 -------- d-----w- c:\documents and settings\Sal\Application Data\uTorrent
2009-08-12 19:16 . 2008-09-26 20:36 -------- d-----w- c:\documents and settings\Tanya\Application Data\Vso
2009-08-05 18:36 . 2009-06-09 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-07-29 15:32 . 2009-04-19 17:13 -------- d-----w- c:\program files\DVD Flick
2009-07-29 15:32 . 2009-02-11 14:38 -------- d-----w- c:\program files\Astonsoft
2009-07-29 15:30 . 2006-02-17 20:10 -------- d-----w- c:\program files\Google
2009-07-29 15:27 . 2009-07-29 15:27 -------- d-----w- c:\program files\Common Files\Cisco Systems
2009-07-17 21:37 . 2007-12-16 11:57 -------- d-----w- c:\program files\AviSynth 2.5
2009-07-17 20:50 . 2008-09-26 20:36 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-17 20:50 . 2008-09-26 20:36 47360 ----a-w- c:\documents and settings\Tanya\Application Data\pcouffin.sys
2009-07-17 20:50 . 2009-07-15 13:26 -------- d-----w- c:\program files\VSO
2009-07-17 20:43 . 2006-02-10 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-07-17 18:46 . 2006-02-10 15:29 -------- d-----w- c:\program files\Ulead Systems
2009-07-17 18:46 . 2006-01-24 16:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-15 19:38 . 2009-07-15 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2008-06-23 14:37 . 2008-06-23 14:37 321 --sha-w- c:\windows\system32\807132013.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
"Google Update"="c:\documents and settings\Tanya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"PopUpKiller"="c:\program files\PopUp Killer\popupkiller.EXE" [2002-03-23 108032]
"ssdiag"="c:\windows\ssdiag.exe" [2004-07-14 57401]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-09-21 127036]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-01-05 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 708697]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-01 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-08-01 2806272]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-09-16 557056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [28/05/2008 12:22 43816]
R2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [17/12/2007 11:13 523816]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [20/10/2004 05:47 98304]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 12:03 169312]
S2 gupdate1c9d3e05567f582;Google Update Service (gupdate1c9d3e05567f582);c:\program files\Google\Update\GoogleUpdate.exe [13/05/2009 16:34 133104]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [11/05/2007 17:59 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [11/05/2007 17:59 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [11/05/2007 17:59 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [11/05/2007 18:00 88624]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [11/05/2007 18:00 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [19/08/2007 18:02 90800]
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2009-08-22 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 12:00]

2009-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-13 15:34]

2009-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-13 15:34]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1596805024-719007556-2338071259-1006Core.job
- c:\documents and settings\Tanya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-17 17:57]

2009-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1596805024-719007556-2338071259-1006UA.job
- c:\documents and settings\Tanya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-17 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Magentic - c:\progra~1\Magentic\bin\Magentic.exe
HKCU-Run-ccleaner - c:\program files\CCleaner\ccleaner.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-PAC7302_Monitor - c:\windows\PixArt\PAC7302\Monitor.exe
HKLM-Run-FlashGuard - c:\program files\FlashGuard\FlashGuard.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
DPF: {05F914B8-447B-49A4-B09B-F878B7D783F6} - hxxp://www.skyfolder.com/agent.cab
DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} - hxxp://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
FF - ProfilePath - c:\documents and settings\Tanya\Application Data\Mozilla\Firefox\Profiles\pw62eqhr.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.co.uk
FF - plugin: c:\documents and settings\Tanya\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 14:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-05 14:37
ComboFix-quarantined-files.txt 2009-09-05 13:37

Pre-Run: 8,879,140,864 bytes free
Post-Run: 9,455,693,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
229 --- E O F --- 2009-04-30 16:50



Thanks
Attached Files
File Type: txt ComboFix.txt (17.7 KB, 1 views)

Last edited by Angelfire777; 09-05-2009 at 10:40 AM.
tsteele2005 is offline  
Old 09-05-2009, 10:59 AM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: web hijacked

Hi,

Did you uninstall McAfee?


Quote:
What does this mean dumping physical memory?
The OS is creating some sort of log to record some information about the error.


*I see you have P2P software (µTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

http://www.techsupportforum.com/secu...e-sharing.html

I would strongly recommend that you uninstall this. You can do so via Control Panel >> Add or Remove Programs.

----------------------------

*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/410785-web-hijacked.html
Suspect::
C:\Qoobox\Quarantine\c\windows\system\WINASPI.DLL.vir
C:\Qoobox\Quarantine\c\windows\system\WOWPOST.EXE.vir
SecCenter::
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxvxcserv.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys]
DDS::
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
TCP: NameServer = 85.255.112.180,85.255.112.173
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

----------------------------

Your Java is out of date.

Java(TM) 6 Update 13 can be updated from the Java control panel

Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

----------------------------

Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


On your next reply, please include a
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
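The CFScript in the post above tells ComboFix to drop a hard-coded NameServer pair from the TCP/IP parameters, re-enable Security Center monitoring of the firewall, and clear BHO/toolbar CLSIDs that point at "No File"; the quarantine listing later in the thread shows the random-named gxvxc* driver files it pulled. The script below is an added example written for this page, not code from ComboFix, DDS or the forum: it triages log lines of that shape for those same indicator classes so an analyst can spot them before reading 140 KB of log by hand. The TRUSTED_DNS allow-list and the 28-letter filename threshold are assumptions to tune for your environment, and the sample log is constructed from lines quoted in this thread rather than a real file.

```python
"""Triage indicators in ComboFix / DDS style log lines.

Added example for this thread, not code from ComboFix, DDS or the forum.
Run it directly to print the findings for the constructed sample, or import
it and call triage() on the text of a real log.
"""
import ipaddress
import re

# ASSUMPTION: the resolvers your ISP or DHCP server really hands out. Any
# hard-coded NameServer value outside this set is reported as suspect.
TRUSTED_DNS = {"192.168.1.1"}

# ASSUMPTION: driver/DLL names this long and made only of letters are unusual
# for vendor software; the gxvxc* files quarantined in this thread are 37 long.
RANDOM_NAME_MIN_LEN = 28

# Constructed sample: lines copied from the logs and CFScript posted in this
# thread, stitched together so the script runs offline. Not a real log file.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TCP: NameServer = 85.255.112.180,85.255.112.173
uInternet Settings,ProxyOverride = *.local
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [28/05/2008 12:22 43816]
2009-05-14 20:00:13 . 2009-05-14 20:00:13 62,208 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxcvcvjcjdvdollabaitqlnpebrnrvekxdi.sys.vir
"""

NAMESERVER_RE = re.compile(r"^TCP:\s*NameServer\s*=\s*(.+)$", re.I)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)
MONITOR_OFF_RE = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$', re.I)
# BHO/TB/EB entry whose CLSID resolves to "No File" or to an empty path.
ORPHAN_RE = re.compile(r"^(BHO|TB|EB):.*\{[0-9A-F-]{36}\}\s*-\s*(No File)?\s*$", re.I)
RANDOM_NAME_RE = re.compile(
    r"[\\/]([a-z]{%d,})\.(sys|dll)(\.vir)?\b" % RANDOM_NAME_MIN_LEN, re.I)


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Return a dict of indicator class -> list of hits found in log_text."""
    trusted = {ipaddress.ip_address(t) for t in trusted_dns}
    findings = {
        "rogue_dns": [],
        "firewall_disabled": [],
        "monitoring_disabled": [],
        "orphaned_browser_objects": [],
        "random_named_binaries": [],
    }
    current_key = None  # last "[HKLM\...]" header seen, reported as context
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            for addr in (a.strip() for a in m.group(1).split(",")):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    findings["rogue_dns"].append(addr)  # not even an address
                    continue
                if ip not in trusted:
                    findings["rogue_dns"].append(str(ip))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings["firewall_disabled"].append(current_key or line)
            continue
        if MONITOR_OFF_RE.match(line):
            findings["monitoring_disabled"].append(current_key or line)
            continue
        if ORPHAN_RE.match(line):
            findings["orphaned_browser_objects"].append(line)
            continue
        m = RANDOM_NAME_RE.search(line)
        if m:
            findings["random_named_binaries"].append(m.group(1) + "." + m.group(2))
    return findings


def is_clean(findings):
    """True when no indicator class produced a hit."""
    return not any(findings.values())


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Feed it the text of ComboFix.txt or a DDS log. The hits are candidates for the analyst, not verdicts: a NameServer outside the allow-list is rogue only if your ISP did not assign it, and a long random-looking filename is a prompt to look the file up, not proof on its own. Lines such as the ProxyOverride entry in the sample pass through untouched, which is the point of matching specific indicator shapes rather than anything unfamiliar.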
Old 09-07-2009, 10:58 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 9
OS: windows xp home edition


Re: web hijacked

Hi Angelfire,

Thanks for the info, I have updated Java as you requested. I did uninstall McAfee and have installed AVG 8.5 instead. Please find attached my ComboFix and Kaspersky logs. Thanks again.

kind regards,
tsteele2005
Attached Files
File Type: txt combofix.txt (142.1 KB, 3 views)
File Type: txt kaspersky scan log.txt (1.3 KB, 2 views)
tsteele2005 is offline  
Old 09-09-2009, 04:15 PM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: web hijacked

Click start > run > copy and paste:

C:\Qoobox\ComboFix-quarantined-files.txt

press enter.

Post the contents of the text please.
Angelfire777 is offline  
Old 09-10-2009, 07:33 AM   #7 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 9
OS: windows xp home edition


Re: web hijacked

2009-09-07 20:03:08 . 2009-09-07 20:03:09 8,496 -c--a-w- C:\Qoobox\Quarantine\[4]-Submit_2009-09-07_21.03.00.zip
2009-09-05 13:43:19 . 2009-09-05 15:56:11 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\w32apiw.dll.vir
2009-09-05 13:36:17 . 2009-09-05 13:36:17 147 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NapsterShell.reg.dat
2009-09-05 13:36:17 . 2009-09-05 13:36:17 151 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-FlashGuard.reg.dat
2009-09-05 13:36:17 . 2009-09-05 13:36:17 143 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-PAC7302_Monitor.reg.dat
2009-09-05 13:36:16 . 2009-09-05 13:36:16 189 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-updateMgr.reg.dat
2009-09-05 13:36:16 . 2009-09-05 13:36:16 145 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-ccleaner.reg.dat
2009-09-05 13:36:16 . 2009-09-05 13:36:16 138 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Magentic.reg.dat
2009-09-05 13:32:37 . 2009-09-07 20:09:57 13,230 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-05 13:17:58 . 2009-09-05 13:18:06 854 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\Service_gxvxcserv.sys.reg.dat
2009-09-05 13:12:59 . 2009-09-07 20:01:19 102 -c--a-w- C:\Qoobox\Quarantine\catchme.log
2009-09-04 16:08:02 . 2009-09-04 16:08:02 26,625 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcdypqgoxdutyxypepxjnynthoyrqhaarv.dll.vir
2009-05-14 20:00:13 . 2009-05-14 20:00:13 62,208 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxcvcvjcjdvdollabaitqlnpebrnrvekxdi.sys.vir
2009-05-10 17:33:27 . 2009-09-05 13:10:30 4 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxccounter.vir
2009-05-10 17:33:26 . 2009-05-10 17:33:26 66,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxcyksiboblxewswulbairrnrvqwbvxigff.sys.vir
2009-05-10 17:32:25 . 2009-05-10 17:32:25 68,690 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PluginVideo\Uninstall.exe.vir
2008-10-13 17:29:32 . 2009-07-17 20:50:58 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Tanya\Application Data\inst.exe.vir
2008-01-03 16:09:35 . 2002-07-17 15:22:34 3,535 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system\WOWPOST.EXE.vir
2008-01-03 16:09:35 . 2002-07-17 15:22:26 4,455 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system\WINASPI.DLL.vir
2007-11-27 00:45:25 . 2007-11-27 00:53:39 13,984 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\AegisP.inf.vir
2007-05-11 15:46:29 . 2007-05-11 15:46:29 39,656,448 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\40e58.msi.vir
2007-04-25 14:10:22 . 2007-04-25 14:10:22 6,835,712 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\ae389.msp.vir
2007-04-25 14:10:22 . 2007-04-25 14:10:22 6,835,712 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\ba5fe.msp.vir
2007-01-10 10:05:44 . 2007-01-10 10:05:44 9,921,024 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\5b5c0f.msp.vir
2006-02-17 19:12:32 . 2006-02-17 19:12:52 184 -c--a-w- C:\Qoobox\Quarantine\C\setuplog.exe.vir
2006-01-30 14:10:26 . 2006-01-30 14:10:26 13,048,832 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\25631b.msp.vir
2006-01-30 14:10:26 . 2006-01-30 14:10:26 13,048,832 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\38454.msp.vir
2006-01-30 14:10:26 . 2006-01-30 14:10:26 13,048,832 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4a26e9.msp.vir
2006-01-30 14:10:26 . 2006-01-30 14:10:26 13,048,832 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\55c73a.msp.vir
2003-07-20 21:13:12 . 2003-07-20 21:13:12 253,952 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\skinboxer43.dll.vir
Attached Files
File Type: txt ComboFix-quarantined-files.txt (3.8 KB, 0 views)
tsteele2005 is offline  
Old 09-10-2009, 11:01 AM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: web hijacked

Hi,

C:\Qoobox\Quarantine\[4]-Submit_2009-09-07_21.03.00.zip

Using the 'Browse' button, please submit the above file to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.
Angelfire777 is offline  
Old 09-10-2009, 02:31 PM   #9 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 9
OS: windows xp home edition


Re: web hijacked

Hi Angelfire,

I have now posted up the file that you requested onto bleeping computer. Thanks again.

Kind regards,
Tanya
tsteele2005 is offline  
Old 09-11-2009, 03:12 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: web hijacked

I can't seem to find the file.

Please try again and use this link instead:

http://www.bleepingcomputer.com/subm...php?channel=55
Angelfire777 is offline  
Old 09-12-2009, 08:38 AM   #11 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 9
OS: windows xp home edition


Re: web hijacked

Hi Angelfire,

I have re-submitted the file as requested. Thanks.

tsteele2005
tsteele2005 is offline  
Old 09-12-2009, 10:59 AM   #12 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: web hijacked

Thanks

How is it running?
Angelfire777 is offline  
Old 09-13-2009, 06:36 AM   #13 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 9
OS: windows xp home edition


Re: web hijacked

Hi Angelfire,

It's running great actually... No hijacking, thank god! Thanks very much for your help.

Regards,
tsteele2005
tsteele2005 is offline  
Old 09-13-2009, 12:48 PM   #14 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: web hijacked

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your System Restore cache and uninstall ComboFix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 09-14-2009, 03:59 PM   #15 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 9
OS: windows xp home edition


Re: web hijacked

Hi Angelfire,

All fine here now... Thanks very much for your assistance.

tsteele2005
tsteele2005 is offline  
Copyright 2001 - 2009, Tech Support Forum