Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

Malware/popup/redirects

Old 04-05-2011, 01:32 AM   #1
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Hi

Recently my machine's been running very slow (Win XP, SP 4), then recently on Mozilla 4.0 new tabs started appearing. I found a folder in Documents and Settings/Network Service/Local Settings called 'temp' which had lots of jpgs/html/javascript, like these were the dodgy HTML pages appearing about ****** etc.

As soon as I tried deleting them, 10 minutes later my machine would go slow and it's like they're being 'copied' back onto it.

I've got a paid version of AVG (used to have McAfee but took that off, some rogue files might be left), ran Malwarebytes and they both find files which I 'fix' but alas nothing really seems to happen.

Also when I go to Mozilla my home page has been changed from google.co.uk to gcoogle.co.uk. After a few days away I came back and now Firefox has a crappy search bar attached (Searchqu).

I've had a look at other posts and have run a few files, thanks for listening and I hope you can help...

Hijackthis....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:25:16, on 03/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\BSD\AppUpdater\BSDChecker.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\office12\offlb.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WINDOW~3\ToolBar\searchqudtx.dll
O2 - BHO: UrlHelper Class - {A40DC6C5-79D0-4ca8-A185-8FF989AF1115} - C:\PROGRA~1\WINDOW~3\Datamngr\IEBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WINDOW~3\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BSDAppUpdater] C:\Program Files\Common Files\BSD\AppUpdater\BSDChecker.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WINDOW~3\Datamngr\DATAMN~1.EXE
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Save video on Savevid.com - C:\Program Files\Savevid\redirect.htm
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\WINDOW~3\Datamngr\datamngr.dll C:\PROGRA~1\WINDOW~3\Datamngr\IEBHO.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (file missing)
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 6193 bytes

DDS.TXT...

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Paul at 13:29:01.03 on 03/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1198 [GMT 1:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\BSD\AppUpdater\BSDChecker.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Paul\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.searchqu.com/405
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~3\toolbar\searchqudtx.dll
BHO: UrlHelper Class: {a40dc6c5-79d0-4ca8-a185-8ff989af1115} - c:\progra~1\window~3\datamngr\IEBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~3\toolbar\searchqudtx.dll
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BSDAppUpdater] c:\program files\common files\bsd\appupdater\BSDChecker.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [DATAMNGR] c:\progra~1\window~3\datamngr\DATAMN~1.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Save video on Savevid.com - c:\program files\savevid\redirect.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\window~3\datamngr\datamngr.dll c:\progra~1\window~3\datamngr\IEBHO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
uASetup: {194467C8-7736-4FF3-9D4C-DBA752D954CC} - msiexec /fauvs {194467C8-7736-4FF3-9D4C-DBA752D954CC} /qb
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\xqr6h879.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=405&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\paul\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32neur.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: browser.startup.page - 1
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-19 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-17 47640]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2009-12-14 90112]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-19 152320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-19 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-19 88480]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [2003-12-25 24192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-12-14 27632]
S2 mfevtp;McAfee Validation Trust Protection Service;"c:\program files\common files\mcafee\systemcore\mfevtps.exe" --> c:\program files\common files\mcafee\systemcore\mfevtps.exe [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-24 1684736]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-19 55456]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-19 51688]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-19 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-19 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-3-19 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-25 40552]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-12-14 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-12-14 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-12-14 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-12-14 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-12-14 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-12-14 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-12-14 109736]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S4 McShield;McShield;"c:\program files\common files\mcafee\systemcore\\mcshield.exe" --> c:\program files\common files\mcafee\systemcore\\mcshield.exe [?]
S4 mfefire;McAfee Firewall Core Service;"c:\program files\common files\mcafee\systemcore\\mfefire.exe" --> c:\program files\common files\mcafee\systemcore\\mfefire.exe [?]
.
=============== Created Last 30 ================
.
2011-03-31 13:18:25 -------- d-----w- c:\docume~1\paul\applic~1\searchqutoolbar
2011-03-31 13:18:16 -------- d-----w- c:\program files\Windows Savevid Toolbar
2011-03-31 13:18:14 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{4DC9D39F-E342-4826-8E99-5A0EFA8682D7}
2011-03-31 13:18:13 -------- d-----w- c:\program files\Savevid
2011-03-31 13:18:04 -------- d-----w- c:\docume~1\paul\locals~1\applic~1\PackageAware
2011-03-30 07:03:09 -------- d-s---w- C:\ComboFix
2011-03-28 09:44:15 -------- d-----w- c:\docume~1\paul\applic~1\AVG
2011-03-25 17:29:39 -------- d-----w- c:\docume~1\paul\applic~1\AVG10
2011-03-25 17:27:37 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-25 17:27:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-25 16:50:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-23 13:26:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-23 13:26:29 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-23 13:26:29 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-23 13:26:29 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-23 13:26:29 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-23 13:26:29 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-23 13:26:29 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-23 13:26:29 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-20 12:34:32 -------- d-----w- c:\windows\E357C0E5050940F38216F70BD9F39441.TMP
2011-03-20 12:32:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Flypaper Studio
2011-03-20 12:31:17 -------- d-----w- c:\program files\Flypaper
2011-03-20 12:24:27 -------- d-----w- c:\program files\Trivantis
2011-03-15 09:02:43 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-14 15:48:07 -------- d-----w- C:\Working
2011-03-07 08:27:28 -------- d-----w- c:\program files\iPod
.
==================== Find3M ====================
.
2011-02-18 16:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, https://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3200820A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T1L0-c
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T1L0-c -> \??\IDE#DiskMAXTOR_STM3200820A______________________3.AAD___#6&107fc3b4&0&0 .1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A34427F
user & kernel MBR OK
.
============= FINISH: 13:36:14.52 ===============

attach.txt is attached

Many thanks

Paul
Attached Files
File Type: zip Attach.zip (5.2 KB, 65 views)
psj3809 is offline  
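The HijackThis log above is a flat list of "Oxx - ..." lines, and the interesting story in it is only visible when entries are correlated: the Searchqu toolbar (O2/O3), the DATAMNGR Run key (O4) and the two AppInit_DLLs entries (O20) all load from the same install root, and one McAfee service (O23) points at a binary that no longer exists. The script below is an added example, not code from the thread or from HijackThis, that parses that line format and applies those three checks to a constructed sample modelled on the log above. The mapping of the 8.3 short name PROGRA~1 to "Program Files" is an assumption (it is the usual alias on a default install), and the handling of unquoted O4 commands is a heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 line format, modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WINDOW~3\ToolBar\searchqudtx.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WINDOW~3\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WINDOW~3\Datamngr\DATAMN~1.EXE
O20 - AppInit_DLLs: C:\PROGRA~1\WINDOW~3\Datamngr\datamngr.dll C:\PROGRA~1\WINDOW~3\Datamngr\IEBHO.dll
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# Assumption: default 8.3 aliases on an English XP install.
SHORT_NAME_ALIASES = {"progra~1": "program files", "docume~1": "documents and settings"}


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    reason: str


def parse_entries(text):
    """Yield (section, body) for every 'Oxx - ...' line; anything else is ignored."""
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def module_paths(section, body):
    """Return the file paths an entry loads, following HJT's per-section layout."""
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is a whitespace-separated list, which is why installers use 8.3 names here.
        return body.split(":", 1)[1].split()
    if section == "O4":
        cmd = body.split("] ", 1)[1] if "] " in body else ""
        if cmd.startswith('"'):
            return [cmd[1:].split('"', 1)[0]]
        # Unquoted command: keep everything up to the first " -x" / " /x" switch (heuristic).
        return [re.split(r"\s+[-/]", cmd, maxsplit=1)[0].strip()] if cmd else []
    if section in ("O2", "O3", "O23"):
        field = body.rsplit(" - ", 1)[-1]
        return [field.replace("(file missing)", "").strip().strip('"')]
    return []


def install_root(path):
    """First two directory components after the drive, lower-cased: 'program files\\avg'."""
    parts = [SHORT_NAME_ALIASES.get(p, p) for p in path.lower().split("\\")]
    return "\\".join(parts[1:3])


def analyze(text):
    """Flag AppInit_DLLs, orphaned services, and anything sharing an AppInit install root."""
    loaded, findings = [], []
    for section, body in parse_entries(text):
        for path in module_paths(section, body):
            loaded.append((section, path))
            if section == "O20":
                findings.append(Finding(section, path,
                                        "AppInit_DLLs loads this DLL into every process that maps user32.dll"))
            if section == "O23" and "(file missing)" in body:
                findings.append(Finding(section, path,
                                        "service points at a missing binary (leftover of an uninstall)"))
    appinit_roots = {install_root(p) for s, p in loaded if s == "O20"}
    for section, path in loaded:
        if section != "O20" and install_root(path) in appinit_roots:
            findings.append(Finding(section, path,
                                    f"same install root as an AppInit_DLLs entry ({install_root(path)})"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4} {f.path}\n     {f.reason}")
```

Run against the sample it reports the two Datamngr DLLs, the Searchqu BHO/toolbar and Run key as one package, and the orphaned mfevtp service, while leaving the AVG entries alone. Point it at a real log by replacing SAMPLE_LOG with the file contents; the root-clustering check is what turns five unrelated-looking lines into one removal target.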
Old 04-08-2011, 06:01 AM   #2
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Hello and welcome to TSF.

I am not seeing the GMER scan results (Ark.txt) attached. Did you have a problem running it?

Let's try this special version of gmer.


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than System drive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you still have trouble, try running the scan in Safe Mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------

If you still have difficulty, run the scan with ONLY the Sections and C drive boxes ticked.

amateur is offline  
Old 04-09-2011, 01:22 AM   #3
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Hi

Thanks for getting back to me. I downloaded that file and ran it, the report is attached.

That 'biggie' in red down the bottom of the list doesn't look good! (MBR code has been found!)

Look forward to hearing from you
Attached Files
File Type: txt gmer.txt (11.5 KB, 71 views)
psj3809 is offline  
Old 04-09-2011, 04:25 AM   #4
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Yes, GMER confirms that the Master Boot Record is infected.

We'll need to employ Combofix. However, AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the infection.

After uninstalling AVG from the Control Panel, also run the AVG remover from their site.

AVG - Download tools

direct link to the AVG Remover:

https://download.avg.com/filedir/util..._2011_1149.exe

You may also use this tool to uninstall AVG:
https://www.appremover.com/appremover/avg/AppRemover.exe

Instructions:
Using AppRemover - OPSWAT AppRemover

======================

I also see some remnants of McAfee, probably from an earlier installation. Use the following tool for complete removal of McAfee.

Download the McAfee Removal Tool.

Double click on MCPR.exe to launch it, then click Run. A window should appear and disappear; this is normal. A new window should pop up and begin the uninstall. When prompted to reboot your computer, type Y.

--------------

Meanwhile, please do not surf the web until the machine is cleaned and re-furnished with an antivirus. Until then, use the computer only to communicate with us.

======================

Please download ComboFix from one of these locations:

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how, please look in here:

    How to disable your security applications

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
amateur is offline  
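The diagnosis in this post rests on the MBR: GMER reads the first sector of the disk, disassembles the bootstrap code (the XOR AX,AX / MOV SS,AX / MOV SP,0x7C00 prologue in the "Disk trace" above) and compares what it sees from user mode and kernel mode. The script below is an added example, not code from GMER, ComboFix or this thread, that shows the defender-side version of that check: parse the 512-byte sector into bootstrap code, partition table and boot signature, compare the code against a baseline hash recorded when the machine was known clean, and measure the unpartitioned space after the last partition, which is where some bootkits keep their payload. The bootstrap bytes, partition geometry and disk size are all constructed; real MBR code differs between Windows versions, so the baseline must be taken from the machine itself.

```python
import hashlib
import struct
import sys

SECTOR = 512
PT_OFFSET = 0x1BE           # partition table starts at byte 446
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR from bootstrap code and (bootable, type, lba_start, count) tuples."""
    code = bootcode[:PT_OFFSET].ljust(PT_OFFSET, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3, ptype, b"\x00" * 3, start, count)
        for bootable, ptype, start, count in partitions
    ).ljust(64, b"\x00")     # CHS fields zeroed; modern loaders use the LBA fields
    return code + table + SIGNATURE


def parse_mbr(sector):
    """Split a sector into bootstrap code and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[SECTOR - 2:] != SIGNATURE:
        raise ValueError("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": start, "sectors": count})
    return {"code": sector[:PT_OFFSET], "partitions": partitions}


def check_mbr(sector, baseline_code_sha256):
    """Return a list of integrity problems; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    problems = []
    if hashlib.sha256(info["code"]).hexdigest() != baseline_code_sha256:
        problems.append("bootstrap code differs from the recorded baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        problems.append(f"expected one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            problems.append("partition entry with zero start or length")
    return problems


def unpartitioned_tail(sector, disk_sectors):
    """Sectors after the last partition ends: unallocated space a bootkit can use without a file system."""
    info = parse_mbr(sector)
    last_end = max((p["lba_start"] + p["sectors"] for p in info["partitions"]), default=0)
    return max(disk_sectors - last_end, 0)


# Constructed stand-in for clean bootstrap code: the first bytes mirror the prologue in the
# GMER trace (XOR AX,AX; MOV SS,AX; MOV SP,0x7C00; STI), the rest is NOP padding.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007cfb") + b"\x90" * 438
# Constructed tampered copy: the prologue replaced by a short jump, partition table untouched.
TAMPERED_CODE = b"\xEB\x10" + CLEAN_CODE[2:]
PARTITIONS = [(True, 0x07, 63, 390_716_865)]      # one active NTFS partition (constructed geometry)
DISK_SECTORS = 390_721_968                        # constructed disk size in sectors

CLEAN_MBR = build_mbr(CLEAN_CODE, PARTITIONS)
BASELINE = hashlib.sha256(CLEAN_MBR[:PT_OFFSET]).hexdigest()
TAMPERED_MBR = build_mbr(TAMPERED_CODE, PARTITIONS)

if __name__ == "__main__":
    # Optionally read a real sector: e.g. \\.\PhysicalDrive0 on Windows (needs administrator rights).
    sector = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else TAMPERED_MBR
    print("partitions:", parse_mbr(sector)["partitions"])
    print("problems:", check_mbr(sector, BASELINE) or "none")
    print("unpartitioned tail sectors:", unpartitioned_tail(sector, DISK_SECTORS))
```

The point the tampered sample makes is the one GMER relies on: a bootkit that replaces the 446 bytes of code leaves the partition table byte-for-byte identical, so a partition listing looks healthy and only a comparison of the code region against a known-good copy reveals the change. Recording BASELINE from a freshly imaged machine, and re-checking it from a clean boot medium rather than from the possibly hooked running system, is what makes the check trustworthy.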
Old 04-09-2011, 09:41 AM   #5
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Hi, I ran that program to de-install AVG; I tried to do it for McAfee but still had issues with that.

Ran ComboFix and the report is attached, thanks.


ComboFix 11-04-08.03 - Paul 09/04/2011 17:29:45.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1657 [GMT 1:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Paul\Application Data\Adobe\plugs
c:\documents and settings\Paul\Application Data\Adobe\shed
c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\xqr6h879.default\searchplugins\SearchquWebSearch.xml
c:\documents and settings\Paul\GoToAssistDownloadHelper.exe
c:\documents and settings\Paul\Templates\704g2smt3les0vhg27bh254kl6878srlwy60
c:\documents and settings\Paul\Templates\d370ib50k8d5s35bk41t72fyy28xc84
c:\documents and settings\Paul\Templates\y4e5e16p1jmqr7q2nr5e267h1
c:\documents and settings\Paul\WINDOWS
c:\program files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
c:\windows\system32\system
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
.
.
2011-04-09 15:59 . 2011-04-09 16:00 -------- d-----w- C:\32788R22FWJFW
2011-04-07 10:15 . 2011-04-07 10:15 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-07 09:53 . 2011-04-07 10:14 -------- d-----w- c:\program files\Avanquest update
2011-04-06 08:58 . 2011-04-06 08:58 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Identities
2011-04-06 08:58 . 2011-04-06 08:58 -------- d-----w- c:\documents and settings\Paul\Application Data\Umny
2011-04-05 12:17 . 2011-04-05 12:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-05 08:56 . 2011-04-05 10:57 -------- d-----w- c:\documents and settings\Paul\Application Data\2D6B690E48292164B1809414B9AD3840
2011-04-04 07:03 . 2011-04-04 07:03 -------- d-----w- C:\found.000
2011-03-31 13:18 . 2011-04-03 15:26 -------- d-----w- c:\documents and settings\Paul\Application Data\searchqutoolbar
2011-03-31 13:18 . 2011-04-03 15:26 -------- d-----w- c:\program files\Windows Savevid Toolbar
2011-03-31 13:18 . 2011-04-03 15:26 -------- dc----w- c:\documents and settings\All Users\Application Data\{4DC9D39F-E342-4826-8E99-5A0EFA8682D7}
2011-03-31 13:18 . 2011-03-31 13:18 -------- d-----w- c:\program files\Savevid
2011-03-25 16:50 . 2011-03-25 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-23 13:26 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-23 13:26 . 2011-03-18 17:57 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-23 13:26 . 2011-03-18 17:57 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-23 13:26 . 2011-03-18 17:57 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-23 13:26 . 2011-03-18 17:57 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-23 13:26 . 2011-03-18 17:57 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-23 13:26 . 2011-03-18 17:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-23 13:26 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-20 12:37 . 2011-03-20 12:37 -------- d-----w- c:\program files\TechSmith
2011-03-20 12:34 . 2011-03-20 12:51 -------- d-----w- c:\windows\E357C0E5050940F38216F70BD9F39441.TMP
2011-03-20 12:32 . 2011-03-20 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Flypaper Studio
2011-03-20 12:31 . 2011-03-20 12:50 -------- d-----w- c:\program files\Flypaper
2011-03-20 12:24 . 2011-03-20 12:28 -------- d-----w- c:\program files\Trivantis
2011-03-15 09:02 . 2011-03-15 09:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-14 15:48 . 2011-03-14 15:48 -------- d-----w- C:\Working
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 16:36 . 2011-01-10 08:23 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-01-10 08:23 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-03-18 17:57 . 2011-03-23 13:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-04-14 11:29 . 2010-04-29 12:50 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-01 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mfevtp"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
.
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [25/12/2003 05:00 24192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [14/12/2009 17:45 27632]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [14/12/2009 17:44 90112]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [24/11/2009 15:02 1684736]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [14/12/2009 17:45 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [14/12/2009 17:45 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [14/12/2009 17:45 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [14/12/2009 17:45 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [14/12/2009 17:45 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [14/12/2009 17:45 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [14/12/2009 17:45 109736]
S4 AMService;AMService;c:\windows\TEMP\sbji\setup.exe run --> c:\windows\TEMP\sbji\setup.exe run [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-05-13 c:\windows\Tasks\AdobeAAMUpdater-1.0-HOME-285AD67F9B-Paul.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-05-12 02:44]
.
2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{8DFAE4A4-EE69-412A-88C8-7F920EF938F0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\xqr6h879.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=405&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: browser.startup.page - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-09 17:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\LMIinit.dll
.
Completion time: 2011-04-09 17:39:34
ComboFix-quarantined-files.txt 2011-04-09 16:39
ComboFix2.txt 2010-05-13 16:27
.
Pre-Run: 74,342,502,400 bytes free
Post-Run: 74,674,372,608 bytes free
.
- - End Of File - - E81D57F2AB7E7315C00F6425664B305E
Attached Files: ComboFix.txt (15.9 KB)
psj3809 is offline  
Old 04-09-2011, 12:30 PM   #6
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Hi,

Have the redirects stopped now?

We have more work to do, but I would like to clear up a couple of points first.

First of all, I see that you have also posted for help at TSG. Please advise them that you've received help and ask them to close the topic since you have not received a reply there yet, as stated in our pre-posting sticky:

Quote:
NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already
posted at another Forum, please advise us, or them, and choose just one.
=====================

Quote:
I ran that program to de-install AVG, tried to do it for McAfee but still had issues with that
Good. What kind of issues with McAfee? Are you still using the McAfee firewall?

=====================
  • Open Notepad (Start > All Programs > Accessories > Notepad). (It must be Notepad, not WordPad, or it won't work.)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Code:
DirLook::
c:\documents and settings\Paul\Application Data\2D6B690E48292164B1809414B9AD3840

Firefox::
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\xqr6h879.default\
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=405&q=

File::
c:\documents and settings\Paul\Application Data\searchqutoolbar
c:\windows\E357C0E5050940F38216F70BD9F39441.TMP
C:\found.000
Save this as CFScript.txt on your Desktop.



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


=================

I see that you have Malwarebytes' Anti-Malware already installed.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Launch Malwarebytes', and select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

P.S.: We prefer that you post the logs rather than attach them, unless specifically asked to do so or you have a problem posting.
amateur is offline  
Old 04-09-2011, 01:24 PM   #7
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Apologies, I originally posted at that other site, who are very good, but my post seemed to have been ignored (newer posts had been replied to), so I posted here.

I haven't used McAfee Firewall for quite some time; I've been trying to cleanse my machine of McAfee but there still seem to be remnants. I bought AVG a while back so I don't use McAfee at all.

Anyway here are the files...

ComboFix....

ComboFix 11-04-08.03 - Paul 09/04/2011 21:04:48.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1555 [GMT 1:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\documents and settings\Paul\Application Data\searchqutoolbar"
"C:\found.000"
"c:\windows\E357C0E5050940F38216F70BD9F39441.TMP"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
H:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
.
.
2011-04-07 10:15 . 2011-04-07 10:15 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-07 09:53 . 2011-04-07 10:14 -------- d-----w- c:\program files\Avanquest update
2011-04-06 08:58 . 2011-04-06 08:58 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Identities
2011-04-06 08:58 . 2011-04-06 08:58 -------- d-----w- c:\documents and settings\Paul\Application Data\Umny
2011-04-05 12:17 . 2011-04-05 12:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-05 08:56 . 2011-04-05 10:57 -------- d-----w- c:\documents and settings\Paul\Application Data\2D6B690E48292164B1809414B9AD3840
2011-04-04 07:03 . 2011-04-04 07:03 -------- d-----w- C:\found.000
2011-03-31 13:18 . 2011-04-03 15:26 -------- d-----w- c:\documents and settings\Paul\Application Data\searchqutoolbar
2011-03-31 13:18 . 2011-04-03 15:26 -------- d-----w- c:\program files\Windows Savevid Toolbar
2011-03-31 13:18 . 2011-04-03 15:26 -------- dc----w- c:\documents and settings\All Users\Application Data\{4DC9D39F-E342-4826-8E99-5A0EFA8682D7}
2011-03-31 13:18 . 2011-03-31 13:18 -------- d-----w- c:\program files\Savevid
2011-03-25 16:50 . 2011-03-25 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-23 13:26 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-23 13:26 . 2011-03-18 17:57 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-23 13:26 . 2011-03-18 17:57 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-23 13:26 . 2011-03-18 17:57 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-23 13:26 . 2011-03-18 17:57 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-23 13:26 . 2011-03-18 17:57 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-23 13:26 . 2011-03-18 17:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-23 13:26 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-20 12:37 . 2011-03-20 12:37 -------- d-----w- c:\program files\TechSmith
2011-03-20 12:34 . 2011-03-20 12:51 -------- d-----w- c:\windows\E357C0E5050940F38216F70BD9F39441.TMP
2011-03-20 12:32 . 2011-03-20 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Flypaper Studio
2011-03-20 12:31 . 2011-03-20 12:50 -------- d-----w- c:\program files\Flypaper
2011-03-20 12:24 . 2011-03-20 12:28 -------- d-----w- c:\program files\Trivantis
2011-03-15 09:02 . 2011-03-15 09:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-14 15:48 . 2011-03-14 15:48 -------- d-----w- C:\Working
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 16:36 . 2011-01-10 08:23 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-01-10 08:23 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-03-18 17:57 . 2011-03-23 13:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-04-14 11:29 . 2010-04-29 12:50 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Paul\Application Data\2D6B690E48292164B1809414B9AD3840 ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-09_16.38.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-09 19:58 . 2011-04-09 19:58 16384 c:\windows\temp\Perflib_Perfdata_510.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-01 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mfevtp"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
.
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [25/12/2003 05:00 24192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [14/12/2009 17:45 27632]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [14/12/2009 17:44 90112]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [24/11/2009 15:02 1684736]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [14/12/2009 17:45 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [14/12/2009 17:45 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [14/12/2009 17:45 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [14/12/2009 17:45 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [14/12/2009 17:45 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [14/12/2009 17:45 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [14/12/2009 17:45 109736]
S4 AMService;AMService;c:\windows\TEMP\sbji\setup.exe run --> c:\windows\TEMP\sbji\setup.exe run [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-05-13 c:\windows\Tasks\AdobeAAMUpdater-1.0-HOME-285AD67F9B-Paul.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-05-12 02:44]
.
2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{8DFAE4A4-EE69-412A-88C8-7F920EF938F0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\xqr6h879.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: browser.startup.page - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-09 21:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\LMIinit.dll
.
Completion time: 2011-04-09 21:14:15
ComboFix-quarantined-files.txt 2011-04-09 20:14
ComboFix2.txt 2011-04-09 16:39
ComboFix3.txt 2010-05-13 16:27
.
Pre-Run: 74,693,455,872 bytes free
Post-Run: 74,671,026,176 bytes free
.
- - End Of File - - 1CBB8FCBCE32C9FA3760AF939CE1EAD4


Malwarebytes - Now I couldn't update the program for this as I don't seem to have a net connection on that machine; I'll explain more after this paste...

Malwarebytes' Anti-Malware 1.45
Malwarebytes

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

09/04/2011 21:18:47
mbam-log-2011-04-09 (21-18-47).txt

Scan type: Quick scan
Objects scanned: 91251
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Before I ran ComboFix I could get on to the internet. I've had a look at the device manager and under Network adapters...

Realtek RTL8169/8110 Family Gigabit Ethernet NIC (all working)
Realtek RTL8169/8110 Family Gigabit Ethernet NIC - McAfee Core NDIS Intermediate Filter Miniport (yellow exclamation next to it)
Sony Ericsson Device 0017 USB Ethernet Emulation (NDIS 5) - McAfee Core NDIS Intermediate Filter Miniport (yellow exclamation next to it)
WAN Miniport (IP) - McAfee Core NDIS Intermediate Filter Miniport (yellow exclamation next to it)

Unsure how to fix the above; despite having my network cable plugged in it won't connect to the net or anything (I presume because of the above).

Many thanks for reading
psj3809 is offline  
Old 04-09-2011, 02:38 PM   #8
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Hi,

It's important that I get a reply to this question.

Quote:
Have the redirects stopped now?
====================

About the internet connection issue, reboot the machine and see if you can connect to the internet.

If the issues continue, uninstall the McAfee Core NDIS Intermediate Filter Miniport adapters if they are still present in your Device Manager. They should have been removed by the McAfee Removal Tool which I linked you to earlier.

You can follow the steps outlined below to uninstall the adapters, but do not re-install them.

https://kc.mcafee.com/corporate/inde...ent&id=KB51676

-------------

If still no connection, continue with the following:

Right click on Network icon in the notification area in the lower right corner of Desktop & select "Repair".

Go to Start -> Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
  • Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on Properties.
  • Select the Networking Tab
  • Double click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Click OK twice, and restart your computer. If still no connection, try the following:

Click Start>Run type cmd and hit OK
Next, type in the following text:

ipconfig /flushdns

(**Note: that space between g and / is needed)

Press Enter
Type Exit.

------------

Reset WINSOCK entries to installation defaults:

Open a command window (Start -> Run -> type cmd and press Enter)

type or copy/paste the following at the command prompt, then press Enter.

netsh winsock reset catalog

--------------

Reset TCP/IP stack to installation defaults:

type or copy/paste the following at the command prompt, then press Enter.

netsh int ip reset reset.log

Reboot the machine and check your connection and let me know.


====================

Your native Windows firewall was disabled by McAfee when installed. We'll re-enable it now and clean up the remnants of McAfee.
  • Open Notepad (Start>All programs>Accessories>Notepad) (It must be Notepad, not WordPad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If ComboFix prompts for an update, please allow it.

Code:
DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mfevtp"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000

SecCenter::
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

File::
c:\windows\TEMP\sbji\setup.exe

Driver::
AMService
Save this as CFScript.txt on your Desktop.



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
amateur is offline  
Old 04-09-2011, 08:03 PM   #9
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Hi, thanks for the quick replies.

The redirection doesn't seem to be happening but without a net connection I can't tell for sure. In a temp folder under Local Settings/Network Services there were often strangely named directories full of 'web pages' which I tried deleting previous to your emails, but they just kept re-appearing seconds after I tried deleting them. They all seemed to have disappeared and have not come back.

I ran the MCPR file again and it finished with 'cleanup successful' and I rebooted; it still mentions McAfee though under the network adapters. There's nothing with McAfee in the title under add/remove programs.

I tried following those steps on the webpage about uninstalling McAfee NDIS; every time I type in any of those commands it says 'System error 1060 has occurred. The specified service does not exist as an installed service', so it 'seems' to be suggesting it's not installed (but obviously under my device manager it seems to show it's there!?). Those 3 options under Network adapters, should I right click and choose uninstall so it leaves the one remaining one (which is green)?

Under Network connections its blank, nothing showing.

I tried to create a new connection by selecting -

Create a new connection/Connect to the internet/Set up my connection manually/Connect using a broadband connection that is always on/Finish, but nothing appears.

I then started running through those commands you mentioned via the command prompt and rebooted when you mentioned. Still nothing when I try to connect to the net (because there doesn't seem to be anything set up under network services).

I created that CFScript and ran it with ComboFix. The results are....

ComboFix 11-04-08.03 - Paul 10/04/2011 3:47.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1555 [GMT 1:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point
.
FILE ::
"c:\windows\TEMP\sbji\setup.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSERVICE
-------\Service_AMService
.
.
((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
.
.
2011-04-09 20:15 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 20:15 . 2011-04-09 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-09 20:15 . 2011-04-09 20:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 20:15 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 10:15 . 2011-04-07 10:15 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-07 09:53 . 2011-04-07 10:14 -------- d-----w- c:\program files\Avanquest update
2011-04-06 08:58 . 2011-04-06 08:58 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Identities
2011-04-06 08:58 . 2011-04-06 08:58 -------- d-----w- c:\documents and settings\Paul\Application Data\Umny
2011-04-05 12:17 . 2011-04-05 12:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-05 08:56 . 2011-04-05 10:57 -------- d-----w- c:\documents and settings\Paul\Application Data\2D6B690E48292164B1809414B9AD3840
2011-04-04 07:03 . 2011-04-04 07:03 -------- d-----w- C:\found.000
2011-03-31 13:18 . 2011-04-03 15:26 -------- d-----w- c:\documents and settings\Paul\Application Data\searchqutoolbar
2011-03-31 13:18 . 2011-04-03 15:26 -------- d-----w- c:\program files\Windows Savevid Toolbar
2011-03-31 13:18 . 2011-04-03 15:26 -------- dc----w- c:\documents and settings\All Users\Application Data\{4DC9D39F-E342-4826-8E99-5A0EFA8682D7}
2011-03-31 13:18 . 2011-03-31 13:18 -------- d-----w- c:\program files\Savevid
2011-03-25 16:50 . 2011-03-25 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-23 13:26 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-23 13:26 . 2011-03-18 17:57 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-23 13:26 . 2011-03-18 17:57 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-23 13:26 . 2011-03-18 17:57 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-23 13:26 . 2011-03-18 17:57 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-23 13:26 . 2011-03-18 17:57 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-23 13:26 . 2011-03-18 17:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-23 13:26 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-20 12:37 . 2011-03-20 12:37 -------- d-----w- c:\program files\TechSmith
2011-03-20 12:34 . 2011-03-20 12:51 -------- d-----w- c:\windows\E357C0E5050940F38216F70BD9F39441.TMP
2011-03-20 12:32 . 2011-03-20 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Flypaper Studio
2011-03-20 12:31 . 2011-03-20 12:50 -------- d-----w- c:\program files\Flypaper
2011-03-20 12:24 . 2011-03-20 12:28 -------- d-----w- c:\program files\Trivantis
2011-03-15 09:02 . 2011-03-15 09:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-14 15:48 . 2011-03-14 15:48 -------- d-----w- C:\Working
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 16:36 . 2011-01-10 08:23 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-01-10 08:23 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-03-18 17:57 . 2011-03-23 13:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-04-14 11:29 . 2010-04-29 12:50 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( [email protected]_16.38.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-10 02:57 . 2011-04-10 02:57 16384 c:\windows\temp\Perflib_Perfdata_508.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 18:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-06 18750976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-01 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
.
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [14/12/2009 17:44 90112]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [25/12/2003 05:00 24192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [14/12/2009 17:45 27632]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [24/11/2009 15:02 1684736]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [14/12/2009 17:45 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [14/12/2009 17:45 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [14/12/2009 17:45 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [14/12/2009 17:45 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [14/12/2009 17:45 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [14/12/2009 17:45 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [14/12/2009 17:45 109736]
.
Contents of the 'Scheduled Tasks' folder
.
2010-05-13 c:\windows\Tasks\AdobeAAMUpdater-1.0-HOME-285AD67F9B-Paul.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-05-12 02:44]
.
2011-04-10 c:\windows\Tasks\User_Feed_Synchronization-{8DFAE4A4-EE69-412A-88C8-7F920EF938F0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\xqr6h879.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: browser.startup.page - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-10 03:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3720)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-10 04:01:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-10 03:01
ComboFix2.txt 2011-04-09 20:14
ComboFix3.txt 2011-04-09 16:39
ComboFix4.txt 2010-05-13 16:27
.
Pre-Run: 74,639,532,032 bytes free
Post-Run: 74,617,982,976 bytes free
.
- - End Of File - - 82023F286B260DE6E765726DE1726958
psj3809 is offline  
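A small checker for the kind of evidence these logs carry (the gcoogle.co.uk homepage and the user.js lines that switch off security warnings), added here as an example; it is not from the thread or from DDS/ComboFix. The sample lines are copied from the log above; the trusted-host list and the weak-preference table are assumptions of the example.

```python
"""Flag suspicious Firefox/IE start-page lines in a DDS or ComboFix log.

Added example for this thread; it is not part of the forum post nor of the
DDS/ComboFix tools. It parses the 'uStart Page' and 'FF - prefs.js/user.js'
lines both tools print, and reports (a) user.js overrides that switch off
security warnings and (b) homepages whose host is a near-miss of a trusted
domain, like the gcoogle.co.uk homepage in this thread. TRUSTED_HOSTS and
WEAK_PREFS are this example's own assumptions.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.co.uk/
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: browser.startup.page - 1
"""

# user.js overrides that silence a security warning (assumed table).
WEAK_PREFS = {
    "security.warn_viewing_mixed": "false",
    "security.warn_viewing_mixed.show_once": "false",
    "security.warn_submit_insecure": "false",
    "security.warn_submit_insecure.show_once": "false",
}

TRUSTED_HOSTS = ["google.co.uk", "google.com"]  # assumed allowlist
MAX_DISTANCE = 2  # hosts this close to a trusted one count as lookalikes

PREF_RE = re.compile(r"^FF - (prefs|user)\.js: (\S+) - (.*)$")
START_RE = re.compile(r"^uStart Page = (\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Host of a DDS-style defanged URL (hxxp://), without a leading www."""
    url = url.replace("hxxps://", "https://").replace("hxxp://", "http://")
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def lookalike_of(host: str) -> Optional[str]:
    """Closest trusted host within MAX_DISTANCE edits, or None if clean."""
    if host in TRUSTED_HOSTS:
        return None
    best = min(TRUSTED_HOSTS, key=lambda t: levenshtein(host, t))
    return best if levenshtein(host, best) <= MAX_DISTANCE else None


def scan_log(text: str) -> List[str]:
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            host = host_of(m.group(1))
            imitated = lookalike_of(host)
            if imitated:
                findings.append(f"IE start page {host} imitates {imitated}")
            continue
        m = PREF_RE.match(line)
        if not m:
            continue
        origin, pref, value = m.groups()
        if origin == "user" and WEAK_PREFS.get(pref) == value:
            findings.append(f"user.js sets {pref}={value}")
        if pref == "browser.startup.homepage":
            host = host_of(value)
            imitated = lookalike_of(host)
            if imitated:
                findings.append(f"{origin}.js homepage {host} imitates {imitated}")
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against a whole DDS or ComboFix log, it flags the two homepage lines and the two user.js warning overrides from this thread while leaving the genuine google.co.uk start page alone.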
Old 04-09-2011, 08:44 PM   #10
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Hi,

Quote:
Those 3 options under Network adapters, should i right click and choose uninstall so it leaves the one remaining one (which is green) ?
I am inclined to say "yes, go ahead and uninstall them in safe mode", but this is a networking issue and not quite my cup of tea. So, I would like to get some consultation on that if you don't mind waiting a while.
amateur is offline  
Old 04-09-2011, 09:51 PM   #11
2xg
TSF Team, Emeritus
 
Join Date: Aug 2009
Location: SoCal
Posts: 20,454
OS: Windows O/S'es



Hello,

Amateur has invited me here and I'll see what I can do. Pls. try the following recommendations:

Can't find anywhere in your posts whether your XP has SP3. Make sure that you have SP3.

Check your browser's settings, remove or uncheck any proxy settings if found; here's how.

Try resetting your Windows Hosts File to default by clicking on the Fix It Tool button here's how.

Test your internet connection after.

If you still can't connect, please provide us snapshots of the Device Manager with Network Adapters expanded.

Pls. provide an ipconfig /all:
Click on Start => in the run or search box type cmd, press enter. Open up a command prompt, then copy and paste this: ipconfig /all >c:\ipconfig.txt . Please attach the .txt file, to be found in your Local Disk 'C', on your next post.

Please post your progress.
2xg is offline  
Old 04-09-2011, 11:59 PM   #12
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Hi, yes it's SP3.

I tried doing all those proxy settings in IE and Firefox. Still nothing. I created that new hosts file (I opened up the old one to check and it only had that one line at the bottom, basically the same as the new one).

I've attached a screenshot of the network adapters. Like I say, under network connections it's blank; if I try to create a new connection and go through the steps, at the end nothing appears like an icon. There's no TCP/IP icon or anything either. Windows doesn't seem to have any network adapters set up at all.

I ran that line in DOS about ipconfig. It created the ipconfig.txt file and the reason I haven't attached it is that if I open it up...

Windows IP Configuration

That's all it has, no other settings/lines etc.
Attached Images
File Type: bmp network.bmp (222.4 KB, 58 views)
psj3809 is offline  
Old 04-10-2011, 12:13 AM   #13
2xg
TSF Team, Emeritus
 
Join Date: Aug 2009
Location: SoCal
Posts: 20,454
OS: Windows O/S'es



Thanks for the snap shots, go ahead and right click each one with Yellow ! and choose uninstall, reboot your computer and let Windows reinstall all the Drivers needed.

Verify that all your Network Services are Started. Type services.msc from the run box then press enter:
• COM+ Event System (for WZC issues)
• Computer Browser
• DHCP Client
• DNS Client
• Network Connections
• Network Location Awareness
• Remote Procedure Call (RPC)
• Server
• TCP/IP Netbios helper
• Workstation
2xg is offline  
Old 04-10-2011, 12:31 AM   #14
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



I've disabled those 3 network adapters as it wouldn't let me uninstall them. When I tried to uninstall them it would say 'Failed to uninstall the device. The device may be required to boot up the computer'.

I've gone into safe mode to see if I could do it there, but the same thing.

I typed services.msc and could see all of those names you mentioned in the list so that all seems there.

But again under network there's nothing there whatsoever.

Another thing - probably tiny. When the 'malware' took over my computer all the programs I had pinned to the task bar at the bottom disappeared and the 'draggable' tab seems constantly locked right next to the start button. It's not locked or anything but I can't drag this away or drag anything onto the taskbar, which is quite weird.
psj3809 is offline  
Old 04-10-2011, 12:34 AM   #15
2xg
TSF Team, Emeritus
 
Join Date: Aug 2009
Location: SoCal
Posts: 20,454
OS: Windows O/S'es



Do you have your XP CD? Let's try an XP Repair.
2xg is offline  
Old 04-10-2011, 02:12 AM   #16
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Okay, well I followed the instructions about the XP Repair.

Did the long setup with the Win XP CD. Finally finished, back into Windows, I checked the device manager and it still had those 3 'rogue' network connections. Only this time I could right click and uninstall without XP moaning.

Rebooted as you said Windows would attempt to fix/install these itself.

Gone back into the device manager and the only one active and there is Realtek RTL8169/8110 Family Gigabit Ethernet NIC.

(Still can't get online)

Despite changing the homepage to Google it's still reverted back to the dodgy gcoogle.co.uk.
psj3809 is offline  
Old 04-10-2011, 04:51 AM   #17
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Thanks 2xg.


Paul,

How are you connected to the internet, wired or wireless? Are you able to connect to the internet via ethernet cable?

Please post a fresh set of logs from DDS and GMER. You may need to rename Attach.txt to Attach2.txt.
amateur is offline  
Old 04-10-2011, 07:31 AM   #18
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Here are the scans below. Twice now a popup appears which says Microsoft Feeds Synchronization, an error has occurred, send error report/don't send etc. Unsure what that's about.

DDS scan....

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Paul at 15:23:48.53 on 10/04/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1582 [GMT 1:00]
.
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\xqr6h879.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\paul\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32neur.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: browser.startup.page - 1
.
============= SERVICES / DRIVERS ===============
.
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-17 47640]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2009-12-14 90112]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [2003-12-25 24192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-12-14 27632]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-24 1684736]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-12-14 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-12-14 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-12-14 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-12-14 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-12-14 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-12-14 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-12-14 109736]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-04-10 0924 172032 ----a-r- c:\windows\system32\igfxres.dll
2011-04-10 08:54:59 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe
2011-04-10 08:53:58 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2011-04-10 08:52:53 -------- d--h--w- c:\program files\WindowsUpdate
2011-04-10 08:52:45 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-04-10 08:52:45 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-04-10 08:51:00 44544 -c--a-w- c:\windows\system32\dllcache\tscupgrd.exe
2011-04-10 08:51:00 44544 ----a-w- c:\windows\system32\tscupgrd.exe
2011-04-10 08:10:55 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-04-10 08:10:55 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-04-10 08:10:55 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-04-10 08:10:55 13312 ----a-w- c:\windows\system32\irclass.dll
2011-04-10 08:10:38 13753 ----a-r- c:\windows\SET140.tmp
2011-04-10 08:10:36 1086058 ----a-r- c:\windows\SET134.tmp
2011-04-10 08:10:34 1042903 ----a-r- c:\windows\SET133.tmp
2011-04-09 20:15:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 20:15:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-09 20:15:35 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 20:15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 16:00:54 89088 ----a-w- c:\windows\MBR.exe
2011-04-09 16:00:53 98816 ----a-w- c:\windows\sed.exe
2011-04-09 16:00:53 256512 ----a-w- c:\windows\PEV.exe
2011-04-09 16:00:53 161792 ----a-w- c:\windows\SWREG.exe
2011-04-07 10:15:31 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-07 10:15:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-07 09:53:17 -------- d-----w- c:\program files\Avanquest update
2011-04-06 08:58:44 -------- d-----w- c:\docume~1\paul\locals~1\applic~1\Identities
2011-04-06 08:58:35 -------- d-----w- c:\docume~1\paul\applic~1\Umny
2011-04-05 08:56:50 -------- d-----w- c:\docume~1\paul\applic~1\2D6B690E48292164B1809414B9AD3840
2011-04-04 07:03:52 -------- d-----w- C:\found.000
2011-03-31 13:18:25 -------- d-----w- c:\docume~1\paul\applic~1\searchqutoolbar
2011-03-31 13:18:16 -------- d-----w- c:\program files\Windows Savevid Toolbar
2011-03-31 13:18:14 -------- dc----w- c:\docume~1\alluse~1\applic~1\{4DC9D39F-E342-4826-8E99-5A0EFA8682D7}
2011-03-31 13:18:13 -------- d-----w- c:\program files\Savevid
2011-03-25 16:50:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-23 13:26:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-23 13:26:29 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-23 13:26:29 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-23 13:26:29 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-23 13:26:29 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-23 13:26:29 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-23 13:26:29 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-23 13:26:29 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-20 12:34:32 -------- d-----w- c:\windows\E357C0E5050940F38216F70BD9F39441.TMP
2011-03-20 12:32:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Flypaper Studio
2011-03-20 12:31:17 -------- d-----w- c:\program files\Flypaper
2011-03-20 12:24:27 -------- d-----w- c:\program files\Trivantis
2011-03-15 09:02:43 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-14 15:48:07 -------- d-----w- C:\Working
.
==================== Find3M ====================
.
2011-02-18 16:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
============= FINISH: 15:24:39.75 ===============


Attach.txt...

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/04/2011 09:55:53
System Uptime: 10/04/2011 15:22:18 (0 hours ago)
.
Motherboard: FOXCONN | | G33M03
Processor: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz | SOCKET775 M/B | 2332/333mhz
Processor: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz | SOCKET775 M/B | 2332/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 186 GiB total, 74.624 GiB free.
D: is FIXED (FAT32) - 466 GiB total, 94.652 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&1400782C&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&1400782C&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP1: 10/04/2011 1038 - System Checkpoint
.
==== Installed Programs ======================
.
#1 DVD Ripper 8.0.6
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe Captivate 4
Adobe Captivate 5
Adobe Captivate Quiz Results Analyzer
Adobe Captivate Reviewer
Adobe Captivate Reviewer 1.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Community Help
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Dreamweaver CS3
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS3
Adobe Extension Manager CS4
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 Professional
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS3
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advertising Center
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Articulate Studio '09 Pro
Audacity 1.2.6
AutoUpdate
AVG 2011
Bonjour
CCleaner
CDisplay 1.8
CoffeeCup Flash Website Search - Registered
CoffeeCup Photo Gallery - Registered
CoffeeCup Web Video Player - Registered
Connect
Convert AVI to MP4 1.3
CuteFTP 8 Professional
DivX
DivX Player
DolbyFiles
EditPlus 3
EPSON Scan
EPSON SX600FW Series Printer Uninstall
ESET Online Scanner v3
ffdshow [rev 2975] [2009-05-28]
Flypaper For Lectora
Free FLV Converter V 6.7.4
Free Video to MP3 Converter version 3.2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImagXpress
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 20
kuler
LAME v3.98.2 for Audacity
Lectora Inspire Demo
LSI PCI Soft Modem
LucasArts' Jedi Knight
LucasArts' Mysteries of the Sith
Madden NFL 07
Malwarebytes' Anti-Malware
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Movie Templates - Starter Kit
Mozilla Firefox 4.0 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero 9
Nero 9 Lite
Nero 9 Trial
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
neroxml
NVIDIA Drivers
PDF Settings CS4
Photoshop Camera Raw
Picasa 3
Pixel Bender Toolkit
PowerDVD
QuickTime
Raptivity Presenter
Raptivity Presenter Essential Pack
Raptivity Presenter Office Extension
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows XP (KB923789)
Segoe UI
Skype™ 5.1
Sonne Video Converter 11.1.0.2042
Sony Ericsson PC Suite 6.009.00
SoundTrax
Spectaculator 7.0.1
Star Wars Battlefront II
Star Wars JK II Jedi Outcast
Suite Shared Configuration CS4
TortoiseSVN 1.6.6.17493 (32 bit)
Tweak UI
Ultra Video Joiner 5.1.1104
Uninstall 1.0.0.1
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2492475)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2005 Tools for Office Second Edition Runtime
VLC media player 1.0.3
WebFldrs XP
WinAVI Video Converter
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
XviD MPEG-4 Video Codec
Zune Desktop Theme
.
==== Event Viewer Messages From Past Week ========
.
10/04/2011 09:58:26, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
10/04/2011 09:53:32, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
10/04/2011 08:28:02, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
09/04/2011 17:04:39, error: Service Control Manager [7034] - The Sony Ericsson OMSI download service service terminated unexpectedly. It has done this 1 time(s).
06/04/2011 14:56:47, error: Service Control Manager [7000] - The McAfee Validation Trust Protection Service service failed to start due to the following error: The system cannot find the path specified.
06/04/2011 14:56:47, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the file specified.
06/04/2011 13:40:07, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
06/04/2011 10:19:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
06/04/2011 10:18:15, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
06/04/2011 10:18:15, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
06/04/2011 10:18:15, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
06/04/2011 10:18:15, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/04/2011 10:18:15, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/04/2011 10:18:15, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
06/04/2011 10:18:15, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/04/2011 10:18:15, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/04/2011 10:18:00, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
06/04/2011 10:13:53, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
05/04/2011 17:17:42, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
05/04/2011 16:04:35, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
05/04/2011 11:55:42, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
04/04/2011 09:12:19, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
04/04/2011 08:42:45, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
03/04/2011 17:08:50, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 4 time(s).
03/04/2011 17:08:50, error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 2 time(s).
03/04/2011 17:08:50, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
03/04/2011 17:08:50, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
03/04/2011 16:38:59, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 3 time(s).
03/04/2011 16:37:44, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 2 time(s).
03/04/2011 16:35:42, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 1 time(s).
03/04/2011 16:35:40, error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================


GMER scan....


GMER 1.0.15.15570 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-10 15:30:14
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c MAXTOR_STM3200820A rev.3.AAD
Running: lt4njewd.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\awpcqfow.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Paul\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[220] USER32.dll!SetPropW + 11B 77D4DECE 7 Bytes JMP 10031D10 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[220] USER32.dll!SetWindowRgn + 2BD 77D5209D 7 Bytes JMP 10031C80 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[220] USER32.dll!SetClipboardData + 259 77D70169 7 Bytes JMP 10031CF0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)

---- EOF - GMER 1.0.15 ----


Many thanks
psj3809 is offline  
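The FIREFOX section of the DDS log above shows two things a responder looks for: the start page points at a one-letter lookalike of the expected domain, and a user.js file forces that start page plus several security.warn_* prefs to false. Because Firefox re-applies user.js on every start, anything set there comes back after a manual fix, which is one reason "cleaned" settings keep returning. The following is an added triage script, not code from this thread or from any of its participants; the sample log text is constructed from the lines above, and the expected-host list and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the FIREFOX section of a DDS log, modelled on the one
# posted above (only the lines this check reads).
SAMPLE_DDS = r"""
FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\xqr6h879.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - prefs.js: network.proxy.type - 0
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://gcoogle.co.uk/
FF - user.js: browser.startup.page - 1
"""

LINE_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")

# Prefs that turn off browser safety warnings. Finding them forced to false in
# user.js is suspicious because user.js is re-applied on every Firefox start.
SAFETY_PREFS = {
    "security.warn_viewing_mixed",
    "security.warn_viewing_mixed.show_once",
    "security.warn_submit_insecure",
    "security.warn_submit_insecure.show_once",
}


def parse_ff_prefs(text: str) -> Dict[str, Dict[str, str]]:
    """Collect 'FF - <file>: <pref> - <value>' lines, keyed by source file."""
    prefs: Dict[str, Dict[str, str]] = {"prefs.js": {}, "user.js": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            source, name, value = m.groups()
            prefs[source][name] = value.strip()
    return prefs


def hostname(url: str) -> str:
    """Return the host part of a URL, accepting DDS's defanged hxxp:// form."""
    rest = re.sub(r"^h(?:xx|tt)ps?://", "", url.strip(), flags=re.IGNORECASE)
    return rest.split("/", 1)[0].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_firefox_prefs(text: str, expected_hosts: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, source, detail) triples for suspicious Firefox settings.

    expected_hosts is the list of start-page hosts the owner actually uses
    (assumed input); it must not be empty.
    """
    findings: List[Tuple[str, str, str]] = []
    prefs = parse_ff_prefs(text)
    for source in ("prefs.js", "user.js"):
        hp = prefs[source].get("browser.startup.homepage")
        if hp:
            host = hostname(hp)
            if host not in expected_hosts:
                near = min(edit_distance(host, e) for e in expected_hosts) <= 2
                kind = "HOMEPAGE_LOOKALIKE" if near else "HOMEPAGE_UNEXPECTED"
                findings.append((kind, source, host))
    # user.js entries survive any edit made through the browser UI.
    for name, value in prefs["user.js"].items():
        if name in SAFETY_PREFS and value.lower() == "false":
            findings.append(("SAFETY_WARNING_DISABLED", "user.js", name))
    if "browser.startup.homepage" in prefs["user.js"]:
        findings.append(("HOMEPAGE_FORCED_BY_USER_JS", "user.js",
                         prefs["user.js"]["browser.startup.homepage"]))
    return findings


if __name__ == "__main__":
    for finding in check_firefox_prefs(SAMPLE_DDS, ["google.co.uk", "www.google.co.uk"]):
        print(*finding)
```

On the sample this reports the lookalike start page in both prefs.js and user.js, the four disabled safety warnings, and the fact that user.js is forcing the start page at all; the last point is what tells a responder to remove the user.js file from the profile rather than just resetting the home page.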
Old 04-10-2011, 08:36 AM   #19
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Hi Paul,

Your IE has reverted back to IE6 and Microsoft Service Pack is now SP2. The re-install of the operating system may have done that. We'll need to update them, but just not yet. First, let's make sure the machine is free of malware as well as can be done. The logs do not show the rootkit infection, which was present before, but that does not always mean that the system is clean. Let's try to sort this out.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
ipconfig /all>log.txt
ping google.com>>log.txt
ping 74.125.47.103>>log.txt
start notepad log.txt

Save this as peek.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

===========

Quote:
How are you connected to the internet, wired or wireless? Are you able to connect to the internet via ethernet cable?
If you do not have internet connection, you'll need to use a USB flash drive to transfer the tools to the affected machine. As a precaution, you might like to run the Flash_Disinfector.exe on the clean machine and the flash drive first to protect against any possible transfer of infection via USB.

Please delete the present copy of Combofix from the desktop of the affected machine and download a fresh copy on a USB stick and transfer it to the affected machine's desktop. Run Combofix as per previous instructions and post the log please.
amateur is offline  
Old 04-10-2011, 09:45 AM   #20
Registered Member
 
Join Date: Apr 2011
Posts: 26
OS: Win XP



Hi, I ran that peek.bat file and the results were....

Windows IP Configuration

Ping request could not find host google.com. Please check the name and try again.

Pinging 74.125.47.103 with 32 bytes of data:

Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 74.125.47.103:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

I then downloaded a new combofix.exe and ran that. The results were too long and it wouldn't paste here so I've had to attach it (sorry).
Attached Files
File Type: txt combofix_sunday.txt (607.8 KB, 43 views)
psj3809 is offline  
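The peek.bat check pairs a ping by name with a ping by raw address so the two failure modes can be told apart: if the name fails but the address answers, name resolution is being interfered with (DNS server, hosts file or proxy settings); if both fail, the machine has no IP connectivity at all, and the network stack has to be looked at before any DNS question matters. The result posted above is the second case, with no adapter listed by ipconfig. Below is an added Python script for reading such a log and classifying it; it is not code from this thread or from the tools discussed in it. The two sample outputs are constructed (the first modelled on the reply above, the second showing the DNS-only failure the check is designed to catch), and the 192.0.2.53 DNS server address in the second sample is a documentation-range placeholder.

```python
import re
from typing import Dict

# Constructed sample modelled on the peek.bat result posted above:
# no adapters listed, name lookup fails, and the raw IP is unreachable.
NO_NETWORK_OUTPUT = """\
Windows IP Configuration

Ping request could not find host google.com. Please check the name and try again.

Pinging 74.125.47.103 with 32 bytes of data:

Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 74.125.47.103:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

# Second constructed sample: resolution fails but the raw address answers.
# The DNS server address is a documentation-range placeholder (RFC 5737).
DNS_ONLY_OUTPUT = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
        DNS Servers . . . . . . . . . . . : 192.0.2.53

Ping request could not find host google.com. Please check the name and try again.

Pinging 74.125.47.103 with 32 bytes of data:

Reply from 74.125.47.103: bytes=32 time=25ms TTL=52
Reply from 74.125.47.103: bytes=32 time=24ms TTL=52

Ping statistics for 74.125.47.103:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""

ADAPTER_RE = re.compile(r"^\S.* adapter .+:\s*$", re.MULTILINE)
# Only the first DNS server on the "DNS Servers" line is captured; ipconfig
# prints additional servers on continuation lines, which this ignores.
DNS_RE = re.compile(r"DNS Servers[ .]*: *(\S+)")
NAME_FAIL_RE = re.compile(r"Ping request could not find host (\S+)\. ")
STATS_RE = re.compile(
    r"Ping statistics for (\S+):\s*Packets: Sent = (\d+), Received = (\d+)"
)


def triage_peek_output(text: str) -> Dict[str, object]:
    """Summarise a peek.bat log and classify the failure mode."""
    names_failed = NAME_FAIL_RE.findall(text)
    stats = [(t, int(s), int(r)) for t, s, r in STATS_RE.findall(text)]
    any_reply = any(r > 0 for _, _, r in stats)

    # A name that fails to resolve produces no statistics block, so when a
    # lookup failed, every statistics block belongs to a literal-address ping.
    if names_failed and any_reply:
        verdict = "DNS_BROKEN_IP_OK"      # look at DNS servers, hosts file, proxy
    elif names_failed:
        verdict = "NO_IP_CONNECTIVITY"    # adapter, driver or routing problem first
    elif stats and all(r > 0 for _, _, r in stats):
        verdict = "NETWORK_OK"
    elif stats:
        verdict = "PARTIAL_LOSS"
    else:
        verdict = "NO_PING_RESULTS"

    return {
        "adapters": len(ADAPTER_RE.findall(text)),
        "dns_servers": DNS_RE.findall(text),
        "names_failed": names_failed,
        "ping_stats": stats,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("posted result", NO_NETWORK_OUTPUT),
                          ("dns-only failure", DNS_ONLY_OUTPUT)):
        summary = triage_peek_output(sample)
        print(label, summary["verdict"], "adapters:", summary["adapters"],
              "dns:", summary["dns_servers"])
```

For the posted result this yields NO_IP_CONNECTIVITY with zero adapters, which is consistent with the Service Control Manager 7026 entries earlier in the same post reporting that boot-start drivers including AFD and Tcpip failed to load; that is the layer to repair before the homepage and search-bar changes can be meaningfully re-checked over the network.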
 
