steve jones

Honorary Members
Posts: 120
Everything posted by steve jones

  1. My old Sinclair Spectrum had 48k (not Meg - kilobytes!) of RAM, and (I think) 16k of that was used by the OS. Programs were loaded off a cassette tape, and in the remaining 32k programmers fitted some great little games - in COLOUR! The processor ran (again memory is foggy) at 4.7MHz, but I'm sure someone can correct me there. A great little computer!
  2. In case it's of help to anyone similarly afflicted... I searched everywhere and tried every registry fix etc etc I could find, but could not get the dongle to connect. So I did a repair reinstall of XP Home - you need a disc with Service Pack updates that match your current installation, and the Windows validation code - and it worked great. All files / apps remained intact, and the dongle now works! The problem was definitely caused by the Rasman service not being able to start, but I just could not find out the reason. Hope this helps someone in the future. Steve
  3. Hi again! I have input the commands as instructed and I'm afraid no improvement - I connect normally using my laptop's wireless card but the broadband dongle still gives "the connect attempt failed - check your settings". As a matter of interest, I've just discovered the Event Log in Control Panel. When I try to start my dongle it doesn't report anything good or bad - just nothing. Updated MBAM and ran a quick scan - it found nothing, but results as follows;

     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org
     Database version: 3945
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 6.0.2900.5512
     02/04/2010 11:20:19
     mbam-log-2010-04-02 (11-20-19).txt
     Scan type: Quick scan
     Objects scanned: 106068
     Time elapsed: 4 minute(s), 47 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     (No malicious items detected)
     Registry Data Items Infected:
     (No malicious items detected)
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     (No malicious items detected)

     I really am at my wits' end with this!
  4. Hi again and thanks for the suggestion. I'm looking at the link which says "Here is a Windows installer to create the IP Policy shortcuts. It basically runs the REG command line tool and sets the registry values or removes them.", and wondering if this could be worth trying, but I'm not strong on networking in general. I've done a lot of digging on the internet and this issue arises a lot but never seems to be solved! It appears to be happening because my Remote Access Connection Manager service won't start (called RASMAN I think), and when I try to start it I get an error code? I've run Scannow and it seems to have repaired some system files, but I don't know which. I have tried fixes from Microsoft's site, uninstalled and reinstalled my modem a zillion times. I am dreading a reinstall of XP, but it looks like this is the only solution. Is it possible to do a repair of the XP files that will not delete my photos, email addresses, apps etc?
  5. Hi - I wondered if anyone had experience of losing connection with a '3' network broadband dongle after clearing a virus? With the fantastic support from here I have cleared the Antivirus XP malware off, and everything is back to normal except I can't get my broadband dongle to work. Assumedly a setting has been changed with all the messing about. It finds the network but reports it cannot make a connection. I have checked it's allowed access by the firewall, I have checked USB sockets are not being turned off to save power, I have tried to ensure that the same COM port is being used wherever the dongle is seen, but no luck. Could it be something simple / stupid I'm missing? Quite possible lol. Steve
  6. Passwords being changed today! I assume the password stealer has been deleted / quarantined. The only problem I have now is my broadband USB dongle is not connecting when I use the laptop away from home, but I'll get that sorted. I assume the malware has messed up one of my settings somewhere. Thanks again - fantastic support. Steve
  7. Hi again! I have emailed the file as requested. I have uninstalled Combofix. Re Avermeida, I have been downloading all kinds of drivers in the last week in an attempt to get my TV tuner card working. This laptop came with Vista, which I immediately changed to XP because I prefer it. But that meant my Acer TV didn't work so I've been trying hard with that recently, to no avail. That's where any references to Avermedia / AverTV / A310 come from, and I'll be removing them all again soon! The laptop is now looking exactly as it did before the attack. You have no idea how happy and relieved I am. I cannot thank you enough. I had just removed AVG because it kept pestering me to update and buy when the virus slipped through. I will now be installing Avira to give that a try. Thanks again for all your efforts. Steve Jones
  8. File sent off to Bleepingcomputer. Combofix report below;

     ComboFix 10-03-24.01 - Steve Jones 24/03/2010 20:09:56.4.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3069.2687 [GMT 0:00]
     Running from: c:\documents and settings\Steve Jones\Desktop\Firefox.exe
     Command switches used :: c:\documents and settings\Steve Jones\Desktop\CFScript.txt
     file zipped: c:\documents and settings\Steve Jones\Local Settings\Application Data\2383446155.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\Steve Jones\Local Settings\Application Data\2383446155.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_GEL90XNE
     -------\Service_gel90xne

     ((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
     .
     2010-03-24 19:46 . 2010-03-24 19:46 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
     2010-03-23 10:25 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-03-23 10:25 . 2010-03-24 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-03-23 10:25 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-03-20 20:57 . 2010-03-20 20:57 -------- d-----w- c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida
     2010-03-20 20:57 . 2010-03-23 09:57 -------- d-----w- c:\program files\Common Files\AVerMedia
     2010-03-20 19:59 . 2010-03-20 20:56 27461837 ----a-w- c:\program files\E506R_6.0.12.08041002_080428.exe
     2010-03-20 14:51 . 2007-11-29 10:41 -------- d-----w- c:\program files\A310_V1.1.0.22_vista_x86(WHQL)
     2010-03-20 14:51 . 2010-03-20 14:51 459625 ----a-w- c:\program files\TV tuner-A310_V1.1.0.22_vista_x86(WHQL).zip
     2010-03-18 12:52 . 2010-03-18 12:58 -------- d-----w- c:\program files\coolpro2
     2010-03-18 12:26 . 2010-03-18 12:26 319792 ----a-w- c:\program files\utorrent.exe
     2010-03-04 20:59 . 2010-03-04 21:09 24805112 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_Flasher_Huawei.exe
     2010-02-26 17:34 . 2010-02-26 17:37 13432816 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3UK_2.7.0.77_AUP_Huawei.exe
     2010-02-26 17:33 . 2010-02-26 17:33 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Birdstep Technology
     2010-02-26 17:33 . 2007-05-28 18:00 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys
     2010-02-26 17:32 . 2008-03-17 09:56 103168 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
     2010-02-26 17:32 . 2008-03-17 09:03 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
     2010-02-26 17:32 . 2008-03-16 12:47 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys
     2010-02-26 17:32 . 2008-01-22 13:09 100992 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
     2010-02-26 17:32 . 2007-08-09 02:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-03-23 09:58 . 2009-05-03 15:42 -------- d--h--w- c:\program files\InstallShield Installation Information
     2010-03-18 12:54 . 2009-07-28 20:24 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Syntrillium
     2010-03-15 11:02 . 2010-02-21 01:06 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
     2010-03-15 09:36 . 2010-01-05 20:34 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\vlc
     2010-02-26 17:31 . 2009-05-03 19:39 76118 ----a-w- c:\windows\Huawei ModemsUninstall.exe
     2010-02-26 13:24 . 2009-05-03 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
     2010-02-25 10:45 . 2009-08-19 13:56 -------- d-----w- c:\program files\CCleaner
     2010-02-23 09:54 . 2010-01-05 20:34 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\dvdcss
     2010-02-21 15:55 . 2009-05-09 08:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LimeWire
     2010-02-13 17:44 . 2010-01-11 23:06 -------- d-----w- c:\program files\Doom 3
     2010-02-13 17:43 . 2009-12-30 11:09 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\runic games
     2010-02-13 17:43 . 2009-12-30 11:07 -------- d-----w- c:\program files\Runic Games
     2010-02-13 17:41 . 2010-02-11 18:53 -------- d-----w- c:\program files\Joustra
     2010-02-13 16:18 . 2010-02-13 15:56 -------- d-----w- c:\program files\LG PC Suite II
     2010-02-13 15:56 . 2010-02-13 15:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LG Electronics
     2010-02-13 15:54 . 2010-02-13 15:54 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\InstallShield
     2010-02-13 15:52 . 2009-08-19 14:41 -------- d-----w- c:\program files\LG Electronics
     2010-01-15 11:57 . 2009-05-03 18:54 59400 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-01-15 11:56 . 2010-01-15 11:56 10583552 ----a-w- c:\program files\InstallScorch.msi
     2010-01-05 20:31 . 2010-01-05 20:28 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
     2010-01-05 20:25 . 2010-01-05 20:25 286720 ------w- c:\windows\Setup1.exe
     2010-01-05 20:25 . 2010-01-05 20:25 73216 ----a-w- c:\windows\ST6UNST.EXE
     2010-01-05 20:24 . 2010-01-05 20:24 2489250 ----a-w- c:\program files\PlayDVD.zip
     2009-12-29 19:31 . 2009-12-29 19:25 29375592 ----a-w- c:\program files\A16AR_6.0.18.09070601_091110.zip
     2009-12-27 21:19 . 2009-12-27 21:16 5436525 ----a-w- c:\program files\ITE_MIR_IT8512E-komku.blogspot.com-.zip
     2009-11-18 12:30 . 2009-11-18 12:30 8157274 ----a-w- c:\program files\11.Camera-Bison driver package V7.96.701.12a_Vistax86x64(WHQL).zip
     2009-11-09 18:49 . 2009-11-09 18:45 98224311 ----a-w- c:\program files\QX3Plus.exe
     2009-10-23 22:02 . 2009-10-23 22:02 69722473 ----a-w- c:\program files\FXhome_VisionLab_Studio_1005014_Demo_Installer.exe
     2009-08-13 20:11 . 2009-08-13 20:11 202071 ----a-w- c:\program files\RipIt4Me.zip
     2009-08-04 10:07 . 2009-08-04 10:06 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe
     2009-06-21 17:42 . 2009-06-21 17:42 608578 ----a-w- c:\program files\700_DDI_CB.exe
     2009-05-15 08:46 . 2009-05-15 08:46 4669067 ----a-w- c:\program files\ICS_Dx32.exe
     2009-05-13 09:54 . 2009-05-13 09:54 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip
     2007-03-21 20:19 . 2010-01-14 08:50 643072 ----a-w- c:\program files\RipIt4Me.exe
     .
     (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     --- c:\windows\Setup1.exe ---
     Company: Microsoft Corporation
     File Description: Visual Basic 6.0 Setup Toolkit
     File Version: 6.00.8171
     Product Name: Microsoft Visual Basic for Windows
     Copyright: Copyright © 1987-1998 Microsoft Corporation
     Original Filename: setup1.exe
     File size: 286720
     Created time: 2010-01-05 20:25
     Modified time: 2010-01-05 20:25
     MD5: E40041E0CA436C712332EDAA9DB7DF08
     SHA1: DEB8EAD922F4F1ACBADEBF0DB998F6BA2DC53DB0
     ---- Directory of c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida ----
     2010-03-20 20:57 . 2010-03-20 20:57 67 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida\Steve Jones.xml
     ((((((((((((((((((((((((((((( SnapShot@2010-03-24_19.12.15 )))))))))))))))))))))))))))))))))))))))))
     .
     - 2004-08-04 12:00 . 2010-03-24 19:09 68558 c:\windows\system32\perfc009.dat
     + 2004-08-04 12:00 . 2010-03-24 20:12 68558 c:\windows\system32\perfc009.dat
     + 2004-08-04 12:00 . 2010-03-24 20:12 435828 c:\windows\system32\perfh009.dat
     - 2004-08-04 12:00 . 2010-03-24 19:09 435828 c:\windows\system32\perfh009.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
     "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
     "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Security Packages REG_MULTI_SZ msv1_0 schannel wdigest
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update Agent.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Update Agent.lnk
     backup=c:\windows\pss\Update Agent.lnkCommon Startup
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
     2006-12-25 04:00 177664 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE
     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     "DisableNotifications"= 1 (0x1)
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\WINDOWS\\system32\\dpvsetup.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader: 3724
     "8095:TCP"= 8095:TCP:test
     S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [11/09/2009 07:57 26496]
     S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [11/09/2009 07:57 42496]
     S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys --> c:\windows\system32\DRIVERS\itecir.sys [?]
     S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [24/09/2008 15:09 41376]
     S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [09/11/2009 18:53 131776]
     S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 20:13 133104]
     .
     Contents of the 'Scheduled Tasks' folder
     2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]
     2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.co.uk/
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
     IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
     FF - ProfilePath - c:\documents and settings\Steve Jones\Application Data\Mozilla\Firefox\Profiles\crhzgivt.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
     FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-03-24 20:16
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(680)
     c:\windows\system32\netprovcredman.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     c:\program files\Intel\WiFi\bin\S24EvMon.exe
     c:\windows\system32\agrsmsvc.exe
     c:\program files\Intel\WiFi\bin\EvtEng.exe
     c:\windows\system32\nvsvc32.exe
     c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
     c:\windows\system32\wbem\unsecapp.exe
     c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
     .
     **************************************************************************
     .
     Completion time: 2010-03-24 20:19:51 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-03-24 20:19
     ComboFix2.txt 2010-03-24 19:15
     Pre-Run: 215,190,683,648 bytes free
     Post-Run: 215,158,820,864 bytes free
     - - End Of File - - 7AB37B25A098A54ECC9A0A24F0D4470E
  9. Oops - just seen your post re AverMeida. I will go ahead and follow your instructions.
  10. Hi - I will do as asked but can I just check did you mean to say 'AVerMeida' in your instructions or should it read 'Avermedia'? Plus I have a confession - I was SO relieved to see Combofix run and report that I couldn't resist updating and doing a quick scan with MBAM. It's found a few problems and the log is pasted below. Apologies for being hasty - I hope I haven't messed up. Am I OK to tell MBAM to delete the infections it's found?

     Malwarebytes' Anti-Malware 1.44
     Database version: 3909
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 6.0.2900.5512
     24/03/2010 19:51:59
     mbam-log-2010-03-24 (19-51-52).txt
     Scan type: Quick Scan
     Objects scanned: 124887
     Time elapsed: 3 minute(s), 4 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 4
     Registry Values Infected: 1
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 7
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.
     HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Backdoor.Bot) -> No action taken.
     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> No action taken.
     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve Jones\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     C:\Documents and Settings\All Users\Desktop\spam001.exe (Malware.Packer.Gen) -> No action taken.
     C:\Documents and Settings\All Users\Desktop\spam003.exe (Malware.Packer.Gen) -> No action taken.
     C:\Documents and Settings\All Users\Desktop\troj000.exe (Malware.Packer.Gen) -> No action taken.
     C:\WINDOWS\system32\opear.exe (Backdoor.Bot) -> No action taken.
     C:\WINDOWS\system32\PowerDes.exe (Backdoor.Bot) -> No action taken.
     C:\WINDOWS\system32\msctc.sys (Backdoor.Bot) -> No action taken.
     C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> No action taken.
  11. Combofix log;

     ComboFix 10-03-24.01 - Steve Jones 24/03/2010 19:05:34.3.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3069.2735 [GMT 0:00]
     Running from: c:\documents and settings\Steve Jones\Desktop\Firefox.exe
     .
     The following files were disabled during the run:
     c:\documents and settings\Steve Jones\Local Settings\Application Data\Windows Server\ffjpbs.dll

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\docume~1\STEVEJ~1\LOCALS~1\Temp\csrss.exe
     c:\documents and settings\All Users\Desktop\nudetube.com.lnk
     c:\documents and settings\All Users\Desktop\pornotube.com.lnk
     c:\documents and settings\All Users\Desktop\youporn.com.lnk
     c:\documents and settings\All Users\Favorites\_favdata.dat
     c:\documents and settings\Steve Jones\Local Settings\Application Data\ave.exe
     c:\documents and settings\Steve Jones\Local Settings\Application Data\Windows Server
     c:\documents and settings\Steve Jones\Local Settings\Application Data\Windows Server\ffjpbs.dll
     c:\program files\User Protection
     c:\windows\_VOIDmxbyfuxdst
     c:\windows\_VOIDmxbyfuxdst\_VOIDd.sys
     c:\windows\Install.txt
     c:\windows\system32\_VOIDbxhcqpuamj.dat
     c:\windows\system32\_VOIDppiypethxw.dll
     c:\windows\system32\_VOIDuvbtubsqxd.dll
     c:\windows\system32\_VOIDxxubnlrfvl.dll
     c:\windows\system32\3498.exe
     c:\windows\system32\BtwSvc.dll
     c:\windows\system32\drivers\_VOIDnkfycdjnkl.sys
     c:\windows\system32\drivers\llafexn.sys
     c:\windows\system32\FInstall.sys
     c:\windows\system32\Install.txt
     c:\windows\system32\owmcfsdyq.dll
     c:\windows\TEMP\mta13187.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service__VOIDd.sys
     -------\Legacy__VOIDd.sys
     -------\Service__VOIDmxbyfuxdst
     -------\Legacy__VOIDmxbyfuxdst
     -------\Legacy_BTWSVC
     -------\Service_BtwSvc
     -------\Legacy_llafexn
     -------\Service_llafexn

     ((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
     .
     2010-03-23 10:25 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-03-23 10:25 . 2010-03-24 18:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-03-23 10:25 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-03-20 22:47 . 2010-03-20 22:47 202752 --sha-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\2383446155.dll
     2010-03-20 20:57 . 2010-03-20 20:57 -------- d-----w- c:\documents and settings\Steve Jones\Local Settings\Application Data\AVerMeida
     2010-03-20 20:57 . 2010-03-23 09:57 -------- d-----w- c:\program files\Common Files\AVerMedia
     2010-03-20 19:59 . 2010-03-20 20:56 27461837 ----a-w- c:\program files\E506R_6.0.12.08041002_080428.exe
     2010-03-20 14:51 . 2007-11-29 10:41 -------- d-----w- c:\program files\A310_V1.1.0.22_vista_x86(WHQL)
     2010-03-20 14:51 . 2010-03-20 14:51 459625 ----a-w- c:\program files\TV tuner-A310_V1.1.0.22_vista_x86(WHQL).zip
     2010-03-18 12:52 . 2010-03-18 12:58 -------- d-----w- c:\program files\coolpro2
     2010-03-18 12:26 . 2010-03-18 12:26 319792 ----a-w- c:\program files\utorrent.exe
     2010-03-04 20:59 . 2010-03-04 21:09 24805112 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_Flasher_Huawei.exe
     2010-02-26 17:34 . 2010-02-26 17:37 13432816 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3UK_2.7.0.77_AUP_Huawei.exe
     2010-02-26 17:33 . 2010-02-26 17:33 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Birdstep Technology
     2010-02-26 17:33 . 2007-05-28 18:00 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys
     2010-02-26 17:32 . 2008-03-17 09:56 103168 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
     2010-02-26 17:32 . 2008-03-17 09:03 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
     2010-02-26 17:32 . 2008-03-16 12:47 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys
     2010-02-26 17:32 . 2008-01-22 13:09 100992 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
     2010-02-26 17:32 . 2007-08-09 02:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-03-23 09:58 . 2009-05-03 15:42 -------- d--h--w- c:\program files\InstallShield Installation Information
     2010-03-18 12:54 . 2009-07-28 20:24 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Syntrillium
     2010-03-15 11:02 . 2010-02-21 01:06 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
     2010-03-15 09:36 . 2010-01-05 20:34 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\vlc
     2010-02-26 17:31 . 2009-05-03 19:39 76118 ----a-w- c:\windows\Huawei ModemsUninstall.exe
     2010-02-26 13:24 . 2009-05-03 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
     2010-02-25 10:45 . 2009-08-19 13:56 -------- d-----w- c:\program files\CCleaner
     2010-02-23 09:54 . 2010-01-05 20:34 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\dvdcss
     2010-02-21 15:55 . 2009-05-09 08:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LimeWire
     2010-02-13 17:44 . 2010-01-11 23:06 -------- d-----w- c:\program files\Doom 3
     2010-02-13 17:43 . 2009-12-30 11:09 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\runic games
     2010-02-13 17:43 . 2009-12-30 11:07 -------- d-----w- c:\program files\Runic Games
     2010-02-13 17:41 . 2010-02-11 18:53 -------- d-----w- c:\program files\Joustra
     2010-02-13 16:18 . 2010-02-13 15:56 -------- d-----w- c:\program files\LG PC Suite II
     2010-02-13 15:56 . 2010-02-13 15:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LG Electronics
     2010-02-13 15:54 . 2010-02-13 15:54 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\InstallShield
     2010-02-13 15:52 . 2009-08-19 14:41 -------- d-----w- c:\program files\LG Electronics
     2010-01-15 11:57 . 2009-05-03 18:54 59400 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-01-15 11:56 . 2010-01-15 11:56 10583552 ----a-w- c:\program files\InstallScorch.msi
     2010-01-05 20:31 . 2010-01-05 20:28 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
     2010-01-05 20:25 . 2010-01-05 20:25 286720 ------w- c:\windows\Setup1.exe
     2010-01-05 20:25 . 2010-01-05 20:25 73216 ----a-w- c:\windows\ST6UNST.EXE
     2010-01-05 20:24 . 2010-01-05 20:24 2489250 ----a-w- c:\program files\PlayDVD.zip
     2009-12-29 19:31 . 2009-12-29 19:25 29375592 ----a-w- c:\program files\A16AR_6.0.18.09070601_091110.zip
     2009-12-27 21:19 . 2009-12-27 21:16 5436525 ----a-w- c:\program files\ITE_MIR_IT8512E-komku.blogspot.com-.zip
     2009-11-18 12:30 . 2009-11-18 12:30 8157274 ----a-w- c:\program files\11.Camera-Bison driver package V7.96.701.12a_Vistax86x64(WHQL).zip
     2009-11-09 18:49 . 2009-11-09 18:45 98224311 ----a-w- c:\program files\QX3Plus.exe
     2009-10-23 22:02 . 2009-10-23 22:02 69722473 ----a-w- c:\program files\FXhome_VisionLab_Studio_1005014_Demo_Installer.exe
     2009-08-13 20:11 . 2009-08-13 20:11 202071 ----a-w- c:\program files\RipIt4Me.zip
     2009-08-04 10:07 . 2009-08-04 10:06 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe
     2009-06-21 17:42 . 2009-06-21 17:42 608578 ----a-w- c:\program files\700_DDI_CB.exe
     2009-05-15 08:46 . 2009-05-15 08:46 4669067 ----a-w- c:\program files\ICS_Dx32.exe
     2009-05-13 09:54 . 2009-05-13 09:54 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip
     2007-03-21 20:19 . 2010-01-14 08:50 643072 ----a-w- c:\program files\RipIt4Me.exe
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
     "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
     "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Security Packages REG_MULTI_SZ msv1_0 schannel wdigest
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update Agent.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Update Agent.lnk
     backup=c:\windows\pss\Update Agent.lnkCommon Startup
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
     2006-12-25 04:00 177664 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
     2009-09-10 14:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     "DisableNotifications"= 1 (0x1)
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\WINDOWS\\system32\\dpvsetup.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader: 3724
     "8095:TCP"= 8095:TCP:test
     S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [11/09/2009 07:57 26496]
     S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [11/09/2009 07:57 42496]
     S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys --> c:\windows\system32\DRIVERS\itecir.sys [?]
     S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [24/09/2008 15:09 41376]
     S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [09/11/2009 18:53 131776]
     S4 gel90xne;gel90xne;\??\c:\docume~1\STEVEJ~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\STEVEJ~1\LOCALS~1\Temp\gel90xne.sys [?]
     S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 20:13 133104]
     S4 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [04/08/2004 12:00 33280]
     .
     Contents of the 'Scheduled Tasks' folder
     2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]
     2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.co.uk/
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
     IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
     FF - ProfilePath - c:\documents and settings\Steve Jones\Application Data\Mozilla\Firefox\Profiles\crhzgivt.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
     FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
     .
     - - - - ORPHANS REMOVED - - - -
     BHO-{A9BA40A1-74F1-52BD-F434-00B15A2C8953} - c:\windows\system32\owmcfsdyq.dll
     SharedTaskScheduler-{A9BA40A1-74F1-52BD-F434-00B15A2C8953} - c:\windows\system32\owmcfsdyq.dll
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-03-24 19:12
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(680)
     c:\windows\system32\netprovcredman.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     c:\program files\Intel\WiFi\bin\S24EvMon.exe
     c:\windows\system32\agrsmsvc.exe
     c:\program files\Intel\WiFi\bin\EvtEng.exe
     c:\windows\system32\nvsvc32.exe
     c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
     c:\windows\system32\wbem\unsecapp.exe
     .
     **************************************************************************
     .
     Completion time: 2010-03-24 19:15:13 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-03-24 19:15
     Pre-Run: 215,264,534,528 bytes free
     Post-Run: 215,215,009,792 bytes free
     - - End Of File - - B11AA164036414FC3579679DBA46E5F2
  12. Just thought I should mention that before C/fix started the checking stages it reported finding files trying to attach to C/fix, plus it reported rootkit activity. I've noted all the file names but will it give you this info in its final report or do you need me to note these separately?
  13. Yess!! It appears to be running as Firefox. Thank you. Will await results.
  14. OK, now I'm worried... I downloaded ComboFix onto my clean PC and copied it via a memory stick to the infected desktop. But it won't run... nothing happens when I double-click the icon.
  15. Yes, MBAM.com is in the right folder. Tried to run fix.reg and got the message "Registry editing has been disabled by your administrator". I have attached the "attach" file - didn't know how to zip it up, sorry. DDS pasted below:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Steve Jones at 18:57:10.07 on 23/03/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3069.2664 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\DOCUME~1\STEVEJ~1\LOCALS~1\Temp\ej5efw0bhs.exe
C:\DOCUME~1\STEVEJ~1\LOCALS~1\Temp\diskperfxp.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Documents and Settings\Steve Jones\Local Settings\Application Data\ave.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\STEVEJ~1\LOCALS~1\Temp\asd4.tmp.exe
C:\Documents and Settings\Steve Jones\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: AutorunsDisabled - No File
BHO: c:\windows\system32\owmcfsdyq.dll: {a9ba40a1-74f1-52bd-f434-00b15a2c8953} - c:\windows\system32\owmcfsdyq.dll
uRun: [diskperfxp.exe] c:\docume~1\stevej~1\locals~1\temp\diskperfxp.exe
uRun: [hsa8ffushf83hoigjhs98jgijg9sd8e] c:\docume~1\stevej~1\locals~1\temp\ej5efw0bhs.exe
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\stevej~1\locals~1\temp\csrss.exe
mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
STS: c:\windows\system32\owmcfsdyq.dll: {a9ba40a1-74f1-52bd-f434-00b15a2c8953} - c:\windows\system32\owmcfsdyq.dll
IFEO: AutorunsDisabled - ntsd -d

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stevej~1\applic~1\mozilla\firefox\profiles\crhzgivt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [2009-9-11 26496]
S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2009-9-11 42496]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys --> c:\windows\system32\drivers\itecir.sys [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-9-24 41376]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2009-11-9 131776]
S4 gel90xne;gel90xne;\??\c:\docume~1\stevej~1\locals~1\temp\gel90xne.sys --> c:\docume~1\stevej~1\locals~1\temp\gel90xne.sys [?]
S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\google\update\GoogleUpdate.exe [2009-7-5 133104]
S4 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2004-8-4 33280]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-03-23 10:25:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 10:25:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 10:25:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 20:15:29 0 d-----w- c:\program files\User Protection
2010-03-20 22:46:16 860672 ----a-w- c:\windows\system32\drivers\llafexn.sys
2010-03-20 22:46:01 20000 ----a-w- c:\windows\system32\owmcfsdyq.dll
2010-03-20 20:57:20 0 d-----w- c:\program files\common files\AVerMedia
2010-03-20 19:59:26 27461837 ----a-w- c:\program files\E506R_6.0.12.08041002_080428.exe
2010-03-20 14:51:45 0 d-----w- c:\program files\A310_V1.1.0.22_vista_x86(WHQL)
2010-03-20 14:51:26 459625 ----a-w- c:\program files\TV tuner-A310_V1.1.0.22_vista_x86(WHQL).zip
2010-03-18 12:52:54 0 d-----w- c:\program files\coolpro2
2010-03-18 12:26:17 319792 ----a-w- c:\program files\utorrent.exe
2010-02-26 17:33:34 0 d-----w- c:\docume~1\stevej~1\applic~1\Birdstep Technology
2010-02-26 17:33:18 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys
2010-02-26 17:32:12 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys
2010-02-26 17:32:12 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-02-26 17:32:12 103168 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2010-02-26 17:32:12 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-02-26 17:32:12 100992 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

==================== Find3M ====================

2010-03-15 11:02:17 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-02-26 17:31:47 76118 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2010-01-15 11:56:06 10583552 ----a-w- c:\program files\InstallScorch.msi
2010-01-05 20:31:41 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
2010-01-05 20:25:13 286720 ------w- c:\windows\Setup1.exe
2010-01-05 20:25:12 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-05 20:24:44 2489250 ----a-w- c:\program files\PlayDVD.zip
2009-12-29 19:31:47 29375592 ----a-w- c:\program files\A16AR_6.0.18.09070601_091110.zip
2009-12-27 21:19:39 5436525 ----a-w- c:\program files\ITE_MIR_IT8512E-komku.blogspot.com-.zip
2009-11-18 12:30:42 8157274 ----a-w- c:\program files\11.Camera-Bison driver package V7.96.701.12a_Vistax86x64(WHQL).zip
2009-11-09 18:49:46 98224311 ----a-w- c:\program files\QX3Plus.exe
2009-10-23 22:02:17 69722473 ----a-w- c:\program files\FXhome_VisionLab_Studio_1005014_Demo_Installer.exe
2009-08-13 20:11:25 202071 ----a-w- c:\program files\RipIt4Me.zip
2009-08-04 10:07:32 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe
2009-06-21 17:42:42 608578 ----a-w- c:\program files\700_DDI_CB.exe
2009-05-15 08:46:51 4669067 ----a-w- c:\program files\ICS_Dx32.exe
2009-05-13 09:54:03 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip
2007-03-21 20:19:52 643072 ----a-w- c:\program files\RipIt4Me.exe

============= FINISH: 18:57:34.45 ===============

I hope this is all done as needed. Many thanks

Attach.txt
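The DDS log in the post above and the ComboFix "Reg Loading Points" section earlier in the thread carry the indicators that explain every symptom the poster hit: autoruns launched from the user's Temp folder (one of them named csrss.exe), the DisableRegistryTools / DisableTaskMgr / NoFolderOptions policies (why fix.reg was refused and the "show file extensions" option vanished), the .exe association rewritten to "secfile" (why mbam-setup.exe only ran after being renamed to .com), a driver loaded from Temp, and the Security Center / firewall overrides. As an added example, not part of the forum post nor of the DDS or ComboFix tools, here is a small Python triage script that reads those line formats and flags each indicator. The sample lines are copied from the logs in this thread; the rule names, severities, the TEMP_MARKERS fragments and the SYSTEM_NAMES list are this example's own assumptions.

```python
"""Triage a DDS / ComboFix style log for the tool-lockout indicators seen in this thread.
Added example: not part of the original post nor of the DDS or ComboFix tools.
Rule names, severities, TEMP_MARKERS and SYSTEM_NAMES are this example's own choices."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (this example's own scale)
    rule: str
    line: str


# Policies an infection sets to 1 to keep the victim out of regedit, Task Manager
# and Folder Options (the missing "show file extensions" option in the thread).
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoFolderOptions"}
# Windows registers ".exe" as "exefile"; any other handler (here "secfile") means
# every double-clicked .exe is routed through something else first.
EXPECTED_EXE_ASSOC = "exefile"
# Assumed XP-era per-user temp path fragments, lower-cased.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
# Image names that belong under system32; the same name elsewhere is masquerading.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}

RUN_RE = re.compile(r"^[umd]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
POLICY_RE = re.compile(r"^[umd]Policies-(?:explorer|system):\s+(?P<name>\w+)\s*=\s*(?P<val>\d+)")
ASSOC_RE = re.compile(r"^\.exe=(?P<handler>\S+)")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)(?:\s-->|\s\[|$)")
SC_RE = re.compile(r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:(?P<val>[0-9a-fA-F]{8})')
FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>.+)$")


def _in_temp(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def _image_name(cmd: str) -> str:
    """Lower-cased file name of the launched image, ignoring quoting and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    return cmd.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Scan DDS / ComboFix lines and return every matched indicator, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            cmd = m.group("cmd")
            if _in_temp(cmd):
                findings.append(Finding("high", "autorun-from-temp", line))
            if _image_name(cmd) in SYSTEM_NAMES and "\\system32\\" not in cmd.lower():
                findings.append(Finding("high", "system-name-masquerade", line))
        elif m := POLICY_RE.match(line):
            if m.group("name") in LOCKOUT_POLICIES and int(m.group("val")) != 0:
                findings.append(Finding("high", "admin-tool-lockout", line))
        elif m := ASSOC_RE.match(line):
            if m.group("handler").lower() != EXPECTED_EXE_ASSOC:
                findings.append(Finding("high", "exe-association-hijack", line))
        elif m := SERVICE_RE.match(line):
            if _in_temp(m.group("path")):
                findings.append(Finding("high", "driver-from-temp", line))
        elif m := SC_RE.match(line):
            if int(m.group("val"), 16) != 0:
                findings.append(Finding("medium", "security-center-override", line))
        elif m := FW_RE.match(line):
            if int(m.group("val")) == 0:
                findings.append(Finding("medium", "firewall-disabled", line))
        elif m := IFEO_RE.match(line):
            # Sysinternals Autoruns parks disabled IFEO entries under "AutorunsDisabled";
            # a debugger set on any other image deserves a look.
            sev = "info" if m.group("image") == "AutorunsDisabled" else "medium"
            findings.append(Finding(sev, "ifeo-debugger", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Sample input: lines copied from the DDS and ComboFix logs posted in this thread,
# with two benign lines (intelZeroConfig, BtwSvc) kept as controls.
SAMPLE_LOG = r"""
uRun: [diskperfxp.exe] c:\docume~1\stevej~1\locals~1\temp\diskperfxp.exe
uRun: [hsa8ffushf83hoigjhs98jgijg9sd8e] c:\docume~1\stevej~1\locals~1\temp\ej5efw0bhs.exe
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\stevej~1\locals~1\temp\csrss.exe
mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IFEO: AutorunsDisabled - ntsd -d
R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S4 gel90xne;gel90xne;\??\c:\docume~1\stevej~1\locals~1\temp\gel90xne.sys --> c:\docume~1\stevej~1\locals~1\temp\gel90xne.sys [?]
.exe=secfile
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:26} {f.line}")
    print(summarize(results))
```

To run it over a real log, replace SAMPLE_LOG with the text of the pasted DDS.txt or ComboFix.txt; the line formats are the same ones the helper was reading by eye in this thread. The point of the ordering is the lockout rules: while DisableRegistryTools and the .exe association hijack are present, a .reg fix and a plain mbam.exe will fail exactly as the poster describes, so those are cleared first (or bypassed, as with the .com rename) before anything else is attempted.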
  16. Hi again. I copied the renamed MBAM.com onto the infected PC. I couldn't put the Rules.ref file where you suggested because the C:\Documents and Settings\All Users\Application Data folder doesn't show on my infected PC (I did a search though and it does exist - it's just hidden). So I tried to run MBAM.com and got an error code 730 (0,0)? Re the "missing option to show file extensions" - under the Tools tab I don't get the 'Folder Options' which would allow me to display file extensions. Thanks again - at least I feel like I am making progress with your help.
  17. Thanks for the quick response! I cannot get file extensions to display, and after some searching it seems that the virus has taken away my rights to display them (not explained very well - sorry). So I renamed the MBAM installation file to .com on my clean PC, then copied that onto a memory stick then onto the infected PC desktop. That allowed me to install MBAM. I didn't tick the update box as I cannot connect to the internet. I ticked the box to start MBAM after installation but nothing happened. Could I find mbam.exe on my clean machine, rename it to mbam.com, copy it to the MBAM folder on my infected machine, and try running it there?
  18. I have decided to start a fresh post in the HiJack This Logs section. I didn't know where to put my questions re internet access so I have repeated the content of the above post there. I hope this is OK. Thanks again for all the help.
  19. Hi - I have posted an appeal for help in the general forum and as instructed I'm starting a new post here. I was asked to refer to instructions for downloading and installing MBAM and Defogger etc, but as the virus is stopping my internet access I am wondering if I can download them to a clean PC and copy them across to the infected PC's desktop? I put a reply on my other post but I'm thinking I should have put it on a fresh post here (?) so I am repeating below what I put in that post - I hope that's OK to do! "I had been regularly using MBAM on my now infected PC, but when I got this infection, and couldn't get MBAM to run, I deleted MBAM because I had read that I would have to re-install it. Have I also read on these forums that I need to run a 'deep cleaning' program as well to remove all references to MBAM? If so, I haven't done this so it may affect my next attempt to start MBAM when reloaded. I cannot access the internet via my usual methods so I took a copy of mbam-setup.exe from a good PC (after first updating it) and pasted it on the desktop of my infected PC. (Is that an acceptable approach?) I then tried to get the exe extension to display, following the instructions shown in the virus removal guide, so that I could change it to a .com extension. However, I could not for the life of me find the option to display file extensions in My Computer/Tools/Options? Is it possible that the virus could be removing that option? I'm running XP by the way." I won't do anything now until I am told how to get MBAM etc onto my infected PC. Many thanks for the help.
  20. Many thanks for the rapid response! I had been regularly using MBAM on my now infected PC, but when I got this infection, and couldn't get MBAM to run, I deleted MBAM because I had read that I would have to re-install it. Have I also read on these forums that I need to run a 'deep cleaning' program as well to remove all references to MBAM? If so, I haven't done this so it may affect my next attempt to start MBAM when reloaded. I cannot access the internet via my usual methods so I took a copy of mbam-setup.exe from a good PC (after first updating it) and pasted it on the desktop of my infected PC. (Is that an acceptable approach?) I then tried to get the exe extension to display, following the instructions shown in the virus removal guide, so that I could change it to a .com extension. However, I could not for the life of me find the option to display file extensions in My Computer/Tools/Options? Is it possible that the virus could be removing that option? I'm running XP by the way. I'm at work now so can't take another stab until this evening, but I will look again then. Thanks again
  21. I appear to have picked up something called Antivirus XP on my other PC. It is flashing up warnings of infections and asking me to register, which of course I am not doing. I cannot get MBAM to run, and when I try to access the internet it does not allow Firefox to start. Can anyone advise best action to take please? Any help gratefully received. Steve
  22. Marvellous - after boasting about 60 secs to load, I've just downloaded SP3 and it now takes 90 secs!!
  23. lol YoKenny1! You are right there. In the UK, an inch of snow brings us all to a stop...
  24. Hi Sjpritch25 - I know you guys are very busy but I'm just checking you are not waiting for me to reply. I'm happy to close this post now if you are? One satisfied customer - many thanks for your expert help Steve