Cheshire Cat

Hello Borislav, Everything appears to be ok at present. Many thanks again for your help. Donation via PayPal has been made. Regards, Brian

Hello Borislav, Thanks for the information. Ill get to it! Just one point, as ComboFix was renamed to Combo-Fix, should I type, Combo-Fix /uninstall? Also, I still have defogger on my laptop so I presume that I can use that ather than downloading a new version? Again, many many thanks. Regards, Brian.

Hello Borislav I have now used my laptop for 2 days without any recurrence of the problem. I can't believe that this is coincidental so I must assume that Combofix has done the trick! Thank you very much! Although I have not made a payment yet, I surely will. I guess we now need to put back all the things that have been uninstalled etc? Regards, Brian.

Hello Borislav, I'm not sure! Because Stopzilla warned me of infections, I thought it best to leave it until you contacted me. I have just done a few searches and there has been no redirections and no new windows have popped up, so I am cautiously optimistic. I would like to continue to test it over the week-end and then get back to you on Monday, if that's OK? HOWEVER, in the meantime what do I do about the Stopzilla warning? It says I have 27 infections, of which 23 are "CatchMe" a trojan found at HKLM\SYSTEM\CurrentControlSet... and 4 infections of "SystemPolicies" a Hijacker found at hkus\S-1-5-21-1766507506-170469... and hklm\Software\microsoft\windows\... Thanks for all your help. Brian.

Hello Borislav, I followed your instructions and after several restarts, ComboFix eventually finished and produced a log which is attached below. However, before posting this, I re-enabled McAfee and Stopzilla. Within a minute or so, SZ alerted me that it had detected "System Policies. DisabledRegistryTools" and "CatchMe". I have not deleted nor scanned but await your instructions. regards, Brian. ComboFix 10-08-12.03 - Brian Dunning 13/08/2010 11:33:06.1.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1526.946 [GMT 1:00] Running from: c:\documents and settings\Brian Dunning\Desktop\Combo-Fix.exe AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users.\documents\settings c:\documents and settings\Brian Dunning\GoToAssistDownloadHelper.exe c:\windows\system32\_000006_.tmp.dll c:\windows\system32\_000009_.tmp.dll Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected Restored copy from - Kitty had a snack . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SSHNAS ((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 ))))))))))))))))))))))))))))))) . 2010-08-04 12:55 . 2010-08-04 12:55 -------- d-----w- c:\documents and settings\Brian Dunning\Application Data\Malwarebytes 2010-08-04 12:55 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-04 12:55 . 2010-08-04 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-08-04 12:55 . 2010-08-04 12:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-04 12:55 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-03 14:57 . 2010-08-03 14:57 503808 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-258a427d-n\msvcp71.dll 2010-08-03 14:57 . 2010-08-03 14:57 61440 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3868ecb8-n\decora-sse.dll 2010-08-03 14:57 . 2010-08-03 14:57 499712 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-258a427d-n\jmc.dll 2010-08-03 14:57 . 2010-08-03 14:57 348160 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-258a427d-n\msvcr71.dll 2010-08-03 14:57 . 2010-08-03 14:57 12800 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3868ecb8-n\decora-d3d.dll 2010-08-03 11:32 . 2010-08-04 11:50 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-08-03 11:32 . 2010-08-04 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-07-28 12:08 . 2010-08-03 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software 2010-07-28 12:08 . 2010-07-28 12:08 -------- d-----w- c:\program files\Alwil Software 2010-07-28 11:38 . 2010-07-28 11:38 -------- d-----w- c:\documents and settings\Brian Dunning\Local Settings\Application Data\Threat Expert . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-13 10:54 . 2010-06-08 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla! 2010-08-13 10:52 . 2008-06-19 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki 2010-08-12 11:08 . 2008-09-09 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2010-08-11 10:25 . 2006-02-22 18:25 -------- d-----w- c:\program files\Common Files\Adobe 2010-08-09 11:05 . 2007-12-13 14:18 -------- d-----w- c:\program files\Norton SystemWorks Basic Edition 2010-07-28 11:43 . 2008-09-09 09:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-06-24 19:01 . 2010-06-08 15:23 2215936 ---ha-w- C:\SZKGFS.dat 2010-05-27 18:44 . 2010-05-27 18:44 503808 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19b4f9e3-n\msvcp71.dll 2010-05-27 18:44 . 2010-05-27 18:44 499712 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19b4f9e3-n\jmc.dll 2010-05-27 18:44 . 2010-05-27 18:44 348160 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19b4f9e3-n\msvcr71.dll 2010-05-27 18:44 . 2010-05-27 18:44 12800 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-185a99c8-n\decora-d3d.dll 2010-05-27 18:44 . 2010-05-27 18:44 61440 ----a-w- c:\documents and settings\Brian Dunning\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-185a99c8-n\decora-sse.dll 2010-05-27 18:43 . 2010-05-27 18:43 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-25 20:23 . 2010-05-25 20:24 300384 ----a-w- c:\documents and settings\Brian Dunning\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll 2010-05-25 20:23 . 2010-05-25 20:23 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll 2010-05-21 13:14 . 2009-12-11 13:03 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-04-27 16:16 . 2010-04-22 13:02 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-06 68856] "kdx"="c:\program files\Kontiki\khost.exe" [2007-04-23 1032640] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688] "Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056] "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320] "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768] "PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960] "RTHDCPL"="RTHDCPL.EXE" [2005-06-29 14720000] "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-05 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688] "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2007-09-18 25472] "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-24 1193848] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-7-20 113664] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07/12/2009 17:59 61328] R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [24/02/2010 15:06 173328] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [22/04/2010 14:02 82952] R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [03/12/2008 17:22 93320] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [22/04/2010 14:01 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [22/04/2010 14:01 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [22/04/2010 14:02 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [22/04/2010 14:02 141792] R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?] R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE [04/11/2005 04:08 95832] R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [25/09/2009 13:16 93960] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [22/04/2010 14:02 55456] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/09/2008 17:30 99376] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [22/04/2010 14:02 312616] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [22/04/2010 14:02 88480] S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07/12/2009 17:59 61328] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/01/2010 18:50 135664] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [22/04/2010 14:02 88480] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [22/04/2010 14:02 83496] S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?] --- Other Services/Drivers In Memory --- *Deregistered* - mfeavfk01 . Contents of the 'Scheduled Tasks' folder 2010-08-13 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 11:52] 2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:50] 2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:50] 2010-08-13 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20] 2010-08-09 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job - c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2007-09-18 08:22] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bbc.co.uk/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/ uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html Trusted Zone: internet Trusted Zone: mcafee.com Trusted Zone: sony-europe.com Trusted Zone: sonystyle-europe.com Trusted Zone: vaio-link.com FF - ProfilePath - c:\documents and settings\Brian Dunning\Application Data\Mozilla\Firefox\Profiles\yyxhe552.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.tesco.net/ FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Picasa2\npPicasa2.dll FF - plugin: c:\program files\Picasa2\npPicasa3.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - Toolbar-SITEguard - (no file) Notify-TPSvc - TPSvc.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-08-13 11:59 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1768) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Common Files\Symantec Shared\ccSvcHst.exe c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe c:\program files\Kontiki\KService.exe c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\progra~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE c:\program files\Sony\VAIO Event Service\VESMgr.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe c:\windows\system32\igfxext.exe c:\program files\Common Files\McAfee\SystemCore\mcshield.exe c:\windows\system32\igfxsrvc.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe c:\windows\system32\ICO.EXE c:\windows\RTHDCPL.EXE c:\program files\Apoint\Apntex.exe c:\program files\Common Files\Symantec Shared\ccSvcHst.exe c:\windows\system32\wscntfy.exe c:\program files\STOPzilla!\STOPzilla.exe . ************************************************************************** . Completion time: 2010-08-13 12:07:16 - machine was rebooted ComboFix-quarantined-files.txt 2010-08-13 11:06 Pre-Run: 8,412,479,488 bytes free Post-Run: 15,946,162,176 bytes free - - End Of File - - BD0ADD5A5E1CB62F8AD93B4C0529D28B

Hello Borislav, Please read my last post of yesterday along with this one for the full picture. After I posted last evening I did a full Stopzilla scan. It found 30+ infections most of which were tracking cookies. However, it did find the two problems I told you about yesterday plus 2 trojans (GSAF) and 2 adware (Cognac). I removed them and re-scanned. It found 1 more GSAF and one more Cognac. I removed those and re-scanned this morning and that came up clean. Before I started this post I tried a search but was immediately re-directed to an unrelated site and after I had logged on here a new window opened up again - so the problem still exists! I await your further instructions. Regards, Brian.

Hello Borislav, I'm afraid we have a problem. I followed the instructions and ran Combofix. After downloading the Windows Recovery Console it started to scan but after about 1 minute the screen went blank and the laptop started to reboot. When it had all loaded up, I ran Combofix again but exactly the same thing happened. After it had rebooted the second time, I re-enabled my anti-virus and spyware programmes so that I could post this message. Almost immediately, Stopzilla warned me that it had identified a bug "System Policies. DisabledRegistry Tools". I'm not sure if this is real or something caused by Combofix. I eagerly await your instructions. Regards, Brian.

Hello Borislav, I have now undertakem your latest instructions, but please note: 1. I had a slight problem uninstalling Adobe Reader 7.1.0. There was a link to Microsoft Office 2000 and I had to allow it to reconfigure this program before it would delete Adobe. I do not know what effect this will have on the operation of MS Office. Also in Program Files there is still a reference to Adobe 7.0.5 but Adobe does not now appear in the "Show all Programs" list and all my pdfs on the desktop do not have the adobe logo but show the default windows logo so I presume Adobe has gone? 2. The only reference to Java that I could find (after running JavaRa) was at C:\Windows\Sun, which I deleted. I couldn't find any other folders at the addresses you provided. It seemed easier to zip all of the files and so they are all in the attched. Hope this is OK. Regards, Brian. Scans_110810.zip

Hello Borislav, I have now run the scans. DDS follows this message. the other two are in the zipped file attached. After ARK.txt had saved, my machine froze! I had to manually restart to get going again. Regards, Brian. DDS (Ver_10-03-17.01) - NTFSx86 Run by Brian Dunning at 12:29:46.10 on 09/08/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1526.904 [GMT 1:00] AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\Explorer.EXE svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Kontiki\KService.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Sony\VAIO Event Service\VESMgr.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\system32\ICO.EXE C:\Program Files\Sony\VAIO Power Management\SPMgr.exe C:\Program Files\Sony\ISB Utility\ISBMgr.exe C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\igfxpers.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Kontiki\khost.exe C:\Program Files\STOPzilla!\STOPzilla.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\Brian Dunning\Desktop\dds.com ============== Pseudo HJT Report =============== uStart Page = hxxp://www.bbc.co.uk/ uSearch Page = hxxp://www.google.com uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/ uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s mSearchAssistant = hxxp://www.google.com/ie uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [kdx] c:\program files\kontiki\khost.exe -all mRun: [Apoint] c:\program files\apoint\Apoint.exe mRun: [Mouse Suite 98 Daemon] ICO.EXE mRun: [sonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe mRun: [iSBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe mRun: [PDService.exe] c:\program files\utimaco\safeguard privatedisk\pdservice.exe mRun: [RTHDCPL] RTHDCPL.EXE mRun: [Alcmtr] ALCMTR.EXE mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [ssAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [NSWosCheck] "c:\program files\norton systemworks basic edition\osCheck.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t dRun: [QNB2EB90WX] c:\windows\temp\Mph.exe dRun: [Windows Firewall] c:\windows\temp\lsass.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE uPolicies-explorer: NoViewOnDrive = 0 (0x0) mPolicies-system: EnableLUA = 0 (0x0) IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks basic edition\norton cleanup\WCQuick.lnk IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll Trusted Zone: internet Trusted Zone: mcafee.com Trusted Zone: sony-europe.com Trusted Zone: sonystyle-europe.com Trusted Zone: vaio-link.com DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\briand~1\applic~1\mozilla\firefox\profiles\yyxhe552.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.tesco.net/ FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\picasa2\npPicasa2.dll FF - plugin: c:\program files\picasa2\npPicasa3.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-3 385880] R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328] R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-22 82952] R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [2004-7-6 45627] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-3 93320] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480] R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-22 170144] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-22 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-22 141792] R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?] R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~2\norton~1\NPROTECT.EXE [2005-11-4 95832] R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960] R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-22 55456] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-3 152320] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-22 312616] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-22 88480] S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-3 51688] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-22 88480] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-22 83496] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-3 34248] S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-3 40552] S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?] S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-22 1251720] =============== Created Last 30 ================ 2010-08-09 11:18:04 1160 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg 2010-08-09 10:24:00 0 ----a-w- c:\documents and settings\brian dunning\defogger_reenable 2010-08-04 12:55:47 0 d-----w- c:\docume~1\briand~1\applic~1\Malwarebytes 2010-08-04 12:55:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-04 12:55:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-08-04 12:55:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-04 12:55:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-03 11:32:23 0 d-----w- c:\program files\Spybot - Search & Destroy 2010-08-03 11:32:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2010-07-28 12:08:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software ==================== Find3M ==================== 2010-06-24 19:01:17 2039808 ---ha-w- C:\SZKGFS.dat 2010-05-27 18:43:05 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-26 16:36:58 103784 ----a-w- c:\documents and settings\brian dunning\GoToAssistDownloadHelper.exe 2010-05-21 13:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe 2008-10-27 17:30:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat ============= FINISH: 12:31:42.42 =============== Attach.zip

I thought I'd better check with you before continuing. I'll download and do that now. Regards,

Hello again Borislav, This morning I downloaded and ran DeFogger. During the process, I did not receive an error message but it produced the file defogger_disable on my desktop, which follows this message. Also, it did not ask me to reboot. I await your further instructions. Regards, Brian. defogger_disable by jpshortstuff (23.02.10.1) Log created at 11:24 on 09/08/2010 (Brian Dunning) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... -=E.O.F=-

Hello Borislav, Thank you for your very quick response to my post. I have read the contents of the link you supplied but I am not at all technically adept in computers beyond the basics, so a few questions to start with as I do not wish to make matters worse! As I undrstand it, I need to: Download DeFogger and disable my CD emulation drivers. What effect will this have on my computer? Download DDS. How do I disable a script blocker and where do I find it? Then run the program. Download GMER root scanner and follow the instructions to produce attach.txt and ark.txt I then copy DDS.txt into my reply and attch ark.txt and attach.txt Have I understood everything correctly? Regards,

Hi, This is my first post. I've had a problem since May of this year in that when I click on search engine results, I am redirected to an unrelated site. On occasions new windows also open up. At the time this first occurred I was and still am running McAfee Internet Security. Since then I have obtained Stopzilla and although they get rid of a lot of bugs (whih I presume are being downloaded as a result of the unwanted redirections) neither programme has got rid of the bug that's at the root of all this. Recently I have tried Avast and Spybot. They find the odd thing but the main problem still remains. The same also goes for Malwarebytes. Any help you can give me would be really appreceiated. This problem's driving me nuts!! Below is the text from the latest Malwarebytes scan - but it doesn't say very much except everything's OK - which clearly it is not! Regards, Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4393 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 05/08/2010 17:19:58 mbam-log-2010-08-05 (17-19-58).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 221937 Time elapsed: 1 hour(s), 33 minute(s), 53 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)