AVG, AVAST, NOD32, SB and MWB cant solve this prob! Help!

[opencube]

Im really struggling with this stubborn problem.

Its redirecting my firefox on occasions. firstly ii will direct to a page which seems to show 1 of 2 consistent favicons (1 is in the screen shot below), then redirects me another page, often for antivirus and spyware solutions.

Ive run AVG FREE, AVAST Free, and NOd32 trial as well as SB s&D and MWB (all in safemode too) with no joy...can anyone help?

Heres my HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:31:36, on 08/03/2010

Platform: Windows XP SP3, v.5913 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe

C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Mediafour\MacDrive 8\MacDriveService.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe

C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mskgld32.exe,

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

O4 - HKLM\..\Run: [MacDrive 8 application] "C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe"

O4 - HKLM\..\Run: [Getting started with MacDrive 8] "C:\Program Files\Mediafour\MacDrive 8\MDGetStarted.exe" /auto

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sgajowaq] rundll32.exe "C:\WINDOWS\ovejogux.dll",Startup

O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1261948062531

O17 - HKLM\System\CCS\Services\Tcpip\..\{5914D5F4-B019-47F7-B75E-B4CD067D1C2B}: NameServer = 194.168.4.100,194.168.8.100

O17 - HKLM\System\CS1\Services\Tcpip\..\{5914D5F4-B019-47F7-B75E-B4CD067D1C2B}: NameServer = 194.168.4.100,194.168.8.100

O17 - HKLM\System\CS2\Services\Tcpip\..\{5914D5F4-B019-47F7-B75E-B4CD067D1C2B}: NameServer = 194.168.4.100,194.168.8.100

O23 - Service: Emma Device Management (EmmaDevMgmtSvc) - Sony Ericsson Mobile Communications - C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe

O23 - Service: Emma Update Management (EmmaUpdMgmtSvc) - Sony Ericsson Mobile Communications - C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: MacDrive service (MacDriveService) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDriveService.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--

End of file - 10650 bytes

[kahdah]

Hello opencube

Welcome to Malwarebytes.

=====================

• Download OTL to your desktop.
  
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Under the Standard Registry box change it to All.
  
• Under Custom scan's and fixes section paste in the below in bold
  

  
  

  netsvcs
  
  
  %SYSTEMDRIVE%\*.exe
  
  
  /md5start
  
  
  eventlog.dll
  
  
  scecli.dll
  
  
  netlogon.dll
  
  
  cngaudit.dll
  
  
  sceclt.dll
  
  
  ntelogon.dll
  
  
  logevent.dll
  
  
  iaStor.sys
  
  
  nvstor.sys
  
  
  atapi.sys
  
  
  IdeChnDr.sys
  
  
  viasraid.sys
  
  
  AGP440.sys
  
  
  vaxscsi.sys
  
  
  nvatabus.sys
  
  
  viamraid.sys
  
  
  nvata.sys
  
  
  nvgts.sys
  
  
  iastorv.sys
  
  
  ViPrt.sys
  
  
  eNetHook.dll
  
  
  ahcix86.sys
  
  
  KR10N.sys
  
  
  nvstor32.sys
  
  
  ahcix86s.sys
  
  
  nvrd32.sys
  
  
  symmpi.sys
  
  
  adp3132.sys
  
  
  mv61xx.sys
  
  
  /md5stop
  
  
  %systemroot%\*. /mp /s
  
  
  CREATERESTOREPOINT
  
  
  %systemroot%\system32\*.dll /lockedfiles
  
  
  %systemroot%\Tasks\*.job /lockedfiles
  
  
  %systemroot%\system32\drivers\*.sys /lockedfiles
  
  
  %systemroot%\System32\config\*.sav

  
  

• Check the boxes beside LOP Check and Purity Check.
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
    

====================

Download the following GMER Rootkit Scanner from Here

• Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  
• Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  
• It may take a minute to load and become available.
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  

  
  

• Sections
  
  
• IAT/EAT
  
  
• Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  
  
• Show All (don't miss this one)

  
  

• Then click the Scan button & wait for it to finish.
  
• Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop
  
• **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  
• Click OK and quit the GMER program.
  
• Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  
• Post that log in your next reply.
  

[opencube]

Thank you for helping me out.

Here are the reports:

OTL logfile created on: 09/03/2010 10:47:28 - Run 1

OTL by OldTimer - Version 3.1.35.0 Folder = C:\Documents and Settings\Michael McNevin.MTOWER\Desktop

Windows XP Professional Edition Service Pack 3, v.5913 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 188.85 Gb Free Space | 81.09% Space Free | Partition Type: NTFS

Drive D: | 298.09 Gb Total Space | 2.42 Gb Free Space | 0.81% Space Free | Partition Type: NTFS

Drive E: | 465.76 Gb Total Space | 178.57 Gb Free Space | 38.34% Space Free | Partition Type: NTFS

Drive F: | 931.51 Gb Total Space | 27.87 Gb Free Space | 2.99% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MTOWER

Current User Name: Michael McNevin

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Michael McNevin.MTOWER\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Documents and Settings\Michael McNevin.MTOWER\Local Settings\Application Data\av.exe ()

PRC - C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe (Sony Ericsson Mobile Communications)

PRC - C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe (Sony Ericsson Mobile Communications)

PRC - C:\Program Files\Sandboxie\SbieSvc.exe (tzuk)

PRC - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)

PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)

PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)

PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()

PRC - C:\Program Files\Mediafour\MacDrive 8\MacDriveService.exe (Mediafour Corporation)

PRC - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe ()

PRC - c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe (IDT, Inc.)

PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Michael McNevin.MTOWER\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.3300_x-ww_d7ca0dc2\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)

SRV - (EmmaDevMgmtSvc) -- C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe (Sony Ericsson Mobile Communications)

SRV - (EmmaUpdMgmtSvc) -- C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe (Sony Ericsson Mobile Communications)

SRV - (SbieSvc) -- C:\Program Files\Sandboxie\SbieSvc.exe (tzuk)

SRV - (TomTomHOMEService) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)

SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)

SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()

SRV - (MacDriveService) -- C:\Program Files\Mediafour\MacDrive 8\MacDriveService.exe (Mediafour Corporation)

SRV - (OMSI download service) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe ()

SRV - (STacSV) -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe (IDT, Inc.)

SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)

========== Driver Services (SafeList) ==========

DRV - (SbieDrv) -- C:\Program Files\Sandboxie\SbieDrv.sys (tzuk)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (StarOpen) -- C:\WINDOWS\system32\drivers\StarOpen.sys ()

DRV - (LMIRfsClientNP) -- C:\WINDOWS\system32\LMIRfsClientNP.dll (LogMeIn, Inc.)

DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)

DRV - (MDFSYSNT) -- C:\WINDOWS\system32\drivers\MDFSYSNT.SYS (Mediafour Corporation)

DRV - (MDPMGRNT) -- C:\WINDOWS\system32\drivers\MDPMGRNT.SYS (Mediafour Corporation)

DRV - (ggsemc) -- C:\WINDOWS\system32\drivers\ggsemc.sys (Sony Ericsson Mobile Communications)

DRV - (ggflt) -- C:\WINDOWS\system32\drivers\ggflt.sys (Sony Ericsson Mobile Communications)

DRV - (s1018mdm) -- C:\WINDOWS\system32\drivers\s1018mdm.sys (MCCI Corporation)

DRV - (s1018unic) Sony Ericsson Device 1018 USB Ethernet Emulation (WDM) -- C:\WINDOWS\system32\drivers\s1018unic.sys (MCCI Corporation)

DRV - (s1018mgmt) Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s1018mgmt.sys (MCCI Corporation)

DRV - (s1018obex) -- C:\WINDOWS\system32\drivers\s1018obex.sys (MCCI Corporation)

DRV - (s1018bus) Sony Ericsson Device 1018 driver (WDM) -- C:\WINDOWS\system32\drivers\s1018bus.sys (MCCI Corporation)

DRV - (s1018nd5) Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS) -- C:\WINDOWS\system32\drivers\s1018nd5.sys (MCCI Corporation)

DRV - (s1018mdfl) -- C:\WINDOWS\system32\drivers\s1018mdfl.sys (MCCI Corporation)

DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)

DRV - (PORTIO) -- C:\Program Files\xbox 360 software\JungleFlasher v0.1.71 Beta (98)\portio32.sys ()

DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)

DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)

DRV - (seehcri) -- C:\WINDOWS\system32\drivers\seehcri.sys (Sony Ericsson Mobile Communications)

DRV - (FileDisk) -- C:\WINDOWS\system32\drivers\filedisk.sys (Bo Brant

[kahdah]

Ok post that oner when you can.

[opencube]

Will do...its still scanning! (Only scanning the C drive and made sure the options were unticked)

[opencube]

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-09 14:41:43

Windows 5.1.2600 Service Pack 3, v.5913

Running: isp4dskb.exe; Driver: C:\DOCUME~1\MICHAE~1.MTO\LOCALS~1\Temp\uftdypob.sys

---- System - GMER 1.0.15 ----

Code 892A9BAC ZwRequestPort

Code 892A9C4C ZwRequestWaitReplyPort

Code 892A9B0C ZwTraceEvent

Code 892A9BAB NtRequestPort

Code 892A9C4B NtRequestWaitReplyPort

Code 892A9B0B NtTraceEvent

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\MRxDAV \Device\WebDavRedirector MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\MRxSmb \Device\LanmanRedirector MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device \FileSystem\Cdfs \Cdfs MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89D0FCA1

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000250

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000250 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

[kahdah]

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

====================

First temporarily disable any antivirus program or any real time shields that are present:

If you do not know how then you can refer to this link:

http://www.bleepingcomputer.com/forums/topic114351.html

================

Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah.com then save it to your desktop.

Link 1

Link 2

--------------------------------------------------------------------

Double click on kahdah.com & follow the prompts.

• When finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt
  

============================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[opencube]

thank you.

Ive changed important passwords, but will contact bank tomorrow with the details.

If its any more help, since i removed my anti virus software yesterday (was going to install another after trying the three i mentioned) I now have a new 'false' anti virus program on my machine.

Called Antivirus XP 2010.

It keeps on popping up some quite convincing (but fake windows) saying i have viruses and need to download more stuff.

I have only seen this happen to my machine in the last 24 hrs. Does this mean that ive probably been safe before then?

Any idea where all of this malware/virus may have come from?

Only things I have recently installed (say over last 3 weeks) have been Sopcash, Jungleflasher for some personal xbox 360 modding, mIRC, and recently looking at ways to modify my TomTom (downloaded a recommended prog called Easytools from here: http://www.megaupload.com/?d=60M4Y8PK).

All should have been scanned, but my suspicion may be with the Easytool prog. Any ideas?

I just recently did a re install of xp because of a virus attack. This time round I used AVAST Free as many now say AVG Free isnt that good...however it seems more have gotten through with Avast.

[kahdah]

I am not sure where it came from and it is possible it could have come from a program install who knows.

I would take precautionary actions regardless.

Post that Combofix log when it get's done please.

[opencube]

I am not sure where it came from and it is possible it could have come from a program install who knows.

I would take precautionary actions regardless.

Post that Combofix log when it get's done please.

After I ran Combofix as described, my machine hasnt been able to boot again into normal or safe mode. On normal boot It stops just after the wallpaper loads. I run Task Manager, and try to run explorer from it, but it says it cant find a missing dll called msls51.dll.

Any ideas what to do?

[opencube]

im considering a clean install again... if it is that bad an infection i may do. I would however like to backup some files before doing so... most the stuff id like to backup is on my desktop... so if i could get access to it that would be good.

[kahdah]

Well we can try to repair the system I am not sure what has been removed to cause that but if you want to reformat then let me know and I will help you get your information off the system.

Or if you want to try to repair it then let me know and we will begin with that.

It is up to you.

[opencube]

Well we can try to repair the system I am not sure what has been removed to cause that but if you want to reformat then let me know and I will help you get your information off the system.

Or if you want to try to repair it then let me know and we will begin with that.

It is up to you.

Hi Kadah, just bought myself a usb to eSATA adapter, so will prob look to try get what i need off my machine using that. Dont think there is much to backup as it is only a recent re install anyway. A shame only did it 3 months ago. Oh well suppose thats life!

Thanks for your help.

Just out of interest...do you know what particular problem I had? And any idea where it may have been sourced from. i.e a website (i use FF), an infected download?

AVAST Free obviously missed this one so unlikely to use that again...may go back to AVG Free although AVG Free and NOD32 (Trial) failed to fix/detect this particular problem... so what would you recommend as best protection?

Thanks Again

[kahdah]

Not sure where it came from but you have\had an infection that is a rootkit called TDL3.

Here is a writeup about it.

http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

To try to recover your items you can try the following method.

http://www.howtogeek.com/howto/windows-vis...ndows-computer/

Let me know if that get's you where you need to go.

Also a note on the security programs nothing is 100% and most av's don't stop this rootkit code when launched but what I prefer is kaspersky it is a paid for program but it works very well as opposed to a free antivirus program.

But again nothing is 100% and it could still happen again even with a paid for program.

But in my opinion Kaspersky is the best simply because of it's heuristic detection and behavioral detections it has served me well.