
Hi

A couple of days ago I visited a website I often visit with no problems. However, this time everything went crazy! My various antimalware tools began popping up messages about having blocked/removed all kinds of malware. Needless to say, I immediately closed down the browser and then carried out scans with my various tools (including MBAM). These scans identified and removed a lot more malware. Thinking I was clean, I carried on as usual until I noticed that search results in my browser were being redirected to other URLs than the one expected. I ran scans again and cleared out more malware. This time I also paid for MBAM and set up the protection. Now I am getting multiple popups saying MBAM has blocked access to a possible malicious website along with an IP address (which changes each time). Obviously my computer still has an infection, possibly a rootkit, and I need assistance in removing it please.

Note: I'm in the UK, with a substantial time difference. Also, I will be away tomorrow (Sunday, May 2nd) until evening (my time). I will be checking for responses and following instructions as soon as I am able, so please bear with me.

Here is my DDS.txt log; attached are the latest MBAM log plus Attach.txt and Ark.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by spearson at 16:48:53.18 on 01/05/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2103 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

svchost.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

svchost.exe

C:\Program Files\Motorola Media Link\NServiceEntry.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\WINDOWS\system32\lxducoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Genesys PC Camera Device\GenePccMon.exe

C:\Program Files\Atheros\ACU.exe

C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Motorola\Software Update\mumservice.exe

C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\BBC Alerts\BBC_Alerts.exe

C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\PdaNet for Android\PdaNetPC.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\spearson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://uk.search.yahoo.com

uStart Page = about:blank

mDefault_Page_URL = hxxp://www.yahoo.com

mDefault_Search_URL = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://uk.search.yahoo.com

mSearch Page = hxxp://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://uk.search.yahoo.com

mStart Page = hxxp://www.yahoo.com

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://uk.search.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

uRun: [Google Update] "c:\documents and settings\spearson\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [P2kAutostart] V600

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [bBC Alerts] "c:\program files\bbc alerts\BBC_Alerts.exe"

uRun: [browserChoice] "c:\windows\system32\browserchoice.exe" /run

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.shockwave.com/contentPlay/shockwave.jsp?id=inklink&dwin=1&memberStatus=SignedInStandard&brand="

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [GenePccMon.exe] c:\program files\genesys pc camera device\GenePccMon.exe

mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui

mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [lxduamon] "c:\program files\lexmark 5600-6600 series\lxduamon.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\spearson\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe

StartupFolder: c:\docume~1\spearson\startm~1\programs\startup\shortc~1.lnk - c:\timset.bat

StartupFolder: c:\docume~1\spearson\startm~1\programs\startup\thoosj~2.lnk - c:\program files\thoosje vista sidebar\Thoosje Vista Sidebar.exe

StartupFolder: c:\docume~1\spearson\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\program files\vmware\vmware server\vsocklib.dll

Trusted Zone: hsbc.co.uk\www.business

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236445695875

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236444432234

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1238681560298&h=a2e4f89f72b7ca579f5921fcb3620e2c/&filename=jinstall-6u13-windows-i586-jc.cab

DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab

DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}

DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {7D28A40F-2B98-4095-8DFB-1293E795FD07} = 100.1.1.1

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: ckpNotify - ckpNotify.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

AppInit_DLLs: wbsys.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: Nitro PDF Professional - cscript //B "c:\program files\nitro pdf\professional\RemoveOldAddins.vbs"

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 100.1.1.3 gandalf

Hosts: 100.1.1.2 elrond

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\spearson\applic~1\mozilla\firefox\profiles\zuq5tayl.default\

FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com

FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\program files\mozilla firefox\extensions\{1b2ae334-76b7-f844-9694-fe767bc313b9}\components\5f3e93fd.dll

FF - plugin: c:\documents and settings\spearson\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npsharedview.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\opera\program\plugins\np_gp.dll

FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll

FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: z: No Registry Reference - c:\program files\mozilla firefox\extensions\{1b2ae334-76b7-f844-9694-fe767bc313b9}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

FF - user.js: google.toolbar.linkdoctor.enabled - false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-1 390528]

R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 58984]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 116328]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 61440]

R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2009-3-7 36400]

R2 DeviceMonitorService;DeviceMonitorService;c:\program files\motorola media link\NServiceEntry.exe [2009-10-12 87336]

R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-19 304464]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-3-11 104000]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]

R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-3-26 91392]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-15 779496]

R2 V7;V7;c:\windows\system32\drivers\V7.sys [2009-3-10 6880]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]

R2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2009-2-5 428592]

R2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2009-2-5 428592]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2009-3-7 109072]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2009-3-7 671408]

R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\vmware\vmware vcenter converter standalone\vstor2-mntapi10.sys [2009-2-5 22448]

R3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\drivers\USBGENE.sys [2009-2-25 131584]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2009-3-7 2234320]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-19 20952]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-3-11 72904]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-3-11 34344]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-3-11 177672]

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-4-20 9472]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-3-12 181792]

S0 mbhysq;mbhysq; [x]

S2 gupdate1ca0b93caf0f20;Google Update Service (gupdate1ca0b93caf0f20);c:\program files\google\update\GoogleUpdate.exe [2009-7-23 133104]

S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-3-9 98984]

S2 VMwareHostd;VMware Host Agent;c:\program files\vmware\vmware server\vmware-hostd.exe [2009-3-26 322096]

S2 VMwareServerWebAccess;VMware Server Web Access;c:\program files\vmware\vmware server\tomcat\bin\tomcat6.exe [2009-3-27 57344]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [2009-11-18 1691480]

S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-2-5 27312]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-3-26 6016]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-3-25 24576]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-3-26 19712]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-3-26 8320]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-3-26 42752]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-3-26 23552]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 12872]

S3 vmwriter;VMware VSS Writer;c:\program files\vmware\vmware server\vmVssWriter.exe [2009-3-26 29744]

=============== Created Last 30 ================

2010-05-01 15:35:27 20 ----a-w- c:\documents and settings\spearson\defogger_reenable

2010-05-01 14:24:51 5136 ----a-w- c:\windows\system32\youja_.dll

2010-04-30 11:10:23 711168 ----a-w- c:\windows\is-0DSP4.exe

2010-04-30 11:10:23 399 ----a-w- c:\windows\is-0DSP4.lst

2010-04-30 11:10:23 10562 ----a-w- c:\windows\is-0DSP4.msg

2010-04-29 10:21:15 96704 ----a-w- c:\windows\system32\6397ca1c.exe

2010-04-29 10:20:54 50994 ----a-w- c:\windows\system32\bgvudgdifwuxqk.exe

2010-04-29 02:39:37 293376 ------w- c:\windows\system32\browserchoice.exe

2010-04-28 17:48:45 0 d-----w- C:\SkullShade

2010-04-28 12:58:46 0 d-----w- c:\docume~1\spearson\applic~1\5F4037E30AD7026B8E514816F36D09C7

2010-04-20 18:08:52 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf

2010-04-20 18:04:25 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll

2010-04-20 18:04:24 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys

2010-04-20 18:04:23 0 d-----w- c:\program files\PdaNet for Android

==================== Find3M ====================

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-26 16:02:02 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Motousbnet_01007.Wdf

2010-03-26 16:02:02 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motfilt_01007.Wdf

2010-03-26 16:01:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf

2010-03-26 16:01:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf

2010-03-26 16:01:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf

2010-03-25 12:20:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf

2010-03-25 12:20:32 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2010-03-12 17:11:35 315392 ----a-w- c:\windows\HideWin.exe

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-22 17:57:04 84512 ----a-w- c:\windows\SOUNDMAN.EXE

2010-02-22 17:57:04 358944 ----a-w- c:\windows\vncutil.exe

2010-02-22 17:57:00 1833504 ----a-w- c:\windows\SkyTel.exe

2010-02-22 17:57:00 1489440 ----a-w- c:\windows\RtlUpd.exe

2010-02-22 17:56:58 9721888 ----a-w- c:\windows\RTLCPL.EXE

2010-02-22 17:56:52 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll

2010-02-22 17:56:52 129568 ----a-w- c:\windows\RtkAudioService.exe

2010-02-22 17:56:46 18791456 ----a-w- c:\windows\RTHDCPL.EXE

2010-02-22 17:56:40 64032 ----a-w- c:\windows\ALCMTR.EXE

2010-02-22 17:56:40 2815520 ----a-w- c:\windows\ALCWZRD.EXE

2010-02-22 17:56:40 2177568 ----a-w- c:\windows\MicCal.exe

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2008-09-29 12:06:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

2009-03-30 15:33:50 16384 --sha-w- c:\windows\temp\cookies\index.dat

2009-03-30 15:33:50 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-03-30 15:33:50 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:51:43.28 ===============


Hi spaceace and welcome to Malwarebytes!

Your PC has a rootkit that has replaced your IDE driver file with malware. That is causing most of your PC problems. This might be a tough one. Let's see what we can do. Most likely came from

DeFogger

Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right click DeFogger then choose Run as Administrator Or you can double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If not, restart your PC.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------
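The ComboFix log posted later in this thread contains a "Sigcheck" section listing every copy of tcpip.sys on the machine with its MD5 and version, and ComboFix marks the installed copy under system32\drivers with `[-]` while the dllcache and hotfix copies of the same version carry a different hash. That comparison is the useful part for a defender: Windows keeps known-good copies of system files, so an installed driver whose hash matches none of the reference copies of the same version is the first thing to look at. The script below is an added example and not part of this thread, ComboFix or any Malwarebytes tool; it assumes the Sigcheck line layout exactly as it appears in the log above (flag, date, MD5, size, version, path separated by " . "), uses those six log lines as its sample input, and treats any path under system32 other than dllcache as the live copy.

```python
"""Parse ComboFix-style Sigcheck lines and flag an installed system file whose
MD5 matches none of the reference copies Windows keeps of the same version.
Added example (hypothetical helper names); not ComboFix's own code."""
import re

# Sample input: the Sigcheck section copied from the ComboFix log in this thread.
SIGCHECK_SAMPLE = r"""
[-] 2009-04-16 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["md5"] = e["md5"].upper()
        e["size"] = int(e["size"])
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def is_live_copy(path):
    """The copy Windows loads sits under system32 (or its drivers folder); the
    dllcache, ServicePackFiles and uninstall/hotfix folders hold reference copies."""
    p = path.lower()
    return "\\system32\\" in p and "\\dllcache\\" not in p


def find_mismatches(entries):
    """Flag each live file whose MD5 is absent from the reference copies of the
    same version (falling back to any reference copy if no version matches)."""
    by_name = {}
    for e in entries:
        by_name.setdefault(e["name"], []).append(e)
    findings = []
    for group in by_name.values():
        live = [e for e in group if is_live_copy(e["path"])]
        refs = [e for e in group if not is_live_copy(e["path"])]
        for installed in live:
            same_ver = [r for r in refs if r["version"] == installed["version"]]
            pool = same_ver or refs
            if not pool:
                continue  # nothing to compare against; only ComboFix's flag remains
            ref_md5s = sorted({r["md5"] for r in pool})
            if installed["md5"] not in ref_md5s:
                findings.append({
                    "live_path": installed["path"],
                    "live_md5": installed["md5"],
                    "combofix_flag": installed["flag"],
                    "same_version_reference": bool(same_ver),
                    "reference_md5s": ref_md5s,
                })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_sigcheck(SIGCHECK_SAMPLE)):
        print("MISMATCH", f["live_path"], f["live_md5"],
              "reference copies:", ", ".join(f["reference_md5s"]))
```

On the sample the only finding is the installed tcpip.sys, whose hash differs from both same-version reference copies (the dllcache copy and the hotfix copy, which legitimately differ from each other as GDR and QFE builds). A mismatch like this is a reason to compare the file against a trusted source and to restore it from the reference copy, which is what the "Infected copy ... found and disinfected" line in the log reports ComboFix doing for VMM.sys.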


I'd already run Defogger before my initial post.

Here is my ComboFix log:

ComboFix 10-05-02.01 - spearson 02/05/2010 20:51:34.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2351 [GMT 1:00]

Running from: c:\documents and settings\spearson\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users.\documents\settings

c:\documents and settings\spearson\Application Data\5F4037E30AD7026B8E514816F36D09C7

c:\documents and settings\spearson\Application Data\5F4037E30AD7026B8E514816F36D09C7\enemies-names.txt

c:\program files\WindowsUpdate

c:\windows\system32\bgvudgdifwuxqk.exe

c:\windows\system32\Ijl11.dll

c:\windows\system32\uZQEtNDuIS.dll

c:\windows\system32\vmnat.exe

Infected copy of c:\windows\system32\drivers\VMM.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PRAGMAmqbvtneeis

-------\Service_PRAGMAmqbvtneeis

((((((((((((((((((((((((( Files Created from 2010-04-02 to 2010-05-02 )))))))))))))))))))))))))))))))

.

2010-04-30 11:10 . 2010-04-30 11:10 711168 ----a-w- c:\windows\is-0DSP4.exe

2010-04-29 10:24 . 2010-04-29 10:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-04-29 10:21 . 2010-04-29 10:21 96704 ----a-w- c:\windows\system32\6397ca1c.exe

2010-04-29 10:21 . 2010-04-29 10:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

2010-04-29 02:39 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-04-28 17:48 . 2010-04-28 18:03 -------- d-----w- C:\SkullShade

2010-04-28 16:29 . 2010-04-28 16:29 862872 ------w- c:\documents and settings\spearson\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe

2010-04-28 13:07 . 2010-04-29 22:01 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-20 18:04 . 2009-11-08 00:41 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll

2010-04-20 18:04 . 2006-09-28 13:32 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys

2010-04-20 18:04 . 2010-04-20 18:04 -------- d-----w- c:\program files\PdaNet for Android

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-02 20:05 . 2009-04-14 16:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware

2010-05-02 20:05 . 2009-04-14 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2010-05-02 20:05 . 2010-03-26 14:44 -------- d-----w- c:\program files\Motorola Media Link

2010-05-02 19:29 . 2009-03-19 16:35 -------- d-----w- c:\program files\3D Super Skull

2010-05-02 18:39 . 2009-03-09 11:21 -------- d-----w- c:\program files\uTorrent

2010-05-02 18:39 . 2009-03-30 15:52 -------- d-----w- c:\documents and settings\spearson\Application Data\uTorrent

2010-05-02 18:38 . 2009-03-28 00:15 117760 ----a-w- c:\documents and settings\spearson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-02 04:05 . 2009-04-14 17:11 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-01 14:33 . 2010-02-19 12:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-01 14:32 . 2009-03-08 17:52 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-04-29 17:37 . 2009-04-17 16:54 -------- d-----w- c:\program files\Motorola

2010-04-29 14:39 . 2010-02-19 12:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2010-02-19 12:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 16:29 . 2009-03-09 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-04-28 16:29 . 2009-03-09 11:31 -------- d-----w- c:\program files\Yahoo!

2010-04-28 07:24 . 2010-03-26 15:23 409136 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-26 09:39 . 2009-04-14 17:11 -------- d-----w- c:\documents and settings\spearson\Application Data\VMware

2010-04-20 18:08 . 2010-04-20 18:08 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf

2010-04-16 08:51 . 2008-09-29 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-15 02:35 . 2009-07-02 13:23 -------- d-----w- c:\program files\motosound

2010-04-13 13:27 . 2009-07-23 12:39 -------- d-----w- c:\program files\Google

2010-04-03 02:06 . 2009-03-08 18:18 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-26 16:02 . 2010-03-26 16:02 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Motousbnet_01007.Wdf

2010-03-26 16:02 . 2010-03-26 16:02 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motfilt_01007.Wdf

2010-03-26 16:01 . 2010-03-26 16:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf

2010-03-26 16:01 . 2010-03-26 16:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf

2010-03-26 16:01 . 2010-03-26 16:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf

2010-03-26 15:38 . 2010-03-26 15:37 20584185 ----a-w- c:\documents and settings\All Users\Application Data\motorola\motorola media link\UpDate\Download\Motorola Media Link\1.00.25.0\patch\patch.exe

2010-03-26 15:36 . 2010-03-26 15:36 -------- d-----w- c:\documents and settings\spearson\Application Data\motorola

2010-03-26 15:36 . 2010-03-26 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\motorola

2010-03-26 14:45 . 2010-03-26 14:45 -------- d-----w- c:\program files\Common Files\Nero

2010-03-26 14:44 . 2010-03-26 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2010-03-25 18:58 . 2009-03-09 12:38 -------- d-----w- c:\documents and settings\spearson\Application Data\Skype

2010-03-25 17:53 . 2009-03-09 12:41 -------- d-----w- c:\documents and settings\spearson\Application Data\skypePM

2010-03-25 12:29 . 2010-03-25 11:38 -------- d-----w- c:\documents and settings\spearson\Application Data\Teleca

2010-03-25 12:20 . 2010-03-25 12:20 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf

2010-03-25 12:20 . 2010-03-25 12:20 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2010-03-25 11:32 . 2010-03-25 11:22 -------- d-----w- c:\program files\HTC

2010-03-25 11:23 . 2010-03-25 11:23 -------- d-----w- c:\program files\Spirent Communications

2010-03-25 11:04 . 2009-03-09 14:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-03-23 14:36 . 2009-03-08 17:19 -------- d-----w- c:\program files\Opera

2010-03-18 03:26 . 2009-04-14 08:14 -------- d-----w- c:\program files\everest

2010-03-16 12:19 . 2009-04-02 11:49 -------- d-----w- c:\program files\Safari

2010-03-12 18:21 . 2010-03-12 18:21 -------- d-----w- c:\program files\VIA

2010-03-12 17:12 . 2009-02-25 16:29 -------- d-----w- c:\program files\Realtek

2010-03-12 17:12 . 2009-02-25 16:29 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-12 17:11 . 2010-03-12 17:11 315392 ----a-w- c:\windows\HideWin.exe

2010-03-12 16:48 . 2010-03-12 16:43 40656136 ----a-w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters\Driver Detective\Downloads\XFXA_PCDRV_LB_1_04_0090.exe

2010-03-12 16:35 . 2009-03-09 13:43 -------- d-----w- c:\program files\NCH Swift Sound

2010-03-12 15:43 . 2010-03-12 15:43 2402840 ----a-w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters\Driver Detective\Downloads\infinst_autol.exe

2010-03-12 15:21 . 2010-03-12 15:46 170802 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-10 18:26 . 2010-03-10 18:26 -------- d-----w- c:\program files\Cisco Systems

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-05 14:17 . 2010-03-05 14:17 -------- d-----w- c:\program files\Common Files\Skype

2010-03-04 04:00 . 2010-03-04 04:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe

2010-03-01 10:34 . 2010-03-01 10:34 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys

2010-03-01 10:34 . 2010-03-01 10:34 390528 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys

2010-03-01 10:34 . 2010-03-01 10:34 249856 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll

2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-22 17:57 . 2010-02-22 17:57 84512 ----a-w- c:\windows\SOUNDMAN.EXE

2010-02-22 17:57 . 2010-02-22 17:57 358944 ----a-w- c:\windows\vncutil.exe

2010-02-22 17:57 . 2010-02-22 17:57 1833504 ----a-w- c:\windows\SkyTel.exe

2010-02-22 17:57 . 2010-02-22 17:57 1489440 ----a-w- c:\windows\RtlUpd.exe

2010-02-22 17:56 . 2010-02-22 17:56 9721888 ----a-w- c:\windows\RTLCPL.EXE

2010-02-22 17:56 . 2010-02-22 17:56 129568 ----a-w- c:\windows\RtkAudioService.exe

2010-02-22 17:56 . 2009-03-30 15:30 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll

2010-02-22 17:56 . 2010-02-22 17:56 18791456 ----a-w- c:\windows\RTHDCPL.EXE

2010-02-22 17:56 . 2010-02-22 17:56 64032 ----a-w- c:\windows\ALCMTR.EXE

2010-02-22 17:56 . 2010-02-22 17:56 2815520 ----a-w- c:\windows\ALCWZRD.EXE

2010-02-22 17:56 . 2010-02-22 17:56 2177568 ----a-w- c:\windows\MicCal.exe

2010-02-22 17:28 . 2010-02-22 17:28 5862432 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys

2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

------- Sigcheck -------

[-] 2009-04-16 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25BC7718-0BFA-40EA-B381-4B2D9732D686}]

2010-04-01 03:34 578872 ----a-w- c:\program files\Yahoo!\Search Protection\ysp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"P2kAutostart"="V600" [X]

"Google Update"="c:\documents and settings\spearson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-08 133104]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-30 2020592]

"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-23 39408]

"BBC Alerts"="c:\program files\BBC Alerts\BBC_Alerts.exe" [2008-01-11 759728]

"BrowserChoice"="c:\windows\system32\browserchoice.exe" [2010-02-12 293376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8495104]

"nwiz"="nwiz.exe" [2009-01-30 1657376]

"GenePccMon.exe"="c:\program files\Genesys PC Camera Device\GenePccMon.exe" [2007-02-14 36864]

"ACU"="c:\program files\Atheros\ACU.exe" [2007-05-03 376921]

"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-11-03 684712]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-06 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-18 76304]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-18 76304]

"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-11-03 16040]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"RTHDCPL"="RTHDCPL.EXE" [2010-02-22 18791456]

"mumservice"="c:\program files\Motorola\Software Update\mumservice.exe" [2010-02-10 1066240]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\spearson\Start Menu\Programs\Startup\

PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2010-4-20 447952]

Shortcut to timset.bat.lnk - C:\timset.bat [2009-3-7 26]

Thoosje Vista Sidebar.lnk - c:\program files\Thoosje Vista Sidebar\Thoosje Vista Sidebar.exe [2009-7-7 605696]

Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-19 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-5 809488]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-3-9 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-05 07:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-06-19 13:01 24669 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-02-18 23:30 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\WINDOWS\\system32\\lxducoms.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\VMware\\VMware Server\\vmware-authd.exe"=

"c:\\Program Files\\VMware\\VMware Server\\vmware-hostd.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\program files\BBC Alerts\BBC_Alerts.exe"= c:\program files\BBC Alerts\BBC_Alerts.exe

"c:\\Program Files\\BUFFALO\\AirStation\\ecset\\ecset.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [01/03/2010 11:34 390528]

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 14:47 58984]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 116328]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 12:43 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 12:43 61440]

R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [07/03/2009 20:00 36400]

R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\NServiceEntry.exe [12/10/2009 10:46 87336]

R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [19/02/2010 13:23 304464]

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [26/03/2010 16:13 91392]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 779496]

R2 V7;V7;c:\windows\system32\drivers\V7.sys [10/03/2009 15:00 6880]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [26/03/2009 20:56 54960]

R2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [05/02/2009 15:20 428592]

R2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [05/02/2009 15:33 428592]

R2 VMwareHostd;VMware Host Agent;c:\program files\VMware\VMware Server\vmware-hostd.exe [26/03/2009 20:55 322096]

R2 VMwareServerWebAccess;VMware Server Web Access;c:\program files\VMware\VMware Server\tomcat\bin\tomcat6.exe [27/03/2009 03:56 57344]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [07/03/2009 20:00 109072]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [07/03/2009 20:00 671408]

R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\VMware\VMware vCenter Converter Standalone\vstor2-mntapi10.sys [05/02/2009 15:20 22448]

R3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\drivers\USBGENE.sys [25/02/2009 17:46 131584]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [07/03/2009 20:00 2234320]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [19/02/2010 13:23 20952]

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [20/04/2010 19:04 9472]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/03/2010 17:41 181792]

S0 mbhysq;mbhysq; [x]

S2 gupdate1ca0b93caf0f20;Google Update Service (gupdate1ca0b93caf0f20);c:\program files\Google\Update\GoogleUpdate.exe [23/07/2009 13:42 133104]

S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [09/03/2009 10:40 98984]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [18/11/2009 08:16 1691480]

S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [05/02/2009 15:19 27312]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [26/03/2010 16:15 6016]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [25/03/2010 12:24 24576]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [26/03/2010 15:42 19712]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [26/03/2010 15:42 8320]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [26/03/2010 16:15 42752]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [26/03/2010 16:15 23552]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 12:43 12872]

S3 vmwriter;VMware VSS Writer;c:\program files\VMware\VMware Server\vmVssWriter.exe [26/03/2009 20:56 29744]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/04/2009 19:50 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\back up staging site.job

- c:\program files\Ipswitch\WS_FTP Professional\ftpsync.exe [2009-03-09 14:33]

2009-08-14 c:\windows\Tasks\backup live site.job

- c:\program files\Ipswitch\WS_FTP Professional\ftpsync.exe [2009-03-09 14:33]

2010-03-12 c:\windows\Tasks\expressburnSevenDaysInit.job

- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-03-12 16:35]

2010-05-02 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-23 12:39]

2010-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 12:42]

2010-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 12:42]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3245026140-2724869982-1914955602-1008Core.job

- c:\documents and settings\spearson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-08 17:25]

2010-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3245026140-2724869982-1914955602-1008UA.job

- c:\documents and settings\spearson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-08 17:25]

2010-05-02 c:\windows\Tasks\User_Feed_Synchronization-{8BE1BDED-0FDF-4739-8BBA-0B71066434BD}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = hxxp://www.yahoo.com

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://uk.search.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {{BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\Yahoo!\Search Protection\ysp.dll

LSP: c:\program files\VMware\VMware Server\vsocklib.dll

Trusted Zone: hsbc.co.uk\www.business

TCP: {7D28A40F-2B98-4095-8DFB-1293E795FD07} = 100.1.1.1

DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}

FF - ProfilePath - c:\documents and settings\spearson\Application Data\Mozilla\Firefox\Profiles\zuq5tayl.default\

FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com

FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\program files\Mozilla Firefox\extensions\{1b2ae334-76b7-f844-9694-fe767bc313b9}\components\5f3e93fd.dll

FF - plugin: c:\documents and settings\spearson\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

Notify-WBSrv - (no file)

ActiveSetup-Nitro PDF Professional - (no file)

AddRemove-bgvudgdifwuxqk - c:\windows\system32\bgvudgdifwuxqk.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-02 21:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

GenePccMon.exe = c:\program files\Genesys PC Camera Device\GenePccMon.exe???????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}*]

"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,

fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB53ABC9-60C7-8B2C-A2AB126EB1F03A59}\{6511FF0A-0202-CA71-9BBA47A5377501DE}\{CE12CB05-B8C7-0E6B-6DC342F04A20B600}*]

"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,64,9a,a4,

d6,b9,d8,cd,f7,44,95,e1,67,88,1e,f6,cc,02,df,62,f5,79,14,0a,6c,20,8a,5b,87,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1932)

c:\windows\system32\VMGINA.DLL

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

c:\windows\system32\msacm32.drv

- - - - - - - > 'explorer.exe'(7508)

c:\windows\system32\WININET.dll

c:\program files\Trusteer\Rapport\bin\rooksbas.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Microsoft Virtual PC\VPCShExH.DLL

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

c:\windows\system32\acs.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\windows\system32\lxducoms.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\VMware\VMware Server\vmware-authd.exe

c:\windows\system32\vmnetdhcp.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

c:\windows\system32\rundll32.exe

c:\program files\Lexmark 5600-6600 Series\lxduMsdMon.exe

c:\windows\RTHDCPL.EXE

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\Motorola\MotoConnectService\MotoConnect.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2010-05-02 21:18:57 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-02 20:18

Pre-Run: 141,939,232,768 bytes free

Post-Run: 144,523,984,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect

- - End Of File - - DF5F75C34F3AAA6EDAD2532C9DD4ACAB

Link to post
Share on other sites

Looks good spaceace. Let's make sure all is gone. And I want to check your security so this will not happen again.... :lol:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

EsetOnlineScanner\log.txt

checkup.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

Link to post
Share on other sites

OK - this is the ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=b4a5e8e0ed12a24e9da0003a7db16cf3

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-03 01:39:51

# local_time=2010-05-03 02:39:51 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 36288143 36288143 0 0

# compatibility_mode=8192 67108863 100 0 308 308 0 0

# scanned=133010

# found=9

# cleaned=0

# scan_time=12105

C:\bits and bobs\SmileyCentralSetup2.0.4.3.left_narrow.exe Win32/AdInstaller application 00000000000000000000000000000000 I

C:\bits and bobs\dap\downloads\new\marinefree.exe multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\spearson\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-7b21e8d3 multiple threats 00000000000000000000000000000000 I

C:\Documents and Settings\spearson\My Documents\BBDesktopHelpInstallDV.exe probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I

C:\Documents and Settings\spearson\My Documents\snis2514.zip probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I

C:\Documents and Settings\spearson\My Documents\unlocker1.8.6.exe a variant of Win32/Adware.ADON application 00000000000000000000000000000000 I

C:\Documents and Settings\spearson\My Documents\simon\work\Infomap2.dot probably a variant of WM/Muck.BQ virus 00000000000000000000000000000000 I

C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\VMM.sys.vir Win32/Patched.EQ trojan 00000000000000000000000000000000 I

And here is the Security Check log:

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

McAfee VirusScan Enterprise

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 13

Out of date Java installed!

Adobe Flash Player 10.0.45.2

Adobe Reader 9.3.2

Mozilla Firefox (3.6.3)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

McAfee VirusScan Enterprise VsTskMgr.exe

McAfee VirusScan Enterprise Mcshield.exe

Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Note: The Windows firewall is off because I have an external firewall built into my router.

I had no problems following your instructions - just the amount of time the scans took :-)

Things seem to be running much better - the messages from MBAM about blocking access to malicious websites seemed to have stopped after I ran Combofix. Also, the computer seems to be running faster than it was before.

Link to post
Share on other sites

Unlocker is fine. ESET thinks it's a virus, but it's not. Qoobox is ComboFix. We'll remove it and I'll give you some tips so this does not happen again..... :lol:

In my next reply.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Folders/Files

C:\bits and bobs\SmileyCentralSetup2.0.4.3.left_narrow.exe

C:\bits and bobs\dap\downloads\new\marinefree.exe

C:\Documents and Settings\spearson\Application Data\Sun\Java\Deployment\cache\

C:\Documents and Settings\spearson\My Documents\BBDesktopHelpInstallDV.exe

C:\Documents and Settings\spearson\My Documents\snis2514.zip

C:\Documents and Settings\spearson\My Documents\simon\work\Infomap2.dot

Next

There are some older versions of Java on your computer. These can be a source of infection.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 20 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u120 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_20 from Sun Microsystems Inc.

With that done, please post back and let me know all is well.

Link to post
Share on other sites

I've done all that and things generally appear to be OK apart from one oddity.

After I rebooted and before installing the new Java, I got a popup from Windows Security Centre telling me that McAfee VirusScan Enterprise is turned off (which it isn't). I clicked the balloon to open Security Centre and when it opened it showed that Virus Protection was ON.

I closed Security Centre, and proceeded with the Java installation, which went fine and showed it was correctly installed on the test page. Then the Security Centre popup reappeared to tell me McAfee was off again. This time, when I opened Security Centre, it showed Virus Protection OFF but a couple of seconds later it changed to ON without me doing anything. This is something I have not seen before; could there be any connection with the fact that I have MBAM protection running now, which I didn't have before this whole infection thing started?

Many thanks for all your efforts to help me with this!

Link to post
Share on other sites

Yes, you want MBAM protection and McAfee on. Both in the background all the time the PC is turned on and running.

Both should work well together if not let me know.

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, Firefox and Opera; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you spaceace.


Link to post
Share on other sites
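The Internet Explorer zone changes recommended in the post above can also be audited (and, with -Apply, set) from the registry, which is useful for confirming the Custom Level clicks actually took effect. This is an added example, not code from the thread or from any tool it mentions; it assumes the documented layout of the Internet zone key (Zones\3 under Internet Settings, action values 0 = Enable, 1 = Prompt, 3 = Disable) and that the user's zone settings are not locked to HKLM by policy.

```powershell
# Added example (not from the thread): audit, and optionally apply, the Internet-zone
# settings recommended above. Assumed registry layout: HKCU\...\Internet Settings\Zones\3
# is the Internet zone; action values are 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Prompt  = 1
$Disable = 3

# Zone value name -> (setting name as shown in Custom Level, recommended action)
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Action = $Prompt  }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Action = $Disable }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Action = $Disable }
    '1800' = @{ Name = 'Installation of desktop items';                             Action = $Prompt  }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Action = $Prompt  }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';             Action = $Prompt  }
}
$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([string]$ValueName) {
    # Returns $null when the value is absent (IE then uses the zone template default)
    $item = Get-ItemProperty -Path $ZoneKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$drift = 0
foreach ($entry in $Recommended.GetEnumerator()) {
    $current = Get-ZoneSetting $entry.Key
    $want    = $entry.Value.Action
    $shown   = if ($null -eq $current) { 'not set' } else { $ActionName[$current] }
    if ($current -eq $want) {
        "OK      {0,-60} {1}" -f $entry.Value.Name, $shown
    } else {
        $drift++
        "CHANGE  {0,-60} {1} -> {2}" -f $entry.Value.Name, $shown, $ActionName[$want]
        if ($Apply) {
            # Written as a DWORD; new Internet Explorer windows pick the value up
            Set-ItemProperty -Path $ZoneKey -Name $entry.Key -Value $want -Type DWord
        }
    }
}
$suffix = if ($Apply) { ' (now applied)' } else { ' (run with -Apply to set them)' }
"{0} setting(s) differ from the recommended values{1}" -f $drift, $suffix
```

Run it without -Apply first to see which of the six settings still differ; a setting that reads "not set" is using the zone's default, which for the Internet zone is not necessarily the value the post asks for.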

Thanks for all your help Kenny!

One thing though - I removed all the tools we used during the clean up and set my overnight scans to run as normal. This morning I checked the log for SuperAntiSpyware and found the following:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 05/04/2010 at 03:50 AM

Application Version : 4.36.1006

Core Rules Database Version : 4886

Trace Rules Database Version: 2698

Scan type : Complete Scan

Total Scan Time : 00:24:48

Memory items scanned : 786

Memory threats detected : 0

Registry items scanned : 7256

Registry threats detected : 2

File items scanned : 27975

File threats detected : 0

Rogue.AntivirusSoft

HKU\.DEFAULT\Software\avsoft

HKU\S-1-5-18\Software\avsoft

Is this something to be concerned about?

Link to post
Share on other sites

This topic is now closed to further replies.