
Redirects, programme not responding



Hi, I hope you can help.

I am getting redirects and additional IE windows opening, and I think both Chrome and Mozilla no longer connect. I'm also getting a lot of programmes going to "not responding".

Malwarebytes found nothing.

I've been able to do most of the scans, BUT the GMER one I can't get the log file from. I've tried about 8 times - I've been trying for about 8 hrs! Either it goes to "not responding" or it reboots part way through. Twice it completed, but then the log file would not save. So close but so far. I have managed to save the initial script it produced, though.

So here is DDS log

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 11:51:23.87 on 06/06/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1399 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\USB Storage RW\shwicon.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Palm\Hotsync.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://srch-gb7.hpwis.com/

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [McAfee.InstantUpdate.Monitor] "c:\program files\mcafee\mcafee shared components\instant updater\RuLaunch.exe" /STARTMONITOR

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\goo

Attach.zip

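A triage pass over DDS "Pseudo HJT Report" lines of the kind posted above, as an added example in Python; this is not the forum's tooling and not anything the poster ran. The sample log is constructed from the line shapes in the DDS log above, with one placeholder BHO (an all-zero CLSID and a made-up temp-folder DLL) added so that every rule fires, and Trusted Zone lines modelled on the ones that appear later in the thread. The severity labels, the "expected" path roots and the vowel-free-name heuristic are my assumptions, not anything DDS itself reports.

```python
"""Triage of DDS "Pseudo HJT Report" lines: flag what a malware-removal helper
reads first. Added example; the rules and severities are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample. Line shapes copied from the DDS log in the post above; the
# all-zero BHO with a temp-folder DLL is a placeholder so every rule fires, and the
# Trusted Zone lines are modelled on ones that appear later in the thread.
SAMPLE_DDS = r"""
uStart Page = hxxp://home.bt.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {00000000-0000-0000-0000-000000000000} - c:\documents and settings\owner\local settings\temp\xkqvrtwb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
Trusted Zone: filesmonster.com
Trusted Zone: http
"""

# Assumed "expected" roots for anything IE or the Run keys load; everything else
# (user profile, temp, removable media) is at least worth a second look.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
IE_EXTENSION_KINDS = ("BHO", "TB", "EB", "uURLSearchHooks")
AUTOSTART_KINDS = ("uRun", "mRun", "dRunOnce", "StartupFolder")
PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:dll|exe|scr|sys))"?')


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    rule: str
    line: str       # the original log line, kept as evidence


def random_looking(filename: str) -> bool:
    """Heuristic (assumption): an all-letter, vowel-free stem of 8+ characters,
    like the wthlxmtvg folder ComboFix lists later in the thread. 'y' counts as
    a vowel so legitimate names such as hpsysdrv are not flagged."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) >= 8 and not any(c in "aeiouy" for c in stem)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(":", 1)[0]
        low = line.lower()
        # A CLSID still registered but its file gone: leftover of an uninstall.
        if kind in IE_EXTENSION_KINDS and low.endswith("- no file"):
            findings.append(Finding("low", "orphaned CLSID (registered, no file)", line))
            continue
        if kind in IE_EXTENSION_KINDS or kind in AUTOSTART_KINDS:
            m = PATH_RE.search(low)
            if not m:
                continue
            path = m.group(1)
            if not path.startswith(SYSTEM_ROOTS):
                sev = "high" if kind in IE_EXTENSION_KINDS else "medium"
                findings.append(Finding(sev, f"{kind} loads from outside Windows/Program Files", line))
            if random_looking(path.rsplit("\\", 1)[-1]):
                findings.append(Finding("medium", "random-looking file name", line))
        elif kind == "Trusted Zone":
            # Trusted-zone sites get IE's relaxed ActiveX/script policy.
            findings.append(Finding("medium", "site in IE Trusted zone", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
    print(summarize(results))
```

The output is a review list, not a verdict: the Google Update entry is flagged only because it runs from the user profile, which is where Google's per-user updater legitimately lives, and the "No File" toolbar and explorer-bar entries are leftovers from uninstalled add-ons rather than active code. Each Trusted Zone entry is listed because IE applies its relaxed ActiveX and scripting policy to whatever is in that zone, so a helper wants to know every domain in it.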

Hi, thank you!!

I am having major problems posting here, so please bear with me. I will do the DDS log as a zip, because it seems trying to paste large amounts of text causes it to fail.

Also, I keep getting something about "generic host 32" on the PC, in addition to redirects, freezes etc.

MBAM log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4174

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

07/06/2010 10:05:31

mbam-log-2010-06-07 (10-05-31).txt

Scan type: Quick scan

Objects scanned: 139680

Time elapsed: 21 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.zip


Thank you so much for your reply - I am truly grateful! I see you are in LA and I am in the UK, so we are out of sync; you will find I will be replying out of sync to you, but I will be replying!

so here are the log files...

Combofix

ComboFix 10-06-08.03 - Owner 09/06/2010 10:49:57.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1567 [GMT 1:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\1km1b.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\4M04Pjy.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\5Moa6abk.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\XmaxP.jpg

c:\documents and settings\Owner\Recent\Thumbs.db

c:\windows\system\Pncrt.dll

c:\windows\system32\fonts

c:\windows\system32\fonts\ACADEMY_.PFB

c:\windows\system32\fonts\ACADEMY_.PFM

c:\windows\system32\fonts\ACADEMY_.TTF

c:\windows\system32\Thumbs.db

D:\Autorun.inf

L:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))

.

2010-06-05 16:23 . 2010-06-06 09:30 -------- d-----w- c:\program files\Common Files\PC Tools

2010-06-04 15:12 . 2010-06-04 15:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\wthlxmtvg

2010-06-02 14:26 . 2010-06-02 14:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-09 09:47 . 2009-02-22 20:32 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-09 09:47 . 2009-02-22 20:31 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-06-08 21:46 . 2009-02-25 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype

2010-06-08 20:29 . 2009-02-25 21:08 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM

2010-06-05 18:40 . 2003-12-04 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-05 17:13 . 2003-12-04 18:32 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-05 16:38 . 2007-08-03 20:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-02 15:31 . 2005-05-29 14:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Soamad

2010-06-02 14:36 . 2006-02-21 06:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Izva

2010-05-27 12:28 . 2004-01-24 21:49 -------- d-----w- c:\program files\ICQ

2010-05-15 16:05 . 2003-12-04 21:19 -------- d-----w- c:\program files\Palm

2010-04-30 14:32 . 2010-02-17 11:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 14:39 . 2010-02-17 11:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2010-02-17 11:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 21:05 . 2010-04-27 21:05 -------- d-----w- c:\program files\Common Files\Skype

2010-04-19 19:43 . 2010-04-19 19:43 276591 ----a-w- c:\windows\CUBE Demo Uninstaller.exe

2010-04-19 19:43 . 2010-04-19 19:43 -------- d-----w- c:\program files\VirSyn Software Synthesizer

2007-06-16 12:33 . 2007-06-16 12:33 475844 -c--a-w- c:\program files\OggDS0995.exe

2007-06-15 08:36 . 2007-06-15 08:36 1207026 -c--a-w- c:\program files\wrar370.exe

2004-01-24 22:17 . 2004-01-19 21:14 10012 -c--a-w- c:\program files\ambt.dat

2002-11-11 13:56 . 2002-11-11 13:56 155648 -c--a-w- c:\program files\Common Files\MTron Sounds Installer.exe

.

------- Sigcheck -------

[7] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys

[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\agp440.sys

[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\system32\drivers\agp440.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-07-28 49152]

"McAfee.InstantUpdate.Monitor"="c:\program files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2003-06-03 122948]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-10 68856]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-26 133104]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"KYE_Showicon"="c:\program files\USB Storage RW\shwicon.exe -tKYE\USB Storage RW" [X]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]

"nwiz"="nwiz.exe" [2003-07-28 323584]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]

"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SRUUninstall"="c:\windows\System32\msiexec.exe" [2008-04-14 78848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-10-25 11:48 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"wave9"=Echo24Wrap.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe"

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

"swg"=c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe

"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"

"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"

"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r

"WCOLOREAL"="c:\program files\Coloreal\coloreal.exe"

"ATIModeChange"=Ati2mdxx.exe

"PS2"=c:\windows\system32\ps2.exe

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Palm\\HOTSYNC.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=

"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [24/02/2009 20:15 64160]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [28/05/2008 10:33 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/05/2008 10:33 74480]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [17/02/2010 12:39 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [18/04/2009 19:45 93320]

R3 AVMWAN;AVM NDIS WAN CAPI Driver;c:\windows\system32\drivers\avmwan.sys [03/12/2003 22:19 37568]

R3 echo24;Mia Service;c:\windows\system32\drivers\echo24.sys [19/05/2003 13:14 546560]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/02/2009 00:01 101936]

R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\system32\drivers\fpcibase.sys [03/12/2003 22:19 444416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [17/02/2010 12:39 20952]

R3 SynasUSB;eLicenser;c:\windows\system32\drivers\synasusb.sys [05/12/2003 18:32 23696]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29/01/2010 19:06 135664]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/05/2008 10:33 7408]

.

Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:06]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:06]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1402589321-493697589-2058370646-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-26 12:18]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1402589321-493697589-2058370646-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-26 12:18]

2010-05-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 11:22]

2009-04-18 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 11:22]

2010-06-08 c:\windows\Tasks\User_Feed_Synchronization-{F72CFE1E-F4B6-41A1-A43F-BFFA77BBAF9F}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.bt.yahoo.com/

uDefault_Search_URL = hxxp://srch-gb7.hpwis.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

Trusted Zone: arbitermt.co.uk\www

Trusted Zone: filesmonster.com

Trusted Zone: http

Trusted Zone: uploaded.to

Trusted Zone: uploading.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {161A7465-FEEE-4B40-8A85-ED752B93F73E} - file://F:\IntraLaunch.CAB

DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} - hxxp://www.activeworlds.com/products/ActiveWorldsDownload.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\laxxm14v.default\

FF - prefs.js: browser.startup.homepage - hxxp://dailystrength.org/home

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - k:\arc\arc3\Download\HijackThis.exe

AddRemove-Wusik Free Reaktor Collection_is1 - c:\program files\Native Instruments\Reaktor 4\Library\Ensembles\Synths\Wusik.com\ReaktorCollection\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-09 11:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-09 11:10:20

ComboFix-quarantined-files.txt 2010-06-09 10:10

Pre-Run: 12,713,025,536 bytes free

Post-Run: 12,989,534,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 16739F67CA7F752B041DB47DA9BDFCE5

DDS run just now after running combofix

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 11:16:55.84 on 09/06/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1504 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com/

uDefault_Search_URL = hxxp://srch-gb7.hpwis.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit

uRun: [McAfee.InstantUpdate.Monitor] "c:\program files\mcafee\mcafee shared components\instant updater\RuLaunch.exe" /STARTMONITOR

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [KYE_Showicon] "c:\program files\usb storage rw\shwicon.exe" -t"kye\USB Storage RW"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [speedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [sRUUninstall] "c:\windows\system32\msiexec.exe" /l*v c:\windows\temp\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe

mPolicies-explorer: <NO NAME> =

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll

Trusted Zone: arbitermt.co.uk\www

Trusted Zone: filesmonster.com

Trusted Zone: http

Trusted Zone: uploaded.to

Trusted Zone: uploading.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxd.cab

DPF: {161A7465-FEEE-4B40-8A85-ED752B93F73E} - file://F:\IntraLaunch.CAB

DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} - hxxp://www.activeworlds.com/products/ActiveWorldsDownload.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - hxxps://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37959.3170601852

DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab

DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://www.imgag.com/cp/install/Crusher.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - hxxp://register.btinternet.com/templates/btwebcontrol023.cab

TCP: {5F5AF907-6CC7-419E-8739-3F357B4758FA} = 194.74.65.69 194.72.9.34

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\laxxm14v.default\

FF - prefs.js: browser.startup.homepage - hxxp://dailystrength.org/home

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-24 64160]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-18 214664]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 74480]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-17 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-18 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-18 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-18 144704]

R3 AVMWAN;AVM NDIS WAN CAPI Driver;c:\windows\system32\drivers\avmwan.sys [2003-12-3 37568]

R3 echo24;Mia Service;c:\windows\system32\drivers\echo24.sys [2003-5-19 546560]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]

R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;c:\windows\system32\drivers\fpcibase.sys [2003-12-3 444416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-17 20952]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-18 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-18 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-18 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-18 40552]

R3 SynasUSB;eLicenser;c:\windows\system32\drivers\synasusb.sys [2003-12-5 23696]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-18 34248]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

S4 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

=============== Created Last 30 ================

2010-06-09 09:37:52 0 d-sha-r- C:\cmdcons

2010-06-09 09:25:15 77312 ----a-w- c:\windows\MBR.exe

2010-06-09 09:25:15 256512 ----a-w- c:\windows\PEV.exe

2010-06-09 09:25:15 161792 ----a-w- c:\windows\SWREG.exe

2010-06-09 09:25:14 98816 ----a-w- c:\windows\sed.exe

2010-06-06 10:37:41 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-06-05 16:23:02 0 d-----w- c:\program files\common files\PC Tools

==================== Find3M ====================

2010-06-09 09:47:35 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-09 09:47:15 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-19 19:43:53 276591 ----a-w- c:\windows\CUBE Demo Uninstaller.exe

2007-06-16 12:33:57 475844 -c--a-w- c:\program files\OggDS0995.exe

2007-06-15 08:36:37 1207026 -c--a-w- c:\program files\wrar370.exe

2004-01-24 22:17:01 10012 -c--a-w- c:\program files\ambt.dat

2002-11-11 13:56:56 155648 -c--a-w- c:\program files\common files\MTron Sounds Installer.exe

2008-08-21 11:38:49 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 11:17:33.29 ===============

Finally, I've attached the Attach file:

Attach.zip


  • Staff

Hi,

Before we continue, please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\drivers\agp440.sys

Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


hi, thanks.

After the combofix ate something I am no longer getting redirects in IE. No more additional windows opening in IE. Chrome and Mozilla now connect and open properly. Generally programmes don't go to not responding BUT...

IE is freezing when I first open it. I have to close it; it tells me it's non-responsive etc., so I need to close the application via Windows Ctrl/Alt/Delete. When I try to open it a second time, it does OK and goes to the appropriate start-up page.

A note on the logs. I think the "Active World" one is ok. It is an old virtual world programme a bit like second life, it just didn't uninstall properly. My ISP is BT (I see it found a dialer)

Many, many thanks for your time and help on this. Mark

The logs.

Agp440.sys analysis

File agp440.sys.2010.8.6.11.15.pvr.per received on 2010.06.09 14:47:35 (UTC)

Current status: finished

Result: 1/41 (2.44%)


Antivirus Version Last Update Result

a-squared 5.0.0.26 2010.06.09 -

AhnLab-V3 2010.06.09.04 2010.06.09 -

AntiVir 8.2.2.6 2010.06.09 -

Antiy-AVL 2.0.3.7 2010.06.08 -

Authentium 5.2.0.5 2010.06.09 -

Avast 4.8.1351.0 2010.06.09 -

Avast5 5.0.332.0 2010.06.09 -

AVG 9.0.0.787 2010.06.09 -

BitDefender 7.2 2010.06.09 -

CAT-QuickHeal 10.00 2010.06.09 -

ClamAV 0.96.0.3-git 2010.06.09 -

Comodo 5040 2010.06.09 -

DrWeb 5.0.2.03300 2010.06.09 -

eSafe 7.0.17.0 2010.06.09 -

eTrust-Vet 36.1.7622 2010.06.09 -

F-Prot 4.6.0.103 2010.06.09 -

F-Secure 9.0.15370.0 2010.06.09 -

Fortinet 4.1.133.0 2010.06.09 -

GData 21 2010.06.09 -

Ikarus T3.1.1.84.0 2010.06.09 -

Jiangmin 13.0.900 2010.06.09 -

Kaspersky 7.0.0.125 2010.06.09 -

McAfee 5.400.0.1158 2010.06.09 -

McAfee-GW-Edition 2010.1 2010.06.09 Heuristic.LooksLike.Trojan.Patched.I

Microsoft 1.5802 2010.06.09 -

NOD32 5184 2010.06.09 -

Norman 6.04.12 2010.06.09 -

nProtect 2010-06-09.02 2010.06.09 -

Panda 10.0.2.7 2010.06.08 -

PCTools 7.0.3.5 2010.06.09 -

Prevx 3.0 2010.06.09 -

Rising 22.51.02.03 2010.06.09 -

Sophos 4.53.0 2010.06.09 -

Sunbelt 6424 2010.06.09 -

Symantec 20101.1.0.89 2010.06.09 -

TheHacker 6.5.2.0.295 2010.06.08 -

TrendMicro 9.120.0.1004 2010.06.09 -

TrendMicro-HouseCall 9.120.0.1004 2010.06.09 -

VBA32 3.12.12.5 2010.06.09 -

ViRobot 2010.6.9.2346 2010.06.09 -

VirusBuster 5.0.27.0 2010.06.09 -

Additional information

File size: 42368 bytes

MD5 : 2c428fa0c3e3a01ed93c9b2a27d8d4bb

SHA1 : 4102b86336950f4b108fd32d8b43fd0a9cfdb1fd

SHA256: a11aa25c0ff052578ae342717c85aed26b79cce39040c42c69105868f6059a34

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x8D85

timedatestamp.....: 0x41107D2C (Wed Aug 4 08:07:40 2004)

machinetype.......: 0x14C (Intel I386)

( 7 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x300 0x22D2 0x2300 6.62 c6c4a6dc5b4fdf67208639f72ff1c7c7

.rdata 0x2600 0x18B 0x200 3.72 493e63071bd75f61547e38b0a124cdcb

.data 0x2800 0xA0 0x100 1.26 e20e4b85c1aef19d673f909b40ea536f

PAGE 0x2900 0x647B 0x6480 6.63 17ad2b01bd41736f54e824d45aef67c4

INIT 0x8D80 0xA6E 0xA80 6.15 21b7ca3f4f81e46e8b2e03bc4f7de930

.rsrc 0x9800 0x3F0 0x400 3.38 cbc8253ce1d5d060f47236db753d0f2e

.reloc 0x9C00 0x91C 0x980 6.27 5d76cdd7e95135993cc90baf5d0a5eab

( 0 imports )

( 0 exports )

TrID : File type identification

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ssdeep: 768:5+mbAAr7jYSoQsUyWVo/3pzj6o0LhlSIrHJb984BRy:5Ff7jpoQsUWg9lSIdb9BRy

sigcheck: publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft_ Windows_ Operating System

description..: 440 NT AGP Filter

original name: agp440.sys

internal name: agp440.sys

file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEiD : -

packers (Kaspersky): PE_Patch

RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: agp440.sys

( Microsoft )

Disc 2438.5: agp440.sys; MSDN Disc 2428.4: agp440.sys; MSDN Disc 2428.5: agp440.sys; MSDN Disc 2428.8: agp440.sys; MSDN Disc 2438.7: agp440.sys; MSDN Disc 2438.8: agp440.sys; MSDN Disc 2439.6: agp440.sys; MSDN Disc 2439.7: agp440.sys; MSDN Disc 2439.8: agp440.sys; MSDN Disc 2440.3: agp440.sys; MSDN Disc 2440.4: agp440.sys; MSDN Disc 2440.5: agp440.sys; MSDN Disc 2441.5: agp440.sys; MSDN Disc 2441.6: agp440.sys; MSDN Disc 2441.7: agp440.sys; MSDN Disc 2442.4: agp440.sys; MSDN Disc 2442.6: agp440.sys; MSDN Disc 2443.2: agp440.sys; MSDN Disc 2443.4: agp440.sys; MSDN Disc 2444.3: agp440.sys; MSDN Disc 2444.3: agp440.sys; MSDN Disc 2444.4: agp440.sys; MSDN Disc 2444.6: agp440.sys; MSDN Disc 2455.6: agp440.sys; MSDN Disc 2464.5: agp440.sys; MSDN Disc 2465.4: agp440.sys; MSDN Disc 2465.5: agp440.sys; MSDN Disc 2466.2: agp440.sys; MSDN Disc 2466.4: agp440.sys; MSDN Disc 2476.2: agp440.sys; MSDN Disc 2476.4: agp440.sys; MSDN Disc 2477.2: agp440.sys; Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: agp440.sys; Virtual PC for Mac Windows XP Home Edition: agp440.sys; Virtual PC for Mac Windows XP Professional Edition: agp440.sys

F-Secure scan

Scanning Report

Friday, June 11, 2010 23:43:49 - 08:47:38

Computer name: URIEL

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\ L:\ Z:\

13 malware found

TrackingCookie.Atdmt (spyware)

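As an added example that is not part of the thread, this Python script reads the report fields posted above (SAMPLE_REPORT is a constructed copy of the relevant lines) and weighs the named signals against each other instead of stopping at the 1/41 detection count; how VirusTotal matched the NSRL entry is an assumption noted in the comments.

```python
"""Reading a multi-engine scan report for a Windows system driver.

Added example, not part of the original thread. It parses the plain-text
fields VirusTotal printed for agp440.sys (SAMPLE_REPORT is a constructed
copy of the relevant lines from that post) and weighs the named signals
instead of the bare 1/41 detection count.
"""
import re

# Constructed sample mirroring the fields in the posted report.
SAMPLE_REPORT = """\
Result: 1/41 (2.44%)
Kaspersky 7.0.0.125 2010.06.09 -
McAfee-GW-Edition 2010.1 2010.06.09 Heuristic.LooksLike.Trojan.Patched.I
( 0 imports )
sigcheck: publisher....: Microsoft Corporation
original name: agp440.sys
verified.....: Unsigned
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set
( Microsoft )
"""


def parse_report(text):
    """Extract the fields the triage needs; missing fields are simply absent."""
    f = {}
    m = re.search(r"^Result:\s*(\d+)/(\d+)", text, re.M)
    if m:
        f["hits"], f["engines"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"^\(\s*(\d+) imports\s*\)", text, re.M)
    if m:
        f["imports"] = int(m.group(1))
    for key in ("publisher", "verified"):
        m = re.search(r"%s\.*:\s*(.+)$" % key, text, re.M)
        if m:
            f[key] = m.group(1).strip()
    m = re.search(r"^packers \(Kaspersky\):\s*(.+)$", text, re.M)
    if m:
        f["packers"] = m.group(1).strip()
    f["nsrl"] = bool(re.search(r"^RDS\s*:\s*NSRL", text, re.M))
    # Engine lines are "Name Version Date Result"; a bare "-" means no detection.
    f["detections"] = re.findall(
        r"^\S+ \S+ \d{4}\.\d{2}\.\d{2} (?!-$)(\S+)$", text, re.M)
    return f


def triage(f):
    """Split the evidence into tamper signals and known-good signals."""
    bad, good = [], []
    if any("Patched" in d for d in f.get("detections", [])):
        bad.append("an engine labels the file as a patched binary")
    if "PE_Patch" in f.get("packers", ""):
        bad.append("packer field reports PE_Patch, a modified-PE marker")
    if f.get("imports") == 0:
        bad.append("empty import table, abnormal for a kernel driver")
    if f.get("verified", "").lower() == "unsigned" and \
            f.get("publisher", "").startswith("Microsoft"):
        # Weak on its own: XP-era Microsoft files are usually signed through
        # catalog files, so an embedded-signature check reports them Unsigned.
        bad.append("claims Microsoft as publisher but has no embedded signature")
    if f["nsrl"]:
        # NSRL is hash-indexed, so a listing is assumed here to mean the
        # file's hash matches a known software distribution.
        good.append("hash listed in the NSRL reference set")
    return bad, good


def verdict(text):
    """Return (status, hits, engines, tamper_signals, known_good_signals)."""
    f = parse_report(text)
    bad, good = triage(f)
    if bad and good:
        status = "conflicting evidence: compare against a known-good copy"
    elif len(bad) >= 2:
        status = "suspect"
    else:
        status = "no strong tamper signal"
    return status, f.get("hits"), f.get("engines"), bad, good
```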

  • Staff

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    fgmcds.dll
    :regfind
    fgmcds.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


thanks for your reply.

Re the rundll problem: I ran Malwarebytes and it found a virus in that file and removed the virus, so those errors have stopped. Still a few freezes, but it seems better.

the log

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 09:41 on 15/06/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "fgmcds.dll"

No files found.

========== regfind ==========

Searching for "fgmcds.dll"

No data found.

-=End Of File=-


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck and SystemLook.

Next, please run the PCPitstop Full Tests here. When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.


Re the Combofix - it looks as if I have done something stupid; I assumed what I had on the desktop was just the icon and deleted it a few days ago. Clearly it wasn't just the icon, because it's not finding it for an uninstall. I don't think the old system restore works anymore - it seems to have stopped working years ago. What do I need to do to uninstall it if I've done that?

thanks for all your help and patience.

I think this is the URL http://www.pcpitstop.com/betapit/sec.asp?conid=23669759


thanks, I've been able to do most of these.

I have a huge number of programmes which are related to my music production, I go through and uninstall regularly so there is not much else I can remove. However, I've moved 7GB of photos which is 10% of the C drive. I have a lot of music data files but they take time to move, they need to be individually exported (but I have to back them up anyway).

I've used the defragger you suggested and the cleaner. They both seem better than what I currently have, as I do regularly defrag and clean and these programmes still found plenty to do.

WHAT'S STILL NOT WORKING - I've had a few crashes on start-up, e.g. the PC telling me Windows has to close. It also had something with Dr Watson Debugger failing... but for the past day, as far as I can tell, the problems are confined to IE. If I try to work on my e-mail (web based) or on a forum like this, spaces and letters get missed. Also IE often fails to open and freezes.

If that is my only issue I am thinking of uninstalling and re-installing IE, or simply switching to using Firefox or Chrome. On Firefox at least there are no missing letters or spaces.

Really many thanks for all your help.


  • Staff

Hi,

Navigate to Start --> Run, and type in cmd.exe; press Enter.

In the black box that appears, enter this command:

chkdsk /r

Press Enter.

Allow the disk check to finish, or if prompted to, allow it to restart your computer to do the disk check.

After it finishes, restart your computer and see if Windows is still throwing up errors. If so, please describe them in as much detail as possible.


ok, a few days have gone by and I've been watching for any problems.

Good news - the throwing of random Windows errors on start-up seems to have gone.

IE is still sick (as in the start up is very slow) but with Firefox and Chrome loaded here that is liveable. I will either re-install IE or simply stop using it.

Many thanks for all your help.

Am I supposed to do something with the CD autorun now?


Hi, I've managed to get CDs ripped via Windows Media player.

Re the camera, the "get pictures" wizard is useless as my device is not found, not in the list to add etc etc. It looks like I can simply copy the pictures as it appears as a "M disk" and then delete them off the camera via the camera itself. Does that sound right?

Unfortunately, when I ran Spybot it found a trojan. It removed it.

I am now getting .dll errors again. Specifically "error loading c\windows\atckonejqualuh.dll module cannot be found".

I updated Malwarebytes and ran it; it didn't find anything.

I ran checkdisk again - still happening.
