
Redirection of google search results



Hi,

I've got what appears to be a typical Google search redirect problem. After numerous failed attempts to solve the problem myself, I thought I'd turn to the experts.

Logs posted below as requested, along with attachment containing ark.txt and attach.txt.

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7538

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

22/08/2011 21:55:06

mbam-log-2011-08-22 (21-55-06).txt

Scan type: Quick scan

Objects scanned: 157689

Time elapsed: 6 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Neil Spurr at 22:19:05 on 2011-08-22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1431 [GMT 1:00]

.

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\rsvp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe

mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261161643125

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{2D41B2F1-F3C0-4C1B-8309-814DE58F2002} : DhcpNameServer = 192.168.1.254

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\neil spurr\application data\mozilla\firefox\profiles\pahbpxa0.default\

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60505

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\neil spurr\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-10 64288]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-14 11608]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-7-4 218688]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-14 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-14 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-14 66616]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-2-4 21992]

S2 AMService;AMService;c:\windows\temp\aeaw\setup.exe run --> c:\windows\temp\aeaw\setup.exe run [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]

S2 kjmnsxwb;Time Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S2 ubhlrbdw;Center Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S2 vlgfshx;Config Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S2 wkppd;Helper Time;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S3 cpuz130;cpuz130;\??\c:\docume~1\neilsp~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\neilsp~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-9-18 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-08-14 15:21:26 -------- d-----w- c:\program files\AMD APP

2011-08-14 15:20:01 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll

2011-08-14 15:19:59 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2011-08-14 12:54:49 -------- d-----w- c:\documents and settings\neil spurr\application data\Avira

2011-08-14 12:53:47 -------- d-----w- c:\windows\system32\NtmsData

2011-08-14 12:50:22 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-14 12:50:19 -------- d-----w- c:\program files\Avira

2011-08-14 12:50:19 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-08-14 12:06:03 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-14 12:05:11 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-13 09:31:54 -------- d-----w- c:\documents and settings\neil spurr\local settings\application data\PassMark

2011-08-13 09:31:14 -------- d-----w- c:\documents and settings\all users\application data\PassMark

2011-08-13 09:31:13 -------- d-----w- c:\program files\PerformanceTest

2011-08-13 08:20:32 -------- d-----w- c:\program files\common files\Futuremark Shared

2011-08-13 08:17:29 -------- d-----w- c:\program files\Futuremark

2011-07-24 12:01:21 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys

.

==================== Find3M ====================

.

2011-08-19 19:23:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-13 09:25:09 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-08-13 08:21:05 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2011-08-13 08:21:05 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-09 11:11:38 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-08 04:12:46 7023104 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2011-07-08 03:45:16 57344 ----a-w- c:\windows\system32\aticalrt.dll

2011-07-08 03:45:06 53248 ----a-w- c:\windows\system32\aticalcl.dll

2011-07-08 03:42:12 5111808 ----a-w- c:\windows\system32\aticaldd.dll

2011-07-08 03:38:30 17989632 ----a-w- c:\windows\system32\atioglxx.dll

2011-07-08 03:22:08 302592 ----a-w- c:\windows\system32\ati2dvag.dll

2011-07-08 03:21:34 4091648 ----a-w- c:\windows\system32\ati3duag.dll

2011-07-08 03:15:26 956160 ----a-w- c:\windows\system32\ativvamv.dll

2011-07-08 03:05:16 212992 ----a-w- c:\windows\system32\atipdlxx.dll

2011-07-08 03:05:04 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2011-07-08 03:04:56 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2011-07-08 03:04:48 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2011-07-08 03:04:36 188416 ----a-w- c:\windows\system32\ati2evxx.dll

2011-07-08 03:03:20 643072 ----a-w- c:\windows\system32\ati2evxx.exe

2011-07-08 03:03:12 3155072 ----a-w- c:\windows\system32\ativvaxx.dll

2011-07-08 03:01:58 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2011-07-08 03:00:38 151552 ----a-w- c:\windows\system32\atiapfxx.exe

2011-07-08 02:56:52 651264 ----a-w- c:\windows\system32\atikvmag.dll

2011-07-08 02:53:32 507904 ----a-w- c:\windows\system32\atiok3x2.dll

2011-07-08 02:53:14 208896 ----a-w- c:\windows\system32\atiadlxx.dll

2011-07-08 02:52:54 17408 ----a-w- c:\windows\system32\atitvo32.dll

2011-07-08 02:47:44 868352 ----a-w- c:\windows\system32\ati2cqag.dll

2011-07-08 02:46:38 64512 ----a-w- c:\windows\system32\atimpc32.dll

2011-07-08 02:46:38 64512 ----a-w- c:\windows\system32\amdpcom32.dll

2011-07-08 02:46:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2011-07-07 22:37:28 53760 ----a-w- c:\windows\system32\OVDecode.dll

2011-07-07 22:36:46 13904896 ----a-w- c:\windows\system32\amdocl.dll

2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-04 18:10:02 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-07-03 21:08:26 215128 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-07-03 21:07:39 138056 ----a-w- c:\documents and settings\neil spurr\application data\PnkBstrK.sys

2011-06-28 17:46:43 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-24 13:00:13 0 ----a-w- c:\windows\Emovowelijos.bin

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-16 02:34:06 79872 ----a-w- c:\windows\system32\SlotMaximizerAg.dll

2011-06-16 02:34:06 2117632 ----a-w- c:\windows\system32\SlotMaximizerBe.dll

2011-06-03 14:35:45 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 22:20:10.31 ===============


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Hi, thanks for the reply. Updated logs posted below, cheers.

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7604

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

29/08/2011 10:27:50

mbam-log-2011-08-29 (10-27-50).txt

Scan type: Quick scan

Objects scanned: 158662

Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 11-08-29.01 - Neil Spurr 29/08/2011 10:42:08.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1576 [GMT 1:00]

Running from: c:\documents and settings\Neil Spurr\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Neil Spurr\Application Data\67F2.F11

c:\documents and settings\Neil Spurr\Application Data\inst.exe

c:\documents and settings\Neil Spurr\Local Settings\Application Data\{B0CCFC4D-D916-4A4D-98B2-7B1A4197A1CE}

c:\documents and settings\Neil Spurr\Local Settings\Application Data\{B0CCFC4D-D916-4A4D-98B2-7B1A4197A1CE}\chrome.manifest

c:\documents and settings\Neil Spurr\Local Settings\Application Data\{B0CCFC4D-D916-4A4D-98B2-7B1A4197A1CE}\chrome\content\_cfg.js

c:\documents and settings\Neil Spurr\Local Settings\Application Data\{B0CCFC4D-D916-4A4D-98B2-7B1A4197A1CE}\chrome\content\overlay.xul

c:\documents and settings\Neil Spurr\Local Settings\Application Data\{B0CCFC4D-D916-4A4D-98B2-7B1A4197A1CE}\install.rdf

C:\Install.exe

c:\program files\Steam\Steam.exe

c:\windows\iun6002.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))

.

.

2011-08-14 15:23 . 2011-08-14 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

2011-08-14 15:21 . 2011-08-14 15:21 -------- d-----w- c:\program files\AMD APP

2011-08-14 15:20 . 2011-07-08 03:23 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll

2011-08-14 15:19 . 2011-07-08 04:09 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2011-08-14 12:54 . 2011-08-14 12:54 -------- d-----w- c:\documents and settings\Neil Spurr\Application Data\Avira

2011-08-14 12:53 . 2011-08-14 13:23 -------- d-----w- c:\windows\system32\NtmsData

2011-08-14 12:50 . 2011-08-15 19:40 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-14 12:50 . 2011-08-15 19:40 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-08-14 12:50 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-08-14 12:50 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-08-14 12:50 . 2011-08-14 12:50 -------- d-----w- c:\program files\Avira

2011-08-14 12:50 . 2011-08-14 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-08-14 12:06 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-14 12:05 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-13 09:31 . 2011-08-13 09:31 -------- d-----w- c:\documents and settings\Neil Spurr\Local Settings\Application Data\PassMark

2011-08-13 09:31 . 2011-08-13 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark

2011-08-13 09:31 . 2011-08-13 09:31 -------- d-----w- c:\program files\PerformanceTest

2011-08-13 08:20 . 2011-08-13 08:20 -------- d-----w- c:\program files\Common Files\Futuremark Shared

2011-08-13 08:17 . 2011-08-13 08:17 -------- d-----w- c:\program files\Futuremark

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-19 19:23 . 2011-07-07 20:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-13 09:25 . 2011-07-09 11:06 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-08-13 08:21 . 2011-03-11 14:56 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2011-08-13 08:21 . 2011-03-11 14:56 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2011-07-24 12:01 . 2011-07-24 12:01 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys

2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-09 11:11 . 2011-07-09 11:11 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-08 04:12 . 2009-12-18 18:37 7023104 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2011-07-08 03:45 . 2010-09-19 10:13 57344 ----a-w- c:\windows\system32\aticalrt.dll

2011-07-08 03:45 . 2010-09-19 10:13 53248 ----a-w- c:\windows\system32\aticalcl.dll

2011-07-08 03:42 . 2010-09-19 10:13 5111808 ----a-w- c:\windows\system32\aticaldd.dll

2011-07-08 03:38 . 2010-09-19 10:13 17989632 ----a-w- c:\windows\system32\atioglxx.dll

2011-07-08 03:22 . 2009-12-18 18:37 302592 ----a-w- c:\windows\system32\ati2dvag.dll

2011-07-08 03:21 . 2009-12-18 18:37 4091648 ----a-w- c:\windows\system32\ati3duag.dll

2011-07-08 03:15 . 2011-02-01 21:59 956160 ----a-w- c:\windows\system32\ativvamv.dll

2011-07-08 03:05 . 2010-09-19 10:13 212992 ----a-w- c:\windows\system32\atipdlxx.dll

2011-07-08 03:05 . 2010-09-19 10:13 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2011-07-08 03:04 . 2010-09-19 10:13 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2011-07-08 03:04 . 2010-09-19 10:13 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2011-07-08 03:04 . 2010-09-19 10:13 188416 ----a-w- c:\windows\system32\ati2evxx.dll

2011-07-08 03:03 . 2010-09-19 10:13 643072 ----a-w- c:\windows\system32\ati2evxx.exe

2011-07-08 03:03 . 2009-12-18 18:37 3155072 ----a-w- c:\windows\system32\ativvaxx.dll

2011-07-08 03:01 . 2010-09-19 10:13 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2011-07-08 03:00 . 2010-09-19 10:13 151552 ----a-w- c:\windows\system32\atiapfxx.exe

2011-07-08 02:56 . 2010-09-19 10:13 651264 ----a-w- c:\windows\system32\atikvmag.dll

2011-07-08 02:53 . 2010-09-19 10:13 507904 ----a-w- c:\windows\system32\atiok3x2.dll

2011-07-08 02:53 . 2010-09-19 10:13 208896 ----a-w- c:\windows\system32\atiadlxx.dll

2011-07-08 02:52 . 2010-09-19 10:13 17408 ----a-w- c:\windows\system32\atitvo32.dll

2011-07-08 02:47 . 2009-12-18 18:37 868352 ----a-w- c:\windows\system32\ati2cqag.dll

2011-07-08 02:46 . 2010-09-19 10:13 64512 ----a-w- c:\windows\system32\atimpc32.dll

2011-07-08 02:46 . 2010-09-19 10:13 64512 ----a-w- c:\windows\system32\amdpcom32.dll

2011-07-08 02:46 . 2010-09-19 10:13 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2011-07-07 22:37 . 2011-07-07 22:37 53760 ----a-w- c:\windows\system32\OVDecode.dll

2011-07-07 22:36 . 2011-07-07 22:36 13904896 ----a-w- c:\windows\system32\amdocl.dll

2011-07-06 18:52 . 2011-06-05 10:12 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 18:52 . 2010-08-15 10:36 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-04 18:10 . 2011-07-04 18:10 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-07-03 21:08 . 2011-07-03 21:08 215128 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-07-03 21:07 . 2011-07-03 21:07 138056 ----a-w- c:\documents and settings\Neil Spurr\Application Data\PnkBstrK.sys

2011-06-28 17:46 . 2010-09-26 12:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-24 14:10 . 2009-12-18 13:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-16 02:34 . 2011-06-16 02:34 79872 ----a-w- c:\windows\system32\SlotMaximizerAg.dll

2011-06-16 02:34 . 2011-06-16 02:34 2117632 ----a-w- c:\windows\system32\SlotMaximizerBe.dll

2011-06-03 14:35 . 2011-06-03 14:35 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-17 21:29 . 2011-06-25 14:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]

"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]

"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]

"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-25 210216]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-07 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]

2009-06-03 19:59 103720 ------w- c:\program files\CyberLink\Power2Go\CLMLSvc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2011-01-20 09:20 1305408 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-12-19 01:06 135664 ----atw- c:\documents and settings\Neil Spurr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]

2010-07-25 11:56 557056 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]

2008-09-03 07:52 536576 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

2009-10-17 19:35 1070984 ----a-w- c:\program files\Trojan Remover\Trjscan.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=

"c:\\Program Files\\Sports Interactive\\Football Manager 2011\\fm.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8694:TCP"= 8694:TCP:lnzhz

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/02/2010 13:43 64288]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [04/07/2011 19:10 218688]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14/08/2011 13:50 136360]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [04/02/2011 12:19 21992]

S2 AMService;AMService;c:\windows\TEMP\aeaw\setup.exe run --> c:\windows\TEMP\aeaw\setup.exe run [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/01/2010 19:39 135664]

S2 kjmnsxwb;Time Image;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S2 ubhlrbdw;Center Universal;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]

S2 vlgfshx;Config Helper;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]

S2 wkppd;Helper Time;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]

S3 cpuz130;cpuz130;\??\c:\docume~1\NEILSP~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\NEILSP~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [18/09/2010 08:45 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/01/2010 19:39 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/12/2009 13:38 691696]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 18:39]

.

2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 18:39]

.

2011-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-796845957-839522115-1004Core.job

- c:\documents and settings\Neil Spurr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-19 01:06]

.

2011-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-796845957-839522115-1004UA.job

- c:\documents and settings\Neil Spurr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-19 01:06]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\Neil Spurr\Application Data\Mozilla\Firefox\Profiles\pahbpxa0.default\

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60505

FF - prefs.js: network.proxy.type - 0

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-klmdb.sys

MSConfigStartUp-ATICustomerCare - c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe

MSConfigStartUp-{CB6C989A-4626-380B-E27C-507F0C6FEAE0} - c:\documents and settings\Neil Spurr\Application Data\Hifazy\ybofu.exe

AddRemove-HighwayToTheReichv2070 - c:\windows\iun6002.exe

AddRemove-Weird Worlds - c:\program files\Shrapnel Games\Weird Worlds\uninstall.exe

AddRemove-Steam App 17450 - c:\program files\Steam\steam.exe

AddRemove-Steam App 42910 - c:\program files\Steam\steam.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-29 10:47

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\5.tmp"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kjmnsxwb]

"ServiceDll"="c:\windows\system32\boqqprbx.dll"

--

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ubhlrbdw]

"ServiceDll"="c:\windows\system32\boqqprbx.dll"

--

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vlgfshx]

"ServiceDll"="c:\windows\system32\boqqprbx.dll"

--

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wkppd]

"ServiceDll"="c:\windows\system32\boqqprbx.dll"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-854245398-796845957-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:dd,a0,67,92,8f,48,4e,32,99,b7,d7,9d,ec,05,7f,0c,4f,9d,ba,69,f8,a0,31,

b7,3f,ed,bd,42,19,4d,54,b9,e3,2f,1b,3d,35,e2,cb,e9,09,31,3b,29,47,b1,77,4b,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

.

[HKEY_USERS\S-1-5-21-854245398-796845957-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:33,c3,51,d5,6a,ed,69,84,50,90,a9,14,e7,39,83,cc,21,6d,1f,5c,2c,

98,76,ba,a0,36,fe,b8,55,dd,86,50,d5,c5,03,03,2c,dd,56,2c,ba,2c,5d,91,bd,da,\

"rkeysecu"=hex:ee,10,28,18,8c,93,c6,0a,9a,05,e0,aa,2c,35,d9,64

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(672)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

Completion time: 2011-08-29 10:50:11

ComboFix-quarantined-files.txt 2011-08-29 09:49

.

Pre-Run: 52,370,579,456 bytes free

Post-Run: 52,539,789,312 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

.

- - End Of File - - 7DEB2CC82FC5A038D49F793FEDAFD238

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Neil Spurr at 10:58:10 on 2011-08-29

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1527 [GMT 1:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\rsvp.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe

mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261161643125

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{2D41B2F1-F3C0-4C1B-8309-814DE58F2002} : DhcpNameServer = 192.168.1.254

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\neil spurr\application data\mozilla\firefox\profiles\pahbpxa0.default\

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60505

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\neil spurr\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-10 64288]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-14 11608]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-7-4 218688]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-14 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-14 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-14 66616]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-2-4 21992]

S2 AMService;AMService;c:\windows\temp\aeaw\setup.exe run --> c:\windows\temp\aeaw\setup.exe run [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]

S2 kjmnsxwb;Time Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S2 ubhlrbdw;Center Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S2 vlgfshx;Config Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S2 wkppd;Helper Time;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S3 cpuz130;cpuz130;\??\c:\docume~1\neilsp~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\neilsp~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-9-18 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-08-29 09:38:19 -------- d-sha-r- C:\cmdcons

2011-08-29 09:36:18 98816 ----a-w- c:\windows\sed.exe

2011-08-29 09:36:18 518144 ----a-w- c:\windows\SWREG.exe

2011-08-29 09:36:18 256000 ----a-w- c:\windows\PEV.exe

2011-08-29 09:36:18 208896 ----a-w- c:\windows\MBR.exe

2011-08-14 15:21:26 -------- d-----w- c:\program files\AMD APP

2011-08-14 15:20:01 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll

2011-08-14 15:19:59 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2011-08-14 12:54:49 -------- d-----w- c:\documents and settings\neil spurr\application data\Avira

2011-08-14 12:53:47 -------- d-----w- c:\windows\system32\NtmsData

2011-08-14 12:50:22 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-14 12:50:19 -------- d-----w- c:\program files\Avira

2011-08-14 12:50:19 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-08-14 12:06:03 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-14 12:05:11 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-13 09:31:54 -------- d-----w- c:\documents and settings\neil spurr\local settings\application data\PassMark

2011-08-13 09:31:14 -------- d-----w- c:\documents and settings\all users\application data\PassMark

2011-08-13 09:31:13 -------- d-----w- c:\program files\PerformanceTest

2011-08-13 08:20:32 -------- d-----w- c:\program files\common files\Futuremark Shared

2011-08-13 08:17:29 -------- d-----w- c:\program files\Futuremark

.

==================== Find3M ====================

.

2011-08-19 19:23:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-13 09:25:09 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-08-13 08:21:05 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2011-08-13 08:21:05 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2011-07-24 12:01:21 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-09 11:11:38 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-08 04:12:46 7023104 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2011-07-08 03:45:16 57344 ----a-w- c:\windows\system32\aticalrt.dll

2011-07-08 03:45:06 53248 ----a-w- c:\windows\system32\aticalcl.dll

2011-07-08 03:42:12 5111808 ----a-w- c:\windows\system32\aticaldd.dll

2011-07-08 03:38:30 17989632 ----a-w- c:\windows\system32\atioglxx.dll

2011-07-08 03:22:08 302592 ----a-w- c:\windows\system32\ati2dvag.dll

2011-07-08 03:21:34 4091648 ----a-w- c:\windows\system32\ati3duag.dll

2011-07-08 03:15:26 956160 ----a-w- c:\windows\system32\ativvamv.dll

2011-07-08 03:05:16 212992 ----a-w- c:\windows\system32\atipdlxx.dll

2011-07-08 03:05:04 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2011-07-08 03:04:56 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2011-07-08 03:04:48 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2011-07-08 03:04:36 188416 ----a-w- c:\windows\system32\ati2evxx.dll

2011-07-08 03:03:20 643072 ----a-w- c:\windows\system32\ati2evxx.exe

2011-07-08 03:03:12 3155072 ----a-w- c:\windows\system32\ativvaxx.dll

2011-07-08 03:01:58 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2011-07-08 03:00:38 151552 ----a-w- c:\windows\system32\atiapfxx.exe

2011-07-08 02:56:52 651264 ----a-w- c:\windows\system32\atikvmag.dll

2011-07-08 02:53:32 507904 ----a-w- c:\windows\system32\atiok3x2.dll

2011-07-08 02:53:14 208896 ----a-w- c:\windows\system32\atiadlxx.dll

2011-07-08 02:52:54 17408 ----a-w- c:\windows\system32\atitvo32.dll

2011-07-08 02:47:44 868352 ----a-w- c:\windows\system32\ati2cqag.dll

2011-07-08 02:46:38 64512 ----a-w- c:\windows\system32\atimpc32.dll

2011-07-08 02:46:38 64512 ----a-w- c:\windows\system32\amdpcom32.dll

2011-07-08 02:46:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2011-07-07 22:37:28 53760 ----a-w- c:\windows\system32\OVDecode.dll

2011-07-07 22:36:46 13904896 ----a-w- c:\windows\system32\amdocl.dll

2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-04 18:10:02 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-07-03 21:08:26 215128 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-07-03 21:07:39 138056 ----a-w- c:\documents and settings\neil spurr\application data\PnkBstrK.sys

2011-06-28 17:46:43 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-24 13:00:13 0 ----a-w- c:\windows\Emovowelijos.bin

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-16 02:34:06 79872 ----a-w- c:\windows\system32\SlotMaximizerAg.dll

2011-06-16 02:34:06 2117632 ----a-w- c:\windows\system32\SlotMaximizerBe.dll

2011-06-03 14:35:45 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 10:59:10.23 ===============


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


The logs requested are copied below. At the moment things seem to be running fine, and I still haven't experienced any internet site redirects since installing Avira. It has caught and removed a number of suspicious files since my first post.

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=ec582f388afc7443932ca7b6f69475e3

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-05 11:23:55

# local_time=2011-09-06 12:23:55 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 48654667 48654667 0 0

# compatibility_mode=1797 16775125 100 93 26495 51791443 22880 0

# compatibility_mode=8192 67108863 100 0 152 152 0 0

# scanned=235084

# found=0

# cleaned=0

# scan_time=6543

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Adobe Flash Player 10.3.183.5

Mozilla Firefox (x86 en-GB..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````


  • Staff

Hi,

Great!

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Adobe Reader 9.0

Restart your computer.

Get the latest version of Adobe Reader.

Let me know what issues remain.

-screen317


Ok Chris, many thanks for your help, I don't seem to have any current issues. My redirection problem seems to have been handled by Avira, and since I assume nothing else has appeared in my scans, I guess I'm all clean.


  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 4 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.