
[Closed] Suspected malware or virus

Discussion in 'Virus and Malware Removal' started by oldschooltie, Sep 4, 2011.

  1. oldschooltie Newcomer, in training Posts: 68

    Combofix quarantined files - 1

    Qoobox files deleted by Bobbye
  2. oldschooltie Newcomer, in training Posts: 68

    Combofix quarantined files - 2

    Qoobox files deleted by Bobbye
  3. oldschooltie Newcomer, in training Posts: 68

    Combofix Quarantined files - 3

    Qoobox files Deleted by Bobbye
  4. oldschooltie Newcomer, in training Posts: 68

    Combofix quarantined files 4

    Qoobox logs deleted by Bobbye
  5. oldschooltie Newcomer, in training Posts: 68

    Is this what you are looking for?

    This file is very large - Should I continue posting it or not? Probably another 15 pages to go!
  6. oldschooltie Newcomer, in training Posts: 68

    CKScanner

    Could you send me a link for CKScanner as when I search for it I get redirected.
    Thanks.
     
  7. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please stop sending all these logs! I don't even know how or why Qoobox was included. Please don't run any scan or leave any more logs unless I ask you to.

    Sorry about the CK scanner- link didn't set up right. Try this:

    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.

    Please leave the log.
  8. oldschooltie Newcomer, in training Posts: 68

    CKScanner

    I get "HTTP 404 not found" when I try link for CKScanner. What next please?
  9. Bobbye Helper on the Fringe Posts: 16,406   +16

    Can you separate the Combofix log from the deletions section and just paste in the rest of it?

    Much of what was deleted are images from c:\apps\DOC\01\Common\howto\01....
    from HERE

    Another group is from c:\apps\CyberLink\PowerDVD\AVSettings\.....

    What is the source of these please?
  10. oldschooltie Newcomer, in training Posts: 68

    Combofix log

    Not sure what you mean by separating log from deleted files etc.
    If you mean the source of the files from the scan, I can only identify Cyberlink.com's Power DVD video player, which since the scan is inactive/not working.
  11. Bobbye Helper on the Fringe Posts: 16,406   +16

    The deletions showing in Combofix are unusual. The CyberLink\PowerDVD\ should be running from the program files. Combofix deletions were from apps. What was your source for Cyberlink?

    I was trying to see the rest of the log starting with the section:
    ((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
    =======================================
    Please download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.

    After I review the log from above, I'll make the decision of what to do.

    Please do not leave me any other logs unless I request them.
  12. oldschooltie Newcomer, in training Posts: 68

    cyberlink source

    Powerdvd was already installed on PC when bought new from PC World.
  13. oldschooltie Newcomer, in training Posts: 68

    CKScanner log

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
    scanner sequence 3.NA.11.TSAPOX
    ----- EOF -----
  14. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy.
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    This tool is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows, to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    ================================================
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      =====================================================
      Now download it new and run it again:
      --------------------------------------
      Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
        **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      • Once installed, you should see a blue screen prompt that says:
        The Recovery Console was successfully installed.
      • Click on Yes, to continue scanning for malware.
      • If Combofix asks you to update the program, allow it.
      • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Close any open browsers.
      • Double click combofix.exe & follow the prompts to run.
      • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
      Re-enable your Antivirus software.

      Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
      Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
      =======================================
      Please leave only the 2 logs from these scans. Nothing else.

      Leave that log in your next post.

      Do not leave any other logs at this time.
  15. oldschooltie Newcomer, in training Posts: 68

    mga diagnostics

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-YXDGW-VHYVW-9QK9M
    Windows Product Key Hash: H7Smr1ocYUxDDsppdbyzUwQFi5U=
    Windows Product ID: 76487-OEM-2211906-00824
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 5.1.2600.2.00010100.3.0.med
    ID: {A061C278-C822-4EC9-BAB7-DECBA45F6AFA}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{A061C278-C822-4EC9-BAB7-DECBA45F6AFA}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.med</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-9QK9M</PKey><PID>76487-OEM-2211906-00824</PID><PIDType>2</PIDType><SID>S-1-5-21-2768898766-1709843061-3480073571</SID><SYSTEM><Manufacturer>Packard Bell BV</Manufacturer><Model>00000000000000000000000</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>20Q</Version><SMBIOSVersion major="2" minor="3"/><Date>20060719000000.000000+000</Date><SLPBIOS>NECC_,NEC-PC,NEC Computers,NEC_Product</SLPBIOS></BIOS><HWID>F52B3C070184C06C</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Packard Bell</name><model>Packard Bell Computer</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65050</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 100A0:packard Bell B.V|100A0:packard Bell B.V|1FA67:packard Bell B.V|1FA67:packard Bell B.V
    Marker string from OEMBIOS.DAT: NECC_,NEC-PC,NEC Computers,NEC_Product

    OEM Activation 2.0 Data-->
    N/A
  16. oldschooltie Newcomer, in training Posts: 68

    Combofix scan

    ComboFix 11-09-24.04 - Owner 25/09/2011 8:10.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.417 [GMT 1:00]
    Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\apps
    d:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
    d:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-25 05:55 . 2011-09-25 05:55 -------- d-----w- d:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-09-25 05:45 . 2011-09-25 05:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-15 22:01 . 2011-09-15 22:01 -------- d-----w- c:\program files\ESET
    2011-09-15 21:36 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-09-15 21:35 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-09-09 17:03 . 2011-09-09 17:03 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-09-09 09:12 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
    2011-09-04 22:17 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-04 22:17 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-04 19:59 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-09-04 19:59 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-09-04 19:59 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-09-04 19:59 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-09-04 19:59 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-09-04 19:59 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-09-04 19:59 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-09-04 19:59 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-09-04 19:59 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
    2011-09-04 19:59 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-09-04 19:59 . 2011-09-04 19:59 -------- d-----w- d:\documents and settings\All Users\Application Data\AVAST Software
    2011-09-04 19:59 . 2011-09-04 19:59 -------- d-----w- c:\program files\AVAST Software
    2011-09-04 19:32 . 2011-09-04 19:32 -------- d-----w- d:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
    2011-09-04 15:36 . 2011-09-04 15:37 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Facebook
    2011-09-03 15:20 . 2011-09-04 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-02 15:50 . 2009-06-15 04:11 3866528 ----a-w- c:\windows\system32\Flash10b.ocx
    2011-09-02 15:50 . 2011-09-02 15:50 -------- d-----w- c:\program files\BRC
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2004-09-10 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29 . 2004-09-10 13:57 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-09-10 13:57 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-02-24 385928]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-01 39408]
    "Facebook Update"="d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-09-04 137536]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "SMSERIAL"="sm56hlpr.exe" [2005-10-18 557056]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7573504]
    "nwiz"="nwiz.exe" [2006-04-27 1519616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-27 86016]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
    "RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-08-10 26112]
    "Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]
    "DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o&inst=NzctNjg4NjgxMTE5LVZJUCsxLVNQMSsxLUZMMTArMS1YTzEwKzExLVRVRyszLUREVCsxNjE1MC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzE&prod=90&ver=10.0.1392" [?]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\AOL 9.0\\aol.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [04/09/2011 20:59 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/09/2011 20:59 320856]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/09/2011 20:59 20568]
    R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [04/05/2010 13:07 503080]
    R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [10/08/2006 13:47 825600]
    R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [10/08/2006 13:47 7040]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2011 11:29 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2011 11:29 135664]
    S3 KKSJF;KKSJF;d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe --> d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-18 c:\windows\Tasks\doxillionShakeIcon.job
    - c:\program files\NCH Software\Doxillion\doxillion.exe [2011-05-02 18:10]
    .
    2011-09-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005Core.job
    - d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-04 15:36]
    .
    2011-09-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005UA.job
    - d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-04 15:36]
    .
    2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 10:28]
    .
    2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 10:28]
    .
    2011-09-24 c:\windows\Tasks\User_Feed_Synchronization-{7ABDF7C0-AAD1-4552-9F1F-BDAF6DC4EAF8}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
    .
    2011-05-02 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-04-24 11:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://bt.yahoo.com/start?.pd=l%3Danthonygodfrey11@btinternet.com%26c%3DK1gXhD2p2e7uH.80E1C6CGax
    uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    TCP: DhcpNameServer = 192.168.0.1
    DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} - hxxps://xchecker.reed.co.uk/Scanning/DynamicWebTwain.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-25 08:21
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(600)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(1768)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-09-25 08:26:00
    ComboFix-quarantined-files.txt 2011-09-25 07:25
    .
    Pre-Run: 18,054,897,664 bytes free
    Post-Run: 18,058,801,152 bytes free
    .
    - - End Of File - - BB91B1C95E8C95908984C7150EDF7759
  17. oldschooltie Newcomer, in training Posts: 68

    Update

    The redirect problem is getting worse. Were the combofix logs all present?
  18. oldschooltie Newcomer, in training Posts: 68

    I am using a laptop to post this message as the PC we are trying to fix is now virtually unusable. Please help.
  19. Bobbye Helper on the Fringe Posts: 16,406   +16

    If you can do anything at all, please run this:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe 
    Folder::
    DDS::
    mSearch Page =
    uInternet Connection Wizard,ShellNext = hxxp://bt.yahoo.com/start?.pd=l%3Danthonygodfrey11@btinternet.com%26c%3DK1gXhD2p2e7uH.80E1C6CGax
    uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\progra~1\bearsh~1\mediabar\toolbar\BearshareMediabarDx.dll
    mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=24421b500000000000000016e61b4c16&tlver=1.4.19.19&affID=17160
    TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\progra~1\bearsh~1\mediabar\toolbar\BearshareMediabarDx.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNjg4NjgxMTE5LVZJUCsxLVNQMSsxLUZMMTArMS1YTzEwKzExLVRVRyszLUREVCsxNjE1MC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzE"&"prod=90"&"ver=10.0.1392
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    Driver::
    KKSJF
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I suggest removing these from Scheduled Tasks:
    Click on Start> Run> type in cmd> enter> at the blinking C Prompt type in each of the following with 'enter' after each:
    Note: there is a space before each /
    Code:
    rem task names are the .job file names from the ComboFix 'Scheduled Tasks' section, without .job
    rem the Facebook updater has 2 entries (Core and UA)
    schtasks /End /TN "FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005Core"
    schtasks /End /TN "FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005UA"
    schtasks /End /TN "doxillionShakeIcon"
    
    In response, SchTasks.exe stops the instance of Notepad.exe that the task started, and it displays the following success message:

    SUCCESS: The Scheduled Task "xxxxxx" has been terminated successfully.

    If you have a problem or want to see other options, check HERE for the specific Commands.
    /schtasks.mspx?mfr=true
    =================================================
    red(windows?) shield with a white"x" on it and a bubble saying firewall is not on and I may be at risk.
    That will be remedied.
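A small triage script, added here as an illustration and not part of the thread or of ComboFix, that applies the same reading the helper did to the 'Reg Loading Points' section: it parses Run-key values and R#/S# service lines and flags a binary living in a Temp directory (the KKSJF driver the CFScript above targets), an entry ComboFix could not find on disk ([X] or [?]), and a program auto-starting from a user profile instead of Program Files. The sample lines are constructed in the shape of the posted log.

```python
"""Triage helper for ComboFix-style log excerpts (example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines shaped like the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-01 39408]
"Facebook Update"="d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-09-04 137536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [04/09/2011 20:59 442200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2011 11:29 135664]
S3 KKSJF;KKSJF;d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe --> d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe [?]
"""

# "name"="path" [date size]   or   "name"="path" [X]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R1/S3 name;description;path [date time size]   or   ... [?]
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<body>.+?)\s*\[(?P<meta>[^\]]*)\]$')
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)
PROFILE_RE = re.compile(r'\\(documents and settings|docume~1|users)\\', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                      # "run" or "service"
    name: str
    path: str
    meta: str                      # date/size, or "X" / "?" when no file was recorded
    flags: list = field(default_factory=list)


def parse_line(line):
    """Turn one Run-key value or service line into an Entry; other lines give None."""
    m = RUN_RE.match(line)
    if m:
        return Entry("run", m["name"], m["path"], m["meta"])
    m = SVC_RE.match(line)
    if m:
        # body is 'name;description;path'; ComboFix repeats the path after ' --> '
        # when it could not resolve the file, so keep only the first copy
        parts = m["body"].split(";", 2)
        if len(parts) == 3:
            path = parts[2].split(" --> ")[0].strip()
            return Entry("service", parts[0].strip(), path, m["meta"])
    return None


def assess(entry):
    """Attach the reasons a helper would look at this entry, highest risk first."""
    if TEMP_RE.search(entry.path):
        entry.flags.append("executes from a Temp directory")
    if entry.meta in ("X", "?"):
        entry.flags.append("ComboFix recorded no file on disk ([%s])" % entry.meta)
    elif PROFILE_RE.search(entry.path):
        entry.flags.append("auto-starts from a user profile, not Program Files")
    return entry


def triage(log_text):
    """Parse a log excerpt and return only the entries that earned at least one flag."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        if entry is not None and assess(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%-8s %-16s %s" % (e.kind, e.name, "; ".join(e.flags)))
```

Entries such as the avast drivers or the Google updater pass without a flag; the output is a shortlist to investigate, not a removal list.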
  20. oldschooltie Newcomer, in training Posts: 68

    combofix scan

    Hi - followed above instructions to run combofix. combofix runs for approx 30 seconds and then stops/disappears/ends? I am not sure if it has completed what it needs to do but I cannot find any log produced from this scan to post.
    Will continue now with the scheduled task suggestions.