Solved 'Google redirect' problem again


mummyal

Hi there

I had this problem back in February and it has re-appeared again today. For the past couple of days, I did notice that my pc/internet seemed a bit slower than usual - and today, whilst googling, clicking on the search results took me to other pages.

I have tried to carry out the 'step by step' procedure but somehow, I haven't been able to start MBAM. I have installed it (or think I have installed it) and after clicking 'Finish', nothing happens (no updates etc). Even clicking the shortcut on the desktop doesn't start the programme. I have done TFC and DDS (and have attached the logs). GMER crashed when I tried downloading it for other previous problems, so I don't think I will attempt that one again this time (unless absolutely necessary).

Would be grateful for any help once again.

Thank you.

Alice

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 18/11/2006 14:14:45
System Uptime: 31/08/2010 20:21:49 (0 hours ago)

Motherboard: ASUSTek Computer INC. | | Basswood
Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | Socket 775 | 2133/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 226 GiB total, 181.449 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.713 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP36: 04/06/2010 18:06:24 - System Checkpoint
RP37: 05/06/2010 20:22:26 - System Checkpoint
RP38: 07/06/2010 09:55:41 - System Checkpoint
RP39: 08/06/2010 14:43:10 - System Checkpoint
RP40: 09/06/2010 17:36:04 - System Checkpoint
RP41: 10/06/2010 00:08:06 - Software Distribution Service 3.0
RP42: 11/06/2010 10:27:40 - System Checkpoint
RP43: 13/06/2010 12:27:33 - System Checkpoint
RP44: 15/06/2010 09:01:27 - System Checkpoint
RP45: 16/06/2010 09:35:31 - System Checkpoint
RP46: 17/06/2010 18:04:17 - System Checkpoint
RP47: 18/06/2010 18:09:19 - System Checkpoint
RP48: 20/06/2010 08:09:27 - System Checkpoint
RP49: 21/06/2010 08:27:04 - System Checkpoint
RP50: 22/06/2010 12:14:41 - Avg Update
RP51: 22/06/2010 12:15:49 - Avg Update
RP52: 23/06/2010 23:07:08 - Software Distribution Service 3.0
RP53: 25/06/2010 16:23:03 - System Checkpoint
RP54: 26/06/2010 18:11:04 - System Checkpoint
RP55: 27/06/2010 20:57:28 - System Checkpoint
RP56: 29/06/2010 08:25:10 - Avg Update
RP57: 29/06/2010 08:25:22 - Avg Update
RP58: 02/07/2010 08:42:50 - System Checkpoint
RP59: 03/07/2010 20:45:12 - System Checkpoint
RP60: 05/07/2010 08:41:43 - System Checkpoint
RP61: 06/07/2010 09:35:37 - System Checkpoint
RP62: 08/07/2010 21:40:41 - System Checkpoint
RP63: 10/07/2010 09:02:59 - System Checkpoint
RP64: 11/07/2010 10:47:49 - System Checkpoint
RP65: 12/07/2010 16:25:51 - System Checkpoint
RP66: 13/07/2010 17:15:52 - System Checkpoint
RP67: 14/07/2010 17:40:03 - System Checkpoint
RP68: 14/07/2010 23:04:13 - Software Distribution Service 3.0
RP69: 16/07/2010 12:52:38 - System Checkpoint
RP70: 18/07/2010 10:19:48 - System Checkpoint
RP71: 19/07/2010 14:20:20 - System Checkpoint
RP72: 20/07/2010 16:20:52 - System Checkpoint
RP73: 21/07/2010 09:18:55 - Avg Update
RP74: 11/08/2010 13:15:40 - System Checkpoint
RP75: 12/08/2010 16:22:11 - System Checkpoint
RP76: 12/08/2010 23:29:06 - Software Distribution Service 3.0
RP77: 14/08/2010 14:17:32 - System Checkpoint
RP78: 16/08/2010 14:11:45 - System Checkpoint
RP79: 17/08/2010 14:19:03 - System Checkpoint
RP80: 19/08/2010 18:24:13 - System Checkpoint
RP81: 20/08/2010 18:45:48 - System Checkpoint
RP82: 22/08/2010 18:01:22 - System Checkpoint
RP83: 24/08/2010 10:28:57 - System Checkpoint
RP84: 25/08/2010 18:20:08 - System Checkpoint
RP85: 27/08/2010 16:43:02 - System Checkpoint
RP86: 28/08/2010 18:23:23 - System Checkpoint
RP87: 30/08/2010 10:12:37 - System Checkpoint
RP88: 31/08/2010 11:34:16 - System Checkpoint
RP89: 31/08/2010 20:38:13 - Removed Java(TM) 6 Update 18
RP90: 31/08/2010 20:46:58 - Installed Java(TM) 6 Update 21

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
AVG 9.0
AXIS Media Control
Barbie Girls
Bonusprint Photoservice
CCleaner
Critical Update for Windows Media Player 11 (KB959772)
Email Updater
ESET Online Scanner v3
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
HMV Digital Downloads
hmv jukebox and digital downloads
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 21
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Seagate Manager Installer
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skype™ 4.2
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Messenger
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

31/08/2010 20:24:20, error: System Error [1003] - Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 00000000, parameter4 e3e5fec0.
31/08/2010 20:24:02, error: System Error [1003] - Error code 100000d1, parameter1 00006788, parameter2 00000002, parameter3 00000001, parameter4 b823848f.
31/08/2010 20:23:45, error: System Error [1003] - Error code 1000000a, parameter1 efc6238c, parameter2 00000002, parameter3 00000000, parameter4 8050ef28.
31/08/2010 20:04:14, error: Service Control Manager [7034] - The AVG Firewall service terminated unexpectedly. It has done this 1 time(s).
31/08/2010 20:04:11, error: Service Control Manager [7034] - The Seagate Service service terminated unexpectedly. It has done this 1 time(s).
31/08/2010 20:04:11, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
31/08/2010 20:04:11, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
31/08/2010 20:04:11, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
31/08/2010 20:04:11, error: Service Control Manager [7034] - The Intel(R) Quick Resume technology service terminated unexpectedly. It has done this 1 time(s).
31/08/2010 20:04:11, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
31/08/2010 20:04:11, error: Service Control Manager [7034] - The AVG9IDSAgent service terminated unexpectedly. It has done this 1 time(s).
31/08/2010 20:04:11, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
28/08/2010 23:12:38, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
27/08/2010 14:51:59, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0030BD9C8CE3. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
26/08/2010 08:25:50, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
 
DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Administrator at 20:47:56.40 on 31/08/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1289 [GMT 1:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: hmv.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://p.playfirst.com/play/game/cookingdash/CookingDashWeb.1.0.0.9.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} - hxxp://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - hxxp://uk.mcafee.com/Apps/WSC/en-gb/WscWlanScannerCtrl.cab
DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
TCP: NameServer = 93.188.162.74,93.188.161.7
TCP: {5A3A49FE-DBD7-4740-A224-FE86CC9B687E} = 93.188.162.74,93.188.161.7
TCP: {F64DFC4F-12A2-4986-A7FE-1F63AB3935D6} = 93.188.162.74,93.188.161.7
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-5-6 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-6 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-6 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-6 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-6 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331032]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-5-6 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-5-6 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-5-6 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-5-6 26192]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-5-6 30104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-08-31 19:47:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-31 19:47:17 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-31 19:36:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 19:36:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 12:04:49 36 ----a-w- c:\windows\system32\?å

==================== Find3M ====================

2010-08-31 19:22:07 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-31 18:11:45 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:06:51 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-06-22 11:15:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 15:12:57 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-06-17 15:11:25 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2006-12-19 10:50:26 22 -csha-w- c:\windows\sminst\HPCD.sys
2010-05-06 07:26:40 32768 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-07-16 21:45:15 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-01 07:30:46 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 20:49:52.20 ===============
 
Hello again! Gotta laugh- first thing I looked for was 'Barbie'!:) Checking the logs now.

Please uninstall the Malwarebytes you have now and install it fresh - if it was from here last time, it was only good for those scans, unless you paid for it:


Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
    [o] When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
Hold on GMER til I check these. Put Barbie on hold til we finish!

Edit: Alice, please take hmv.com out of the Trusted Zone. That is a music and game download site, not something that should pass through lower security:
Access Internet Options through the Control Panel or Tools in IE> Security tab> Trusted Sites> Sites> type in *.hmv.com> Click on Remove> Click on OK> Apply> OK.
 
Okay, your browser has been hijacked. Your searches are being directed to a site in the Ukraine:

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  • [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

Looks like you might have picked this up on 8/16. Let's run the following after above and Mbam have been done:


Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename ComboFix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe and follow the prompts to run.
  • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If ComboFix asks you to install the Recovery Console, please allow it.
    [6]. If ComboFix asks you to update the program, always allow it.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
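Editor's added example, not from this thread and not part of DDS, Malwarebytes or ComboFix: a small script that automates the two checks the helper made by eye on the DDS log above, the hard-coded resolvers on the "TCP:" lines and the "Trusted Zone:" entry. The helper only says the searches go to "a site in the Ukraine"; the rogue ranges in the script are the ones published in the FBI's DNSChanger (Operation Ghost Click) notice, and matching 93.188.162.74 / 93.188.161.7 against them is this example's inference, not something the thread states. The ISP resolver allowlist uses RFC 5737 documentation addresses as placeholders, and the two GUID lines marked CONSTRUCTED are made up to show the benign verdicts; the other sample lines are copied from the log.

```python
"""Audit the resolver and Trusted Zone lines of a DDS log for hijacking.

Added example for this thread. It is not part of DDS, Malwarebytes or the
helper's instructions; it only automates the check the helper did by eye.
"""
import ipaddress
import re

# Rogue resolver ranges published in the FBI's DNSChanger (Operation Ghost
# Click) notice. The thread never names the malware, so treating a hit in
# these ranges as "DNSChanger" is this example's inference, not the helper's.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# What a home PC normally has: a DHCP-assigned router or loopback address.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed ISP resolvers (placeholder TEST-NET-3 addresses, RFC 5737).
# Replace with the resolvers your own ISP publishes before relying on this.
ASSUMED_ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed sample: the three TCP: lines and the Trusted Zone line are
# copied from the DDS log earlier in this thread; the two lines with
# CONSTRUCTED in the GUID are made up to show the benign verdicts.
SAMPLE_DDS = """\
Trusted Zone: hmv.com
TCP: NameServer = 93.188.162.74,93.188.161.7
TCP: {5A3A49FE-DBD7-4740-A224-FE86CC9B687E} = 93.188.162.74,93.188.161.7
TCP: {F64DFC4F-12A2-4986-A7FE-1F63AB3935D6} = 93.188.162.74,93.188.161.7
TCP: {CONSTRUCTED-0000-0000-0000-000000000001} = 192.168.1.1
TCP: {CONSTRUCTED-0000-0000-0000-000000000002} = 203.0.113.53,203.0.113.54
"""

_TCP_LINE = re.compile(
    r"^TCP:[ \t]*(?P<scope>NameServer|\{[^}]+\})[ \t]*=[ \t]*(?P<ips>[0-9., ]+?)[ \t]*\r?$",
    re.MULTILINE,
)
_TRUSTED_LINE = re.compile(r"^Trusted Zone:[ \t]*(?P<host>\S+)", re.MULTILINE)


def parse_nameservers(dds_text):
    """Return [(scope, [ip, ...])] for each TCP: line in the Pseudo HJT Report.

    'NameServer' is the global setting; a {GUID} scope is one network interface.
    """
    result = []
    for m in _TCP_LINE.finditer(dds_text):
        ips = [p.strip() for p in m.group("ips").split(",") if p.strip()]
        result.append((m.group("scope"), ips))
    return result


def classify_resolver(ip_text, isp_allowlist=frozenset(ASSUMED_ISP_RESOLVERS)):
    """Label one resolver address. Rogue ranges win over everything else."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in KNOWN_ROGUE_RANGES):
        return "known_rogue"
    if ip_text in isp_allowlist:
        return "isp_allowlisted"
    if any(ip in net for net in LOCAL_RANGES):
        return "local_router"
    # A public resolver that is neither the ISP's nor a known rogue range is
    # still worth a look: a home PC on DHCP should not have one hard-coded.
    return "unexpected_public"


def audit_dds(dds_text, isp_allowlist=frozenset(ASSUMED_ISP_RESOLVERS)):
    """Return the findings a helper would act on: bad resolvers and Trusted Zone hosts."""
    findings = []
    for scope, ips in parse_nameservers(dds_text):
        for ip in ips:
            verdict = classify_resolver(ip, isp_allowlist)
            if verdict in ("known_rogue", "unexpected_public"):
                findings.append({"scope": scope, "resolver": ip, "verdict": verdict})
    for m in _TRUSTED_LINE.finditer(dds_text):
        # Any Trusted Zone entry lowers IE's security for that host; list them all.
        findings.append({"scope": "IE Trusted Zone", "host": m.group("host"),
                         "verdict": "trusted_zone_entry"})
    return findings


if __name__ == "__main__":
    for finding in audit_dds(SAMPLE_DDS):
        print(finding)
```

Run it against a saved DDS.txt by passing the file's contents to audit_dds(). Note that the script only reads the log: after a DNS flush and router reset, take a fresh DDS log and run it again, because a router whose own DNS setting was changed will hand the rogue resolvers straight back to the PC over DHCP, which is why the helper insists on resetting the router as well as the PC.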
 
lol !! I did think about Barbie when I was just going through the log :)

I have uninstalled the previous version of MBAM and installed the new one but I still can't seem to get it to work.

Just about to run the DNS flush now but just before I do so, I'd better go look for the wireless password first before I do anything else lol. It's just that someone else set it up for me ages ago and I don't think I'd remember how to do it again. I can cope with the usual downloading/cleaning bits but this is getting a bit too technical for me. I might not be back online for a while lol.

Just edited to add: Before I do anything else.... there is already a password (or the 'key' or code) for our wireless at the moment (we don't have a machine that's connected to the router at all as the router's in a different room). If I were to reset the router etc, does that mean there'll be a new password/code etc? Sorry, might sound a bit daft but just wanted to be clear in my mind. Thanks.
 
Yes, you will. See #7. Try the generic password which is 'password'. Tech may have used that. IF you go in though, advise you set up something more secure.

Try this before Mbam:

Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, then try to immediately run the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Then try Mbam.
 
I have managed to reset/reconfigure router (had to speak to someone from Belkin).

I have run rkill and exehelper and here's the log (looks suspiciously short lol).

exeHelper by Raktor
Build 20100414
Run at 15:52:10 on 09/01/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


Still having probs with MBAM. Seems to have installed ok but nothing happens after that.

Also, sometime during the day, AVG started its scan (before I actually got round to resetting router etc) and 'Resident Shield' came up with trojan called 'adload_r.AKO'.
 
Please go ahead with these 2 programs- maybe I'll see what is stopping Mbam. You're not getting any error message, right? It just doesn't scan?

I notice you have these 3 showing installed on the system. They are probably from last time and should be removed and freshly installed:
ESET Online Scanner v3> new version available
HijackThis 2.0.2> newer version available
Malwarebytes' Anti-Malware> done

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double-click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
======================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Oh dear, I'm getting a tad worried now. Combofix won't run after I've clicked run. Neither will Eset. Well, I clicked yes to accept the terms of use. Then on the next screen, it's just blank and at the bottom, it just says 'Done' but with yellow exclamation mark/triangle.
 
Is the internet connection working okay since you reset the router? Take the system all the way down> close to shut down. Wait a few seconds, then reboot.

See if it will run HijackThis, but get current version. The yellow triangle with black exclamation point is error icon, but we don't know where the error is yet.
 
Hurrah, HJT works lol.

The internet connection has been working fine after resetting the router.

----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:45:34, on 01/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://p.playfirst.com/play/game/cookingdash/CookingDashWeb.1.0.0.9.cab
O16 - DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} (VM_ActX_2 Control) - http://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://uk.mcafee.com/Apps/WSC/en-gb/WscWlanScannerCtrl.cab
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} (VM_1.VM_Control) - http://downloads.virginmedia.com/CST/ver1/xp_mail.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A3A49FE-DBD7-4740-A224-FE86CC9B687E}: NameServer = 93.188.162.74,93.188.161.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64DFC4F-12A2-4986-A7FE-1F63AB3935D6}: NameServer = 93.188.162.74,93.188.161.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.74,93.188.161.7
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.74,93.188.161.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.74,93.188.161.7
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11683 bytes
 
I see this running when you start up. It may be preventing the scan:

Reopen HJT to 'Do a system scan only' and check the following:

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

Close all Windows except HJT and click on "Fix Checked."

Go to the start up menu and uncheck Mbam. Reboot. Then see if you can update and run Mbam.

I'd also like you to do a date search on the computer:
2010-08-16 12:04:49 36 ----a-w- c:\windows\system32\?å

Look for this date and tell me what you did on that date.
 
Guess what? I can't find that entry on HJT anymore. How strange. I haven't done anything (scan/remove progs etc) since I posted my last message on here.:confused:

Anyway, on that date, I was basically looking at/uploading holiday pictures and general web-surfing (Facebook, my parenting forums etc). Found this in the search though. Decided to attach the picture - had to split them into two. Does this help?
 

Attachments: P1010187a.jpg, P1010188a.jpg
 
First image, third from the bottom> file says C:\WINDOWS\system 32, but no file name. There is a strange icon to the left. I'm thinking that might be this: 2010-08-16 12:04:49 36 ----a-w- c:\windows\system32\?å. You won't be able to open this and I don't even want you to try, but do a right click> Properties and see if there is any info.

In the second image, there is an unnamed 1KB file at 13:04. Allowing for daylight savings time, that's the file I need to ID.

Run this then try Mbam again:
Please download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

Once done, try running a scan again
 
We have success with randmbam :) The log is at the end of this msg.

I right-clicked on that particular file name but unfortunately, nothing useful came up in the properties box.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

02/09/2010 23:05:24
mbam-log-2010-09-02 (23-05-24).txt

Scan type: Quick scan
Objects scanned: 142510
Time elapsed: 12 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a3a49fe-dbd7-4740-a224-fe86cc9b687e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f64dfc4f-12a2-4986-a7fe-1f63ab3935d6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Yes! Should have given you that instead of the other! Must have had a brain drain! Do you see DNS Changer? That's why you had to do the flush and reset.

See if you can run Combofix and the Eset scan now. Be sure to get current versions. Post #8.
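A check for the rogue-resolver pattern Malwarebytes flagged above (Trojan.DNSChanger), written as an added example for this thread rather than any tool's own code: it parses HijackThis O17 lines and reports every NameServer value that is neither a private LAN address (a home router) nor on an explicit trusted list. The sample lines are copied from the HJT log above plus one constructed benign entry; the allowlist rule itself is an assumption.

```python
"""Audit HijackThis O17 (NameServer) lines for resolvers outside an allowlist.

Added example for this thread; not HijackThis or Malwarebytes code. Assumes the
O17 line format shown in the log above and treats any resolver that is neither
in RFC 1918 space nor explicitly trusted as suspicious.
"""
import ipaddress
import re

# Matches e.g. "O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 1.2.3.4,5.6.7.8"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>[0-9.,\s]+)$"
)

# Private ranges where a home router's LAN address would sit.
PRIVATE_NETS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def parse_o17(line):
    """Return (registry key, [resolver IPs]) for an O17 line, or None for any other line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return m.group("key"), servers


def is_expected(ip_text, trusted):
    """A resolver is expected if it is explicitly trusted or sits in a private LAN range."""
    if ip_text in trusted:
        return True
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed value: report it so a human looks at it
    return any(ip in net for net in PRIVATE_NETS)


def audit_hjt(log_text, trusted=()):
    """Return [(key, [unexpected resolvers])] for each O17 line carrying a non-allowlisted resolver."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        bad = [s for s in servers if not is_expected(s, trusted)]
        if bad:
            findings.append((key, bad))
    return findings


# Constructed sample: two O17 lines copied from the HJT log above, one benign
# O17 line for a router at 192.168.2.1 (constructed), and one non-O17 line.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{5A3A49FE-DBD7-4740-A224-FE86CC9B687E}: NameServer = 93.188.162.74,93.188.161.7
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.74,93.188.161.7
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 192.168.2.1
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
"""

if __name__ == "__main__":
    for key, bad in audit_hjt(SAMPLE_LOG):
        print(f"Suspicious NameServer under {key}: {', '.join(bad)}")
```

The HJT log above carried the same resolvers under CS1 and CS2 as well as CCS, while the Malwarebytes log lists only CurrentControlSet keys; a check like this reports each key separately so those copies are not overlooked.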
 
Still nothing happens after I click Run for Combofix. If I remember correctly, a blue window or something pops up, doesn't it?

Managed to run Eset though. Here's the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17080 (vista_gdr.100616-0452)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=53848ace982d1f40bf5e518ec9e446f3
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-03 09:36:12
# local_time=2010-09-03 10:36:12 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 131473 131473 0 0
# compatibility_mode=1031 16777173 100 93 2005 10353273 0 0
# compatibility_mode=8192 67108863 100 0 167 167 0 0
# scanned=115509
# found=0
# cleaned=0
# scan_time=2796
 
Okay, it's still hiding- Eset log doesn't show anything.

Go to your desktop and right click on combofix.exe> choose 'rename'> change to alice.exe
Try running Combofix again. I believe you have a Worm that has protected itself by changing some files that are needed to run these programs.

Hopefully, this will 'fool it'.
 
Renamed the file and it did "fool it" for a couple of seconds but after that, nothing. This time, after clicking Run, the tiny 'Combofix' box with green bars appeared. Got my hopes up lol and then nothing else happened after that.
 
I'd like you to run this please:

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

Download Resolve for SDBOT and save to your desktop.
  • Open SDBOTGUI on the desktop.
  • Double click to Run
  • Click on Go
  • Follow any online prompts.
This tool reverses the disabling of the registry editor by W32/Sdbot (by default the registry editor is enabled).

If Combofix doesn't run after this, I'll have you uninstall current Combofix, then install new with rename at beginning.
 
Resolve didn't pick anything up (and Combofix is still not running).

Thanks for your help & time on this so far.

Edited to add:
It didn't pop up this morning when I switched the pc on but this has just popped up a few mins ago (via AVG).

Malware detected
File name: C:\32788R22FWJFW\NIRCMD.CFXXE
Threat name: Tool-Nircmd
Category: PUA - Potentially Unwanted Application.

Then there was an option to quarantine or allow. I quarantined it and then AVG started to remove the Malware.

After that was done, then another pop up box with another file name: C:\32788R22FWJFW\N.PIF

Quarantined/removed.

Then another one: C:\32788R22FWJFW\IEXPLORE.EXE

Quarantined/removed.


Also, my Windows Media Player was fine yesterday. But today, when I wanted to play some music and when I clicked on a track, a pop up box asked whether I wanted to install some software called fhg.CAB (publisher: Microsoft Corporation). Looks genuine but I've never had that before. Thing is, I can't even google it to find out lol. Is it safe?
 
Note: All content and images for avz4 courtesy geekstogo.com:

Download avz4.zip from HERE
  1. Unzip it to your desktop to a folder named avz4
  2. Double click on AVZ.exe to run it.
  3. Run an update by clicking the Auto Update button on the right of the Log window:
     (screenshot: avz-update-button.png)
  4. Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.
     (screenshot: avz-standardscripts-asa-removal.png)
  3. Click on the “Execute selected scripts”.
  4. Automatic scanning, healing and system check will be executed.
  5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.

When restarted:
  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
     (screenshot: avz-standardscripts-asa.png)
  3. Click on the "Execute selected scripts".
  4. A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post
 
Um, I think I might have messed up here. When it said (in step 5 before reboot) 'a logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip', I assumed that it will automatically save the log without me having to do anything. When I checked back in the AVZ directory (the zip file), I didn't see any file by that name.

I rebooted the machine and carried out the 2nd part. Again, I can't find the log file anywhere - am I looking in the wrong place? This time round though, I saved it as a txt file (I spotted the 'save' button on the side).

ps. Not sure whether you saw the additional message which I added to my post #21.

ps2. No idea whether it's related but the sound seems to have vanished from my pc.


Here's the log from the 2nd part of the AVZ scan.

AVZ Antiviral Toolkit log; AVZ version is 4.35
Scanning started at 04.09.2010 15:21:40
Database loaded: signatures - 278154, NN profile(s) - 2, malware removal microprograms - 56, signature database released 25.08.2010 16:40
Heuristic microprograms loaded: 383
PVS microprograms loaded: 9
Digital signatures of system files loaded: 220217
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504480 (284)
Function NtOpenProcess (7A) intercepted (805CB3FA->B118E670), hook C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys
Function NtTerminateProcess (101) intercepted (805D2982->B118E720), hook C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys
Function NtTerminateThread (102) intercepted (805D2B7C->B118E7C0), hook C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys
Function NtWriteVirtualMemory (115) intercepted (805B4378->B118E860), hook C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys
Functions checked: 284, intercepted: 4, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
Driver loaded successfully
Checking - complete
2. Scanning RAM
Number of processes found: 52
Extended process analysis: 724 C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
[ES]:program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 3012 C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
[ES]:program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Number of modules loaded: 354
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 406, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 04.09.2010 15:22:11
Time of scanning: 00:00:33
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete
 
I still don't have anything to run script in. Please do the following search: You are going to look for the presence of and then deletion of a specific file. You're going to set Folder Options to show hidden files and folders. If you find the file, you will do a right click only. This will be done to delete the file if present. Under no circumstance are you to click to open.

Step 1:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Step 2
Show Hidden Folders/Files
  • Click on Start> Search
  • Click on All files and folders
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
Step 3: The Search:
  • Make sure the Location box in Search is set to the Local Drive (C)
  • Type the following in the search box:
    I5Eexplore.exe
    (Note: this is the uppercase letter 'eye' followed by numeral 5)
  • If file is found> do a right click> Delete
Rehide Hidden/System Files & Folders

Step 4: Backing up the Registry:
  • Click on Start> Run> type in REGEDIT> Enter
    (After short pause, a 2 pane screen will display resembling Windows Explorer)
  • Click on File> Export
  • Browse to location where you want to store the backup (desktop?)
  • Type name for the Backup
  • Click on Save

Step 5: Removing Registry entries
  • Click on Start> Run> type in REGEDIT> OK and click OK to open the Registry Editor
  • In the right pane, delete any file that refers to this file: "Config Loadatiorin"="<I5Eexplore.exe>" in the following:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Exit the Registry Editor
  • Restart the computer and check the Registry again for the trojan

You created a backup of the Registry and it can be used if any problem was caused by the deletion. It is a large amount of text so after we establish that no more direct Regedit will be needed, I will have you remove the backup.

Please see if this will now allow you to run Combofix. I do not like to send anyone to do a Regedit. But considering that the Worm is messing with programs to remove it completely, we'll see if this takes a bit of wind out of its sails.
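As an added illustration (not part of the thread, and not the helper's or the poster's code), the search-and-clean procedure in the post above as a PowerShell script. It exports the five autorun keys the helper names before touching them (step 4), lists every value under them whose data references the file name (step 5), locates copies of the file on C: including hidden ones (step 3), and deletes only when run with -Remove. The file name I5Eexplore.exe and the key list come from the post; the -Remove switch, the backup folder and the output format are this example's own assumptions. PowerShell 2.0 can be installed on Windows XP; later Windows versions ship it.

```powershell
# Added example: audit (and optionally clean) the Run/RunOnce/RunServices keys
# from the post for entries referencing a given file, with a reg.exe backup
# taken first. Hypothetical parameters: -Target, -BackupDir, -Remove.
param(
    [string]$Target    = 'I5Eexplore.exe',
    [string]$BackupDir = "$env:USERPROFILE\Desktop\regbackup",
    [switch]$Remove                     # without it the script only reports
)

# The five keys the helper listed. HKCU keys are per user, so run this as the
# account that shows the redirects (Compaq_Administrator in the thread).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Step 4: back up each key with reg.exe export before any change.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
foreach ($key in $runKeys) {
    $native = $key -replace '^HKCU:', 'HKEY_CURRENT_USER' -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $file   = Join-Path $BackupDir (($native -replace '[\\:]', '_') + '.reg')
    Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue   # avoid an overwrite prompt
    & reg.exe export $native $file | Out-Null
}
"Registry backups written to $BackupDir"

# Step 5: find values whose data mentions the target file name.
# Get-ItemProperty adds provider metadata properties; skip those by name.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$hits = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        if ("$($p.Value)" -match [regex]::Escape($Target)) {
            $hits += New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}
if ($hits.Count -eq 0) { "No autorun value references $Target" }
foreach ($h in $hits) {
    "Autorun value: {0}\{1} = {2}" -f $h.Key, $h.Name, $h.Value
    if ($Remove) { Remove-ItemProperty -Path $h.Key -Name $h.Name }
}

# Step 3: locate the file itself; -Force also returns hidden/system files,
# which the Folder Options change in the post exists to reveal.
$found = Get-ChildItem -Path 'C:\' -Filter $Target -Recurse -Force -ErrorAction SilentlyContinue
if (-not $found) { "No file named $Target found on C:" }
foreach ($f in $found) {
    "File: {0} ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}
```

Run it once without -Remove and read the report; the match is on the exact name I5Eexplore.exe, so the legitimate iexplore.exe is not touched, and widening the pattern would change that. If the file or value comes back after a reboot, as the helper anticipates, the autorun entry is not the only persistence point and the backups in $BackupDir restore the keys as they were.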
 
Hiya, I thought you had given up on me lol.

For some reason, the 'search' function wasn't working in Safe Mode. I'd click to search all files/folders, the box opens, the little puppy appears...and nothing else (no space for me to type file name etc). Should I look for the named file in 'normal' mode?

However, I did manage to run Combofix (or alice.exe) in safe mode. The only thing is after it rebooted (into normal mode) and where it got to the screen where it says 'preparing log' etc, it hung there. Well, I let it run for 1.5 hrs and it didn't progress any further. So I closed it and ran it again in Safe Mode. And this time, it completed the scan and automatically rebooted back into safe mode and produced a log.

I'm not sure whether running it twice would affect the results? Sorry.

Here's the log:

ComboFix 10-09-06.02 - Compaq_Administrator 06/09/2010 23:02:03.6.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1674 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\alice.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\prefs.js

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USNJSVC
-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-09-03 22:03 . 2010-09-03 22:21 -------- d-----w- C:\32788R22FWJFW.4.tmp
2010-09-03 22:02 . 2010-09-03 22:03 -------- d-----w- C:\32788R22FWJFW.3.tmp
2010-09-03 22:02 . 2010-09-03 22:02 -------- d-----w- C:\32788R22FWJFW.2.tmp
2010-09-03 22:01 . 2010-09-03 22:02 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-09-03 08:46 . 2010-09-03 08:46 -------- d-----w- c:\program files\ESET
2010-09-01 20:18 . 2010-09-01 20:18 -------- d-----w- c:\program files\Trend Micro
2010-09-01 07:02 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 07:02 . 2010-09-02 21:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 07:02 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 19:47 . 2010-08-31 19:47 503808 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\msvcp71.dll
2010-08-31 19:47 . 2010-08-31 19:47 499712 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\jmc.dll
2010-08-31 19:47 . 2010-08-31 19:47 348160 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\msvcr71.dll
2010-08-31 19:47 . 2010-08-31 19:47 61440 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4395f031-n\decora-sse.dll
2010-08-31 19:47 . 2010-08-31 19:47 12800 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4395f031-n\decora-d3d.dll
2010-08-31 19:47 . 2010-08-31 19:47 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-31 19:47 . 2010-08-31 19:47 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 22:48 . 2009-02-01 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-05 07:03 . 2010-02-15 22:37 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-05 07:03 . 2010-02-24 13:56 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-09-04 17:14 . 2010-04-27 22:47 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Skype
2010-09-04 17:14 . 2009-08-25 20:11 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\skypePM
2010-08-31 19:47 . 2006-09-08 01:19 -------- d-----w- c:\program files\Common Files\Java
2010-07-15 22:48 . 2010-07-15 22:48 143120 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-15 16:45 . 2010-07-15 16:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GARMIN
2010-07-07 08:13 . 2006-11-21 20:26 61448 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2004-08-09 21:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2009-07-10 22:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-09 21:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 11:15 . 2010-05-06 12:55 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 11:15 . 2010-06-22 11:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 11:15 . 2010-05-06 12:55 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-06-22 11:15 . 2010-05-06 12:55 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-21 15:27 . 2004-08-09 21:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-09 21:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-09 21:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-09 21:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2006-12-19 10:50 . 2006-12-19 10:50 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-20 7622656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-8 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-8 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-22 11:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 06:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [06/05/2010 13:55 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [06/05/2010 13:55 52872]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/05/2010 13:55 216400]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/05/2010 13:55 243024]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 08:56 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 74480]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [22/06/2010 12:15 308136]
S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [22/06/2010 12:15 2331032]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [22/06/2010 12:15 5897808]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 16:42 156968]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2009 22:51 135664]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [06/05/2010 13:54 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [06/05/2010 13:54 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [06/05/2010 13:55 122448]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [06/05/2010 13:55 30288]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [06/05/2010 13:55 26192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 7408]
.
Contents of the 'Scheduled Tasks' folder

2007-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

2010-09-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-01 17:57]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} - hxxp://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-09-06 23:08:16
ComboFix-quarantined-files.txt 2010-09-06 22:08

Pre-Run: 196,725,231,616 bytes free
Post-Run: 196,711,284,736 bytes free

- - End Of File - - 0DD283A6583241A3FE71EBA41841558B
 