Inactive HELP! Nasties over-running my laptop


jonny utah

Hi everyone. Great site.

My laptop at home (I'm running Windows XP) seems to be having a bit of a breakdown right now. Every time I click on a Google link following a Google search, I am redirected to random unrelated websites.

I have run Malwarebytes' Anti-Malware, selected and successfully removed 130 different nasties. However, now that I have logged back on in normal mode, the same problem keeps occurring.

Please help!

PS - unfortunately I'm not at home right at this minute, so I cannot copy and paste any logs or anything like that. Hope the info above is enough; otherwise I'll be back on when I'm home from work.

Thanks in advance for any help.
 
When you are home and have access to the computer:

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

The description doesn't give me anything to work with.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Hi Bobbye.

What a nightmare that was. My Virgin Media Security does not scan properly. I get a message along the lines of VMS has encountered a problem or an error and must terminate.... Something like that.

Anyway, I followed the steps afterwards. I've no idea whether this is any help whatsoever, but here goes:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5257

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

07/12/2010 21:08:54
mbam-log-2010-12-07 (21-08-53).txt

Scan type: Quick scan
Objects scanned: 153945
Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-07 21:29:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD600UE-22HCT0 rev.09.07D09
Running: g5k4elui.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\fwtcapow.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----





DDS (Ver_10-12-05.01) - NTFSx86
Run by Dan at 21:33:44.62 on 07/12/2010
Internet Explorer: 7.0.5730.11

============== Running Processes ===============

C:\Program Files\Virgin Media\Security\Fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Media\Security\rps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
C:\Program Files\Virgin Media\HUB\ServicepointService.exe
C:\WINDOWS\system32\slmdmsr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Virgin Media\HUB\VirginMediaHUBComHandler.exe
C:\Documents and Settings\Dan\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.virginmedia.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBC}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: boxingscene.com\www
Trusted Zone: google.co.uk
Trusted Zone: italymag.co.uk\www
Trusted Zone: liverpoolecho.co.uk\www
Trusted Zone: liverpoolfc.tv\www
Trusted Zone: tvants
Trusted Zone: tvu
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 test1111.com
Hosts: 74.125.45.100 test1112.com
Hosts: 74.125.45.100 4-open-davinci.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R? ggflt;SEMC USB Flash Driver Filter
R? STDSB;STDSB
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? MTC0007_STDSB;Scroll Bar Driver
S? Radialpoint Security Services;Virgin Media Security
S? RadialpointIDSAgent;RadialpointIDSAgent
S? RadialpointIDSDriver;RadialpointIDSDriver
S? RadialpointIDSEH;RadialpointIDSEH
S? RadialpointIDSFilter;RadialpointIDSFilter
S? RadialpointIDSShim;RadialpointIDSShim
S? ServicepointService;ServicepointService

=============== Created Last 30 ================

2010-12-06 21:06:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 21:06:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 21:06:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 23:30:11 -------- d-----w- c:\program files\tmp
2010-12-05 22:15:39 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-12-05 22:13:45 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-12-05 22:13:02 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2010-12-05 22:12:25 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2010-12-05 22:11:45 -------- d-----w- c:\program files\Raxco
2010-12-02 12:54:57 -------- d-----w- c:\program files\etkvhlXN
2010-12-02 09:42:54 -------- d-----w- c:\program files\windows
2010-11-29 12:25:40 -------- d-----w- c:\docume~1\dan\applic~1\Virgin Media
2010-11-29 12:25:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
2010-11-29 12:25:15 -------- d-----w- c:\program files\Virgin Media
2010-11-29 12:25:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Virgin Media
2010-11-10 20:55:43 -------- d-----w- c:\docume~1\dan\applic~1\Leyw
2010-11-10 20:55:43 -------- d-----w- c:\docume~1\dan\applic~1\Awsog

==================== Find3M ====================

2010-10-31 14:29:48 256 ----a-w- c:\windows\system32\pool.bin
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ------w- c:\windows\system32\corpol.dll
2006-07-25 22:11:30 11817800 -c--a-w- c:\program files\GoogleEarth.exe

============= FINISH: 21:36:18.85 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/05/2006 19:39:57
System Uptime: 07/12/2010 21:17:09 (0 hours ago)

Motherboard: NEC COMPUTERS INTERNATIONAL | | NEC Versa Premium
Processor: Intel(R) Celeron(R) M processor 1.50GHz | mPGA478 | 1492/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 34.468 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 04/12/2010 10:30:21 - System Checkpoint
RP2: 06/12/2010 14:33:45 - System Checkpoint

==== Hosts File Hijack ======================

Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 test1111.com
Hosts: 74.125.45.100 test1112.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 www.getavplusnow.com

==== Installed Programs ======================


Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
Compatibility Pack for the 2007 Office system
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iPod for Windows 2005-09-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Learn2 Player (Uninstall Only)
Lexmark 510 Series
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee Uninstall Wizard
MediaBar
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Nseries Skin for Microsoft Windows Media Player
Packard Bell Toolbar 1.0
PerfectDisk 10 Professional
QuickTime
Roxio Media Manager
RPS CRT
RPS PerfectDiskStub
RPS RpsCore
S3GSetup
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shockwave
Sky Broadband
Smart Link 56K Modem
Sonic MyDVD
Sonic RecordNow!
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA/S3G Display Driver
Viewpoint Media Player
Virgin Media HUB 3.5.12
Virgin Media Security
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Service Pack 3
Works Suite OS Pack
Works Synchronization
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

07/12/2010 21:24:41, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
07/12/2010 21:14:40, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
07/12/2010 20:41:15, error: Service Control Manager [7034] - The Roxio Upnp Server 9 service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:41:15, error: Service Control Manager [7034] - The LiveShare P2P Server 9 service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:41:13, error: Service Control Manager [7022] - The CyberLink Task Scheduler (CTS) service hung on starting.
07/12/2010 20:36:39, error: Service Control Manager [7034] - The ServicepointService service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:39, error: Service Control Manager [7034] - The CyberLink Task Scheduler (CTS) service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:38, error: Service Control Manager [7034] - The SmartLinkService service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:38, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:37, error: Service Control Manager [7034] - The Generic Service for HID Keyboard Input Collections service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:37, error: Service Control Manager [7034] - The CyberLink Media Library Service service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:37, error: Service Control Manager [7034] - The CyberLink Background Capture Service (CBCS) service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:36, error: Service Control Manager [7034] - The Virgin Media Security Firewall service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:36, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:36, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
06/12/2010 21:28:03, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD bdfsfltr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
06/12/2010 21:28:03, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:28:03, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:28:03, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:28:03, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:28:03, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:27:15, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
06/12/2010 21:20:02, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x PCIIde perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp
06/12/2010 20:40:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdfsfltr Fips intelppm
06/12/2010 20:39:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
06/12/2010 19:48:19, error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 2 time(s).
06/12/2010 19:42:53, error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 1 time(s).
04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SiteAdvisor Service service to connect.
04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Services service to connect.
04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Proxy Service service to connect.
04/12/2010 21:52:42, error: Service Control Manager [7000] - The STDSB service failed to start due to the following error: The system cannot find the file specified.
04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
04/12/2010 10:34:47, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {B299BB78-EBBE-48F9-8725-E6A84C4E7C1D}
04/12/2010 10:34:44, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {03082469-BA75-44A5-89CB-D187F313E572}
04/12/2010 10:31:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
04/12/2010 10:31:09, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
02/12/2010 19:30:09, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {DDA1154C-204B-41D7-BFE7-7907C6BA9D56}
02/12/2010 17:14:32, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {AB92D412-E57E-473B-B9A2-3BAE647D9C8C}

==== End Of File ===========================
 
Bobbye. Problem with my Virgin Media Security. It shuts itself down fairly soon after it has started to scan stuff, saying: Virgin Media Security has encountered an error and must restart immediately. In any case I continued through the remaining steps. The logs are coming up....
 
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBC}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: boxingscene.com\www
Trusted Zone: google.co.uk
Trusted Zone: italymag.co.uk\www
Trusted Zone: liverpoolecho.co.uk\www
Trusted Zone: liverpoolfc.tv\www
Trusted Zone: tvants
Trusted Zone: tvu
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 test1111.com
Hosts: 74.125.45.100 test1112.com
Hosts: 74.125.45.100 4-open-davinci.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R? ggflt;SEMC USB Flash Driver Filter
R? STDSB;STDSB
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? MTC0007_STDSB;Scroll Bar Driver
S? Radialpoint Security Services;Virgin Media Security
S? RadialpointIDSAgent;RadialpointIDSAgent
S? RadialpointIDSDriver;RadialpointIDSDriver
S? RadialpointIDSEH;RadialpointIDSEH
S? RadialpointIDSFilter;RadialpointIDSFilter
S? RadialpointIDSShim;RadialpointIDSShim
S? ServicepointService;ServicepointService

=============== Created Last 30 ================

2010-12-06 21:06:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 21:06:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 21:06:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 23:30:11 -------- d-----w- c:\program files\tmp
2010-12-05 22:15:39 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-12-05 22:13:45 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-12-05 22:13:02 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2010-12-05 22:12:25 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2010-12-05 22:11:45 -------- d-----w- c:\program files\Raxco
2010-12-02 12:54:57 -------- d-----w- c:\program files\etkvhlXN
2010-12-02 09:42:54 -------- d-----w- c:\program files\windows
2010-11-29 12:25:40 -------- d-----w- c:\docume~1\dan\applic~1\Virgin Media
2010-11-29 12:25:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
2010-11-29 12:25:15 -------- d-----w- c:\program files\Virgin Media
2010-11-29 12:25:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Virgin Media
2010-11-10 20:55:43 -------- d-----w- c:\docume~1\dan\applic~1\Leyw
2010-11-10 20:55:43 -------- d-----w- c:\docume~1\dan\applic~1\Awsog

==================== Find3M ====================

2010-10-31 14:29:48 256 ----a-w- c:\windows\system32\pool.bin
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ------w- c:\windows\system32\corpol.dll
2006-07-25 22:11:30 11817800 -c--a-w- c:\program files\GoogleEarth.exe

============= FINISH: 21:36:18.85 ===============
 
attach txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/05/2006 19:39:57
System Uptime: 07/12/2010 21:17:09 (0 hours ago)

Motherboard: NEC COMPUTERS INTERNATIONAL | | NEC Versa Premium
Processor: Intel(R) Celeron(R) M processor 1.50GHz | mPGA478 | 1492/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 34.468 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 04/12/2010 10:30:21 - System Checkpoint
RP2: 06/12/2010 14:33:45 - System Checkpoint

==== Hosts File Hijack ======================

Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 test1111.com
Hosts: 74.125.45.100 test1112.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 www.getavplusnow.com

==== Installed Programs ======================


Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
Compatibility Pack for the 2007 Office system
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iPod for Windows 2005-09-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Learn2 Player (Uninstall Only)
Lexmark 510 Series
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee Uninstall Wizard
MediaBar
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Nseries Skin for Microsoft Windows Media Player
Packard Bell Toolbar 1.0
PerfectDisk 10 Professional
QuickTime
Roxio Media Manager
RPS CRT
RPS PerfectDiskStub
RPS RpsCore
S3GSetup
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shockwave
Sky Broadband
Smart Link 56K Modem
Sonic MyDVD
Sonic RecordNow!
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA/S3G Display Driver
Viewpoint Media Player
Virgin Media HUB 3.5.12
Virgin Media Security
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Service Pack 3
Works Suite OS Pack
Works Synchronization
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

07/12/2010 21:24:41, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
07/12/2010 21:14:40, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
07/12/2010 20:41:15, error: Service Control Manager [7034] - The Roxio Upnp Server 9 service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:41:15, error: Service Control Manager [7034] - The LiveShare P2P Server 9 service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:41:13, error: Service Control Manager [7022] - The CyberLink Task Scheduler (CTS) service hung on starting.
07/12/2010 20:36:39, error: Service Control Manager [7034] - The ServicepointService service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:39, error: Service Control Manager [7034] - The CyberLink Task Scheduler (CTS) service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:38, error: Service Control Manager [7034] - The SmartLinkService service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:38, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:37, error: Service Control Manager [7034] - The Generic Service for HID Keyboard Input Collections service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:37, error: Service Control Manager [7034] - The CyberLink Media Library Service service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:37, error: Service Control Manager [7034] - The CyberLink Background Capture Service (CBCS) service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:36, error: Service Control Manager [7034] - The Virgin Media Security Firewall service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:36, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
07/12/2010 20:36:36, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
06/12/2010 21:28:03, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD bdfsfltr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
06/12/2010 21:28:03, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:28:03, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:28:03, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:28:03, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:28:03, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
06/12/2010 21:27:15, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
06/12/2010 21:20:02, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x PCIIde perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp
06/12/2010 20:40:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdfsfltr Fips intelppm
06/12/2010 20:39:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
06/12/2010 19:48:19, error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 2 time(s).
06/12/2010 19:42:53, error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 1 time(s).
04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SiteAdvisor Service service to connect.
04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Services service to connect.
04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Proxy Service service to connect.
04/12/2010 21:52:42, error: Service Control Manager [7000] - The STDSB service failed to start due to the following error: The system cannot find the file specified.
04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
04/12/2010 10:34:47, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {B299BB78-EBBE-48F9-8725-E6A84C4E7C1D}
04/12/2010 10:34:44, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {03082469-BA75-44A5-89CB-D187F313E572}
04/12/2010 10:31:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
04/12/2010 10:31:09, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
02/12/2010 19:30:09, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {DDA1154C-204B-41D7-BFE7-7907C6BA9D56}
02/12/2010 17:14:32, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {AB92D412-E57E-473B-B9A2-3BAE647D9C8C}

==== End Of File ===========================
 
last virgin log FYI

Virgin Media Security - Scan Report
Scan Date: 06/12/2010 16:24:17 Scan Type: Standard Definition file: 1291620096 Last Update on: 06/12/2010 15:23:28

Folders and files selected to scan
C:\

Results
Master Boot Records and Fixed Disk Boot Sectors
Scanned 1 Master Boot Record(s).
Your Master Boot Record(s)/Boot Sector(s) are not infected.
Memory
Scanned: 15 item(s)
Infected files on HDD (C:)
Scanned: 71538 item(s)
File: C:\WINDOWS\explorer.exe Warning: The restoration of this OS protected file failed.
Virus: Trojan.Generic.5115567
File: C:\WINDOWS\system32\winlogon.exe Warning: The restoration of this OS protected file failed.
Virus: Trojan.Generic.5126187

Startup programs
Scanned: 245 item(s)
File: C:\WINDOWS\explorer.exe Warning: The restoration of this OS protected file failed.
Virus: Trojan.Generic.5115567

Rootkits
Found: 0 item(s)
Cookies
Scanned: 33 item(s)
 
Please run the following in the order I give them:

1. Your Hosts file has been hijacked, so we'll need to remove those sites.
Note: Uninstall the HijackThis v2.0.2 that you have installed- it is outdated. Use the current download instead, below:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format > uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
===================================================
2. Download Combofix to your desktop from one of these locations:
Link 1
Link 2
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===========================================
Please remove these from the Trusted Zone> Nothing needs to be in this zone; its security settings are lower:
Open Internet Options through the Control Panel or Tools in IE> Security tab> Trusted Sites> Sites> click to highlight each> click on Remove:
*.boxingscene.com
*.google.co.uk
*.italymag.co.uk
*.liverpoolecho.co.uk
*.liverpoolfc.tv
*.tvants.com
*.tvunetworks.com

When finished> Click on OK> Apply> OK.
Please note: This does not prevent you from accessing the sites, nor does it prevent anything being received from the Domains. What it does do is put the Domains under the Internet security setting, which is much safer than Trusted. Please use the * as it acts as a wild card for the Domain.
=============================================
I don't need any more scans from Virgin Media. You'll be getting that free from the ISP- right? Looks like they use Radialpoint Security Services. I'm not familiar with that but will mention that many users have found that free security from the ISP doesn't do the job they would like.

A question: Do you have another language besides English on the system? There are some entries that suggest that.
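A quick way to triage Hosts entries like the ones reported in the DDS and HijackThis logs above, as an added example that is not part of any post in this thread: the script below parses Hosts-file text, treats only loopback (127.0.0.1 / ::1) and 0.0.0.0 blackhole mappings as benign, groups every other mapping by the address it points to, and rebuilds the file with only the benign lines. The sample Hosts content is constructed from the nine entries in the logs plus the default XP header; it is not a copy of the poster's actual file. On the XP machine the file lives at %SystemRoot%\system32\drivers\etc\hosts, and writing the cleaned output back would need administrator rights (security tools often set it read-only), which this example does not attempt.

```python
"""Triage a Windows Hosts file for hijacked entries.

Added example for this thread, not code from the original posts.
Constructed sample input: the default XP header plus the nine lines the
DDS / HijackThis logs report, all pointed at one non-loopback address.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample (header is the stock XP comment block, trimmed).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 test1111.com
74.125.45.100 test1112.com
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 www.getavplusnow.com
"""

# address, whitespace, then one or more hostnames
LINE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                          # first token is not an address
        for name in m.group(2).split():      # a line may list several names
            yield str(ip), name.lower()


def is_benign(ip):
    """Loopback and 0.0.0.0 targets are the only mappings a stock machine needs."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return {ip: [names]} for every mapping that is not benign."""
    hijacks = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_benign(ip):
            hijacks[ip].append(name)
    return dict(hijacks)


def cleaned_hosts(text):
    """Rebuild the file keeping comments, blank lines and benign mappings only."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        pairs = list(parse_hosts(raw))
        if pairs and all(is_benign(ip) for ip, _ in pairs):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{len(names)} hostname(s) redirected to {ip}:")
        for n in names:
            print("   ", n)
    print("--- cleaned file ---")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

Grouping by target address is the useful part: a batch of unrelated-looking payment and "antivirus" domains all resolving to one address is the signature of a rogue-AV hijack rather than a hand-made entry, and the cleaned output keeps the loopback line that Windows expects.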
 
Bobbye. Thanks heaps for the help. Again, I'll have to do this once I get in. I'll report back asap.

Re your question about another language I'm a little unclear. I did get married in Italy this year and had to correspond a lot of the time over email in Italian. I don't know if this is what you are referring to?

Thanks again.
 
Hijack this log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:14:05, on 08/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Media\Security\Fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Virgin Media\HUB\ServicepointService.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O15 - Trusted Zone: http://www.italymag.co.uk
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MediaBar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2}: NameServer = 192.168.0.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Virgin Media Security (Radialpoint Security Services) - Virgin Media - C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
O23 - Service: RadialpointIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Virgin Media Security Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Media\Security\Fws.exe
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Virgin Media\HUB\ServicepointService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

--
End of file - 8046 bytes
 
Hi bobbye. I've a bit of a problem. I can't seem to disable Windows Firewall. I've clicked "off" but it still says it is active. I've also tried to run the ComboFix but no log appeared after the scan and the programme terminated.

Is this because windows system suite is active? I've absolutely no idea how to disable it.
 
combo log now attached

ComboFix 10-12-07.06 - Dan 08/12/2010 22:22:59.4.1 - x86
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
AV: Virgin Media Security Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Windows System Suite *On-access scanning enabled* (Updated) {CB235AA9-0891-4FB3-BE94-4F82B43A0AB8}
FW: Virgin Media Security Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: Windows System Suite *enabled* {7600FCED-EDF0-4333-8DC7-009E1BAEAA59}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\WSYSSSys\wsyss.cfg
c:\documents and settings\Dan\Application Data\Emwo\ygad.exe
c:\documents and settings\Dan\Application Data\Erezp\ecwun.exe
c:\documents and settings\Dan\Application Data\Leyw\gaov.exe
c:\documents and settings\Dan\Recent\ANTIGEN.sys
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\struct~.ini
c:\windows\system32\drivers\eicon.txt

-- Previous Run --

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\system32\winlogon.exe . . . is infected!!

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

--------

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-08 to 2010-12-08 )))))))))))))))))))))))))))))))
.

2010-12-08 20:10 . 2010-12-08 20:11 -------- d-----w- C:\HijackThis
2010-12-07 19:29 . 2010-12-07 19:29 -------- d-----w- c:\documents and settings\Tash\Application Data\Virgin Media
2010-12-06 21:06 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 21:06 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 21:06 . 2010-12-06 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 23:30 . 2010-12-05 23:31 -------- d-----w- c:\program files\tmp
2010-12-05 22:15 . 2009-11-02 15:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-12-05 22:13 . 2009-10-23 13:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-12-05 22:13 . 2010-12-05 22:13 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2010-12-05 22:12 . 2010-12-05 22:12 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\program files\Raxco
2010-12-02 12:54 . 2010-12-06 10:06 -------- d-----w- c:\program files\etkvhlXN
2010-12-02 09:42 . 2010-12-05 21:35 -------- d-----w- c:\program files\windows
2010-11-29 12:25 . 2010-12-05 22:19 -------- d-----w- c:\documents and settings\Dan\Application Data\Virgin Media
2010-11-29 12:25 . 2010-11-29 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2010-11-29 12:25 . 2010-12-05 22:09 -------- d-----w- c:\program files\Virgin Media
2010-11-29 12:25 . 2010-12-05 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Media
2010-11-10 20:55 . 2010-12-03 10:31 -------- d-----w- c:\documents and settings\Dan\Application Data\Awsog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:37 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:37 953856 ----a-w- c:\windows\system32\mfc40u.dll
2006-07-25 22:11 . 2006-07-25 22:11 11817800 -c--a-w- c:\program files\GoogleEarth.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Virgin Media\\HUB\\ServicepointService.exe"=

R2 STDSB;STDSB;c:\windows\system32\DRIVERS\STDSB.sys [2005-08-25 11279]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-08-30 13352]
S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-11-02 25608]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
S2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [2005-08-25 11279]
S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [2010-01-04 165408]
S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [2009-12-14 668912]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 25736]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - 39BC6DE5
*Deregistered* - 39bc6de5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder

2010-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2006-05-10 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2006-05-10 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2006-05-10 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.virginmedia.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: boxingscene.com\www
Trusted Zone: google.co.uk
Trusted Zone: liverpoolecho.co.uk\www
Trusted Zone: liverpoolfc.tv\www
Trusted Zone: tvants
Trusted Zone: tvu
TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-08 22:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Media\Security\Fws.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\apps\HIDSERVICE\HIDSERVICE.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\windows\system32\slmdmsr.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\Virgin Media\Security\rps.exe
.
**************************************************************************
.
Completion time: 2010-12-08 22:47:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-08 22:47
ComboFix2.txt 2009-04-02 17:52
ComboFix3.txt 2009-04-02 09:57

Pre-Run: 37,765,861,376 bytes free
Post-Run: 37,749,882,880 bytes free

- - End Of File - - 1089DF2682135E080BF3FF9D7CBD4B8D
 
If you have a question to ask or comment to add, please use the Edit feature instead of a new reply. I get email feedback every time there is even one sentence in a reply. This does not include logs however.
========================================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com


Close all Windows except HijackThis and click on "Fix Checked."
=========================================
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Click on Start> Run> type in services.msc> double click on the following and set startup type as instructed:
All CyberLink Services> Set to Manual Startup> Stop the Services.
Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

All Roxio Services> Set to Manual Startup> Stop the Services.
Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
Exit Services.
=============================================
Do you have the McAfee AntiPhishing Filter & Spamkiller disabled?
=================================================
Update both of the following. Then remove the old version in Add/Remove Programs:
Check this site: Java Updates
Visit this Adobe Reader site
=======
Consider removing these from Scheduled Tasks in the Control Panel:
2006-05-10 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
2006-05-10 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
2006-05-10 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

oobebaln.exe is the Windows Out Of the Box Experience Balloon Reminder. It is probably a registration reminder, but either you no longer have the program to register, or after 6 years you can remove the reminder:

To remove a scheduled task
1. Open Scheduled Tasks in Control Panel.
2. Right click the task that you want to remove and then click Delete.

You can also remove a scheduled task by selecting it and then pressing DELETE.
==============================================
Do you know what this is?
2010-12-06 10:06 > c:\program files\etkvhlXN

Please finish with this, then go on to the next reply.
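The "O1 - Hosts:" lines above all point rogue-AV payment domains at one address, which is why they are on the fix list. As an added example (not part of this thread, and not HijackThis or ComboFix code), here is a small Python script that parses hosts-file lines and HijackThis "O1 - Hosts:" entries and flags any mapping to something other than a loopback address; a clean XP hosts file normally contains only the localhost line. The function names (parse_hosts, suspicious_entries, summarize) are my own, and the sample input is constructed from the entries in the log above.

```python
"""Audit hosts-file style entries for suspicious redirections.

Added example, not from the thread above: accepts raw hosts-file lines
and HijackThis "O1 - Hosts:" report lines, and reports every mapping
whose address is not a loopback address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Prefix HijackThis prepends to hosts entries in its report.
_HJT_PREFIX = re.compile(r"^O1 - Hosts:\s*")


@dataclass
class HostsEntry:
    address: str
    hostnames: List[str]
    line: str

    @property
    def is_loopback(self) -> bool:
        """True for 127.0.0.0/8 and ::1; False for anything else or garbage."""
        try:
            return ipaddress.ip_address(self.address).is_loopback
        except ValueError:
            return False


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file lines (or HijackThis O1 lines); skip comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = _HJT_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no hostname is not a mapping
            continue
        entries.append(HostsEntry(address=parts[0], hostnames=parts[1:], line=raw.strip()))
    return entries


def suspicious_entries(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that map a hostname to a non-loopback address.

    Malware edits the hosts file to pin chosen names to chosen addresses;
    in the thread above, rogue-AV payment domains were all pinned to one IP.
    """
    return [e for e in entries if not e.is_loopback]


def summarize(entries: List[HostsEntry]) -> Dict[str, List[str]]:
    """Group flagged hostnames by target address for quick triage."""
    by_addr: Dict[str, List[str]] = {}
    for e in suspicious_entries(entries):
        by_addr.setdefault(e.address, []).extend(e.hostnames)
    return by_addr


# Constructed sample: a default-looking hosts file plus three HijackThis-style
# entries modelled on the log in this thread.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
"""

if __name__ == "__main__":
    for addr, names in summarize(parse_hosts(SAMPLE)).items():
        print(f"{addr}: {', '.join(names)}")
```

On a real machine you would read C:\WINDOWS\system32\drivers\etc\hosts instead of SAMPLE; the parser handles both the raw file and lines copied out of a HijackThis log, so the same check works on a posted log before anything is touched on the system.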
 
Continue with this after completing instructions in Reply #18:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: [Be sure to scroll down to include ALL lines.]
Code:
File::
SecCenter::
{CB235AA9-0891-4FB3-BE94-4F82B43A0AB8}
{7600FCED-EDF0-4333-8DC7-009E1BAEAA59}
DDS::
mStart Page = about:blank
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 test1111.com
Hosts: 74.125.45.100 test1112.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 test1111.com
Hosts: 74.125.45.100 test1112.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 www.getavplusnow.com

DirLook::
c:\program files\windows
c:\docume~1\dan\applic~1\Leyw
c:\docume~1\dan\applic~1\Awsog

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
 
log file pasted and attached

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=565cc4c6c279f6498d509fe567ec2a1b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-09 09:21:43
# local_time=2010-12-09 09:21:43 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 3916 3916 0 0
# scanned=65952
# found=12
# cleaned=0
# scan_time=4300
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Emwo\ygad.exe.vir Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Erezp\ecwun.exe.vir Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP1\A0000009.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP2\A0003445.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006628.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006630.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006631.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006820.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006823.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
 

combofix log

ComboFix 10-12-08.04 - Dan 09/12/2010 21:42:00.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.142 [GMT 0:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: Virgin Media Security Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Virgin Media Security Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.

2010-12-09 20:04 . 2010-12-09 20:04 -------- d-----w- c:\program files\ESET
2010-12-09 19:41 . 2010-12-09 19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-09 19:41 . 2010-12-09 19:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-08 20:10 . 2010-12-09 19:04 -------- d-----w- C:\HijackThis
2010-12-07 19:29 . 2010-12-07 19:29 -------- d-----w- c:\documents and settings\Tash\Application Data\Virgin Media
2010-12-06 21:06 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 21:06 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 21:06 . 2010-12-06 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 23:30 . 2010-12-05 23:31 -------- d-----w- c:\program files\tmp
2010-12-05 22:15 . 2009-11-02 15:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-12-05 22:13 . 2009-10-23 13:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-12-05 22:13 . 2010-12-05 22:13 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2010-12-05 22:12 . 2010-12-05 22:12 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\program files\Raxco
2010-12-02 09:42 . 2010-12-05 21:35 -------- d-----w- c:\program files\windows
2010-11-29 12:25 . 2010-12-05 22:19 -------- d-----w- c:\documents and settings\Dan\Application Data\Virgin Media
2010-11-29 12:25 . 2010-11-29 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2010-11-29 12:25 . 2010-12-05 22:09 -------- d-----w- c:\program files\Virgin Media
2010-11-29 12:25 . 2010-12-05 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Media
2010-11-10 20:55 . 2010-12-03 10:31 -------- d-----w- c:\documents and settings\Dan\Application Data\Awsog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:37 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:37 953856 ----a-w- c:\windows\system32\mfc40u.dll
2006-07-25 22:11 . 2006-07-25 22:11 11817800 -c--a-w- c:\program files\GoogleEarth.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\docume~1\dan\applic~1\Awsog ----


---- Directory of c:\docume~1\dan\applic~1\Leyw ----


---- Directory of c:\program files\windows ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Virgin Media\\HUB\\ServicepointService.exe"=

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [05/12/2010 22:15 25608]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [03/08/2010 19:04 203280]
R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [29/03/2006 11:48 11279]
R2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [04/01/2010 12:17 165408]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [05/12/2010 22:15 5832712]
R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [29/11/2010 12:25 668912]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [05/12/2010 22:15 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [05/12/2010 22:15 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [05/12/2010 22:15 25736]
S2 STDSB;STDSB;c:\windows\system32\drivers\STDSB.sys [29/03/2006 11:48 11279]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [30/08/2008 14:57 13352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 3A77365A
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - 3a77365a

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder

2010-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.virginmedia.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-09 21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1700)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-09 21:59:30
ComboFix-quarantined-files.txt 2010-12-09 21:59
ComboFix2.txt 2010-12-08 22:47
ComboFix3.txt 2009-04-02 17:52
ComboFix4.txt 2009-04-02 09:57

Pre-Run: 37,433,937,920 bytes free
Post-Run: 37,445,730,304 bytes free

- - End Of File - - ADF81B39D77A457079FFB25BE06B6658
 
Question> Important!
In the instructions with the Eset online virus scan, there is a line saying this:
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

Tell me please if you missed it and did check for removal? All of the entries suggest you did as they are marked unable to clean. I think that is because they have already been handled. Qoobox is the quarantine folder from Combofix and System Volume is restore points which I'll have you remove later. There is only one entry that is showing as 'new' but I think it also has been handled.

So:
1. Did you check for removal in Eset?
2. Are you still having the original malware-related problems?

I'll move the one Eset entry- in case it is still active:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Files 
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================================
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::

Folder::
c:\program files\windows
c:\docume~1\dan\applic~1\Leyw
c:\docume~1\dan\applic~1\Awsog
c:\program files\tmp

NetSvc::
vvdsvc
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
You're almost there!
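The CFScript above removes the rogue `vvdsvc` group from the svchost key, which is how the redirector persisted: a service group that is not one of the XP defaults, registered so that a svchost.exe instance will load its DLL at boot. The following PowerShell is an added example (not part of the thread, and not a ComboFix or OTMoveIt feature) that audits every svchost group on a live Windows machine the same way: each listed member must be a registered service whose ServiceDll actually exists on disk. The key paths are the standard Windows ones; the output tags ([SUSPECT]/[CHECK]/[ok]) are this example's own convention.

```powershell
# Added example: audit svchost service groups against the Services key.
# Malware such as the 'vvdsvc' entry in the log above adds its own group
# here so that svchost.exe loads its DLL at boot. Standard key locations:
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$groups = Get-ItemProperty -Path $svchostKey
foreach ($prop in $groups.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSParentPath/etc.; they are not groups.
    if ($prop.Name -like 'PS*') { continue }
    $groupName = $prop.Name

    # Each group value is REG_MULTI_SZ: one service name per element.
    foreach ($svc in @($prop.Value)) {
        $svcKey = Join-Path $servicesKey $svc
        if (-not (Test-Path $svcKey)) {
            "[SUSPECT] group '$groupName' lists '$svc' but no such service is registered"
            continue
        }

        # The DLL a svchost-hosted service runs lives in <service>\Parameters\ServiceDll.
        $dll = $null
        $params = Join-Path $svcKey 'Parameters'
        if (Test-Path $params) {
            $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
        }
        if (-not $dll) {
            "[CHECK]   group '$groupName' service '$svc' has no ServiceDll value"
            continue
        }

        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path $expanded)) {
            "[SUSPECT] group '$groupName' service '$svc' ServiceDll missing on disk: $expanded"
        } elseif ($expanded -notlike "$env:SystemRoot\system32\*") {
            # Legitimate svchost DLLs on XP live in system32; anything else deserves a look.
            "[CHECK]   group '$groupName' service '$svc' ServiceDll outside system32: $expanded"
        } else {
            "[ok]      $groupName / $svc -> $expanded"
        }
    }
}
```

Run it from an administrator PowerShell session before and after the CFScript: beforehand the `vvdsvc` group should surface as a non-default group name, afterwards it should be gone. The default groups (netsvcs, LocalService, NetworkService and a handful of others) list names for optional components that may not be installed on a given edition, so a [SUSPECT] line under a long-standing default group is a prompt to look at the service, not a verdict; a whole group that is not one of the defaults is the stronger signal.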
 
OTM log

Bobbye,

Log pasted below, but in answer to your questions:

I didn't miss the instruction about unchecking for removal and checking the unwanted items. However, whilst I did uncheck for removal, the second option stated "scan archives", and not "scan unwanted items". I took this to mean the same thing and checked that item.

Also, internet seems to be relatively normal now. Google searches are not redirecting anyway.




All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\All Users\Documents\Server\hlp.dat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Dan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4499169 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 405 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Tash
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4018 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 4.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 12112010_164645

Files moved on Reboot...

Registry entries deleted on Reboot...
 
combo log

ComboFix 10-12-08.04 - Dan 11/12/2010 17:10:27.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.97 [GMT 0:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: Virgin Media Security Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Virgin Media Security Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\dan\applic~1\Awsog
c:\program files\tmp
c:\program files\windows

.
((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.

2010-12-11 17:05 . 2010-12-11 17:06 -------- d-----w- C:\32788R22FWJFW
2010-12-11 16:46 . 2010-12-11 16:46 -------- d-----w- C:\_OTM
2010-12-09 20:04 . 2010-12-09 20:04 -------- d-----w- c:\program files\ESET
2010-12-09 19:41 . 2010-12-09 19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-09 19:41 . 2010-12-09 19:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-08 20:10 . 2010-12-09 19:04 -------- d-----w- C:\HijackThis
2010-12-07 19:29 . 2010-12-07 19:29 -------- d-----w- c:\documents and settings\Tash\Application Data\Virgin Media
2010-12-06 21:06 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 21:06 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 21:06 . 2010-12-06 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 22:15 . 2009-11-02 15:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-12-05 22:13 . 2009-10-23 13:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-12-05 22:13 . 2010-12-05 22:13 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2010-12-05 22:12 . 2010-12-05 22:12 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\program files\Raxco
2010-11-29 12:25 . 2010-12-05 22:19 -------- d-----w- c:\documents and settings\Dan\Application Data\Virgin Media
2010-11-29 12:25 . 2010-11-29 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2010-11-29 12:25 . 2010-12-05 22:09 -------- d-----w- c:\program files\Virgin Media
2010-11-29 12:25 . 2010-12-05 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:37 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:37 953856 ----a-w- c:\windows\system32\mfc40u.dll
2006-07-25 22:11 . 2006-07-25 22:11 11817800 -c--a-w- c:\program files\GoogleEarth.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Virgin Media\\HUB\\ServicepointService.exe"=

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [05/12/2010 22:15 25608]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [03/08/2010 19:04 203280]
R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [29/03/2006 11:48 11279]
R2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [04/01/2010 12:17 165408]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [05/12/2010 22:15 5832712]
R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [29/11/2010 12:25 668912]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [05/12/2010 22:15 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [05/12/2010 22:15 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [05/12/2010 22:15 25736]
S2 STDSB;STDSB;c:\windows\system32\drivers\STDSB.sys [29/03/2006 11:48 11279]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [30/08/2008 14:57 13352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EE5C7596
*Deregistered* - ee5c7596

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder

2010-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.virginmedia.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 17:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-11 17:28:58
ComboFix-quarantined-files.txt 2010-12-11 17:28
ComboFix2.txt 2010-12-09 21:59
ComboFix3.txt 2010-12-08 22:47
ComboFix4.txt 2009-04-02 17:52
ComboFix5.txt 2010-12-11 17:07

Pre-Run: 37,418,622,976 bytes free
Post-Run: 37,409,447,936 bytes free

- - End Of File - - 4BA8231A59A0BBA8722C87EF9FE0269F
 
The entry found by Eset shows "unable to clean." But the directions say not to click for removal. I know that sounds confusing, but it's not to me. These logs look good.

Are the 'nasties' gone? I'd like you to run HijackThis and after I review that log to make sure no bad entries are running, I'll have you remove the cleaning tools and log:

Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 