HELP! Nasties over-running my laptop

Inactive
By jonny utah
Dec 7, 2010
Topic Status:
Not open for further replies.
  1. Hi everyone. Great site.

    My laptop at home (I'm running Windows XP) seems to be having a bit of a breakdown right now. Every time I click on a Google link following a Google search, I am redirected to random unrelated websites.

    I have run Malwarebytes Anti-Malware, selected and successfully removed 130 different nasties. However, now that I have logged back on in normal mode, the same problem keeps occurring.

    Please help!

    ps - unfortunately I'm not at home right at this minute so I cannot copy and paste any logs or anything like that. Hope the info above is enough, otherwise I'll be back on when I'm home from work.

    Thanks in advance for any help.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    When you are home and have access to the computer:

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    The description doesn't give me anything to work with.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    Hi Bobbye. Thanks for the info. I'll do exactly that once I get home.
  4. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    Hi Bobbye.

    What a nightmare that was. My Virgin Media Security does not scan properly. I get a message along the lines of "VMS has encountered a problem or an error and must terminate..." Something like that.

    Anyway, I followed the steps afterwards. I've no idea whether this is any help whatsoever, but here goes:

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5257

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    07/12/2010 21:08:54
    mbam-log-2010-12-07 (21-08-53).txt

    Scan type: Quick scan
    Objects scanned: 153945
    Time elapsed: 7 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-07 21:29:28
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD600UE-22HCT0 rev.09.07D09
    Running: g5k4elui.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\fwtcapow.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----





    DDS (Ver_10-12-05.01) - NTFSx86
    Run by Dan at 21:33:44.62 on 07/12/2010
    Internet Explorer: 7.0.5730.11

    ============== Running Processes ===============

    C:\Program Files\Virgin Media\Security\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Virgin Media\Security\rps.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
    C:\Program Files\Virgin Media\HUB\ServicepointService.exe
    C:\WINDOWS\system32\slmdmsr.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Virgin Media\HUB\VirginMediaHUBComHandler.exe
    C:\Documents and Settings\Dan\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.virginmedia.com/
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBC}
    IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: boxingscene.com\www
    Trusted Zone: google.co.uk
    Trusted Zone: italymag.co.uk\www
    Trusted Zone: liverpoolecho.co.uk\www
    Trusted Zone: liverpoolfc.tv\www
    Trusted Zone: tvants
    Trusted Zone: tvu
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
    DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
    TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 test1111.com
    Hosts: 74.125.45.100 test1112.com
    Hosts: 74.125.45.100 4-open-davinci.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ============= SERVICES / DRIVERS ===============

    R? ggflt;SEMC USB Flash Driver Filter
    R? STDSB;STDSB
    S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
    S? MTC0007_STDSB;Scroll Bar Driver
    S? Radialpoint Security Services;Virgin Media Security
    S? RadialpointIDSAgent;RadialpointIDSAgent
    S? RadialpointIDSDriver;RadialpointIDSDriver
    S? RadialpointIDSEH;RadialpointIDSEH
    S? RadialpointIDSFilter;RadialpointIDSFilter
    S? RadialpointIDSShim;RadialpointIDSShim
    S? ServicepointService;ServicepointService

    =============== Created Last 30 ================

    2010-12-06 21:06:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-06 21:06:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-06 21:06:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 23:30:11 -------- d-----w- c:\program files\tmp
    2010-12-05 22:15:39 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2010-12-05 22:13:45 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-12-05 22:13:02 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2010-12-05 22:12:25 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2010-12-05 22:11:45 -------- d-----w- c:\program files\Raxco
    2010-12-02 12:54:57 -------- d-----w- c:\program files\etkvhlXN
    2010-12-02 09:42:54 -------- d-----w- c:\program files\windows
    2010-11-29 12:25:40 -------- d-----w- c:\docume~1\dan\applic~1\Virgin Media
    2010-11-29 12:25:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
    2010-11-29 12:25:15 -------- d-----w- c:\program files\Virgin Media
    2010-11-29 12:25:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Virgin Media
    2010-11-10 20:55:43 -------- d-----w- c:\docume~1\dan\applic~1\Leyw
    2010-11-10 20:55:43 -------- d-----w- c:\docume~1\dan\applic~1\Awsog

    ==================== Find3M ====================

    2010-10-31 14:29:48 256 ----a-w- c:\windows\system32\pool.bin
    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38:00 17408 ------w- c:\windows\system32\corpol.dll
    2006-07-25 22:11:30 11817800 -c--a-w- c:\program files\GoogleEarth.exe

    ============= FINISH: 21:36:18.85 ===============




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-05.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/05/2006 19:39:57
    System Uptime: 07/12/2010 21:17:09 (0 hours ago)

    Motherboard: NEC COMPUTERS INTERNATIONAL | | NEC Versa Premium
    Processor: Intel(R) Celeron(R) M processor 1.50GHz | mPGA478 | 1492/100mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 50 GiB total, 34.468 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 04/12/2010 10:30:21 - System Checkpoint
    RP2: 06/12/2010 14:33:45 - System Checkpoint

    ==== Hosts File Hijack ======================

    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 test1111.com
    Hosts: 74.125.45.100 test1112.com
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 www.getavplusnow.com

    ==== Installed Programs ======================


    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0
    Apple Mobile Device Support
    Apple Software Update
    BlackBerry Desktop Software 5.0.1
    BlackBerry® Media Sync
    Compatibility Pack for the 2007 Office system
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    iPod for Windows 2005-09-23
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_05
    Learn2 Player (Uninstall Only)
    Lexmark 510 Series
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    McAfee Uninstall Wizard
    MediaBar
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office Professional Edition 2003
    Microsoft Office Standard Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nokia Nseries Skin for Microsoft Windows Media Player
    Packard Bell Toolbar 1.0
    PerfectDisk 10 Professional
    QuickTime
    Roxio Media Manager
    RPS CRT
    RPS PerfectDiskStub
    RPS RpsCore
    S3GSetup
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Shockwave
    Sky Broadband
    Smart Link 56K Modem
    Sonic MyDVD
    Sonic RecordNow!
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VIA/S3G Display Driver
    Viewpoint Media Player
    Virgin Media HUB 3.5.12
    Virgin Media Security
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    Works Suite OS Pack
    Works Synchronization
    Yahoo! Install Manager

    ==== Event Viewer Messages From Past Week ========

    07/12/2010 21:24:41, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
    07/12/2010 21:14:40, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    07/12/2010 20:41:15, error: Service Control Manager [7034] - The Roxio Upnp Server 9 service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:41:15, error: Service Control Manager [7034] - The LiveShare P2P Server 9 service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:41:13, error: Service Control Manager [7022] - The CyberLink Task Scheduler (CTS) service hung on starting.
    07/12/2010 20:36:39, error: Service Control Manager [7034] - The ServicepointService service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:39, error: Service Control Manager [7034] - The CyberLink Task Scheduler (CTS) service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:38, error: Service Control Manager [7034] - The SmartLinkService service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:38, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:37, error: Service Control Manager [7034] - The Generic Service for HID Keyboard Input Collections service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:37, error: Service Control Manager [7034] - The CyberLink Media Library Service service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:37, error: Service Control Manager [7034] - The CyberLink Background Capture Service (CBCS) service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:36, error: Service Control Manager [7034] - The Virgin Media Security Firewall service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:36, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:36, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    06/12/2010 21:28:03, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD bdfsfltr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:27:15, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    06/12/2010 21:20:02, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x PCIIde perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp
    06/12/2010 20:40:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdfsfltr Fips intelppm
    06/12/2010 20:39:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    06/12/2010 19:48:19, error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 2 time(s).
    06/12/2010 19:42:53, error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 1 time(s).
    04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
    04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SiteAdvisor Service service to connect.
    04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Services service to connect.
    04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Proxy Service service to connect.
    04/12/2010 21:52:42, error: Service Control Manager [7000] - The STDSB service failed to start due to the following error: The system cannot find the file specified.
    04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    04/12/2010 10:34:47, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {B299BB78-EBBE-48F9-8725-E6A84C4E7C1D}
    04/12/2010 10:34:44, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {03082469-BA75-44A5-89CB-D187F313E572}
    04/12/2010 10:31:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
    04/12/2010 10:31:09, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    02/12/2010 19:30:09, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {DDA1154C-204B-41D7-BFE7-7907C6BA9D56}
    02/12/2010 17:14:32, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {AB92D412-E57E-473B-B9A2-3BAE647D9C8C}

    ==== End Of File ===========================
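The "Hosts File Hijack" section of the DDS log above shows nine hostnames all pinned to the single public address 74.125.45.100. The script below is an added example, not part of this thread and not one of the tools Bobbye's procedure uses: it parses hosts-file lines (either the raw %SystemRoot%\system32\drivers\etc\hosts format or the "Hosts: <ip> <name>" shape DDS prints) and groups every entry that points a name at a non-local address, so a many-names-to-one-public-IP pattern like the one in the log stands out. The sample input is constructed from the entries in the log plus two benign lines for contrast; the choice to treat loopback, private and 0.0.0.0 targets as benign is an assumption of the example, not something the log states.

```python
"""Group hosts-file entries that redirect public hostnames to non-local addresses."""
from collections import defaultdict
import ipaddress

# Constructed sample input in the "Hosts: <ip> <name>" shape DDS uses.
# The 74.125.45.100 lines are the ones from the log above; the first two
# lines are benign entries added for contrast (assumption of this example).
SAMPLE_HOSTS_LINES = """\
Hosts: 127.0.0.1 localhost
Hosts: 192.168.0.10 nas.home.lan
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 test1111.com
Hosts: 74.125.45.100 test1112.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 www.getavplusnow.com
"""


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-style text.

    Accepts both raw hosts-file lines ("1.2.3.4 name [name ...] # comment")
    and DDS-style "Hosts: 1.2.3.4 name" lines. Comments, blank lines and
    lines whose first token is not an IP address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith("Hosts:"):                # tolerate the DDS prefix
            line = line[len("Hosts:"):].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                 # not an address, not a hosts entry
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def is_local_target(ip):
    """Loopback, RFC 1918/ULA and 0.0.0.0 (ad-block style blackholing) are treated
    as benign targets; everything else is a redirect to a real remote host."""
    return ip.is_loopback or ip.is_private or ip.is_unspecified


def find_redirects(text):
    """Return {ip_string: [hostnames]} for every non-local target address.

    A single public IP collecting many unrelated names is the pattern a hosts-file
    hijack leaves behind, so callers can sort the result by list length.
    """
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_local_target(ip):
            by_ip[str(ip)].append(name)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, names in sorted(find_redirects(SAMPLE_HOSTS_LINES).items(),
                            key=lambda kv: -len(kv[1])):
        print(f"{ip}: {len(names)} hostnames")
        for name in names:
            print(f"    {name}")
```

On the XP machine in the thread the file to read is %SystemRoot%\system32\drivers\etc\hosts; the script only groups entries and says nothing about who owns the target address, so the output is a list of names to check, not a verdict.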
  5. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    Bobbye. Problem with my Virgin Media Security. It shuts itself down fairly soon after it has started to scan stuff, saying: "Virgin Media Security has encountered an error and must restart immediately." In any case I continued through the remaining steps. The logs are coming up...
  6. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    mbam log

    07/12/2010 21:08:54
    mbam-log-2010-12-07 (21-08-53).txt

    Scan type: Quick scan
    Objects scanned: 153945
    Time elapsed: 7 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  7. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    gmer log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-07 21:29:28
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD600UE-22HCT0 rev.09.07D09
    Running: g5k4elui.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\fwtcapow.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----
  8. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    Gmer

    Duplicate GMER log deleted.
  9. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    dds text

    DDS (Ver_10-12-05.01) - NTFSx86
    Run by Dan at 21:33:44.62 on 07/12/2010
    Internet Explorer: 7.0.5730.11

    ============== Running Processes ===============

    C:\Program Files\Virgin Media\Security\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Virgin Media\Security\rps.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
    C:\Program Files\Virgin Media\HUB\ServicepointService.exe
    C:\WINDOWS\system32\slmdmsr.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Virgin Media\HUB\VirginMediaHUBComHandler.exe
    C:\Documents and Settings\Dan\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.virginmedia.com/
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBC}
    IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: boxingscene.com\www
    Trusted Zone: google.co.uk
    Trusted Zone: italymag.co.uk\www
    Trusted Zone: liverpoolecho.co.uk\www
    Trusted Zone: liverpoolfc.tv\www
    Trusted Zone: tvants
    Trusted Zone: tvu
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
    DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
    TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 test1111.com
    Hosts: 74.125.45.100 test1112.com
    Hosts: 74.125.45.100 4-open-davinci.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ============= SERVICES / DRIVERS ===============

    R? ggflt;SEMC USB Flash Driver Filter
    R? STDSB;STDSB
    S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
    S? MTC0007_STDSB;Scroll Bar Driver
    S? Radialpoint Security Services;Virgin Media Security
    S? RadialpointIDSAgent;RadialpointIDSAgent
    S? RadialpointIDSDriver;RadialpointIDSDriver
    S? RadialpointIDSEH;RadialpointIDSEH
    S? RadialpointIDSFilter;RadialpointIDSFilter
    S? RadialpointIDSShim;RadialpointIDSShim
    S? ServicepointService;ServicepointService

    =============== Created Last 30 ================

    2010-12-06 21:06:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-06 21:06:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-06 21:06:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 23:30:11 -------- d-----w- c:\program files\tmp
    2010-12-05 22:15:39 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2010-12-05 22:13:45 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-12-05 22:13:02 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2010-12-05 22:12:25 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2010-12-05 22:11:45 -------- d-----w- c:\program files\Raxco
    2010-12-02 12:54:57 -------- d-----w- c:\program files\etkvhlXN
    2010-12-02 09:42:54 -------- d-----w- c:\program files\windows
    2010-11-29 12:25:40 -------- d-----w- c:\docume~1\dan\applic~1\Virgin Media
    2010-11-29 12:25:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
    2010-11-29 12:25:15 -------- d-----w- c:\program files\Virgin Media
    2010-11-29 12:25:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Virgin Media
    2010-11-10 20:55:43 -------- d-----w- c:\docume~1\dan\applic~1\Leyw
    2010-11-10 20:55:43 -------- d-----w- c:\docume~1\dan\applic~1\Awsog

    ==================== Find3M ====================

    2010-10-31 14:29:48 256 ----a-w- c:\windows\system32\pool.bin
    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38:00 17408 ------w- c:\windows\system32\corpol.dll
    2006-07-25 22:11:30 11817800 -c--a-w- c:\program files\GoogleEarth.exe

    ============= FINISH: 21:36:18.85 ===============
  10. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    attach txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-05.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/05/2006 19:39:57
    System Uptime: 07/12/2010 21:17:09 (0 hours ago)

    Motherboard: NEC COMPUTERS INTERNATIONAL | | NEC Versa Premium
    Processor: Intel(R) Celeron(R) M processor 1.50GHz | mPGA478 | 1492/100mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 50 GiB total, 34.468 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 04/12/2010 10:30:21 - System Checkpoint
    RP2: 06/12/2010 14:33:45 - System Checkpoint

    ==== Hosts File Hijack ======================

    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 test1111.com
    Hosts: 74.125.45.100 test1112.com
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 www.getavplusnow.com

    ==== Installed Programs ======================


    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0
    Apple Mobile Device Support
    Apple Software Update
    BlackBerry Desktop Software 5.0.1
    BlackBerry® Media Sync
    Compatibility Pack for the 2007 Office system
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    iPod for Windows 2005-09-23
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_05
    Learn2 Player (Uninstall Only)
    Lexmark 510 Series
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    McAfee Uninstall Wizard
    MediaBar
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office Professional Edition 2003
    Microsoft Office Standard Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nokia Nseries Skin for Microsoft Windows Media Player
    Packard Bell Toolbar 1.0
    PerfectDisk 10 Professional
    QuickTime
    Roxio Media Manager
    RPS CRT
    RPS PerfectDiskStub
    RPS RpsCore
    S3GSetup
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Shockwave
    Sky Broadband
    Smart Link 56K Modem
    Sonic MyDVD
    Sonic RecordNow!
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VIA/S3G Display Driver
    Viewpoint Media Player
    Virgin Media HUB 3.5.12
    Virgin Media Security
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    Works Suite OS Pack
    Works Synchronization
    Yahoo! Install Manager

    ==== Event Viewer Messages From Past Week ========

    07/12/2010 21:24:41, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
    07/12/2010 21:14:40, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    07/12/2010 20:41:15, error: Service Control Manager [7034] - The Roxio Upnp Server 9 service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:41:15, error: Service Control Manager [7034] - The LiveShare P2P Server 9 service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:41:13, error: Service Control Manager [7022] - The CyberLink Task Scheduler (CTS) service hung on starting.
    07/12/2010 20:36:39, error: Service Control Manager [7034] - The ServicepointService service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:39, error: Service Control Manager [7034] - The CyberLink Task Scheduler (CTS) service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:38, error: Service Control Manager [7034] - The SmartLinkService service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:38, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:37, error: Service Control Manager [7034] - The Generic Service for HID Keyboard Input Collections service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:37, error: Service Control Manager [7034] - The CyberLink Media Library Service service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:37, error: Service Control Manager [7034] - The CyberLink Background Capture Service (CBCS) service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:36, error: Service Control Manager [7034] - The Virgin Media Security Firewall service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:36, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    07/12/2010 20:36:36, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    06/12/2010 21:28:03, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD bdfsfltr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:28:03, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    06/12/2010 21:27:15, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    06/12/2010 21:20:02, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x PCIIde perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp
    06/12/2010 20:40:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdfsfltr Fips intelppm
    06/12/2010 20:39:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    06/12/2010 19:48:19, error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 2 time(s).
    06/12/2010 19:42:53, error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 1 time(s).
    04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
    04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SiteAdvisor Service service to connect.
    04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Services service to connect.
    04/12/2010 21:52:42, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Proxy Service service to connect.
    04/12/2010 21:52:42, error: Service Control Manager [7000] - The STDSB service failed to start due to the following error: The system cannot find the file specified.
    04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    04/12/2010 21:52:42, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    04/12/2010 10:34:47, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {B299BB78-EBBE-48F9-8725-E6A84C4E7C1D}
    04/12/2010 10:34:44, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {03082469-BA75-44A5-89CB-D187F313E572}
    04/12/2010 10:31:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
    04/12/2010 10:31:09, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    02/12/2010 19:30:09, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {DDA1154C-204B-41D7-BFE7-7907C6BA9D56}
    02/12/2010 17:14:32, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {AB92D412-E57E-473B-B9A2-3BAE647D9C8C}

    ==== End Of File ===========================
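    The "Hosts File Hijack" section of the Attach.txt above shows several unrelated domain names all mapped to the single address 74.125.45.100, which is the pattern a helper looks for by eye. The script below is an added example, not part of this thread or of the DDS tool; it applies the same check programmatically over a constructed hosts file made from the default localhost line plus entries copied from the log, and it produces a cleaned copy with the hijacked lines dropped. The function names and the threshold of two names per external address are this example's own choices.

```python
"""Detect and strip hosts-file hijacks (added example, not from the thread).

A legitimate Windows hosts file maps names to loopback (127.0.0.1 / ::1) or to
a handful of LAN hosts.  Malware that wants to catch users looking for
security vendors or payment sites instead funnels many names to one external
address.  The checks here flag any name mapped away from loopback and treat an
external address that collects several names as a redirect hub.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the XP default line plus entries taken from the log above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 test1111.com
74.125.45.100 test1112.com
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped.

    One hosts line may carry several names after the address, so a single
    line can yield several pairs.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_local(ip):
    """True for loopback or unspecified addresses (the normal hosts targets)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: not local, will be reported
    return addr.is_loopback or addr.is_unspecified


def non_local_entries(text):
    """Group every name mapped away from loopback by its target address."""
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_local(ip):
            by_ip[ip].append(name)
    return dict(by_ip)


def hijack_report(text, hub_threshold=2):
    """Addresses that collect hub_threshold or more names: likely hijacks."""
    return {ip: names for ip, names in non_local_entries(text).items()
            if len(names) >= hub_threshold}


def remove_hijacks(text, bad_ips):
    """Return the hosts text with every line pointing at bad_ips removed.

    Comments and untouched lines are preserved verbatim so the cleaned file
    can be diffed against the original before it is written back.
    """
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and line.split()[0] in bad_ips:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = hijack_report(SAMPLE_HOSTS)
    for ip, names in report.items():
        print(f"{ip} collects {len(names)} names: {', '.join(names)}")
    print("--- cleaned hosts ---")
    print(remove_hijacks(SAMPLE_HOSTS, set(report)), end="")
```

    On a real machine the text would be read from %SystemRoot%\system32\drivers\etc\hosts; the cleaned copy should be reviewed by hand before replacing the file, since a LAN name mapped to a private address is legitimate and would also show up in non_local_entries.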
  11. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    last virgin log FYI

    Virgin Media Security - Scan Report
    Scan Date: 06/12/2010 16:24:17 Scan Type: Standard Definition file: 1291620096 Last Update on: 06/12/2010 15:23:28

    Folders and files selected to scan
    C:\

    Results
    Master Boot Records and Fixed Disk Boot Sectors
    Scanned 1 Master Boot Record(s).
    Your Master Boot Record(s)/Boot Sector(s) are not infected.
    Memory
    Scanned: 15 item(s)
    Infected files on HDD (C:)
    Scanned: 71538 item(s) File: C:\WINDOWS\explorer.exe Warning: The restoration of this OS protected file failed.
    Virus: Trojan.Generic.5115567
    File: C:\WINDOWS\system32\winlogon.exe Warning: The restoration of this OS protected file failed.
    Virus: Trojan.Generic.5126187

    Startup programs
    Scanned: 245 item(s) File: C:\WINDOWS\explorer.exe Warning: The restoration of this OS protected file failed.
    Virus: Trojan.Generic.5115567

    Rootkits
    Found: 0 item(s)
    Cookies
    Scanned: 33 item(s)
     
  12. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    oops

    Sorry for the amount of logs pasted here. I didn't think they were working...... :blush:
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please run the following in the order I give them:

    1. Your Host files have been hijacked so we'll need to remove those sites.
    Note: Uninstall the HijackThis v2.0.2 that you have installed- it is outdated. Use the current download instead, below:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ===================================================
    2. Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===========================================
    Please remove these from the Trusted Zone> Nothing needs to be in this zone. The security settings are lower:
    Open Internet Options through the Control Panel or Tools in IE> Security tab> Trusted Sites> Sites> click to highlight each> click on Remove:
    *.boxingscene.com
    *.google.co.uk
    *.italymag.co.uk
    *.liverpoolecho.co.uk
    *.liverpoolfc.tv
    *.tvants.com
    *.tvunetworks.com

    When finished> Click on OK> Apply> OK.
    Please note: This does not prevent you from accessing the sites, nor does it prevent anything being received from the Domains. What it does do is place the Domains under the Internet security settings, which are much safer than Trusted. Please use the * as it acts as a wild card for the Domain.
    =============================================
    I don't need any more scans from Virgin Media. You'll be getting that free from the ISP- right? Looks like they use Radialpoint Security Services. I'm not familiar with that but will mention that many users have found that free security from the ISP doesn't do the job they would like.

    A question: Do you have another language besides English on the system? There are some entries that suggest that.
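The two points in the reply above, the hosts-file hijack (O1 entries pointing domains at 74.125.45.100) and the over-populated Trusted Zone (O15 entries), are both things a helper checks by eye in a HijackThis log. The script below is an added example, not part of this thread or of HijackThis, that automates that check. It reads either HijackThis-style O1/O15 lines or a raw Windows hosts file and flags any name mapped to a non-loopback address as a redirect, loopback or 0.0.0.0 mappings as ordinary ad-blocking entries, and every Trusted Zone entry as worth reviewing. The sample inputs are constructed to mirror the entries in the log; the severity labels and the LOCAL_NAMES whitelist are the example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few HijackThis-style lines modelled on the entries in
# the log posted in this thread (O1 = hosts file, O15 = IE Trusted Zone).
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.virginmedia.com/
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O15 - Trusted Zone: http://www.italymag.co.uk
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
"""

# Constructed sample of a raw Windows hosts file carrying the same kind of entries.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100   www.getantivirusplusnow.com
74.125.45.100   secure.privatesecuredpayments.com   # trailing comment
0.0.0.0         tracker.example
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O15_RE = re.compile(r"^O15 - Trusted Zone:\s+(\S+)")
# Names that legitimately map to loopback (assumed whitelist for this example).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (example's own scale)
    kind: str       # "hosts-redirect", "hosts-block", "hosts-malformed", "trusted-zone"
    detail: str


def _is_sinkhole(ip) -> bool:
    """127.x / ::1 / 0.0.0.0 targets only block a name; they do not redirect it."""
    return ip.is_loopback or ip.is_unspecified


def classify_hosts_entry(ip_text: str, hostname: str) -> Optional[Finding]:
    """Decide whether one hosts mapping is a redirect, a block entry, or benign."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return Finding("info", "hosts-malformed", f"{ip_text} {hostname}")
    if hostname.lower() in LOCAL_NAMES and _is_sinkhole(ip):
        return None                      # the stock "127.0.0.1 localhost" line
    if _is_sinkhole(ip):
        return Finding("info", "hosts-block", f"{hostname} -> {ip}")
    # A routable address means requests for this name go somewhere else entirely.
    return Finding("high", "hosts-redirect", f"{hostname} -> {ip}")


def parse_hosts_file(text: str) -> List[Tuple[str, str]]:
    """Yield (ip, name) pairs from hosts-file syntax: comments and blanks ignored,
    several names may share one line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name))
    return entries


def audit_hosts_file(text: str) -> List[Finding]:
    findings = []
    for ip, name in parse_hosts_file(text):
        f = classify_hosts_entry(ip, name)
        if f is not None:
            findings.append(f)
    return findings


def audit_hjt_log(text: str) -> List[Finding]:
    """Walk a HijackThis log and report the O1 and O15 lines that need attention."""
    findings = []
    for line in text.splitlines():
        m = O1_RE.match(line)
        if m:
            f = classify_hosts_entry(m.group(1), m.group(2))
            if f is not None:
                findings.append(f)
            continue
        m = O15_RE.match(line)
        if m:
            # Trusted Zone lowers IE's security settings for the site, so every
            # entry is reported and the user decides whether it belongs there.
            findings.append(Finding("medium", "trusted-zone", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_HJT_LOG) + audit_hosts_file(SAMPLE_HOSTS_FILE):
        print(f"{f.severity:6} {f.kind:16} {f.detail}")
```

On a real XP machine the hosts file lives at C:\WINDOWS\system32\drivers\etc\hosts; pass its contents to audit_hosts_file, or a saved HijackThis log to audit_hjt_log. The useful distinction the script draws is between a loopback target (a blocking entry, common and usually harmless) and a routable target (a redirect, which is what the log above shows and what produces the "wrong site" symptom).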
  14. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    Bobbye. Thanks heaps for the help. Again, I'll have to do this once I get in. I'll report back asap.

    Re your question about another language I'm a little unclear. I did get married in Italy this year and had to correspond a lot of the time over email in Italian. I don't know if this is what you are referring to?

    Thanks again.
  15. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    Hijack this log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 20:14:05, on 08/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17091)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Virgin Media\Security\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Virgin Media\HUB\ServicepointService.exe
    C:\WINDOWS\system32\slmdmsr.exe
    C:\WINDOWS\system32\svchost.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 test1111.com
    O1 - Hosts: 74.125.45.100 test1112.com
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    O15 - Trusted Zone: http://www.italymag.co.uk
    O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MediaBar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
    O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2}: NameServer = 192.168.0.1
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
    O23 - Service: Virgin Media Security (Radialpoint Security Services) - Virgin Media - C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
    O23 - Service: RadialpointIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Virgin Media Security Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Media\Security\Fws.exe
    O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Virgin Media\HUB\ServicepointService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

    --
    End of file - 8046 bytes
  16. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    Hi Bobbye. I've a bit of a problem. I can't seem to disable Windows Firewall. I've clicked "off" but it still says it is active. I've also tried to run the combofix but no log appeared after the scan and the programme terminated.

    Is this because windows system suite is active? I've absolutely no idea how to disable it.
  17. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    combo log now attached

    ComboFix 10-12-07.06 - Dan 08/12/2010 22:22:59.4.1 - x86
    Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
    AV: Virgin Media Security Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    AV: Windows System Suite *On-access scanning enabled* (Updated) {CB235AA9-0891-4FB3-BE94-4F82B43A0AB8}
    FW: Virgin Media Security Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
    FW: Windows System Suite *enabled* {7600FCED-EDF0-4333-8DC7-009E1BAEAA59}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\All Users\Application Data\WSYSSSys\wsyss.cfg
    c:\documents and settings\Dan\Application Data\Emwo\ygad.exe
    c:\documents and settings\Dan\Application Data\Erezp\ecwun.exe
    c:\documents and settings\Dan\Application Data\Leyw\gaov.exe
    c:\documents and settings\Dan\Recent\ANTIGEN.sys
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\windows\struct~.ini
    c:\windows\system32\drivers\eicon.txt

    -- Previous Run --

    c:\windows\system32\winlogon.exe . . . is infected!!

    c:\windows\system32\winlogon.exe . . . is infected!!

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

    --------

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-08 to 2010-12-08 )))))))))))))))))))))))))))))))
    .

    2010-12-08 20:10 . 2010-12-08 20:11 -------- d-----w- C:\HijackThis
    2010-12-07 19:29 . 2010-12-07 19:29 -------- d-----w- c:\documents and settings\Tash\Application Data\Virgin Media
    2010-12-06 21:06 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-06 21:06 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-06 21:06 . 2010-12-06 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 23:30 . 2010-12-05 23:31 -------- d-----w- c:\program files\tmp
    2010-12-05 22:15 . 2009-11-02 15:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2010-12-05 22:13 . 2009-10-23 13:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-12-05 22:13 . 2010-12-05 22:13 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2010-12-05 22:12 . 2010-12-05 22:12 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
    2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\program files\Raxco
    2010-12-02 12:54 . 2010-12-06 10:06 -------- d-----w- c:\program files\etkvhlXN
    2010-12-02 09:42 . 2010-12-05 21:35 -------- d-----w- c:\program files\windows
    2010-11-29 12:25 . 2010-12-05 22:19 -------- d-----w- c:\documents and settings\Dan\Application Data\Virgin Media
    2010-11-29 12:25 . 2010-11-29 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
    2010-11-29 12:25 . 2010-12-05 22:09 -------- d-----w- c:\program files\Virgin Media
    2010-11-29 12:25 . 2010-12-05 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Media
    2010-11-10 20:55 . 2010-12-03 10:31 -------- d-----w- c:\documents and settings\Dan\Application Data\Awsog

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 11:23 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 15:37 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 15:37 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2006-07-25 22:11 . 2006-07-25 22:11 11817800 -c--a-w- c:\program files\GoogleEarth.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Virgin Media\\HUB\\ServicepointService.exe"=

    R2 STDSB;STDSB;c:\windows\system32\DRIVERS\STDSB.sys [2005-08-25 11279]
    R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-08-30 13352]
    S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-11-02 25608]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
    S2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [2005-08-25 11279]
    S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [2010-01-04 165408]
    S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
    S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [2009-12-14 668912]
    S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
    S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
    S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 25736]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - 39BC6DE5
    *Deregistered* - 39bc6de5

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    bdx REG_MULTI_SZ scan sysagent
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2006-05-10 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

    2006-05-10 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

    2006-05-10 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.virginmedia.com/
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: boxingscene.com\www
    Trusted Zone: google.co.uk
    Trusted Zone: liverpoolecho.co.uk\www
    Trusted Zone: liverpoolfc.tv\www
    Trusted Zone: tvants
    Trusted Zone: tvu
    TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-08 22:36
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2544)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Virgin Media\Security\Fws.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
    c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\apps\HIDSERVICE\HIDSERVICE.exe
    c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    c:\windows\system32\slmdmsr.exe
    c:\apps\Powercinema\Kernel\TV\CLSched.exe
    c:\program files\Virgin Media\Security\rps.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-08 22:47:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-08 22:47
    ComboFix2.txt 2009-04-02 17:52
    ComboFix3.txt 2009-04-02 09:57

    Pre-Run: 37,765,861,376 bytes free
    Post-Run: 37,749,882,880 bytes free

    - - End Of File - - 1089DF2682135E080BF3FF9D7CBD4B8D
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    If you have a question to ask or comment to add, please use the Edit feature instead of a new reply. I get email feedback every time there is even one sentence in a reply. This does not include logs however.
    ========================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 test1111.com
    O1 - Hosts: 74.125.45.100 test1112.com
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com


    Close all Windows except HijackThis and click on "Fix Checked."
    =========================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Run> type in services.msc> double click on the following and set startup type as instructed:
    All CyberLink Services> Set to Manual Startup> Stop the Services.
    Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

    All Roxio Services> Set to Manual Startup> Stop the Services.
    Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    Exit Services.
    =============================================
    Do you have the McAfee AntiPhishing Filter & Spamkiller disabled?
    =================================================
    Update both of the following. Then remove the old version in Add/Remove Programs:
    Check this site: Java Updates
    Visit this Adobe Reader site
    =======
    Consider removing these from Scheduled Tasks in the Control Panel:
    2006-05-10 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
    2006-05-10 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
    2006-05-10 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

    oobebaln.exe is the Windows Out Of the Box Experience Balloon Reminder. Probably a Registration reminder, but either you no longer have the program to register, or after 6 years, you can remove the reminder:

    To remove a scheduled task
    1. Open Scheduled Tasks in Control Panel.
    2. Right click the task that you want to remove and then click Delete.

    You can also remove a scheduled task by selecting it and then pressing DELETE.
    ==============================================
    Do you know what this is?
    2010-12-06 10:06 > c:\program files\etkvhlXN

    Please finish with this, then go on to the next reply.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Continue with this after completing instructions in Reply #18:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. (Be sure to scroll down to include ALL lines.)
    Code:
    File::
    SecCenter::
    {CB235AA9-0891-4FB3-BE94-4F82B43A0AB8}
    {7600FCED-EDF0-4333-8DC7-009E1BAEAA59}
    DDS::
    mStart Page = about:blank
    TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 test1111.com
    Hosts: 74.125.45.100 test1112.com
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 test1111.com
    Hosts: 74.125.45.100 test1112.com
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 www.getavplusnow.com
    
    DirLook::
    c:\program files\windows
    c:\docume~1\dan\applic~1\Leyw
    c:\docume~1\dan\applic~1\Awsog
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=-
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
  20. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    log file pasted and attached

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=565cc4c6c279f6498d509fe567ec2a1b
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-09 09:21:43
    # local_time=2010-12-09 09:21:43 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 3916 3916 0 0
    # scanned=65952
    # found=12
    # cleaned=0
    # scan_time=4300
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.DZ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Emwo\ygad.exe.vir Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Erezp\ecwun.exe.vir Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP1\A0000009.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP2\A0003445.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006628.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006630.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006631.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006820.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006823.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I

  21. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    combofix log

    ComboFix 10-12-08.04 - Dan 09/12/2010 21:42:00.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.142 [GMT 0:00]
    Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
    AV: Virgin Media Security Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    FW: Virgin Media Security Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
    .

    2010-12-09 20:04 . 2010-12-09 20:04 -------- d-----w- c:\program files\ESET
    2010-12-09 19:41 . 2010-12-09 19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-09 19:41 . 2010-12-09 19:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-08 20:10 . 2010-12-09 19:04 -------- d-----w- C:\HijackThis
    2010-12-07 19:29 . 2010-12-07 19:29 -------- d-----w- c:\documents and settings\Tash\Application Data\Virgin Media
    2010-12-06 21:06 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-06 21:06 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-06 21:06 . 2010-12-06 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 23:30 . 2010-12-05 23:31 -------- d-----w- c:\program files\tmp
    2010-12-05 22:15 . 2009-11-02 15:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2010-12-05 22:13 . 2009-10-23 13:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-12-05 22:13 . 2010-12-05 22:13 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2010-12-05 22:12 . 2010-12-05 22:12 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
    2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\program files\Raxco
    2010-12-02 09:42 . 2010-12-05 21:35 -------- d-----w- c:\program files\windows
    2010-11-29 12:25 . 2010-12-05 22:19 -------- d-----w- c:\documents and settings\Dan\Application Data\Virgin Media
    2010-11-29 12:25 . 2010-11-29 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
    2010-11-29 12:25 . 2010-12-05 22:09 -------- d-----w- c:\program files\Virgin Media
    2010-11-29 12:25 . 2010-12-05 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Media
    2010-11-10 20:55 . 2010-12-03 10:31 -------- d-----w- c:\documents and settings\Dan\Application Data\Awsog

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 11:23 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 15:37 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 15:37 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2006-07-25 22:11 . 2006-07-25 22:11 11817800 -c--a-w- c:\program files\GoogleEarth.exe
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\docume~1\dan\applic~1\Awsog ----


    ---- Directory of c:\docume~1\dan\applic~1\Leyw ----


    ---- Directory of c:\program files\windows ----



    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Virgin Media\\HUB\\ServicepointService.exe"=

    R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [05/12/2010 22:15 25608]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [03/08/2010 19:04 203280]
    R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [29/03/2006 11:48 11279]
    R2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [04/01/2010 12:17 165408]
    R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [05/12/2010 22:15 5832712]
    R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [29/11/2010 12:25 668912]
    R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [05/12/2010 22:15 122376]
    R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [05/12/2010 22:15 30216]
    R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [05/12/2010 22:15 25736]
    S2 STDSB;STDSB;c:\windows\system32\drivers\STDSB.sys [29/03/2006 11:48 11279]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [30/08/2008 14:57 13352]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - 3A77365A
    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    *Deregistered* - 3a77365a

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    bdx REG_MULTI_SZ scan sysagent
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.virginmedia.com/
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-09 21:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1700)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-09 21:59:30
    ComboFix-quarantined-files.txt 2010-12-09 21:59
    ComboFix2.txt 2010-12-08 22:47
    ComboFix3.txt 2009-04-02 17:52
    ComboFix4.txt 2009-04-02 09:57

    Pre-Run: 37,433,937,920 bytes free
    Post-Run: 37,445,730,304 bytes free

    - - End Of File - - ADF81B39D77A457079FFB25BE06B6658
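The ComboFix log above is long, but a helper acts on only a handful of its entries: the AV/firewall status lines and the `EnableFirewall` policy value, the directories newly created directly under a user's `Application Data`, and the non-default svchost groups (ComboFix already hides the legitimate defaults, so every group it lists deserves a look; the `NetSvc::` directive in the CFScript later in this thread targets exactly such an entry). The Python script below is an added example, not part of the thread and not a ComboFix component. It runs on a constructed, abridged excerpt of this log; the `Virgin Media` allow-list and the "single service named after its own group" heuristic are the example's own assumptions, not anything ComboFix reports.

```python
"""Triage a ComboFix log: pull out the entries a malware helper acts on first.

Added example for this thread; not part of the original posts or of ComboFix.
Runs offline on a constructed excerpt of the log posted above.
"""
import re

# Constructed excerpt, abridged from the ComboFix log above (not the full log).
SAMPLE_LOG = r"""
ComboFix 10-12-08.04 - Dan 09/12/2010 21:42:00.5.1 - x86
AV: Virgin Media Security Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Virgin Media Security Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.
((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.
2010-12-09 20:04 . 2010-12-09 20:04 -------- d-----w- c:\program files\ESET
2010-12-09 19:41 . 2010-12-09 19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-07 19:29 . 2010-12-07 19:29 -------- d-----w- c:\documents and settings\Tash\Application Data\Virgin Media
2010-12-02 09:42 . 2010-12-05 21:35 -------- d-----w- c:\program files\windows
2010-11-29 12:25 . 2010-12-05 22:19 -------- d-----w- c:\documents and settings\Dan\Application Data\Virgin Media
2010-11-10 20:55 . 2010-12-03 10:31 -------- d-----w- c:\documents and settings\Dan\Application Data\Awsog
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
bdx REG_MULTI_SZ scan sysagent
.
"""

# One "Files Created" row: created . modified size attrs path
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size>\S+) +(?P<attrs>[-a-z]{8}) +(?P<path>.+?)\s*$"
)
# A directory sitting directly under <user>\Application Data (compared lower-cased)
APPDATA_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\application data\\[^\\]+$"
)
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
SVCHOST_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]"


def parse_created(log):
    """Return (created, attrs, path) for every row of the 'Files Created' section."""
    rows = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            rows.append((m["created"], m["attrs"], m["path"]))
    return rows


def unknown_appdata_dirs(rows, allow):
    """New directories directly under a user's Application Data not on the allow-list.

    Heuristic (example's assumption): vendor folders are allow-listed, anything else
    is worth a look. Returns (user, folder) pairs with original casing."""
    allow = {a.lower() for a in allow}
    hits = []
    for _, attrs, path in rows:
        if attrs.startswith("d") and APPDATA_RE.match(path.lower()):
            parts = path.split("\\")          # ['c:', 'documents and settings', user, 'Application Data', leaf]
            if parts[4].lower() not in allow:
                hits.append((parts[2], parts[4]))
    return hits


def svchost_groups(log):
    """Map each svchost group ComboFix listed to the services it hosts."""
    groups = {}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() == SVCHOST_KEY.lower():
            for entry in lines[i + 1:]:
                entry = entry.strip()
                if not entry or entry == ".":
                    break                      # section ends at a blank line or ComboFix's '.'
                name, _, services = entry.partition(" REG_MULTI_SZ ")
                groups[name] = services.split()
            break
    return groups


def self_named_groups(groups):
    """Groups hosting exactly one service named after the group itself (heuristic):
    legitimate Windows groups host several services, and ComboFix hides the defaults."""
    return sorted(g for g, svcs in groups.items() if svcs == [g])


def firewall_disabled(log):
    """True if the XP firewall policy is off or the third-party FW line says *disabled*."""
    fw_line = next((l.strip() for l in log.splitlines() if l.strip().startswith("FW:")), "")
    return bool(FIREWALL_RE.search(log)) or "*disabled*" in fw_line.lower()


def triage(log, appdata_allow=("Virgin Media",)):
    """Summarise the parts of a ComboFix log a helper would act on."""
    groups = svchost_groups(log)
    return {
        "firewall_disabled": firewall_disabled(log),
        "unknown_appdata_dirs": unknown_appdata_dirs(parse_created(log), appdata_allow),
        "svchost_groups": groups,
        "self_named_svchost_groups": self_named_groups(groups),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt this reports the firewall as disabled, `Dan\Application Data\Awsog` as the one unexplained new folder, and `vvdsvc` as a group that hosts only a service of the same name, which is the entry the helper later removes with `NetSvc::`. The `bdx` group is listed too but not flagged; deciding whether it belongs to the installed security suite is still a human call.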
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Question> Important!
    In the instructions with the Eset online virus scan, there is a line saying this:
    Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

    Tell me please if you missed it and did check for removal. All of the entries suggest you did, as they are marked 'unable to clean'. I think that is because they have already been handled. Qoobox is the quarantine folder from ComboFix and System Volume is restore points, which I'll have you remove later. There is only one entry that is showing as 'new', but I think it also has been handled.

    So:
    1. Did you check for removal in Eset?
    2. Are you still having the original malware-related problems?

    I'll move the one Eset entry- in case it is still active:

    Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files 
      C:\Documents and Settings\All Users\Documents\Server\hlp.dat 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==============================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    c:\program files\windows
    c:\docume~1\dan\applic~1\Leyw
    c:\docume~1\dan\applic~1\Awsog
    c:\program files\tmp
    
    NetSvc::
    vvdsvc
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    You're almost there!
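The reading Bobbye gives of the ESET log a few posts up (hits under `C:\Qoobox\Quarantine\` are ComboFix's inert copies, hits under `System Volume Information\_restore{...}` are restore-point copies, and only the one path outside both is live) is mechanical enough to script. The Python below is an added example, not part of this thread or of ESET's tooling: it parses the detection lines, classifies each path by where it lives, and returns only the live ones as needing action, together with the header counters. The sample log is an abridged copy of the one posted above; the handling of ESET's "a variant of" / "probably" prefixes in threat names is the only assumption beyond that text.

```python
"""Triage an ESET Online Scanner log: where does each detection actually live?

Added example for this thread; not part of the original posts or of ESET's tools.
Runs offline on a constructed, abridged copy of the log posted above.
"""
import re
from collections import Counter

# Constructed sample: header lines and 8 of the 12 detections from the log above.
SAMPLE_ESET_LOG = r"""
# osver=5.1.2600 NT Service Pack 3
# scanned=65952
# found=12
# cleaned=0
# scan_time=4300
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Emwo\ygad.exe.vir Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Application Data\Erezp\ecwun.exe.vir Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP1\A0000009.exe Win32/Spy.Zbot.ZR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006628.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP3\A0006823.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Tail of a detection line: "(action) <32 hex> <flag>"; everything before is path + threat.
DETECTION_RE = re.compile(
    r"^(?P<head>.+) \((?P<action>[^()]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)
# ESET prefixes heuristic detections this way (assumption about ESET wording); longest first.
QUALIFIERS = ("probably a variant of", "a variant of", "probably")


def header_counts(log):
    """Integer-valued '# key=value' header fields (scanned, found, cleaned, ...)."""
    counts = {}
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            if value.strip().isdigit():
                counts[key.strip()] = int(value)
    return counts


def parse_detection(line):
    """Split one detection line into path, threat, action, flag; None for non-detection lines."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    tokens = m["head"].split(" ")
    # Threat names carry a '/' (platform/family); Windows paths never do.
    idx = next((i for i, t in enumerate(tokens) if "/" in t), None)
    if idx is None:
        return None
    path = " ".join(tokens[:idx])
    for q in QUALIFIERS:                     # move "a variant of" etc. from path to threat
        if path.endswith(" " + q):
            path = path[: -len(q) - 1]
            idx -= len(q.split())
            break
    return {"path": path, "threat": " ".join(tokens[idx:]),
            "action": m["action"], "flag": m["flag"]}


def classify_location(path):
    """Where the detected file lives, which decides whether it is an active threat."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"         # .vir copies ComboFix already neutralised
    if "\\system volume information\\_restore{" in p:
        return "system restore point"        # inert unless that restore point is applied
    return "live file system"


def triage_eset(log):
    """Summarise detections by location and list the paths that still need handling."""
    detections = [d for d in map(parse_detection, log.splitlines()) if d]
    for d in detections:
        d["location"] = classify_location(d["path"])
    return {
        "counts": header_counts(log),
        "total": len(detections),
        "by_location": dict(Counter(d["location"] for d in detections)),
        "threats": sorted({d["threat"] for d in detections}),
        "needs_action": [d["path"] for d in detections if d["location"] == "live file system"],
    }


if __name__ == "__main__":
    for key, value in triage_eset(SAMPLE_ESET_LOG).items():
        print(f"{key}: {value}")
```

On the sample this yields one live path, `C:\Documents and Settings\All Users\Documents\Server\hlp.dat`, which matches the single entry the helper moves with OTMoveIt above; the remaining seven are quarantine or restore-point copies. `cleaned=0` in the header with every line marked "unable to clean" is consistent with a scan run with "Remove found threats" unchecked, which is why the helper asks about that setting rather than treating the status as a failure.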
  23. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    OTM log

    Bobbye,

    Log pasted below, but in answer to your questions:

    I didn't miss the instruction about unchecking for removal and checking the unwanted items. However, whilst I did uncheck for removal, the second option stated "scan archives", and not "scan unwanted items". I took this to mean the same thing and checked that item.

    Also, internet seems to be relatively normal now. Google searches are not redirecting anyway.




    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Dan
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 4499169 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 405 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Tash
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4018 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 4.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12112010_164645

    Files moved on Reboot...

    Registry entries deleted on Reboot...
  24. jonny utah

    jonny utah Newcomer, in training Topic Starter Posts: 25

    combo log

    ComboFix 10-12-08.04 - Dan 11/12/2010 17:10:27.6.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.97 [GMT 0:00]
    Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
    AV: Virgin Media Security Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    FW: Virgin Media Security Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\dan\applic~1\Awsog
    c:\program files\tmp
    c:\program files\windows

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
    .

    2010-12-11 17:05 . 2010-12-11 17:06 -------- d-----w- C:\32788R22FWJFW
    2010-12-11 16:46 . 2010-12-11 16:46 -------- d-----w- C:\_OTM
    2010-12-09 20:04 . 2010-12-09 20:04 -------- d-----w- c:\program files\ESET
    2010-12-09 19:41 . 2010-12-09 19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-09 19:41 . 2010-12-09 19:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-08 20:10 . 2010-12-09 19:04 -------- d-----w- C:\HijackThis
    2010-12-07 19:29 . 2010-12-07 19:29 -------- d-----w- c:\documents and settings\Tash\Application Data\Virgin Media
    2010-12-06 21:06 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-06 21:06 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-06 21:06 . 2010-12-06 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 22:15 . 2009-11-02 15:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2010-12-05 22:13 . 2009-10-23 13:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2010-12-05 22:13 . 2010-12-05 22:13 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2010-12-05 22:12 . 2010-12-05 22:12 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
    2010-12-05 22:11 . 2010-12-05 22:11 -------- d-----w- c:\program files\Raxco
    2010-11-29 12:25 . 2010-12-05 22:19 -------- d-----w- c:\documents and settings\Dan\Application Data\Virgin Media
    2010-11-29 12:25 . 2010-11-29 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
    2010-11-29 12:25 . 2010-12-05 22:09 -------- d-----w- c:\program files\Virgin Media
    2010-11-29 12:25 . 2010-12-05 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Media

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 11:23 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 15:37 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 15:37 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2006-07-25 22:11 . 2006-07-25 22:11 11817800 -c--a-w- c:\program files\GoogleEarth.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Virgin Media\\HUB\\ServicepointService.exe"=

    R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [05/12/2010 22:15 25608]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [03/08/2010 19:04 203280]
    R2 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [29/03/2006 11:48 11279]
    R2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [04/01/2010 12:17 165408]
    R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [05/12/2010 22:15 5832712]
    R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [29/11/2010 12:25 668912]
    R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [05/12/2010 22:15 122376]
    R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [05/12/2010 22:15 30216]
    R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [05/12/2010 22:15 25736]
    S2 STDSB;STDSB;c:\windows\system32\drivers\STDSB.sys [29/03/2006 11:48 11279]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [30/08/2008 14:57 13352]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - EE5C7596
    *Deregistered* - ee5c7596

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    bdx REG_MULTI_SZ scan sysagent
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.virginmedia.com/
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: {A4AA025A-9A5C-4936-B08F-E79DDFCEBDB2} = 192.168.0.1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-11 17:23
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3360)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-11 17:28:58
    ComboFix-quarantined-files.txt 2010-12-11 17:28
    ComboFix2.txt 2010-12-09 21:59
    ComboFix3.txt 2010-12-08 22:47
    ComboFix4.txt 2009-04-02 17:52
    ComboFix5.txt 2010-12-11 17:07

    Pre-Run: 37,418,622,976 bytes free
    Post-Run: 37,409,447,936 bytes free

    - - End Of File - - 4BA8231A59A0BBA8722C87EF9FE0269F
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    The entry found by Eset shows "unable to clean." But the directions say not to click for removal. I know that sounds confusing, but it's not to me. These logs look good.

    Are the 'nasties' gone? I'd like you to run HijackThis and after I review that log to make sure no bad entries are running, I'll have you remove the cleaning tools and log:

    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.