Inactive Iexplore eating physical memory:(


dangermouseyork

Hi folks,

I've noticed iexplore.exe is eating physical memory on my partner's laptop.
This has only just happened recently, and there are always 2 instances of iexplore.exe running in Task Manager.
It's really slowing down browsing the net; just loading a page can take 5 minutes sometimes, and links tend to be non-functioning.
After scanning the forums I see this may be a virus or malware problem, but I am a complete noob in this department!
I know this has been covered before but don't want to start following instructions for other people as I am nervous of making things worse!
Any advice or fixes would be very much appreciated, but please bear in mind my computer skills are fairly minimal!


Appreciation in advance

Mouse.
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please, observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
will do

Broni,

Thanks for your reply, I will begin the process today and keep you informed!

(edit) Shall I post the logs as I go?

Mouse
 
Malwarebytes log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5475

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

07/01/2011 13:10:25
mbam-log-2011-01-07 (13-10-25).txt

Scan type: Quick scan
Objects scanned: 152744
Time elapsed: 11 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-07 13:17:39
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9160310AS rev.0303
Running: 8oc7pqpi.exe; Driver: C:\Users\Sammy\AppData\Local\Temp\kglcypoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 
DDS log

DDS (Ver_10-12-12.02) - NTFSx86
Run by Sammy at 13:27:06.09 on 07/01/2011
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.765.164 [GMT 0:00]

AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Virgin Media\HUB\ServicepointService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Virgin Media\HUB\VirginMediaHUB.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Sammy\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Virgin Media\HUB\VirginMediaHUBComHandler.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Sammy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=1208&m=d620
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=1208&m=d620
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.4; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.shockwave.com/gamelanding/steeplechase2.jsp"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eRecoveryService]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [WarReg_PopUp] c:\program files\emachines\wr_popup\WarReg_PopUp.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [VirginMediaHUB.exe] "c:\program files\virgin media\hub\VirginMediaHUB.exe" /AUTORUN
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\sammy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://www.shockwave.com/content/chocolatier/sis/ChocolatierWeb.1.0.0.13.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://download.shockwave.com/pub/otoy/OTOYAX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://nationalgeographic.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090506.001\IDSvix86.sys [2009-5-9 272432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-7 61960]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

=============== Created Last 30 ================

2011-01-07 12:56:42 -------- d-----w- c:\users\sammy\appdata\roaming\Malwarebytes
2011-01-07 12:56:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 12:56:10 -------- d-----w- c:\progra~2\Malwarebytes
2011-01-07 12:56:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 12:56:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-07 12:03:08 -------- d-----w- c:\users\sammy\appdata\roaming\Avira
2011-01-07 11:53:09 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-07 11:52:37 -------- d-----w- c:\program files\Avira
2011-01-07 11:52:37 -------- d-----w- c:\progra~2\Avira
2011-01-04 22:35:31 -------- d-----w- c:\users\sammy\appdata\roaming\Local
2011-01-04 22:22:18 -------- d-----w- c:\progra~2\DivX
2011-01-04 18:29:47 -------- d-----w- c:\program files\BitTorrent
2011-01-04 18:28:45 -------- d-----w- c:\users\sammy\appdata\roaming\BitTorrent
2010-12-21 14:50:23 -------- d-----w- c:\program files\common files\Windows Live
2010-12-17 18:02:05 66048 ----a-w- c:\program files\windows mail\wabmig.exe
2010-12-17 18:02:05 515584 ----a-w- c:\program files\windows mail\wab.exe
2010-12-17 18:02:05 33280 ----a-w- c:\program files\windows mail\wabfind.dll
2010-12-17 18:01:58 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-12-17 18:01:44 603648 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-17 18:01:44 357376 ----a-w- c:\windows\system32\taskschd.dll
2010-12-17 18:01:43 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-17 18:01:43 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-12-17 18:01:42 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-17 18:01:19 81920 ----a-w- c:\windows\system32\consent.exe
2010-12-17 18:01:07 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-17 18:01:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-17 18:01:05 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-17 17:59:16 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-17 17:57:15 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-17 12:55:10 -------- d-----w- c:\users\sammy\appdata\roaming\Virgin Media
2010-12-17 12:54:44 -------- d-----w- c:\progra~2\Radialpoint
2010-12-17 12:54:38 -------- d-----w- c:\program files\Virgin Media
2010-12-17 12:54:38 -------- d-----w- c:\progra~2\Virgin Media
2010-12-15 21:07:19 -------- d-----w- c:\progra~2\Oberonv1005
2010-12-12 20:10:34 -------- d-----w- c:\progra~2\Oberon Games

==================== Find3M ====================

2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-10-20 17:45:29 833024 ----a-w- c:\windows\system32\wininet.dll
2010-10-20 17:41:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-10-20 16:16:50 389632 ----a-w- c:\windows\system32\html.iec
2010-10-20 15:51:56 1383424 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 13:28:54.42 ===============
 
DDS attach log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 26/12/2008 16:34:06
System Uptime: 07/01/2011 12:27:47 (1 hours ago)

Motherboard: eMachines | | eMachines D620
Processor: AMD Athlon(tm) Processor 2650e | Socket M2/S1G1 | 1600/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 139 GiB total, 65.699 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================


Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11.5
Agatha Christie Death on the Nile
Alice Greenfingers
Amazing Adventures The Lost Tomb
AMD USB Audio Driver Filter
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
Avira AntiVir Personal - Free Antivirus
Azada
Backup
Bejeweled 2 Deluxe
BitTorrent
Bonjour
Bookworm Deluxe
Bricks of Egypt
Build-a-lot
Cake Mania
CAM UnZip 4.42
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
ccCommon
Chuzzle
Compatibility Pack for the 2007 Office system
Diner Dash
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
Dream Day First Home
eMachines
eMachines Recovery Management
Farm Frenzy
Galapago
GameShadow
GearDrvs
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
InterVideo WinDVD 8
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Launch Manager
LightScribe 1.4.142.1
LiveUpdate (Symantec Corporation)
Luxor
Mahjong Escape Ancient China
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
MobileMe Control Panel
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicnotes Software Suite 1.4.1
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
Norton Security Scan
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
QuickTime
Realtek High Definition Audio Driver
Rome - Total War
Safari
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Sid Meier's Railroad Tycoon
Silent Hunter III
Skins
SPBBC 32bit
Steel Panthers World At War v8.20
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Synaptics Pointing Device Driver
Turbo Pizza
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.4053
Virgin Media HUB 3.5.12
Westward
WinZip 12.0
Youda Camper
Zuma Deluxe

==== End Of File ===========================
 
got there in the end!

OK, I managed to complete all the steps; it took a couple of tries due to links not working and pages taking forever to load.

Seem to be updated with Windows, Java and Adobe.

Let me know if I have messed up anywhere along the line!

Your time and help is greatly appreciated.

Thanks again.

Mouse
 
You're running two AV programs, Norton and Avira.
One of them has to go.
If Norton, make sure to use this tool to uninstall it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

========================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with ComboFix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
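The checks Broni makes by eye on the DDS log earlier in this thread (two AV products registered, one of them disabled and outdated, plus BHO and AppInit_DLLs entries that load code into the browser) can be automated. The parser below is an added example written for this thread, not part of DDS or of the forum's instructions; its sample input is an excerpt copied from the DDS log posted above.

```python
"""Flag the first things a malware-removal helper looks for in a DDS log:
more than one antivirus product registered, products that are disabled or
outdated, and entries that inject code into the browser or every process
(BHOs and AppInit_DLLs). Example code written for this thread; it is not
part of DDS or of the forum's own instructions."""
import re
from dataclasses import dataclass

# Header lines such as:  AV: Norton 360 *Disabled/Outdated* {88C95A36-...}
PRODUCT_RE = re.compile(r"^(?P<kind>AV|SP|FW):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*")
# Pseudo HJT lines such as:  BHO: Google Toolbar Helper: {aa58ed58-...} - c:\...\GoogleToolbar_32.dll
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.+?):\s+\{(?P<clsid>[0-9a-f-]+)\}\s+-\s+(?P<path>.+)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$")

# Excerpt copied from the DDS log posted earlier in this thread.
SAMPLE_DDS = r"""
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Pseudo HJT Report ===============

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
"""


@dataclass
class Product:
    kind: str       # AV (antivirus), SP (antispyware) or FW (firewall)
    name: str
    states: tuple   # e.g. ("Disabled", "Outdated"), exactly as DDS reports them


def parse_products(log: str) -> list:
    """Return every AV/SP/FW product line found in the DDS header."""
    products = []
    for line in log.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if m:
            states = tuple(s.strip() for s in m.group("state").split("/"))
            products.append(Product(m.group("kind"), m.group("name"), states))
    return products


def parse_bhos(log: str) -> list:
    """Return Browser Helper Objects as dicts with name, clsid and DLL path."""
    matches = (BHO_RE.match(ln.strip()) for ln in log.splitlines())
    return [m.groupdict() for m in matches if m]


def parse_appinit(log: str) -> str:
    """Return the AppInit_DLLs value, or "" if the key is empty or absent."""
    for line in log.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return m.group("dlls").strip()
    return ""


def findings(log: str) -> list:
    """Human-readable findings, in the order a helper would raise them."""
    out = []
    products = parse_products(log)
    # More than one AV product on the same machine is the first thing to flag.
    av_names = sorted({p.name for p in products if p.kind == "AV"})
    if len(av_names) > 1:
        out.append("multiple AV products installed: " + ", ".join(av_names))
    # A disabled or outdated product offers no protection but still sits in the system.
    for p in products:
        bad = [s for s in p.states if s in ("Disabled", "Outdated")]
        if bad:
            out.append(f"{p.kind} {p.name} is {'/'.join(bad)}")
    # AppInit_DLLs is loaded by every process that links user32.dll: always review it.
    dlls = parse_appinit(log)
    if dlls:
        out.append("AppInit_DLLs loads into every GUI process: " + dlls)
    # Each BHO runs inside iexplore.exe, so it is a natural suspect for browser slowdowns.
    for b in parse_bhos(log):
        out.append(f"BHO in Internet Explorer: {b['name']} -> {b['path']}")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_DDS):
        print("-", f)
```

Feeding it the full DDS log from this thread lists every BHO (Adobe, DivX, Symantec, Google, Java) for review alongside the AV conflict Broni raised.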
 
OK

OK, will remove Norton first thing in the morning, continue with the steps you requested, and keep you updated.

(edit) Norton was a free trial, so I should have removed it long ago as it has been doing nothing for about six months!

Many thanks once again.

Mouse
 
MBRCheck log

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: eMachines
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: eMachines
System Product Name: eMachines D620
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 138):
0x8A122000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8A156000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8A40A000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8A617000 \SystemRoot\system32\drivers\portcls.sys
0x8A644000 \SystemRoot\system32\drivers\drmk.sys
0x8A669000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8A672000 \SystemRoot\System32\Drivers\Null.SYS
0x8A679000 \SystemRoot\System32\Drivers\Beep.SYS
0x8A680000 \SystemRoot\System32\drivers\vga.sys
0x8A68C000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8A6AD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8A6B5000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8A6BD000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8A6C8000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8A6D6000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8A6DF000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8A6F5000 \SystemRoot\system32\DRIVERS\smb.sys
0x8A709000 \SystemRoot\system32\drivers\afd.sys
0x8A751000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8A783000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8A799000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8A7A7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8A7BA000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8A7C0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8A400000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8A167000 \SystemRoot\System32\Drivers\dfsc.sys
0x8A17E000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x8A1A4000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8A1B1000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8A1BC000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x91820000 \SystemRoot\System32\win32k.sys
0x8A1C4000 \SystemRoot\System32\drivers\Dxapi.sys
0x8A1CE000 \SystemRoot\system32\DRIVERS\monitor.sys
0x91A40000 \SystemRoot\System32\TSDDD.dll
0x91A60000 \SystemRoot\System32\cdd.dll
0x8A1DD000 \SystemRoot\system32\drivers\luafv.sys
0x85FD8000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x85FED000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x807C5000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x85DD7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x85DE1000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x94C0D000 \SystemRoot\system32\drivers\HTTP.sys
0x94C7A000 \SystemRoot\system32\drivers\spsys.sys
0x94D29000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x94D46000 \SystemRoot\system32\DRIVERS\bowser.sys
0x94D5F000 \SystemRoot\System32\drivers\mpsdrv.sys
0x94D74000 \SystemRoot\system32\drivers\mrxdav.sys
0x94D94000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x94DB3000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x805DA000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x95807000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9582F000 \SystemRoot\System32\DRIVERS\srv.sys
0x95895000 \??\C:\Windows\system32\drivers\int15.sys
0x9589C000 \SystemRoot\system32\drivers\peauth.sys
0x9597A000 \SystemRoot\system32\drivers\regi.sys
0x9597C000 \SystemRoot\System32\Drivers\secdrv.SYS
0x95986000 \SystemRoot\System32\drivers\tcpipreg.sys
0x95992000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x771E0000 \Windows\System32\ntdll.dll

Processes (total 74):
0 System Idle Process
4 System
412 C:\Windows\System32\smss.exe
480 csrss.exe
540 C:\Windows\System32\wininit.exe
548 csrss.exe
592 C:\Windows\System32\winlogon.exe
620 C:\Windows\System32\services.exe
636 C:\Windows\System32\lsass.exe
644 C:\Windows\System32\lsm.exe
840 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\svchost.exe
1100 C:\Windows\System32\Ati2evxx.exe
1116 C:\Windows\System32\svchost.exe
1148 C:\Windows\System32\svchost.exe
1168 C:\Windows\System32\svchost.exe
1252 C:\Windows\System32\audiodg.exe
1272 C:\Windows\System32\svchost.exe
1296 C:\Windows\System32\SLsvc.exe
1316 C:\Windows\System32\svchost.exe
1444 C:\Windows\System32\Ati2evxx.exe
1492 C:\Windows\System32\svchost.exe
1700 C:\Windows\System32\wlanext.exe
1812 C:\Windows\System32\spoolsv.exe
1872 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1892 C:\Windows\System32\svchost.exe
296 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
396 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
436 C:\Program Files\Bonjour\mDNSResponder.exe
460 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
536 C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
788 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
1008 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1328 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1484 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
616 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
1936 C:\Windows\System32\svchost.exe
1736 C:\Program Files\Virgin Media\HUB\ServicepointService.exe
1244 C:\Windows\System32\svchost.exe
1964 C:\Windows\System32\svchost.exe
2072 C:\Windows\System32\SearchIndexer.exe
2316 C:\Windows\System32\taskeng.exe
2648 C:\Windows\System32\taskeng.exe
2224 C:\Windows\System32\dwm.exe
2468 C:\Windows\explorer.exe
3148 C:\Windows\RtHDVCpl.exe
3436 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
3524 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
3504 C:\Windows\System32\wuauclt.exe
3336 C:\Program Files\Launch Manager\LManager.exe
3472 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3636 C:\Program Files\iTunes\iTunesHelper.exe
1852 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3904 C:\Program Files\Virgin Media\HUB\VirginMediaHUB.exe
3900 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
3944 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3232 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
1360 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
3228 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
2688 C:\Users\Sammy\AppData\Local\Temp\RtkBtMnt.exe
2356 C:\Program Files\iPod\bin\iPodService.exe
1640 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
1004 WmiPrvSE.exe
4844 C:\Program Files\Virgin Media\HUB\VirginMediaHUBComHandler.exe
3460 C:\Program Files\Internet Explorer\iexplore.exe
4868 C:\Program Files\Internet Explorer\iexplore.exe
2436 C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
5144 C:\Windows\System32\Macromed\Flash\FlashUtil10e.exe
6020 C:\Program Files\Internet Explorer\iexplore.exe
3512 C:\Windows\System32\SearchProtocolHost.exe
4184 C:\Windows\System32\SearchFilterHost.exe
1672 WmiPrvSE.exe
4628 <unknown>
3664 C:\Users\Sammy\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)

PhysicalDrive0 Model Number: ST9160310AS, Rev: 0303

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F85B7CD526802923C3EA061081FBF03E1B7455C7


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
 
ComboFix log

ComboFix 11-01-07.02 - Sammy 08/01/2011 18:01:49.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.765.293 [GMT 0:00]
Running from: c:\users\Sammy\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Sammy\AppData\Roaming\Local

.
((((((((((((((((((((((((( Files Created from 2010-12-08 to 2011-01-08 )))))))))))))))))))))))))))))))
.

2011-01-08 18:14 . 2011-01-08 18:14 -------- d-----w- c:\users\Sammy\AppData\Local\temp
2011-01-07 14:02 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-01-07 13:59 . 2010-11-02 06:03 638232 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-01-07 12:56 . 2011-01-07 12:56 -------- d-----w- c:\users\Sammy\AppData\Roaming\Malwarebytes
2011-01-07 12:56 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-07 12:56 . 2011-01-07 12:56 -------- d-----w- c:\programdata\Malwarebytes
2011-01-07 12:56 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-07 12:56 . 2011-01-07 12:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-07 12:03 . 2011-01-07 12:03 -------- d-----w- c:\users\Sammy\AppData\Roaming\Avira
2011-01-07 11:53 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-07 11:53 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-07 11:52 . 2011-01-07 11:52 -------- d-----w- c:\programdata\Avira
2011-01-07 11:52 . 2011-01-07 11:52 -------- d-----w- c:\program files\Avira
2011-01-04 22:22 . 2011-01-04 22:35 -------- d-----w- c:\programdata\DivX
2011-01-04 18:29 . 2011-01-04 18:29 -------- d-----w- c:\program files\BitTorrent
2011-01-04 18:28 . 2011-01-07 01:51 -------- d-----w- c:\users\Sammy\AppData\Roaming\BitTorrent
2010-12-31 01:33 . 2010-12-31 01:33 -------- d-----w- c:\users\Matthew\AppData\Roaming\Apple Computer
2010-12-31 01:33 . 2010-12-31 01:33 -------- d-----w- c:\users\Matthew\AppData\Roaming\Virgin Media
2010-12-21 14:50 . 2010-12-21 14:50 -------- d-----w- c:\program files\Common Files\Windows Live
2010-12-17 18:02 . 2010-10-12 15:48 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
2010-12-17 18:02 . 2010-10-12 13:52 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
2010-12-17 18:02 . 2010-10-12 13:52 515584 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-17 18:01 . 2010-10-18 13:56 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-12-17 18:01 . 2010-11-06 11:10 357376 ----a-w- c:\windows\system32\taskschd.dll
2010-12-17 18:01 . 2010-11-06 11:09 603648 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-17 18:01 . 2010-11-06 11:10 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-17 18:01 . 2010-11-05 00:53 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-12-17 18:01 . 2010-11-06 11:10 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-17 18:01 . 2010-10-18 14:01 81920 ----a-w- c:\windows\system32\consent.exe
2010-12-17 18:01 . 2010-10-28 13:03 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-17 18:01 . 2010-10-28 15:02 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-17 18:01 . 2010-06-16 15:12 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-17 17:59 . 2010-10-28 12:56 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-17 17:57 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-17 12:55 . 2010-12-17 12:55 -------- d-----w- c:\users\Sammy\AppData\Roaming\Virgin Media
2010-12-17 12:54 . 2010-12-17 12:55 -------- d-----w- c:\programdata\Radialpoint
2010-12-17 12:54 . 2010-12-17 12:54 -------- d-----w- c:\programdata\Virgin Media
2010-12-17 12:54 . 2010-12-17 12:54 -------- d-----w- c:\program files\Virgin Media
2010-12-15 21:07 . 2010-12-15 21:07 -------- d-----w- c:\programdata\Oberonv1005
2010-12-12 20:10 . 2010-12-12 20:10 -------- d-----w- c:\programdata\Oberon Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-08 22:57 . 2010-11-08 22:57 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-14 6253088]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-02 809480]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-30 30192]
"WarReg_PopUp"="c:\program files\eMachines\WR_PopUp\WarReg_PopUp.exe" [2008-05-09 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"VirginMediaHUB.exe"="c:\program files\Virgin Media\HUB\VirginMediaHUB.exe" [2009-12-14 4277488]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

c:\users\Sammy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-30 30192]
R3 WisINT15;WisINT15;c:\windows\System32\OEM\factory\WisINT15.SYS [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [2009-12-14 668912]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2008-05-29 22072]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:29]

2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:29]

2011-01-07 c:\windows\Tasks\Norton Security Scan for Sammy.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-21 05:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&s=2&o=vb32&d=1208&m=d620
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://www.shockwave.com/content/chocolatier/sis/ChocolatierWeb.1.0.0.13.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-08 18:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-01-08 18:20:23
ComboFix-quarantined-files.txt 2011-01-08 18:20

Pre-Run: 70,448,586,752 bytes free
Post-Run: 70,421,819,392 bytes free

- - End Of File - - D15F581842AF88D14820578F3674F100
 
Combofix looks good, but MBR doesn't.
We need to double check it....

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open Notepad and press CTRL+V
  • Post the output back here.
 
Was it me?

Did I do something wrong along the way?

I was also wondering what I am actually doing with these tools?

Might help me understand a little more!

Thanks again, you have been fantastic!

Mouse

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows Vista Home Basic Edition Service Pack 1 (build 6001), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`71100000
Boot sector MD5 is: c3f4814ee2c87f8f4fc3acd72454a04d

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
You did everything just fine.
What are we doing?
Checking if your computer is clean.

We need to fix your MBR...

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
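To make the "Unknown MBR code" verdict in the logs above concrete, here is an added Python example (not code from MBRCheck, Bootkit Remover or NTBR, and not something the helper posted) that parses a 512-byte master boot record, hashes only the 446-byte boot-code area and looks the hash up in a known-good list, which is what an MBR checker does before a tool like MBRWORK overwrites the code with a standard copy. The MBR bytes, the "standard" boot code and the known-good list are all constructed stand-ins; the second partition's start is chosen so its byte offset equals the 0x271100000 shown for \\.\C: in the logs.

```python
# Added example (not MBRCheck, Bootkit Remover or NTBR code): parse a 512-byte
# master boot record and classify its boot code the way an MBR checker does.
# Every byte value and the "known-good" list below are constructed stand-ins.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the executable boot code
PARTITION_TABLE_OFF = 446     # then four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Constructed stand-ins: NOT real Windows boot code.
STANDARD_BOOT_CODE = b"CONSTRUCTED-STANDARD-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\x90")
MODIFIED_BOOT_CODE = b"CONSTRUCTED-MODIFIED-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\x90")

# A real tool ships a database of hashes of vendor boot code; this one holds
# only the hash of the constructed stand-in above.
KNOWN_GOOD_SHA1 = {
    hashlib.sha1(STANDARD_BOOT_CODE).hexdigest().upper(): "Known standard MBR code",
}

# Constructed layout: (status, type, start LBA, sector count). Entry 1 starts at
# LBA 20482048 = byte offset 0x271100000, the \\.\C: offset in the logs above.
SAMPLE_ENTRIES = [
    (0x00, 0x27, 2048, 20480000),       # hidden recovery partition
    (0x80, 0x07, 20482048, 291000000),  # active NTFS system partition (C:)
]


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR image from boot code and partition entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or more than four partitions")
    table = b"".join(  # CHS fields are 0xFF (LBA-only), as modern tools write
        struct.pack("<B3sB3sII", st, b"\xff" * 3, pt, b"\xff" * 3, lba, n)
        for st, pt, lba, n in entries
    )
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature and split the sector into boot code and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        st, pt, lba, n = struct.unpack_from("<B3xB3xII", sector, PARTITION_TABLE_OFF + 16 * i)
        if pt == 0:
            continue  # empty slot
        if st not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte 0x{st:02X}")
        partitions.append({"index": i, "active": st == 0x80, "type": pt,
                           "start_lba": lba, "sectors": n,
                           "byte_offset": lba * SECTOR_SIZE})  # the logs' "at offset"
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def check_mbr(sector: bytes, known_good=KNOWN_GOOD_SHA1) -> dict:
    """Hash only the 446-byte code area, so partition-table changes (a resize,
    a new recovery partition) do not change the verdict, then look it up."""
    info = parse_mbr(sector)
    digest = hashlib.sha1(info["boot_code"]).hexdigest().upper()
    return {"sha1": digest,
            "status": known_good.get(digest, "Unknown MBR code"),
            "partitions": info["partitions"]}


if __name__ == "__main__":
    for label, code in (("clean", STANDARD_BOOT_CODE), ("suspect", MODIFIED_BOOT_CODE)):
        r = check_mbr(build_mbr(code, SAMPLE_ENTRIES))
        print(f"{label}: {r['status']} (SHA1 {r['sha1']})")
```

An "Unknown" result only means the code is not in the list, which is why the helper double-checks with a second tool before rewriting the MBR; OEM disks can legitimately carry non-standard boot code (the Dell note above is one case).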
 