TechSpot

Search engine link hijack virus

By nwesson
May 7, 2011
    Hello,

    I have recently discovered a virus that hijacks any link I select in Google and redirects me to other random sites.

    I use Google Chrome, but it seems to be happening in Firefox and IE as well. I am running Windows 7 and have Virgin Media Security (anti-virus, firewall, etc.) installed. I have tried a few virus scans to no avail.

    I have completed the steps you requested in your log and post them below. Any help would be greatly appreciated.

    Thanks,
    Nick

    ==========================================================
    Malwarebytes Anti-Malware log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6526

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    07/05/2011 18:03:08
    mbam-log-2011-05-07 (18-03-08).txt

    Scan type: Quick scan
    Objects scanned: 150393
    Time elapsed: 7 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 7
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 31

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mferrorwow.exe (Trojan.TracurW.Gen) -> Value: mferrorwow.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KBDLAOwow.exe (Trojan.TracurW.Gen) -> Value: KBDLAOwow.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmiEnginewow.exe (Trojan.TracurW.Gen) -> Value: SmiEnginewow.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dx9_36wow.exe (Trojan.TracurW.Gen) -> Value: d3dx9_36wow.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KBDMONwow.exe (Trojan.TracurW.Gen) -> Value: KBDMONwow.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpdMtpUSwow.exe (Trojan.TracurW.Gen) -> Value: WpdMtpUSwow.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WLanConnwow.exe (Trojan.TracurW.Gen) -> Value: WLanConnwow.exe -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\programdata\381046608 (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056 (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\Users\Nick\AppData\Roaming\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Windows\System32\config\systemprofile\AppData\Roaming\AA53.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Windows\System32\api-ms-win-security-sddl-l1-1-032.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Windows\System32\02000000ef1e447f1255c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Windows\System32\02000000ef1e447f1255o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Windows\System32\02000000ef1e447f1255p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Windows\System32\02000000ef1e447f1255s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\programdata\381046608\frt1.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\381046608\new.i0.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\381046608\new.i1.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\381046608\new.i2.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\381046608\new.i3.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\381046608\new.i4.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\381046608\new.i5.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\381046608\new.i6.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\381046608\new.i7.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt0.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt0.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt1.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt1.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt2.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt2.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt3.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt3.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt4.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt4.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt5.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt5.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt6.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt6.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt7.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\programdata\992198056\frt7.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.


    ==========================================================
    GMER log

    GMER 1.0.15.15572 - http://www.gmer.net
    Rootkit scan 2011-05-07 18:33:14
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HTS541010G9SA00 rev.MBZOC60D
    Running: zykqcqds.exe; Driver: C:\Users\Nick\AppData\Local\Temp\kxdiqpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwOpenProcess [0xA8298620]
    SSDT \??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwTerminateProcess [0xA82986D0]
    SSDT \??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwTerminateThread [0xA8298770]
    SSDT \??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwWriteVirtualMemory [0xA8298810]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 8188D589 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 818B2092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!RtlSidHashLookup + 4E8 818B9AF8 4 Bytes [20, 86, 29, A8]
    .text ntkrnlpa.exe!RtlSidHashLookup + 7B8 818B9DC8 8 Bytes [D0, 86, 29, A8, 70, 87, 29, ...]
    .text ntkrnlpa.exe!RtlSidHashLookup + 82C 818B9E3C 4 Bytes [10, 88, 29, A8]
    ? System32\drivers\jpeh.sys The system cannot find the path specified. !
    ? System32\Drivers\112f7958.sys The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtCreateFile + 6 77834876 4 Bytes [28, 00, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtCreateFile + B 7783487B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtMapViewOfSection + 6 77834ED6 1 Byte [28]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtMapViewOfSection + 6 77834ED6 4 Bytes [28, 03, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtMapViewOfSection + B 77834EDB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenFile + 6 77834F86 4 Bytes [68, 00, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenFile + B 77834F8B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcess + 6 77835036 4 Bytes [A8, 01, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcess + B 7783503B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcessToken + B 7783504B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcessTokenEx + 6 77835056 4 Bytes [A8, 02, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcessTokenEx + B 7783505B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThread + 6 778350B6 4 Bytes [68, 01, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThread + B 778350BB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThreadToken + 6 778350C6 4 Bytes [68, 02, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThreadToken + B 778350CB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThreadTokenEx + B 778350DB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtQueryAttributesFile + 6 778351E6 4 Bytes [A8, 00, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtQueryAttributesFile + B 778351EB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtQueryFullAttributesFile + B 7783529B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtSetInformationFile + 6 778358E6 4 Bytes [28, 01, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtSetInformationFile + B 778358EB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtSetInformationThread + 6 77835946 4 Bytes [28, 02, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtSetInformationThread + B 7783594B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtUnmapViewOfSection + 6 77835C66 1 Byte [68]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtUnmapViewOfSection + 6 77835C66 4 Bytes [68, 03, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtUnmapViewOfSection + B 77835C6B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtCreateFile + 6 77834876 4 Bytes [28, 00, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtCreateFile + B 7783487B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtMapViewOfSection + 6 77834ED6 1 Byte [28]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtMapViewOfSection + 6 77834ED6 4 Bytes [28, 03, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtMapViewOfSection + B 77834EDB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenFile + 6 77834F86 4 Bytes [68, 00, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenFile + B 77834F8B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcess + 6 77835036 4 Bytes [A8, 01, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcess + B 7783503B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcessToken + B 7783504B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcessTokenEx + 6 77835056 4 Bytes [A8, 02, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcessTokenEx + B 7783505B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThread + 6 778350B6 4 Bytes [68, 01, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThread + B 778350BB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThreadToken + 6 778350C6 4 Bytes [68, 02, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThreadToken + B 778350CB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThreadTokenEx + B 778350DB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtQueryAttributesFile + 6 778351E6 4 Bytes [A8, 00, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtQueryAttributesFile + B 778351EB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtQueryFullAttributesFile + B 7783529B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtSetInformationFile + 6 778358E6 4 Bytes [28, 01, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtSetInformationFile + B 778358EB 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtSetInformationThread + 6 77835946 4 Bytes [28, 02, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtSetInformationThread + B 7783594B 1 Byte [E2]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtUnmapViewOfSection + 6 77835C66 1 Byte [68]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtUnmapViewOfSection + 6 77835C66 4 Bytes [68, 03, 17, 00]
    .text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtUnmapViewOfSection + B 77835C6B 1 Byte [E2]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys

    Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

    ---- EOF - GMER 1.0.15 ----


    ==========================================================
    DDS logs: DDS.txt

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Nick at 18:33:44.67 on 07/05/2011
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3318.1686 [GMT 1:00]
    .
    AV: Virgin Media Security Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
    SP: Virgin Media Security Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Virgin Media Security Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Virgin Media\Security\Fws.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Virgin Media\Security\rps.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Program Files\Virgin Media\Service Manager\ServiceManagerComHandler.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Windows\AGRSMMSG.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Virgin Media\Service Manager\ServiceManager.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\rundll32.exe
    C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Nick\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    uRun: [Google Update] "c:\users\nick\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [api-ms-win-core-sysinfo-l1-1-0wow.exe] c:\windows\api-ms-win-core-sysinfo-l1-1-0wow.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ServiceManager.exe] "c:\program files\virgin media\service manager\ServiceManager.exe" /AUTORUN
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\nick\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\nick\appdata\roaming\mozilla\firefox\profiles\vr4sgge4.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\virgin media\service manager\nprpspa.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\nick\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: XUL Cache: {bf4d35f9-ec05-4ce8-beee-360524750e6c} - %profile%\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-4-28 25608]
    R2 Radialpoint Security Services;Virgin Media Security;c:\program files\virgin media\security\RpsSecurityAwareR.exe [2011-4-28 166944]
    R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\virgin media\security\avg\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-28 5832712]
    R2 ServicepointService;ServicepointService;c:\program files\virgin media\service manager\ServicepointService.exe [2011-5-1 689464]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2011-4-28 122376]
    R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2011-4-28 30216]
    R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSShim.sys [2011-4-28 21208]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-6-5 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-4 1343400]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
    .
    =============== Created Last 30 ================
    .
    2011-05-07 16:53:00 -------- d-----w- c:\users\nick\appdata\roaming\Malwarebytes
    2011-05-07 16:52:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-07 16:52:50 -------- d-----w- c:\progra~2\Malwarebytes
    2011-05-07 16:52:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-07 16:52:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-07 09:22:28 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a4549f5d-9d04-4e24-8f6a-6bc788c2b019}\mpengine.dll
    2011-04-30 13:01:16 -------- d-----w- C:\_OTM
    2011-04-28 09:09:29 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2011-04-28 09:08:57 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2011-04-28 09:08:31 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2011-04-28 09:08:21 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2011-04-28 09:08:01 -------- d-----w- c:\program files\Raxco
    2011-04-27 15:37:04 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-04-27 15:36:52 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
    2011-04-27 15:36:52 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2011-04-27 15:36:51 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
    2011-04-27 15:36:51 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
    2011-04-27 15:36:51 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
    2011-04-27 15:36:51 1686016 ----a-w- c:\windows\system32\esent.dll
    2011-04-27 15:36:51 146304 ----a-w- c:\windows\system32\drivers\storport.sys
    2011-04-27 15:36:51 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
    2011-04-27 15:36:50 74240 ----a-w- c:\windows\system32\fsutil.exe
    2011-04-27 15:36:46 31232 ----a-w- c:\windows\system32\prevhost.exe
    2011-04-27 15:36:43 2614784 ----a-w- c:\windows\explorer.exe
    2011-04-22 09:02:01 -------- d-sh--w- c:\progra~2\SysWoW32
    2011-04-22 09:01:48 203776 --sh--w- c:\progra~2\unrar.exe
    2011-04-22 09:01:38 -------- d-sh--w- c:\progra~2\1D064B63695DC6EE73B9E514D6D0B7E5
    2011-04-22 08:48:56 -------- d-----w- c:\program files\Outlook Import Wizard
    2011-04-14 20:05:54 1164288 ----a-w- c:\windows\system32\mfc42u.dll
    2011-04-14 20:05:54 1137664 ----a-w- c:\windows\system32\mfc42.dll
    2011-04-14 20:05:52 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
    2011-04-14 20:05:50 2331136 ----a-w- c:\windows\system32\win32k.sys
    2011-04-14 20:05:46 740864 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-14 20:05:44 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-04-14 20:05:42 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-14 20:05:42 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-04-14 20:05:42 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-14 20:05:42 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .
    ==================== Find3M ====================
    .
    2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
    2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
    2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-02-19 05:32:08 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-02-19 03:37:02 294912 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-18 16:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-02-18 05:36:26 428032 ----a-w- c:\windows\system32\vbscript.dll
    .
    ============= FINISH: 18:34:18.88 ===============


    ==========================================================
    DDS logs: Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 28/04/2010 21:32:59
    System Uptime: 07/05/2011 18:04:22 (0 hours ago)
    .
    Motherboard: Acer, Inc. | | Prespa1
    Processor: Intel(R) Core(TM)2 CPU T5200 @ 1.60GHz | U2E1 | 1600/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 93 GiB total, 29.452 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Mass Storage Controller
    Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_01101025&REV_00\4&3156CA1E&0&4AF0
    Manufacturer:
    Name: Mass Storage Controller
    PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_01101025&REV_00\4&3156CA1E&0&4AF0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP123: 11/04/2011 20:59:14 - Scheduled Checkpoint
    RP124: 11/04/2011 22:28:18 - Windows Update
    RP125: 16/04/2011 11:12:06 - Windows Update
    RP126: 19/04/2011 22:00:42 - Windows Update
    RP127: 20/04/2011 21:19:14 - Windows Update
    RP128: 25/04/2011 14:20:35 - Windows Update
    RP129: 27/04/2011 17:01:31 - Windows Update
    RP131: 28/04/2011 09:51:42 - Windows Defender Checkpoint
    RP132: 30/04/2011 12:56:24 - Windows Update
    RP133: 07/05/2011 10:21:52 - Windows Update
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color EU Recommended Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 9.3
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Agere Systems HDA Modem
    Any Video Converter 3.1.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    µTorrent
    BitTorrent
    Bonjour
    Core FTP LE 2.1
    DHTML Editing Component
    FM Genie Scout 11 version 1.00 beta 2
    Football Manager 2010
    Football Manager 2011
    Football Manager 2011 Demo
    FrostWire 4.21.1
    Google Chrome
    Intel(R) Graphics Media Accelerator Driver
    Internet TV for Windows Media Center
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 20
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Mozilla Firefox (3.6.12)
    MSVCRT
    PDF Settings
    PerfectDisk 10 Professional
    QuickTime
    RPS CRT
    RPS PerfectDiskStub
    RPS RpsCore
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2466156)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2464583)
    Security Update for Microsoft Office Groove 2007 (KB2494047)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype™ 4.2
    SmartFTP Client
    SmartFTP Client 4.0 Setup Files (remove only)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2522999)
    Veetle TV 0.9.18
    Virgin Media Security
    Virgin Media Service Manager 3.7.47
    VirtualCloneDrive
    VLC media player 1.0.1
    vShare Plugin
    WD SmartWare
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Writer
    Windows Media Center Add-in for Silverlight
    Windows Media Player Firefox Plugin
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    30/04/2011 14:09:02, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: %%-2147416365
    30/04/2011 14:08:42, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The RPC server is unavailable. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    30/04/2011 14:08:35, Error: Service Control Manager [7038] - The WMPNetworkSvc service was unable to log on as NT AUTHORITY\NetworkService with the currently configured password due to the following error: The RPC server is unavailable. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    30/04/2011 14:08:35, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not start due to a logon failure.
    30/04/2011 14:08:05, Error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
    30/04/2011 14:08:05, Error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
    30/04/2011 14:08:05, Error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 1 time(s).
    30/04/2011 14:08:05, Error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    30/04/2011 14:08:05, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    30/04/2011 14:08:05, Error: Service Control Manager [7031] - The Software Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    30/04/2011 14:08:04, Error: Service Control Manager [7034] - The ServicepointService service terminated unexpectedly. It has done this 1 time(s).
    30/04/2011 14:08:04, Error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    30/04/2011 14:08:04, Error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    30/04/2011 14:08:04, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    30/04/2011 12:48:46, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    30/04/2011 12:48:46, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    30/04/2011 12:48:45, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    07/05/2011 18:05:24, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: StarOpen
    07/05/2011 17:45:48, Error: Service Control Manager [7034] - The Virgin Media Security Firewall service terminated unexpectedly. It has done this 1 time(s).
    07/05/2011 17:26:47, Error: Service Control Manager [7034] - The Themes service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Welcome to TechSpot! I'll be glad to help with the redirect. You should take notice of the following:

    A straight road to malware is file sharing! You have the following P2P programs:
    µTorrent
    BitTorrent
    FrostWire 4.21.1
    The Vshare plug-in

    Please either uninstall these or disable them. Do not use them while I am trying to clean the system.

    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    An example would be: The Vshare plug-in itself is safe if you download it from a reputable source such as Firefox. However, beware when downloading the plug-in from sites you do not know or trust, such as file-sharing websites. Then, you run the risk of downloading a virus to your computer.
    ================================================
    Please run the following scans:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==========================================
    It appears that Virgin Media may be using AVG for the antivirus. This next scan won't run with AVG on the system. When you start Combofix, if you get a notice that AVG is on the system, please come back and let me know and I'll give you removal instructions. If not, just go on:

    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan:
    Uninstall ComboFix if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    -------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [image of the ComboFix Recovery Console message]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =========================================
    Note: Mbam removed numerous entries for Trojans. One is called Rogue.Multiple. Rogue programs give inaccurate alerts to get the user to click on a site to remove the problem. If you get any alerts of this nature, do not act on them!
     
  3. nwesson

    Thank you very much for your help - I have completed what you have asked, including uninstalling all of the P2P programs. Please see logs below:

    ============================================
    ESETscan log:


    C:\ProgramData\1D064B63695DC6EE73B9E514D6D0B7E5\b\binm1 a variant of Win32/Kryptik.NCM trojan
    C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
    C:\ProgramData\SysWoW32\@u2128507501v1 a variant of Win32/Kryptik.NCM trojan
    C:\ProgramData\SysWoW32\@u2128507501v2 Win32/TrojanDownloader.Tracur.B trojan
    C:\ProgramData\SysWoW32\@u2128507501v3 a variant of Win32/Kryptik.NCM trojan
    C:\ProgramData\SysWoW32\wu2128507501v1 a variant of Win32/Kryptik.NCM trojan
    C:\ProgramData\SysWoW32\wu2128507501v2 a variant of Win32/Kryptik.NCM trojan
    C:\ProgramData\SysWoW32\wu2128507501v3 a variant of Win32/Kryptik.NCM trojan
    C:\ProgramData\SysWoW32\_u2128507501v1 a variant of Win32/Kryptik.NCM trojan
    C:\ProgramData\SysWoW32\_u2128507501v2 a variant of Win32/Kryptik.NCM trojan
    C:\ProgramData\SysWoW32\_u2128507501v3 a variant of Win32/Kryptik.NCM trojan
    C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
    C:\Users\All Users\SysWoW32\@u2128507501v1 a variant of Win32/Kryptik.NCM trojan
    C:\Users\All Users\SysWoW32\@u2128507501v2 Win32/TrojanDownloader.Tracur.B trojan
    C:\Users\All Users\SysWoW32\@u2128507501v3 a variant of Win32/Kryptik.NCM trojan
    C:\Users\All Users\SysWoW32\wu2128507501v1 a variant of Win32/Kryptik.NCM trojan
    C:\Users\All Users\SysWoW32\wu2128507501v2 a variant of Win32/Kryptik.NCM trojan
    C:\Users\All Users\SysWoW32\wu2128507501v3 a variant of Win32/Kryptik.NCM trojan
    C:\Users\All Users\SysWoW32\_u2128507501v1 a variant of Win32/Kryptik.NCM trojan
    C:\Users\All Users\SysWoW32\_u2128507501v2 a variant of Win32/Kryptik.NCM trojan
    C:\Users\All Users\SysWoW32\_u2128507501v3 a variant of Win32/Kryptik.NCM trojan
    C:\Users\Nick\AppData\Local\Google\Chrome\User Data\Default\Default\ocnfijioaejokcicpacidoaepkdlfibk\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
    C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
    C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome\xulcache.jar JS/Agent.NDB trojan
    C:\Users\Nick\Documents\FrostWire\Saved\(serial) outlook imoprt (gafoba).zip a variant of Win32/Kryptik.NCM trojan
    C:\Users\Nick\Documents\FrostWire\Saved\outlook imoprt [crack][fixed].zip a variant of Win32/Kryptik.NCM trojan

    ==========================================================
    combofix log:

    ComboFix 11-05-07.01 - Nick 07/05/2011 23:13:29.1.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3318.1545 [GMT 1:00]
    Running from: c:\users\Nick\Desktop\ComboFix.exe
    AV: Virgin Media Security Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
    FW: Virgin Media Security Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
    SP: Virgin Media Security Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\SysWoW32
    c:\programdata\SysWoW32\@u2128507501v0
    c:\programdata\SysWoW32\@u2128507501v1
    c:\programdata\SysWoW32\@u2128507501v2
    c:\programdata\SysWoW32\@u2128507501v3
    c:\programdata\SysWoW32\_u2128507501v0
    c:\programdata\SysWoW32\_u2128507501v1
    c:\programdata\SysWoW32\_u2128507501v2
    c:\programdata\SysWoW32\_u2128507501v3
    c:\programdata\SysWoW32\_u2128507501v4
    c:\programdata\SysWoW32\_u2128507501v5
    c:\programdata\SysWoW32\_u2128507501v6
    c:\programdata\SysWoW32\_u2128507501v7
    c:\programdata\SysWoW32\mu2128507501v4
    c:\programdata\SysWoW32\mu2128507501v4.kwd
    c:\programdata\SysWoW32\mu2128507501v5
    c:\programdata\SysWoW32\mu2128507501v5.kwd
    c:\programdata\SysWoW32\mu2128507501v6
    c:\programdata\SysWoW32\mu2128507501v6.kwd
    c:\programdata\SysWoW32\mu2128507501v7
    c:\programdata\SysWoW32\mu2128507501v7.kwd
    c:\programdata\SysWoW32\wu2128507501v0
    c:\programdata\SysWoW32\wu2128507501v0.kwd
    c:\programdata\SysWoW32\wu2128507501v1
    c:\programdata\SysWoW32\wu2128507501v1.kwd
    c:\programdata\SysWoW32\wu2128507501v2
    c:\programdata\SysWoW32\wu2128507501v2.kwd
    c:\programdata\SysWoW32\wu2128507501v3
    c:\programdata\SysWoW32\wu2128507501v3.kwd
    c:\programdata\unrar.exe
    c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}
    c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome.manifest
    c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome\xulcache.jar
    c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\defaults\preferences\xulcache.js
    c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\install.rdf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-07 22:23 . 2011-05-07 22:23 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-07 22:10 . 2011-05-07 22:11 -------- d-----w- C:\32788R22FWJFW
    2011-05-07 19:36 . 2011-05-07 19:36 -------- d-----w- c:\program files\ESET
    2011-05-07 16:53 . 2011-05-07 16:53 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
    2011-05-07 16:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-07 16:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-07 09:22 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4549F5D-9D04-4E24-8F6A-6BC788C2B019}\mpengine.dll
    2011-04-30 13:01 . 2011-04-30 13:01 -------- d-----w- C:\_OTM
    2011-04-28 09:09 . 2009-11-02 14:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2011-04-28 09:08 . 2009-10-23 12:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2011-04-28 09:08 . 2011-04-28 09:08 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2011-04-28 09:08 . 2011-04-28 09:08 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\programdata\Raxco
    2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\program files\Raxco
    2011-04-28 09:06 . 2011-04-28 09:06 -------- d--h--w- c:\program files\InstallShield Installation Information
    2011-04-27 15:37 . 2011-03-12 11:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-04-27 15:36 . 2011-03-11 05:44 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
    2011-04-27 15:36 . 2011-03-11 05:44 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2011-04-27 15:36 . 2011-03-11 05:44 146304 ----a-w- c:\windows\system32\drivers\storport.sys
    2011-04-27 15:36 . 2011-03-11 05:44 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
    2011-04-27 15:36 . 2011-03-11 05:43 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
    2011-04-27 15:36 . 2011-03-11 05:43 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
    2011-04-27 15:36 . 2011-03-11 05:43 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
    2011-04-27 15:36 . 2011-03-11 05:39 1686016 ----a-w- c:\windows\system32\esent.dll
    2011-04-27 15:36 . 2011-03-11 05:37 74240 ----a-w- c:\windows\system32\fsutil.exe
    2011-04-27 15:36 . 2011-02-18 05:33 31232 ----a-w- c:\windows\system32\prevhost.exe
    2011-04-27 15:36 . 2011-02-26 05:33 2614784 ----a-w- c:\windows\explorer.exe
    2011-04-22 09:01 . 2011-05-07 16:22 -------- d-sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
    2011-04-22 08:48 . 2011-04-22 08:49 -------- d-----w- c:\program files\Outlook Import Wizard
    2011-04-14 20:05 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
    2011-04-14 20:05 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
    2011-04-14 20:05 . 2011-02-12 05:30 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
    2011-04-14 20:05 . 2011-03-03 03:31 2331136 ----a-w- c:\windows\system32\win32k.sys
    2011-04-14 20:05 . 2011-03-08 05:38 740864 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-14 20:05 . 2011-02-24 05:32 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-04-14 20:05 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-14 20:05 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-14 20:05 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-14 20:05 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-19 05:33 . 2011-03-20 11:24 802304 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 05:32 . 2011-03-20 11:24 1074176 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 05:32 . 2011-03-20 11:24 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    "ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-04 1343400]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
    S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-11-02 25608]
    S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [2011-04-28 166944]
    S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
    S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
    S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
    S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
    S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
    S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 21208]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 13ECBEC4
    *Deregistered* - 13ecbec4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan sysagent
    .
    Contents of the 'Scheduled Tasks' folder
    c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000Core.job
    c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000UA.job
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    HKCU-Run-api-ms-win-core-sysinfo-l1-1-0wow.exe - c:\windows\api-ms-win-core-sysinfo-l1-1-0wow.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]
    "GameDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games"
    "ShortlistDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"
    "FMPath"=""
    "ScreenshotsDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011"
    "SaveDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\"
    "HistoryDir"="c:\\FM Genie Scout 11\\History Points"
    "LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"
    "LastSaveGame"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games\\manchesterUnited.fm"
    "Language"="English"
    "LoadLangDB"=dword:00000001
    "CompressHistoryPoints"=dword:00000000
    "HighlightedAttributes"=dword:00000000
    "MinCondition"=dword:00000050
    "GraphStep"=dword:00000000
    "SkinName"="PSV Eindhoven"
    "LastUpdateCheck"=dword:00009edd
    "HighQualityGUI"=dword:00000001
    "AutomaticallyUpdateCheck"=dword:00000001
    "AdvancedGeneration"=dword:00000000
    "TranslateStaffSkills"=dword:00000001
    "TranslatePlayerSkills"=dword:00000001
    "TranslatePositions"=dword:00000001
    "ShowHistory"=dword:00000001
    "Version"=dword:00000080
    "UniqueID"="14-8500-E1BF"
    "Currency"=dword:00000056
    "UseProxy"=dword:00000000
    "ProxyHost"=""
    "ProxyPort"=""
    "UseAuthentication"=dword:00000000
    "UserName"=""
    "UserPassword"=""
    "PlayerSearchFeatureNum"=dword:00000004
    "StaffSearchFeatureNum"=dword:00000000
    "ClubSearchFeatureNum"=dword:00000001
    "FilterByClubFeatureNum"=dword:00000000
    "CompareFeatureNum"=dword:00000000
    "ShortlistFeatureNum"=dword:00000000
    "ExportFeatureNum"=dword:00000000
    "HistoryFeatureNum"=dword:00000000
    "LanguageDBFeatureNum"=dword:00000005
    "HintsFeatureNum"=dword:00000000
    "GenieReportFeatureNum"=dword:00000000
    "TopFormationFeatureNum"=dword:00000000
    "ScreenshotFeatureNum"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]
    "PicturesNumber"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-05-07 23:26:05
    ComboFix-quarantined-files.txt 2011-05-07 22:26
    ComboFix2.txt 2009-06-18 13:38
    .
    Pre-Run: 29,972,336,640 bytes free
    Post-Run: 29,893,529,600 bytes free
    .
    - - End Of File - - B8591FA45C9D66CECF5363F05D51EBB1
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please go ahead and run this while I finish checking the Combofix log:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\ProgramData\1D064B63695DC6EE73B9E514D6D0B7E5\b\binm1 
      C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi
      C:\ProgramData\SysWoW32\@u2128507501v1 
      C:\ProgramData\SysWoW32\@u2128507501v2 
      C:\ProgramData\SysWoW32\@u2128507501v3 
      C:\ProgramData\SysWoW32\wu2128507501v1 
      C:\ProgramData\SysWoW32\wu2128507501v2 
      C:\ProgramData\SysWoW32\wu2128507501v3 
      C:\ProgramData\SysWoW32\_u2128507501v1 
      C:\ProgramData\SysWoW32\_u2128507501v2 
      C:\ProgramData\SysWoW32\_u2128507501v3 
      C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi 
      C:\Users\All Users\SysWoW32\@u2128507501v1 
      C:\Users\All Users\SysWoW32\@u2128507501v2 
      C:\Users\All Users\SysWoW32\@u2128507501v3 
      C:\Users\All Users\SysWoW32\wu2128507501v1 
      C:\Users\All Users\SysWoW32\wu2128507501v2 
      C:\Users\All Users\SysWoW32\wu2128507501v3 
      C:\Users\All Users\SysWoW32\_u2128507501v1 
      C:\Users\All Users\SysWoW32\_u2128507501v2 
      C:\Users\All Users\SysWoW32\_u2128507501v3 
      C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome.manifest
      C:\Users\Nick\Documents\FrostWire\Saved\(serial) outlook imoprt (gafoba).zip 
      C:\Users\Nick\Documents\FrostWire\Saved\outlook imoprt [crack][fixed].zip 
      C:\Users\Nick\AppData\Local\Google\Chrome\User Data\Default\Default\ocnfijioaejokcicpacidoaepkdlfibk\contentscript.js 
      C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome\xulcache.jar
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ================================================
    Two of the entries above are in the Java cache so you will need to empty that:
    1. Click Start > Control Panel.
    2. Double-click the Java icon in the control panel.
      The Java Control Panel appears.
    3. Click Settings under Temporary Internet Files.
      There are three options on this window to clear the cache (version dependent):
      • Delete Files
      • View Applications
      • View Applets
    4. Click OK on the Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
    5. Click OK on the Temporary Files Settings window.
    ======================================
    You made a wise decision in uninstalling the P2P programs. It is obvious from the Eset scan that they contributed a lot to the malware.
     
  5. nwesson

    nwesson TS Rookie Topic Starter

    Thanks again for your help on this. I completed the further steps you requested and paste the log below.

    In regards to the P2P - all this because I was searching for a program that converts your old Windows Mail items into Outlook format and decided I didn't want to pay for it as it was only a one-off task. You live from your mistakes I suppose, and it's something I won't be doing again! I will happily pay for it next time...

    ==============================
    OTM Log:


    All processes killed
    ========== FILES ==========
    File/Folder C:\ProgramData\1D064B63695DC6EE73B9E514D6D0B7E5\b\binm1 not found.
    C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi moved successfully.
    File/Folder C:\ProgramData\SysWoW32\@u2128507501v1 not found.
    File/Folder C:\ProgramData\SysWoW32\@u2128507501v2 not found.
    File/Folder C:\ProgramData\SysWoW32\@u2128507501v3 not found.
    File/Folder C:\ProgramData\SysWoW32\wu2128507501v1 not found.
    File/Folder C:\ProgramData\SysWoW32\wu2128507501v2 not found.
    File/Folder C:\ProgramData\SysWoW32\wu2128507501v3 not found.
    File/Folder C:\ProgramData\SysWoW32\_u2128507501v1 not found.
    File/Folder C:\ProgramData\SysWoW32\_u2128507501v2 not found.
    File/Folder C:\ProgramData\SysWoW32\_u2128507501v3 not found.
    File/Folder C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi not found.
    File/Folder C:\Users\All Users\SysWoW32\@u2128507501v1 not found.
    File/Folder C:\Users\All Users\SysWoW32\@u2128507501v2 not found.
    File/Folder C:\Users\All Users\SysWoW32\@u2128507501v3 not found.
    File/Folder C:\Users\All Users\SysWoW32\wu2128507501v1 not found.
    File/Folder C:\Users\All Users\SysWoW32\wu2128507501v2 not found.
    File/Folder C:\Users\All Users\SysWoW32\wu2128507501v3 not found.
    File/Folder C:\Users\All Users\SysWoW32\_u2128507501v1 not found.
    File/Folder C:\Users\All Users\SysWoW32\_u2128507501v2 not found.
    File/Folder C:\Users\All Users\SysWoW32\_u2128507501v3 not found.
    File/Folder C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\ext ensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome.manifest not found.
    C:\Users\Nick\Documents\FrostWire\Saved\(serial) outlook imoprt (gafoba).zip moved successfully.
    C:\Users\Nick\Documents\FrostWire\Saved\outlook imoprt [crack][fixed].zip moved successfully.
    C:\Users\Nick\AppData\Local\Google\Chrome\User Data\Default\Default\ocnfijioaejokcicpacidoaepkdlfibk\contentscript.js moved successfully.
    File/Folder C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\ext ensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome\xulcache.jar not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Nick
    ->Temp folder emptied: 227742 bytes
    ->Temporary Internet Files folder emptied: 544750 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 73123886 bytes
    ->Flash cache emptied: 538 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3354 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 70.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 05082011_093750

    Files moved on Reboot...
    C:\Windows\temp\ZKT{DD4B34F7-5822-4237-B391-856D4D055AEA}.tmp moved successfully.

    Registry entries deleted on Reboot...
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Some of the entries in OTM that say 'not found' had been removed in Combofix already.
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    DDS::
    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    uRun: [api-ms-win-core-sysinfo-l1-1-0wow.exe] c:\windows\api-ms-win-core-sysinfo-l1-1-0wow.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
    
    DirLook::
    c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (Screenshot: CFScript.txt being dragged onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ====================
    We need to make sure any other entries for the following have been removed:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Show Hidden Files and Folders:
    • Click on the Start button and select Computer
    • Press the Alt key on your keyboard and click on Tools
    • Select Folder Options
    • Click the View tab and check Show hidden files and folders
    • Uncheck Hide protected operating system files (Recommended)
    • Uncheck Hide extensions for known file types > Click Yes to confirm
    • Click Apply > click OK
    ----===================================
    1. Registry Reviver: It is registry software located in the "Application Data" folder for all users. The exact program is "Reviversoft".
    Click All Users > Application Data > right click > Delete on the folder for Reviversoft
    2. Win32/TrojanDownloader.Tracur.B trojan > shows in both Firefox & Chrome
    Now click on Windows > System32 > look for fde.dll and, if found, right click > Delete.
    Go back and re-hide the files and folders.
    ==============================
    Are you noticing any improvement on the system?
     
  7. nwesson

    nwesson TS Rookie Topic Starter

    Hi again,

    Some interesting results - first of all I am guessing you pasted your last post twice so I only completed the instructions once.

    Combofix log is below - for some strange reason I can't get into safe mode - every time I restart and either tap/hold F8 it just goes to a black screen until I manually switch it off. I have however tried to delete the files in normal mode, which I could do for Reviversoft, but the fde.dll will not allow me permission to do so. Not really sure what to do next?

    The computer is starting to speed up again but I'm trying not to use it at all until this problem is resolved.

    Thanks again,
    Nick

    ===========================================
    combofix log:

    ComboFix 11-05-07.01 - Nick 09/05/2011 20:38:15.2.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3318.2063 [GMT 1:00]
    Running from: c:\users\Nick\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nick\Desktop\CFScript.txt
    AV: Virgin Media Security Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
    FW: Virgin Media Security Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
    SP: Virgin Media Security Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-09 19:48 . 2011-05-09 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-07 19:36 . 2011-05-07 19:36 -------- d-----w- c:\program files\ESET
    2011-05-07 16:53 . 2011-05-07 16:53 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
    2011-05-07 16:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-07 16:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-07 09:22 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4549F5D-9D04-4E24-8F6A-6BC788C2B019}\mpengine.dll
    2011-04-30 13:01 . 2011-04-30 13:01 -------- d-----w- C:\_OTM
    2011-04-28 09:09 . 2009-11-02 14:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2011-04-28 09:08 . 2009-10-23 12:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2011-04-28 09:08 . 2011-04-28 09:08 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2011-04-28 09:08 . 2011-04-28 09:08 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\programdata\Raxco
    2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\program files\Raxco
    2011-04-28 09:06 . 2011-04-28 09:06 -------- d--h--w- c:\program files\InstallShield Installation Information
    2011-04-27 15:37 . 2011-03-12 11:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-04-27 15:36 . 2011-03-11 05:44 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
    2011-04-27 15:36 . 2011-03-11 05:44 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2011-04-27 15:36 . 2011-03-11 05:44 146304 ----a-w- c:\windows\system32\drivers\storport.sys
    2011-04-27 15:36 . 2011-03-11 05:44 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
    2011-04-27 15:36 . 2011-03-11 05:43 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
    2011-04-27 15:36 . 2011-03-11 05:43 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
    2011-04-27 15:36 . 2011-03-11 05:43 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
    2011-04-27 15:36 . 2011-03-11 05:39 1686016 ----a-w- c:\windows\system32\esent.dll
    2011-04-27 15:36 . 2011-03-11 05:37 74240 ----a-w- c:\windows\system32\fsutil.exe
    2011-04-27 15:36 . 2011-02-18 05:33 31232 ----a-w- c:\windows\system32\prevhost.exe
    2011-04-27 15:36 . 2011-02-26 05:33 2614784 ----a-w- c:\windows\explorer.exe
    2011-04-22 09:01 . 2011-05-07 16:22 -------- d-sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
    2011-04-22 08:48 . 2011-04-22 08:49 -------- d-----w- c:\program files\Outlook Import Wizard
    2011-04-14 20:05 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
    2011-04-14 20:05 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
    2011-04-14 20:05 . 2011-02-12 05:30 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
    2011-04-14 20:05 . 2011-03-03 03:31 2331136 ----a-w- c:\windows\system32\win32k.sys
    2011-04-14 20:05 . 2011-03-08 05:38 740864 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-14 20:05 . 2011-02-24 05:32 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-04-14 20:05 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-14 20:05 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-14 20:05 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-14 20:05 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-19 05:33 . 2011-03-20 11:24 802304 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 05:32 . 2011-03-20 11:24 1074176 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 05:32 . 2011-03-20 11:24 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5 ----
    .
    2011-04-22 09:07 . 2011-04-22 08:11 2 ----a-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\b\version
    2011-04-22 09:07 . 2011-04-22 09:07 2344788 --sha-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\bin
    2011-04-22 09:01 . 2011-04-22 09:01 64 --sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\ntuser.dat
    2011-04-22 09:01 . 2011-04-22 09:01 203776 --sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\unrar.exe
    2011-04-22 09:01 . 2011-04-22 09:01 0 ----a-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    "ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-04 1343400]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
    S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-11-02 25608]
    S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [2011-04-28 166944]
    S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
    S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
    S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
    S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
    S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
    S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 21208]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - D90E2585
    *Deregistered* - d90e2585
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan sysagent
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000Core.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 16:19]
    .
    2011-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000UA.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 16:19]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]
    "GameDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games"
    "ShortlistDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"
    "FMPath"=""
    "ScreenshotsDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011"
    "SaveDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\"
    "HistoryDir"="c:\\FM Genie Scout 11\\History Points"
    "LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"
    "LastSaveGame"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games\\manchesterUnited.fm"
    "Language"="English"
    "LoadLangDB"=dword:00000001
    "CompressHistoryPoints"=dword:00000000
    "HighlightedAttributes"=dword:00000000
    "MinCondition"=dword:00000050
    "GraphStep"=dword:00000000
    "SkinName"="PSV Eindhoven"
    "LastUpdateCheck"=dword:00009edd
    "HighQualityGUI"=dword:00000001
    "AutomaticallyUpdateCheck"=dword:00000001
    "AdvancedGeneration"=dword:00000000
    "TranslateStaffSkills"=dword:00000001
    "TranslatePlayerSkills"=dword:00000001
    "TranslatePositions"=dword:00000001
    "ShowHistory"=dword:00000001
    "Version"=dword:00000080
    "UniqueID"="14-8500-E1BF"
    "Currency"=dword:00000056
    "UseProxy"=dword:00000000
    "ProxyHost"=""
    "ProxyPort"=""
    "UseAuthentication"=dword:00000000
    "UserName"=""
    "UserPassword"=""
    "PlayerSearchFeatureNum"=dword:00000004
    "StaffSearchFeatureNum"=dword:00000000
    "ClubSearchFeatureNum"=dword:00000001
    "FilterByClubFeatureNum"=dword:00000000
    "CompareFeatureNum"=dword:00000000
    "ShortlistFeatureNum"=dword:00000000
    "ExportFeatureNum"=dword:00000000
    "HistoryFeatureNum"=dword:00000000
    "LanguageDBFeatureNum"=dword:00000005
    "HintsFeatureNum"=dword:00000000
    "GenieReportFeatureNum"=dword:00000000
    "TopFormationFeatureNum"=dword:00000000
    "ScreenshotFeatureNum"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]
    "PicturesNumber"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-05-09 20:50:31
    ComboFix-quarantined-files.txt 2011-05-09 19:50
    ComboFix2.txt 2011-05-07 22:26
    ComboFix3.txt 2009-06-18 13:38
    .
    Pre-Run: 31,342,198,784 bytes free
    Post-Run: 31,268,499,456 bytes free
    .
    - - End Of File - - 8E15BCDB573351792981632F1F395D67
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry about that, I have cleaned it up. Thought I had lost the text when I went back a page, so recovered it. Didn't realize I hadn't lost it after all! Apologies for the confusion.

    Do you have any idea what this is? I did a DirectoryLook but didn't learn much!
    This ran again on 5/7/2011.
     
  9. nwesson

    nwesson TS Rookie Topic Starter

    Hi again,

    No problem at all. I'm afraid I have no idea what that program is. I looked in the ProgramData folder and there is nothing in there....
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We're going to have to check for identification of this file:

    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    [1]. Copy and paste each of the following file paths, one at a time, into the Suspicious files to scan box on the top of the page.

      Code:
      c:\programdata\unrar.exe
      
      c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
      
    [2]. At the upload site, click once inside the window next to Browse.
    [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    [5]. Once the scan is completed, scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    [6]. Paste the contents of the Clipboard in your next reply.

    I don't want to leave an executable file in a directory that can't be identified or removed and continues to gather program data.

    Let's see if this turns up anything.
     
  11. nwesson

    nwesson TS Rookie Topic Starter

    hmmm

    It can't find a file called c:\programdata\unrar.exe

    and in this directory there is an empty file called lock in c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5 which it cannot upload either.

    I have tried all three sites to no avail
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    One more try:
    Show Hidden Folders/Files
    • Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck (untick) Hide extensions of known file types.
    • Uncheck (untick) Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.


    Okay, this might be a folder that was set up by encryption:
    Navigate back to this file and do a right click> Properties:
    c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock
    Then click on the Advanced tab.(if there is one)
    Is this box checked>> "Encrypt contents to secure data"

    Go ahead then and do a right click> Delete on the file.
    Then go back and rehide the files and folders. (This is important, so don't skip it)
    ================================
    Then run the script below one more time:
    Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\bin
    c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\ntuser.dat
    c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\unrar.exe
    c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\b\version
    c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock 
    Folder::
    c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Sometimes a bit of paranoia can be constructively used. But other times, it can simply drive one nuts!

    2011-04-22 09:07 . 2011-04-22 08:11 2 ----a-w-
    2011-04-22 09:07 . 2011-04-22 09:07 2344788 --sha-w-
    2011-04-22 09:01 . 2011-04-22 09:01 64 --sh--w-
     
  13. nwesson

    nwesson TS Rookie Topic Starter

    managed to do that now. here is the log:


    ComboFix 11-05-13.02 - Nick 14/05/2011 10:49:48.3.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3318.1627 [GMT 1:00]
    Running from: c:\users\Nick\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nick\Desktop\CFScript.txt
    AV: Virgin Media Security Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
    FW: Virgin Media Security Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
    SP: Virgin Media Security Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\b\version"
    "c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\bin"
    "c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock"
    "c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\ntuser.dat"
    "c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\unrar.exe"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-14 09:58 . 2011-05-14 09:58 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-14 09:20 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C4177243-2FD1-4634-A008-BC2A3932B41D}\mpengine.dll
    2011-05-11 18:10 . 2011-03-25 03:06 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-05-11 18:10 . 2011-03-25 03:06 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-05-11 18:10 . 2011-03-25 03:06 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-05-11 18:10 . 2011-03-25 03:06 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-05-11 18:10 . 2011-03-25 03:06 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-05-11 18:09 . 2011-03-25 03:06 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-05-11 18:09 . 2011-03-25 03:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    2011-05-11 18:09 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-05-11 18:09 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-05-07 19:36 . 2011-05-07 19:36 -------- d-----w- c:\program files\ESET
    2011-05-07 16:53 . 2011-05-07 16:53 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
    2011-05-07 16:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-07 16:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-30 13:01 . 2011-04-30 13:01 -------- d-----w- C:\_OTM
    2011-04-28 09:09 . 2009-11-02 14:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2011-04-28 09:08 . 2009-10-23 12:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
    2011-04-28 09:08 . 2011-04-28 09:08 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2011-04-28 09:08 . 2011-04-28 09:08 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\programdata\Raxco
    2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\program files\Raxco
    2011-04-28 09:06 . 2011-04-28 09:06 -------- d--h--w- c:\program files\InstallShield Installation Information
    2011-04-27 15:37 . 2011-03-12 11:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-04-27 15:36 . 2011-03-11 05:44 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
    2011-04-27 15:36 . 2011-03-11 05:44 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2011-04-27 15:36 . 2011-03-11 05:44 146304 ----a-w- c:\windows\system32\drivers\storport.sys
    2011-04-27 15:36 . 2011-03-11 05:44 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
    2011-04-27 15:36 . 2011-03-11 05:43 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
    2011-04-27 15:36 . 2011-03-11 05:43 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
    2011-04-27 15:36 . 2011-03-11 05:43 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
    2011-04-27 15:36 . 2011-03-11 05:39 1686016 ----a-w- c:\windows\system32\esent.dll
    2011-04-27 15:36 . 2011-03-11 05:37 74240 ----a-w- c:\windows\system32\fsutil.exe
    2011-04-27 15:36 . 2011-02-18 05:33 31232 ----a-w- c:\windows\system32\prevhost.exe
    2011-04-27 15:36 . 2011-02-26 05:33 2614784 ----a-w- c:\windows\explorer.exe
    2011-04-22 08:48 . 2011-04-22 08:49 -------- d-----w- c:\program files\Outlook Import Wizard
    2011-04-14 20:05 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
    2011-04-14 20:05 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
    2011-04-14 20:05 . 2011-02-12 05:30 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
    2011-04-14 20:05 . 2011-03-03 03:31 2331136 ----a-w- c:\windows\system32\win32k.sys
    2011-04-14 20:05 . 2011-03-08 05:38 740864 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-14 20:05 . 2011-02-24 05:32 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-04-14 20:05 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-14 20:05 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-14 20:05 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-14 20:05 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-19 05:33 . 2011-03-20 11:24 802304 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 05:32 . 2011-03-20 11:24 1074176 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 05:32 . 2011-03-20 11:24 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    "ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-04 1343400]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
    S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-11-02 25608]
    S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [2011-04-28 166944]
    S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
    S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
    S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
    S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
    S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
    S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 21208]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 4AD4256B
    *Deregistered* - 4ad4256b
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan sysagent
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000Core.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 16:19]
    .
    2011-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000UA.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 16:19]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]
    "GameDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games"
    "ShortlistDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"
    "FMPath"=""
    "ScreenshotsDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011"
    "SaveDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\"
    "HistoryDir"="c:\\FM Genie Scout 11\\History Points"
    "LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"
    "LastSaveGame"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games\\manchesterUnited.fm"
    "Language"="English"
    "LoadLangDB"=dword:00000001
    "CompressHistoryPoints"=dword:00000000
    "HighlightedAttributes"=dword:00000000
    "MinCondition"=dword:00000050
    "GraphStep"=dword:00000000
    "SkinName"="PSV Eindhoven"
    "LastUpdateCheck"=dword:00009edd
    "HighQualityGUI"=dword:00000001
    "AutomaticallyUpdateCheck"=dword:00000001
    "AdvancedGeneration"=dword:00000000
    "TranslateStaffSkills"=dword:00000001
    "TranslatePlayerSkills"=dword:00000001
    "TranslatePositions"=dword:00000001
    "ShowHistory"=dword:00000001
    "Version"=dword:00000080
    "UniqueID"="14-8500-E1BF"
    "Currency"=dword:00000056
    "UseProxy"=dword:00000000
    "ProxyHost"=""
    "ProxyPort"=""
    "UseAuthentication"=dword:00000000
    "UserName"=""
    "UserPassword"=""
    "PlayerSearchFeatureNum"=dword:00000004
    "StaffSearchFeatureNum"=dword:00000000
    "ClubSearchFeatureNum"=dword:00000001
    "FilterByClubFeatureNum"=dword:00000000
    "CompareFeatureNum"=dword:00000000
    "ShortlistFeatureNum"=dword:00000000
    "ExportFeatureNum"=dword:00000000
    "HistoryFeatureNum"=dword:00000000
    "LanguageDBFeatureNum"=dword:00000005
    "HintsFeatureNum"=dword:00000000
    "GenieReportFeatureNum"=dword:00000000
    "TopFormationFeatureNum"=dword:00000000
    "ScreenshotFeatureNum"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]
    "PicturesNumber"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Virgin Media\Security\Fws.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\msfeedssync.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-14 11:06:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-14 10:06
    ComboFix2.txt 2011-05-09 19:50
    ComboFix3.txt 2011-05-07 22:26
    ComboFix4.txt 2009-06-18 13:38
    .
    Pre-Run: 31,674,556,416 bytes free
    Post-Run: 31,649,992,704 bytes free
    .
    - - End Of File - - BD1A215FB338CDA910DDFB057F3BF0B2
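    The attribute column in the ComboFix listings above (the three stripped lines in reply #12 and the "Files Created" section in reply #13) is what a helper reads to decide which entries to chase: a file that is both system and hidden inside an unlabelled folder under ProgramData is worth a second look, while a hidden-only vendor directory such as InstallShield's is normal. The following is an added example, not code from this thread or from ComboFix: a small Python parser for lines in that format that flags entries carrying both the 's' and 'h' flags and anything under a 32-hex-character directory directly below c:\programdata (the shape of the unidentified folder in this thread). Both heuristics, the sample lines and the directory name 0123456789ABCDEF0123456789ABCDEF are constructed for the example and do not reproduce the thread's actual entries; only the 'd', 's' and 'h' letters are interpreted, the other attribute positions are left alone.

```python
"""Triage ComboFix "Files Created" lines: flag system+hidden entries and
anything under a 32-hex-character directory in c:/programdata.

Added example for this thread, not ComboFix's own code. Only the attribute
letters 'd', 's' and 'h' are interpreted; they appear as such in the
posted log. Everything in SAMPLE_LOG is constructed, including the
directory name, and does not reproduce the thread's actual entries.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shape, as posted:  created . modified size attrs path
# e.g. 2011-05-11 18:10 . 2011-03-25 03:06 284160 ----a-w- c:/windows/...
# Directories print dashes instead of a size.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+?)\s*$"
)
# Heuristic (assumption): a 32-hex-character folder directly under ProgramData.
HEX_DIR_RE = re.compile(r"^c:\\programdata\\[0-9a-f]{32}(\\|$)", re.IGNORECASE)

# Constructed sample; the hex directory name is made up for this example.
SAMPLE_LOG = r"""
2011-05-11 18:10 . 2011-03-25 03:06 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-14 09:58 . 2011-05-14 09:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-22 09:07 . 2011-04-22 09:07 2344788 --sha-w- c:\programdata\0123456789ABCDEF0123456789ABCDEF\unrar.exe
2011-04-22 09:01 . 2011-04-22 09:01 64 --sh--w- c:\programdata\0123456789ABCDEF0123456789ABCDEF\lock
2011-04-28 09:06 . 2011-04-28 09:06 -------- d--h--w- c:\program files\InstallShield Installation Information
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        # Both flags together is the pattern seen in the stripped lines;
        # a hidden-only directory such as InstallShield's is ordinary.
        return "s" in self.attrs and "h" in self.attrs

    @property
    def in_hex_programdata_dir(self) -> bool:
        return HEX_DIR_RE.match(self.path) is not None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one listing line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable listing line; headers and dots are skipped."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for each entry that trips a heuristic."""
    findings = []
    for e in parse_log(text):
        reasons = []
        if e.hidden_system:
            reasons.append("system+hidden")
        if e.in_hex_programdata_dir:
            reasons.append("32-hex dir under ProgramData")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}  <- {', '.join(reasons)}")
```

    On the constructed sample only the two files inside the hex-named folder are reported; the hidden-only InstallShield directory and the ordinary driver and temp entries are not. The parser does not confirm anything is malicious, it only shortens the list of paths worth hashing and submitting to a multi-engine scanner as described in reply #10.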
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    ComboFix scan looks good. I may have mentioned this before, but in case I did not: there are 2 locked Registry keys for this:
    [HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]. The first contains a large number of processes with settings. I can open the key with a script, but I doubt it would show me anything more than what I see. These appear to be special settings for the Genie Scout. Please take a look in the log and assure me that you have made all of the settings.
    ================================
    Please run one more Eset scan. Let's make sure there are no new entries. The link and directions can be found in Reply #2. If there are no new entries, then I'll have you remove the cleaning tools.
     
Topic Status:
Not open for further replies.
