TechSpot

Virus seems to start before Windows

By chix2k10
Feb 21, 2011
  1. Every time I start the laptop I get this message:

    Media test failure.Check cable
    Exiting pxe rom.

    In Task Manager I see many processes of
    Schlpr.exe
    Taskhost.exe
    Conhost.exe
    Scrlink.exe

    I'm unable to browse my regular sites, as it puts up the T-Mobile age lock (I have none) asking me to verify my age with my credit card details!
    This problem started after clicking a video link via Facebook! Because I am actually using a dongle, every month all my monthly internet allowance is being used by whatever is infecting me. It also sometimes places an "offline" tab at the top of Firefox. Any help would be greatly appreciated.

    I'm using Windows 7.
    Scan logs below.

    No threats found using Avast free edition.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5828

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    21/02/2011 11:46:54
    mbam-log-2011-02-21 (11-46-54).txt

    Scan type: Quick scan
    Objects scanned: 163897
    Time elapsed: 5 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-21 19:35:26
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 Hitachi_HTS545016B9A300 rev.PBBOC64G
    Running: 4pgjyon0.exe; Driver: C:\Users\Mum\AppData\Local\Temp\awpdapod.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81E85589 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81EAA092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Mum at 14:33:45.97 on 21/02/2011
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.766.162 [GMT 0:00]

    AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
    C:\Program Files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe
    C:\Users\Mum\AppData\Roaming\T-Mobile Internet Manager\ouc.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskmgr.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Users\Mum\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    BHO: txthlpBHO Class: {060235dc-6d84-47bd-95d7-a4ef5099a59d} - c:\progra~1\texthe~1\readan~1\TE4470~1.DLL
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [HW_OPENEYE_OUC_T-Mobile Internet Manager] "c:\program files\t-mobile\t-mobile internet manager\updatedog\ouc.exe"
    uRun: [scrlink] c:\program files\scbackup\scrlink.lnk
    uRun: [Mobile Partner] "c:\program files\t-mobile\t-mobile internet manager\T-Mobile Internet Manager.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
    mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    mRun: [DataCardMonitor] c:\program files\t-mobile\t-mobile internet manager\DataCardMonitor.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\users\mum\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\mum\appdata\roaming\mozilla\firefox\profiles\9b5tlkvs.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Search the Web
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\users\mum\appdata\roaming\mozilla\firefox\profiles\9b5tlkvs.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-17 294608]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-17 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-17 51280]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-20 40384]
    R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2010-5-7 24064]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-9-8 167936]
    R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2009-12-22 991776]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-7-6 101120]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-19 1343400]
    S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-8 359952]

    =============== Created Last 30 ================

    2011-02-21 12:44:16 -------- d-----w- c:\users\mum\appdata\local\{D19E1DB4-699C-413C-99FE-497A2B3B4122}
    2011-02-21 11:40:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-21 11:40:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-21 11:23:28 -------- d-----w- c:\users\mum\appdata\local\{A74757E3-B3E1-4829-8355-FB1D95085076}
    2011-02-21 10:33:03 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-02-21 10:33:00 -------- d-----w- c:\users\mum\appdata\local\temp
    2011-02-21 10:22:35 98816 ----a-w- c:\windows\sed.exe
    2011-02-21 10:22:35 89088 ----a-w- c:\windows\MBR.exe
    2011-02-21 10:22:35 256512 ----a-w- c:\windows\PEV.exe
    2011-02-21 10:22:35 161792 ----a-w- c:\windows\SWREG.exe
    2011-02-21 10:05:34 -------- d-----w- c:\users\mum\appdata\local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
    2011-02-12 18:29:17 -------- d-----w- c:\users\mum\appdata\local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
    2011-02-11 15:02:32 2329088 ----a-w- c:\windows\system32\win32k.sys
    2011-02-11 15:02:25 541184 ----a-w- c:\windows\system32\kerberos.dll
    2011-02-11 15:02:21 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-02-11 15:02:01 860160 ----a-w- c:\program files\internet explorer\iedvtool.dll
    2011-02-11 15:00:57 1389568 ----a-w- c:\windows\system32\msxml6.dll
    2011-02-11 15:00:56 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-02-11 15:00:54 1236992 ----a-w- c:\windows\system32\msxml3.dll
    2011-02-11 15:00:51 80384 ----a-w- c:\windows\system32\davclnt.dll
    2011-02-11 15:00:51 350720 ----a-w- c:\windows\system32\winhttp.dll
    2011-02-11 15:00:51 204800 ----a-w- c:\windows\system32\WebClnt.dll
    2011-02-11 15:00:50 51200 ----a-w- c:\windows\system32\wscapi.dll
    2011-02-11 15:00:50 14336 ----a-w- c:\windows\system32\slwga.dll
    2011-02-11 15:00:49 73728 ----a-w- c:\windows\system32\wscsvc.dll
    2011-02-11 15:00:26 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2011-02-06 22:02:41 -------- d-----w- c:\users\mum\appdata\local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
    2011-02-04 08:39:54 -------- d-----w- c:\users\mum\appdata\local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
    2011-02-03 16:17:34 -------- d-----w- c:\users\mum\appdata\local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
    2011-02-02 20:52:23 -------- d-----w- c:\users\mum\appdata\local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
    2011-02-02 20:37:18 -------- d-----w- C:\7b948f167fc0ed9f8bf22971
    2011-01-30 14:57:00 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

    ==================== Find3M ====================

    2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-21 05:38:19 204288 ----a-w- c:\windows\system32\upnp.dll
    2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
    2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-12-10 21:07:59 737280 ----a-w- c:\windows\iun6002.exe

    ============= FINISH: 14:34:50.70 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 31/05/2010 23:51:58
    System Uptime: 21/02/2011 12:42:19 (2 hours ago)

    Motherboard: TOSHIBA | | NBWAE
    Processor: AMD Sempron(tm) SI-42 | Socket M2/S1G1 | 2100/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 130 GiB total, 80.421 GiB free.
    D: is CDROM (UDF)
    E: is CDROM (CDFS)
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP41: 08/10/2010 03:18:47 - Scheduled Checkpoint
    RP42: 10/10/2010 09:37:03 - Windows Update
    RP43: 15/10/2010 16:20:25 - Windows Update
    RP44: 28/10/2010 17:48:21 - ComboFix created restore point
    RP45: 31/10/2010 19:35:29 - Installed Java(TM) 6 Update 22
    RP46: 01/11/2010 03:00:49 - Windows Update
    RP47: 02/11/2010 03:00:15 - Windows Update
    RP48: 04/11/2010 20:13:25 - Windows Update
    RP50: 09/11/2010 07:02:00 - Installed LEGO® Indiana Jones™
    RP52: 09/11/2010 07:04:59 - Installed LEGO® Indiana Jones™
    RP53: 11/11/2010 03:00:46 - Windows Update
    RP54: 15/11/2010 08:48:38 - ComboFix created restore point
    RP56: 20/11/2010 14:29:51 - Windows Live Essentials
    RP57: 20/11/2010 14:31:38 - WLSetup
    RP58: 25/11/2010 03:00:28 - Windows Update
    RP59: 27/11/2010 19:01:30 - ComboFix created restore point
    RP60: 27/11/2010 19:36:04 - Windows Modules Installer
    RP61: 01/12/2010 08:40:33 - Windows Update
    RP62: 11/12/2010 02:52:23 - Scheduled Checkpoint
    RP63: 18/12/2010 09:56:22 - Windows Update
    RP64: 18/12/2010 10:10:34 - Windows Update
    RP65: 20/12/2010 15:34:46 - Removed BBC iPlayer Desktop
    RP66: 04/01/2011 03:00:57 - Scheduled Checkpoint
    RP67: 13/01/2011 11:01:20 - Windows Update
    RP68: 16/01/2011 08:30:32 - Installed Java(TM) 6 Update 23
    RP70: 18/01/2011 17:21:08 - Windows Live Essentials
    RP71: 18/01/2011 17:23:09 - Windows Update
    RP73: 18/01/2011 17:24:15 - Installed DirectX
    RP75: 18/01/2011 17:25:31 - Installed DirectX
    RP76: 18/01/2011 17:31:06 - WLSetup
    RP78: 21/01/2011 14:37:04 - Windows Live Essentials
    RP79: 21/01/2011 14:38:13 - WLSetup
    RP81: 02/02/2011 20:35:49 - Windows Live Essentials
    RP83: 02/02/2011 20:41:04 - Windows Live Essentials
    RP84: 02/02/2011 20:44:18 - WLSetup
    RP85: 06/02/2011 21:56:23 - Windows Modules Installer
    RP86: 12/02/2011 07:55:09 - Windows Update
    RP87: 16/02/2011 11:47:26 - Windows Update

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.2
    Adobe Shockwave Player 11.5
    avast! Free Antivirus
    BECTA Home Access Activation Tool
    CCleaner
    D3DX10
    Java Auto Updater
    Java(TM) 6 Update 23
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.13)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OGA Notifier 2.0.0048.0
    Paint.NET v3.5.5
    PlayReady PC Runtime x86
    Read And Write Home Access
    Realtek 8136 8168 8169 Ethernet Driver
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Spelling Dictionaries Support For Adobe Reader 9
    T-Mobile Internet Manager
    TOSHIBA Assist
    TOSHIBA Disc Creator
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Flash Cards Support Utility
    Toshiba Manuals
    TOSHIBA Value Added Package
    TOSHIBA Web Camera Application
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2492475)
    Utility Common Driver
    VLC media player 1.0.1
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    ZoneAlarm

    ==== Event Viewer Messages From Past Week ========

    21/02/2011 12:43:06, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: tcpipBM
    21/02/2011 12:42:49, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
    21/02/2011 12:42:49, Error: atikmdag [43029] - Display is not active
    21/02/2011 12:03:10, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    21/02/2011 12:03:10, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    21/02/2011 12:03:10, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    21/02/2011 12:03:09, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    21/02/2011 12:03:09, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    21/02/2011 12:03:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    21/02/2011 12:03:02, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    21/02/2011 12:02:48, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSP aswTdi CSC DfsC discache MPFP NetBIOS NetBT nsiproxy Psched rdbss spldr Tcpip tcpipBM tdx Vsdatant vwififlt Wanarpv6 WfpLwf
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the Zone Alarm Firewall Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    21/02/2011 12:02:48, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    21/02/2011 11:31:59, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
    21/02/2011 10:31:22, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    20/02/2011 09:39:03, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
    18/02/2011 04:29:42, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    16/02/2011 07:56:30, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort3.

    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware.

    It's all about location, location, location!!!

    conhost.exe can be either a legitimate OS file when located in %WINDIR%\%System%, or malware added by Troj/DwnLdr-IQK if located in \%AppData%\.

    Taskhost.exe is a generic host process for Windows 7 32-bit services when its location is C:\Windows\System32\Taskhost.exe. If located in \%AppData%\, it has been added by the W32/AutoRun-BM worm! Note: it spreads via removable media.

    Schlpr.exe is part of CGI / FastCGI, an open extension to CGI that provides high performance for all Internet applications without any of the limitations of existing Web server APIs. http://www.fastcgi.com/drupal/

    Scrlink.exe belongs to SCBackup, which is used to back up your mobile phone data:
    http://www.scbackup.fi/what_is_scbackup.html

    Media test failure. Check cable / Exiting PXE ROM: please see this site for a description, cause and resolution, with links: http://www.computerhope.com/issues/ch000706.htm
    =====================================================
    Please run the following while I finish checking these logs:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then press Ctrl+V. The log will be sent from the clipboard and pasted into the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
    ============================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query - Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If ComboFix asks you to update the program, allow it
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think I found your main problem:

    You have this on the system:
    S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-8 359952]

    It won't let the user open a site it is blocking. It starts up at any time when your system is on; sometimes it appears even when you close it from Task Manager. You should run the McAfee Removal Tool. If that doesn't remove it, you can do it manually, and if it's still causing the problem, I can remove it with a script you'll run through Combofix.

    First, run the Uninstall: McAfee Removal

    Second, if process still runs: Click on Start> Run> type in services.msc> enter> Double click on McAfee Proxy Service> Stop the Service> Change the Startup type to Disable.> then click on the LogOn tab> it will show Profile 1 Enabled- this is the default hardware profile> click on the Disable button> Apply> OK

    EDIT to delete image and URL for possibly embedded adware.
     
  4. chix2k10

    chix2k10 TS Rookie Topic Starter

    Ok, firstly thanks very much for the speedy reply! I used the Eset online scanner and found nothing, so was unable to copy any results. I then used Combofix; the results will be below. I then read your advice on the McAfee proxy thing. I looked on add/remove programs and nothing is there regarding that, nor in the windows task manager, although something has clearly been deleted using MCPR.exe. Upon trying to use firefox to access the internet after using combofix I had an error message saying 'illegal operation attempted on a registry key that has been marked for deletion. It may have been moved, renamed or deleted'; the same for I.E too. I was only able to use it after rebooting. Once the internet was accessed I got a bar at the top of the page telling me that I am now earning gamers unite coins for my purchase of McAfee for $11. I have attached the screen print of this message. I certainly didn't purchase this and I haven't installed McAfee. I still have multiple processes of what I named in the last mail, maybe 4 of each. The sites that this problem is blocking are always used, so I don't understand how it started blocking them after clicking that link.

    It's all very strange


    ComboFix 11-02-21.02 - Mum 22/02/2011 19:11:55.7.1 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.766.243 [GMT 0:00]
    Running from: c:\users\Mum\Desktop\cumbyfix.exe
    AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
    SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
    .

    2011-02-21 10:05 . 2011-02-21 10:05 -------- d-----w- c:\users\Mum\AppData\Local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
    2011-02-12 18:29 . 2011-02-12 18:29 -------- d-----w- c:\users\Mum\AppData\Local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
    2011-02-11 15:02 . 2011-01-05 03:37 2329088 ----a-w- c:\windows\system32\win32k.sys
    2011-02-11 15:02 . 2010-12-18 05:29 541184 ----a-w- c:\windows\system32\kerberos.dll
    2011-02-11 15:02 . 2011-01-05 05:37 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-02-11 15:02 . 2010-12-18 05:29 860160 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
    2011-02-11 15:02 . 2010-12-18 05:33 673040 ----a-w- c:\program files\Internet Explorer\iexplore.exe
    2011-02-11 15:00 . 2010-12-21 05:36 1389568 ----a-w- c:\windows\system32\msxml6.dll
    2011-02-11 15:00 . 2010-12-21 05:38 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-02-11 15:00 . 2010-12-21 05:36 1236992 ----a-w- c:\windows\system32\msxml3.dll
    2011-02-11 15:00 . 2010-12-21 05:38 350720 ----a-w- c:\windows\system32\winhttp.dll
    2011-02-11 15:00 . 2010-12-21 05:38 204800 ----a-w- c:\windows\system32\WebClnt.dll
    2011-02-11 15:00 . 2010-12-21 05:34 80384 ----a-w- c:\windows\system32\davclnt.dll
    2011-02-11 15:00 . 2010-12-21 05:38 51200 ----a-w- c:\windows\system32\wscapi.dll
    2011-02-11 15:00 . 2010-12-21 05:38 14336 ----a-w- c:\windows\system32\slwga.dll
    2011-02-11 15:00 . 2010-12-21 05:38 73728 ----a-w- c:\windows\system32\wscsvc.dll
    2011-02-11 15:00 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2011-02-06 22:02 . 2011-02-06 22:02 -------- d-----w- c:\users\Mum\AppData\Local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
    2011-02-04 08:39 . 2011-02-04 08:40 -------- d-----w- c:\users\Mum\AppData\Local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
    2011-02-03 16:17 . 2011-02-03 16:17 -------- d-----w- c:\users\Mum\AppData\Local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
    2011-02-02 20:52 . 2011-02-02 20:52 -------- d-----w- c:\users\Mum\AppData\Local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
    2011-02-02 20:37 . 2011-02-02 20:37 -------- d-----w- C:\7b948f167fc0ed9f8bf22971
    2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-13 08:47 . 2010-08-17 13:03 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-13 08:47 . 2010-08-17 13:03 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-13 08:41 . 2010-08-17 13:04 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-13 08:40 . 2010-08-17 13:04 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-13 08:37 . 2010-08-17 13:04 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-13 08:37 . 2010-08-17 13:04 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-01-13 08:37 . 2010-08-17 13:04 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-12-23 12:20 . 2010-08-22 17:20 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2010-12-23 12:19 . 2010-08-22 17:19 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2010-12-23 12:19 . 2010-08-22 17:19 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-12-20 13:40 . 2010-08-30 11:24 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2010-12-20 13:40 . 2010-08-30 11:23 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2010-12-20 13:40 . 2010-09-08 00:10 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2010-12-10 21:07 . 2010-12-10 21:09 737280 ----a-w- c:\windows\iun6002.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-02-21_10.31.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-09-08 13:42 . 2011-02-22 19:06 36680 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 04:55 . 2011-02-22 19:06 57114 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-07-07 07:17 . 2011-02-22 19:07 11748 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2365872316-2932340085-2808364130-1003_UserData.bin
    + 2009-07-13 23:43 . 2009-07-14 01:14 83968 c:\windows\System32\RegisterIEPKEYs.exe
    + 2011-02-21 11:40 . 2010-12-20 18:09 38224 c:\windows\System32\drivers\mbamswissarmy.sys
    + 2011-02-21 11:40 . 2010-12-20 18:08 20952 c:\windows\System32\drivers\mbam.sys
    + 2010-05-19 17:06 . 2011-02-22 19:03 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-05-19 17:06 . 2011-02-21 10:10 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-05-19 17:06 . 2011-02-21 10:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-05-19 17:06 . 2011-02-22 19:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:41 . 2011-02-21 10:10 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:41 . 2011-02-22 19:03 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:34 . 2011-02-22 19:07 87304 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2010-07-06 17:23 . 2011-02-22 19:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-07-06 17:23 . 2011-02-21 10:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-07-06 17:23 . 2011-02-22 19:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-07-06 17:23 . 2011-02-21 10:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-13 23:19 . 2009-07-14 01:04 69120 c:\windows\diagnostics\system\IESecurity\DiagPackage.dll
    + 2009-07-13 23:19 . 2009-07-14 01:04 92160 c:\windows\diagnostics\system\IEBrowseWeb\DiagPackage.dll
    + 2010-07-07 20:54 . 2011-02-22 19:01 9202 c:\windows\System32\wdi\ERCQueuedResolutions.dat
    - 2010-07-07 20:54 . 2011-02-21 10:02 9202 c:\windows\System32\wdi\ERCQueuedResolutions.dat
    - 2011-02-21 10:17 . 2011-02-21 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-02-22 19:03 . 2011-02-22 19:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-02-21 10:17 . 2011-02-21 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-22 19:03 . 2011-02-22 19:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-01-20 15:17 . 2011-02-22 18:08 205416 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
    - 2009-07-14 02:05 . 2011-02-11 10:52 631364 c:\windows\System32\perfh009.dat
    + 2009-07-14 02:05 . 2011-02-21 10:45 631364 c:\windows\System32\perfh009.dat
    - 2009-07-14 02:05 . 2011-02-11 10:52 111456 c:\windows\System32\perfc009.dat
    + 2009-07-14 02:05 . 2011-02-21 10:45 111456 c:\windows\System32\perfc009.dat
    - 2009-07-14 04:47 . 2011-02-21 10:15 387236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 04:47 . 2011-02-22 19:01 387236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-09-25 09:16 . 2011-02-22 19:01 388004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2365872316-2932340085-2808364130-1003-12288.dat
    - 2010-09-25 09:16 . 2011-02-21 10:15 388004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2365872316-2932340085-2808364130-1003-12288.dat
    + 2009-07-14 02:03 . 2011-02-22 19:17 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
    - 2009-07-14 02:03 . 2011-02-21 09:01 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
    - 2009-07-14 04:34 . 2011-02-12 18:24 3917646 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2009-07-14 04:34 . 2011-02-22 19:07 3917646 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HW_OPENEYE_OUC_T-Mobile Internet Manager"="c:\program files\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe" [2009-12-31 110592]
    "scrlink"="c:\program files\SCBackup\scrlink.lnk" [2010-08-01 686]
    "Mobile Partner"="c:\program files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe" [2010-07-06 114688]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
    "KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
    "DataCardMonitor"="c:\program files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe" [2010-07-06 253952]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    c:\users\Mum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
    S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-12-22 991776]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - BMLoad

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Mum\AppData\Roaming\Mozilla\Firefox\Profiles\9b5tlkvs.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Search the Web
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-02-22 19:24:36
    ComboFix-quarantined-files.txt 2011-02-22 19:24
    ComboFix2.txt 2011-02-21 10:32
    ComboFix3.txt 2010-11-27 19:14
    ComboFix4.txt 2010-11-15 09:02
    ComboFix5.txt 2011-02-22 19:10

    Pre-Run: 87,051,280,384 bytes free
    Post-Run: 87,004,692,480 bytes free

    - - End Of File - - F2309E920D8E26FC66848CE6AEA03C54
     

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The image appears to be part of the McAfee Removal Tool. And it may be that an ad was embedded in the image I left with the URL below it. I am going to delete both. Give me a bit to go over the Combofix log.

    BTW, I also noticed that you have previous scans of Combofix:
    ComboFix3.txt 2010-11-27 19:14
    ComboFix4.txt 2010-11-15 09:02

    Did you get help somewhere for those scans? Because we have you uninstall Combofix, its logs and backups at the end of cleaning.
     
  6. chix2k10

    chix2k10 TS Rookie Topic Starter

    I did try at another site but never got very far :dead:
    The first time this laptop was infected I sought help at another site. They advised using combofix, which I did. It helped me get back online but after some time it was appearing again. Each time I used combofix to bail me out. I was never guided to the right help (my opinion).

    I've been told to download a program called Rkill, from an uninfected machine, and to delete all my protection, as it's now corrupt by this virus, but wanted to check with someone I know is going to guide me properly. This thing is stealing my broadband at the turn of each month too. I'm totally stuck as to what this is. The first time, it was even disconnecting me saying that it had been terminated by a remote source.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you do this?
    When helping someone clean malware, when we feel it is appropriate, we have the user run Combofix. Then, after checking the log, if needed, we write a script for the user to run through Combofix to move or change an entry. At the end of cleaning, we have the user uninstall Combofix, its logs and the backups it created. It shouldn't be left on the system.
    =======================================
    You have a keylogger running. This isn't a drive-by; it has to be manually installed. The full name is "Omniquad Desktop Surveillance Personal Edition 6.0.3" but you may see only Spyware.DsktopSurveil. The program can have two modes of operation: Misuse Prevention and Stealth Surveillance.
    It has the ability to capture screen shots, log key strokes and steal information. It can run hidden. I only find one entry visible, but I will want you to reveal hidden files and folders when you go to uninstall it. So if you did not intentionally install it for misuse prevention, then it becomes a stealth surveillance program.
    First, go to the Control Panel> Folder Options> View tab> Check 'show hidden files and folders' and uncheck 'hide protected system operating system files (Recommended)'> Confirm with a Yes> Click on Apply> OK:
    To remove a program in Windows 7:
    1. Go to the Control Panel> Programs and Features> NOTE: The options will be either Uninstall, Change, Uninstall/Change, Repair, or Change/Repair.
    2. A program may not have all the options available for it>
    3. Choose 'uninstall a program'> To confirm, answer Yes.
    4. Look for "Omniquad Desktop Surveillance Personal Edition 6.0.3" or possibly just Spyware.DsktopSurveil> Click to Highlight> Uninstall.
    5. Exit.

    If you have found and uninstalled the above named program: Use Windows Explorer to access the program folders> do a right click> Delete on this program's folders. Exit Windows Explorer
    =======================================
    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe
    c:\windows\iun6002.exe
    
    DirLook::
    c:\users\mum\appdata\local\{D19E1DB4-699C-413C-99FE-497A2B3B4122}
    c:\users\mum\appdata\local\{A74757E3-B3E1-4829-8355-FB1D95085076}
    c:\users\mum\appdata\local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
    c:\users\mum\appdata\local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
    c:\users\mum\appdata\local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
    c:\users\mum\appdata\local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
    c:\users\mum\appdata\local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
    c:\users\mum\appdata\local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
    Extra::
    File::
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    Firefox:: 
    Firefox-:-Profile- c:\users\Mum\AppData\Roaming\Mozilla\Firefox\Profiles\9b5tlkvs.default\
    
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    Driver::
    McProxy
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please go back and rehide the files and folders when finished.
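As an added example (not code from this thread, from the helper, or from ComboFix itself): a small Python reader for the ComboFix log format posted above that pulls out the three things a helper looks at before writing a CFScript, namely the {GUID} folders created under AppData\Local (which go into a DirLook:: block exactly as in the script above), the Run-key autostarts, and the UAC policy values. The sample log is constructed from lines in this thread; the function and regex names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix log posted earlier in this
# thread, trimmed to the sections this reader looks at.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
.

2011-02-21 10:05 . 2011-02-21 10:05 -------- d-----w- c:\users\Mum\AppData\Local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
2011-02-12 18:29 . 2011-02-12 18:29 -------- d-----w- c:\users\Mum\AppData\Local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
2011-02-11 15:02 . 2011-01-05 03:37 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-02 20:37 . 2011-02-02 20:37 -------- d-----w- C:\7b948f167fc0ed9f8bf22971
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scrlink"="c:\program files\SCBackup\scrlink.lnk" [2010-08-01 686]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

# "<created> . <modified> <size-or-dashes> <attrs> <path>" as ComboFix prints it
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (-+|\d+) (\S{8}) (.+)$")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
GUID_DIR_RE = re.compile(r"\\AppData\\Local\\\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class ComboFixReport:
    created_dirs: list = field(default_factory=list)   # directories in "Files Created"
    created_files: list = field(default_factory=list)  # files in "Files Created"
    run_entries: list = field(default_factory=list)    # (registry key, value name, target)
    uac_policy: dict = field(default_factory=dict)     # policies\system DWORDs


def parse_combofix_log(text):
    """Walk the log line by line; the registry sections are REGEDIT4-style blocks."""
    rep = ComboFixReport()
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            path = m.group(5)
            (rep.created_dirs if m.group(4).startswith("d") else rep.created_files).append(path)
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key:
            name, rest = m.groups()
            if current_key.lower().endswith(r"\policies\system"):
                num = re.match(r"\s*(\d+)", rest)          # '= 0 (0x0)' -> 0
                if num:
                    rep.uac_policy[name] = int(num.group(1))
            elif current_key.lower().endswith(r"\currentversion\run"):
                tgt = re.match(r'"([^"]*)"', rest)          # quoted path before [date size]
                rep.run_entries.append((current_key, name, tgt.group(1) if tgt else rest))
    return rep


def guid_dirs_to_inspect(rep):
    """AppData\\Local\\{GUID} folders that appeared in the scan window. Often benign
    installer work dirs, which is why the helper lists them (DirLook::) before acting."""
    return [p for p in rep.created_dirs if GUID_DIR_RE.search(p)]


def uac_findings(rep):
    """Read the policies\\system values the log prints; 0 in each case weakens UAC."""
    findings = []
    if rep.uac_policy.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is off, admin processes run fully elevated")
    if rep.uac_policy.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation without any prompt")
    if rep.uac_policy.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts are not shown on the secure desktop")
    return findings


def shortcut_autoruns(rep):
    """Run-key values whose target is a .lnk: the log shows only the shortcut, so the
    real program it points at still has to be resolved and checked."""
    return [(k, n, t) for k, n, t in rep.run_entries if t.lower().endswith(".lnk")]


def build_dirlook_script(dirs):
    """Emit a DirLook:: block in the CFScript layout used in this thread."""
    return "DirLook::\n" + "\n".join(d.lower() for d in dirs) + "\n"


if __name__ == "__main__":
    report = parse_combofix_log(SAMPLE_LOG)
    for f in uac_findings(report):
        print("UAC:", f)
    for key, name, target in shortcut_autoruns(report):
        print("Run-key shortcut:", name, "->", target)
    print(build_dirlook_script(guid_dirs_to_inspect(report)))
```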
     
  8. chix2k10

    chix2k10 TS Rookie Topic Starter

    Ok I have tried locating McAfee in services.msc but it's not there. The program Omniquad Desktop Surveillance Personal Edition 6.0.3 or Spyware.DsktopSurveil is not visible in add/remove either. I have checked the appropriate boxes in folder options. I'm not sure if I should carry on as instructed in your previous post, so will wait.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Our posts have overlapped. Please continue on with directions. I have included the entries in the script.
     
  10. chix2k10

    chix2k10 TS Rookie Topic Starter

    ComboFix 11-02-25.02 - Mum 26/02/2011 20:52:44.8.1 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.766.321 [GMT 0:00]
    Running from: c:\users\Mum\Desktop\cumbyfix.exe
    Command switches used :: c:\users\Mum\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
    SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point

    FILE ::
    "c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}"
    "c:\windows\iun6002.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\iun6002.exe

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-26 to 2011-02-26 )))))))))))))))))))))))))))))))
    .

    2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Mum\AppData\Local\temp
    2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2011-02-24 03:00 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
    2011-02-23 20:28 . 2011-02-23 20:28 -------- d-----w- c:\users\Mum\AppData\Local\{A4E16013-81FA-45AC-8C49-1DD50110D88F}
    2011-02-23 08:58 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-23 08:58 . 2011-01-07 07:31 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-23 07:43 . 2011-02-23 07:44 -------- d-----w- c:\users\Mum\AppData\Local\{974BBBD6-A588-437A-986D-DD1F744D0A46}
    2011-02-22 19:05 . 2011-02-22 19:05 -------- d-----w- c:\users\Mum\AppData\Local\{A10B346B-ED05-4BF9-A6E0-68A5F88F11AE}
    2011-02-22 18:14 . 2011-02-22 18:14 -------- d-----w- c:\program files\ESET
    2011-02-21 12:44 . 2011-02-21 12:44 -------- d-----w- c:\users\Mum\AppData\Local\{D19E1DB4-699C-413C-99FE-497A2B3B4122}
    2011-02-21 11:40 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-21 11:40 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-21 11:23 . 2011-02-21 11:23 -------- d-----w- c:\users\Mum\AppData\Local\{A74757E3-B3E1-4829-8355-FB1D95085076}
    2011-02-21 10:05 . 2011-02-21 10:05 -------- d-----w- c:\users\Mum\AppData\Local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
    2011-02-12 18:29 . 2011-02-12 18:29 -------- d-----w- c:\users\Mum\AppData\Local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
    2011-02-11 15:02 . 2011-01-05 03:37 2329088 ----a-w- c:\windows\system32\win32k.sys
    2011-02-11 15:02 . 2010-12-18 05:29 541184 ----a-w- c:\windows\system32\kerberos.dll
    2011-02-11 15:02 . 2011-01-05 05:37 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-02-11 15:02 . 2010-12-18 05:29 860160 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
    2011-02-11 15:02 . 2010-12-18 05:33 673040 ----a-w- c:\program files\Internet Explorer\iexplore.exe
    2011-02-11 15:00 . 2010-12-21 05:36 1389568 ----a-w- c:\windows\system32\msxml6.dll
    2011-02-11 15:00 . 2010-12-21 05:38 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-02-11 15:00 . 2010-12-21 05:36 1236992 ----a-w- c:\windows\system32\msxml3.dll
    2011-02-11 15:00 . 2010-12-21 05:38 350720 ----a-w- c:\windows\system32\winhttp.dll
    2011-02-11 15:00 . 2010-12-21 05:38 204800 ----a-w- c:\windows\system32\WebClnt.dll
    2011-02-11 15:00 . 2010-12-21 05:34 80384 ----a-w- c:\windows\system32\davclnt.dll
    2011-02-11 15:00 . 2010-12-21 05:38 51200 ----a-w- c:\windows\system32\wscapi.dll
    2011-02-11 15:00 . 2010-12-21 05:38 14336 ----a-w- c:\windows\system32\slwga.dll
    2011-02-11 15:00 . 2010-12-21 05:38 73728 ----a-w- c:\windows\system32\wscsvc.dll
    2011-02-11 15:00 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2011-02-06 22:02 . 2011-02-06 22:02 -------- d-----w- c:\users\Mum\AppData\Local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
    2011-02-04 08:39 . 2011-02-04 08:40 -------- d-----w- c:\users\Mum\AppData\Local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
    2011-02-03 16:17 . 2011-02-03 16:17 -------- d-----w- c:\users\Mum\AppData\Local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
    2011-02-02 20:52 . 2011-02-02 20:52 -------- d-----w- c:\users\Mum\AppData\Local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
    2011-02-02 20:37 . 2011-02-02 20:37 -------- d-----w- C:\7b948f167fc0ed9f8bf22971
    2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-13 08:47 . 2010-08-17 13:03 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-13 08:47 . 2010-08-17 13:03 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-13 08:41 . 2010-08-17 13:04 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-13 08:40 . 2010-08-17 13:04 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-13 08:37 . 2010-08-17 13:04 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-13 08:37 . 2010-08-17 13:04 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-01-13 08:37 . 2010-08-17 13:04 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-12-23 12:20 . 2010-08-22 17:20 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2010-12-23 12:19 . 2010-08-22 17:19 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2010-12-23 12:19 . 2010-08-22 17:19 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-12-20 13:40 . 2010-08-30 11:24 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2010-12-20 13:40 . 2010-08-30 11:23 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2010-12-20 13:40 . 2010-09-08 00:10 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\users\mum\appdata\local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A} ----


    ---- Directory of c:\users\mum\appdata\local\{7C741CBC-2630-4A21-A39A-A116D5983BF8} ----


    ---- Directory of c:\users\mum\appdata\local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8} ----


    ---- Directory of c:\users\mum\appdata\local\{9CCC493B-40FF-451D-8B69-D5718E1EE451} ----


    ---- Directory of c:\users\mum\appdata\local\{A74757E3-B3E1-4829-8355-FB1D95085076} ----


    ---- Directory of c:\users\mum\appdata\local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355} ----


    ---- Directory of c:\users\mum\appdata\local\{D19E1DB4-699C-413C-99FE-497A2B3B4122} ----


    ---- Directory of c:\users\mum\appdata\local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5} ----



    ((((((((((((((((((((((((((((( SnapShot@2011-02-21_10.31.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-13 23:52 . 2009-07-14 01:16 20992 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\WcnEapPeerProxy.dll
    + 2009-07-13 23:52 . 2009-07-14 01:16 20480 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\WcnEapAuthProxy.dll
    + 2009-07-13 23:53 . 2009-07-14 01:16 86528 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\WcnApi.dll
    + 2009-07-13 23:53 . 2009-07-14 01:15 81920 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\fdWCN.dll
    + 2009-07-13 23:52 . 2009-07-14 01:16 20992 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\WcnEapPeerProxy.dll
    + 2009-07-13 23:52 . 2009-07-14 01:16 20480 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\WcnEapAuthProxy.dll
    + 2009-07-13 23:53 . 2009-07-14 01:16 86528 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\WcnApi.dll
    + 2009-07-13 23:53 . 2009-07-14 01:15 81920 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\fdWCN.dll
    + 2009-09-08 13:42 . 2011-02-23 20:29 37020 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 04:55 . 2011-02-23 20:29 57114 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-07-07 07:17 . 2011-02-23 20:29 11918 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2365872316-2932340085-2808364130-1003_UserData.bin
    + 2009-07-13 23:43 . 2009-07-14 01:14 83968 c:\windows\System32\RegisterIEPKEYs.exe
    - 2010-05-19 17:06 . 2011-02-21 10:10 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-05-19 17:06 . 2011-02-26 19:13 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-05-19 17:06 . 2011-02-26 19:13 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-05-19 17:06 . 2011-02-21 10:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:41 . 2011-02-26 19:13 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:41 . 2011-02-21 10:10 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:34 . 2011-02-22 19:47 87512 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2009-07-14 04:34 . 2011-02-21 10:06 87512 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2010-07-06 17:23 . 2011-02-26 20:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-07-06 17:23 . 2011-02-21 10:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-07-06 17:23 . 2011-02-21 10:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-07-06 17:23 . 2011-02-26 20:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-13 23:19 . 2009-07-14 01:04 69120 c:\windows\diagnostics\system\IESecurity\DiagPackage.dll
    + 2009-07-13 23:19 . 2009-07-14 01:04 92160 c:\windows\diagnostics\system\IEBrowseWeb\DiagPackage.dll
    - 2010-07-07 20:54 . 2011-02-21 10:02 9202 c:\windows\System32\wdi\ERCQueuedResolutions.dat
    + 2010-07-07 20:54 . 2011-02-23 20:25 9202 c:\windows\System32\wdi\ERCQueuedResolutions.dat
    - 2010-07-07 15:54 . 2011-02-16 16:42 3000 c:\windows\System32\wdi\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
    + 2010-07-07 15:54 . 2011-02-23 00:15 3000 c:\windows\System32\wdi\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
    - 2011-02-21 10:17 . 2011-02-21 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-02-23 20:26 . 2011-02-23 20:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-02-21 10:17 . 2011-02-21 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-23 20:26 . 2011-02-23 20:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-24 03:00 . 2010-09-20 04:35 276992 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\wcncsvc.dll
    + 2011-02-24 03:00 . 2010-09-14 06:07 276992 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\wcncsvc.dll
    + 2011-02-23 08:58 . 2011-01-07 07:34 870912 c:\windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7601.21636_none_ae208a9c88b972b5\XpsPrint.dll
    + 2011-02-23 08:58 . 2011-01-07 07:46 870912 c:\windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7601.17537_none_ad97ee1b6f9aec42\XpsPrint.dll
    + 2011-02-23 08:58 . 2011-01-07 07:38 442880 c:\windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7600.20875_none_ac0ded9c8bb45d36\XpsPrint.dll
    + 2011-02-23 08:58 . 2011-01-07 07:31 442880 c:\windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7600.16734_none_abae903772773451\XpsPrint.dll
    + 2011-02-23 08:58 . 2011-01-07 07:34 288256 c:\windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7601.21636_none_1569dcfc62beeaee\XpsGdiConverter.dll
    + 2011-02-23 08:58 . 2011-01-07 07:46 288256 c:\windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7601.17537_none_14e1407b49a0647b\XpsGdiConverter.dll
    + 2011-02-23 08:58 . 2011-01-07 07:38 288256 c:\windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.20875_none_13573ffc65b9d56f\XpsGdiConverter.dll
    + 2011-02-23 08:58 . 2011-01-07 07:31 288256 c:\windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.16734_none_12f7e2974c7cac8a\XpsGdiConverter.dll
    + 2010-01-20 15:17 . 2011-02-26 19:11 207610 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
    + 2010-05-07 18:03 . 2011-02-25 13:53 386566 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2009-07-14 02:05 . 2011-02-11 10:52 631364 c:\windows\System32\perfh009.dat
    + 2009-07-14 02:05 . 2011-02-21 10:45 631364 c:\windows\System32\perfh009.dat
    - 2009-07-14 02:05 . 2011-02-11 10:52 111456 c:\windows\System32\perfc009.dat
    + 2009-07-14 02:05 . 2011-02-21 10:45 111456 c:\windows\System32\perfc009.dat
    + 2011-02-22 19:55 . 2011-02-22 19:55 262144 c:\windows\System32\config\TxR\NTUSER.DAT
    + 2011-02-22 19:55 . 2011-02-22 19:55 262144 c:\windows\System32\config\RegBack\NTUSER.DAT
    + 2011-02-22 19:55 . 2011-02-22 19:55 262144 c:\windows\System32\config\Journal\NTUSER.DAT
    - 2009-07-14 04:47 . 2011-02-21 10:15 387236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 04:47 . 2011-02-23 20:25 387236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-09-25 09:16 . 2011-02-23 20:25 388004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2365872316-2932340085-2808364130-1003-12288.dat
    - 2010-09-25 09:16 . 2011-02-21 10:15 388004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2365872316-2932340085-2808364130-1003-12288.dat
    - 2009-07-14 02:03 . 2011-02-21 09:01 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
    + 2009-07-14 02:03 . 2011-02-26 12:37 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
    + 2009-07-14 04:34 . 2011-02-22 19:07 3917646 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2009-07-14 04:34 . 2011-02-12 18:24 3917646 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2011-01-13 11:26 . 2011-02-24 03:00 16739055 c:\windows\winsxs\ManifestCache\ee9f676b8aa4122b_blobs.bin
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HW_OPENEYE_OUC_T-Mobile Internet Manager"="c:\program files\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe" [2009-12-31 110592]
    "scrlink"="c:\program files\SCBackup\scrlink.lnk" [2010-08-01 686]
    "Mobile Partner"="c:\program files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe" [2010-07-06 114688]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
    "KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
    "DataCardMonitor"="c:\program files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe" [2010-07-06 253952]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    c:\users\Mum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
    S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-12-22 991776]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - BMLoad

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Mum\AppData\Roaming\Mozilla\Firefox\Profiles\9b5tlkvs.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Search the Web
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-02-26 21:03:03
    ComboFix-quarantined-files.txt 2011-02-26 21:03
    ComboFix2.txt 2011-02-22 19:24
    ComboFix3.txt 2011-02-21 10:32
    ComboFix4.txt 2010-11-27 19:14
    ComboFix5.txt 2011-02-26 20:49

    Pre-Run: 87,013,773,312 bytes free
    Post-Run: 86,958,129,152 bytes free

    - - End Of File - - D979DDB5A0F03C9E12ECE79D44E20B3E
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please be patient with me a bit longer. I'm looking into the appdata entries such as this:
2011-02-21 11:23 . 2011-02-21 11:23 -------- d-----w- c:\users\Mum\AppData\Local\{A74757E3-B3E1-4829-8355-FB1D95085076}

    I can't ID any of the strings and the folders come up empty. I'm hoping to learn what the apps are. I remove some, and others come back. I'm not sure if this is a Windows 7 'thing'! You are not the only member with these entries.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Safe to delete because they are empty! But still don't know what's creating them!

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Registry::
    c:\users\Mum\AppData\Local\{A4E16013-81FA-45AC-8C49-1DD50110D88F}
    c:\users\Mum\AppData\Local\{974BBBD6-A588-437A-986D-DD1F744D0A46}
    c:\users\Mum\AppData\Local\{A10B346B-ED05-4BF9-A6E0-68A5F88F11AE}
    c:\users\Mum\AppData\Local\{D19E1DB4-699C-413C-99FE-497A2B3B4122}
    c:\users\Mum\AppData\Local\{A74757E3-B3E1-4829-8355-FB1D95085076}
    c:\users\Mum\AppData\Local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
    c:\users\Mum\AppData\Local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
    c:\users\Mum\AppData\Local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
    c:\users\Mum\AppData\Local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
    c:\users\Mum\AppData\Local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
    c:\users\Mum\AppData\Local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . No need to leave log.
    ====================
    Did you run the Eset online virus scan? I haven't seen the log.

    If the processes you asked about are coming up when you start the computer, they may be on the Startup menu. Verify the locations I gave you and remove from Startup accordingly.
    ===================================
    One last scan: Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    If no entries need to be removed, I'll have you remove the cleaning tools- which will include all of the 'left over' Combofix entries.
     
  13. chix2k10

    chix2k10 TS Rookie Topic Starter

    Have dragged the CFScript to ComboFix. Upon opening, a warning popped up saying 'it appears you have a corrupt download please download a fresh copy of combofix'. Not sure if I should do this or just let it run? I also don't know what you mean by 'Verify the locations I gave you and remove from Startup accordingly.'

    I know nothing about computers so you may need a LOT of patience :)
     
  14. chix2k10

    chix2k10 TS Rookie Topic Starter

    I did do the online scan as directed but it gave me no log! perhaps because it found nothing?
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Just go ahead with the HijackThis scan please.
     
  16. chix2k10

    chix2k10 TS Rookie Topic Starter

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:59:18, on 03/03/2011
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16722)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\System32\taskmgr.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TE4470~1.DLL
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
    O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
    O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [HW_OPENEYE_OUC_T-Mobile Internet Manager] "C:\Program Files\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe"
    O4 - HKCU\..\Run: [scrlink] C:\Program Files\SCBackup\scrlink.lnk
    O4 - HKCU\..\Run: [Mobile Partner] "C:\Program Files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

    --
    End of file - 4611 bytes
     
  17. chix2k10

    chix2k10 TS Rookie Topic Starter

    At first when opened, it told me that HijackThis seems to have started from a temporary folder and asked me to install it to Program Files instead ??
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That is correct. HijackThis creates backups, these are needed in case of any recovery issues. I would have had you remove any entries. But the log is okay and nothing needs to be removed.

    I will give you some basic references to learn about the machine you're using. We have to study and take a test to get a license to drive. Yet nothing is required to get behind the keyboard of a computer and possibly create havoc on the internet, including spreading malware. Doesn't seem right!

    What is different about running the script in ComboFix now than when you ran it the first time? When you copied the script, did you Save as CFScript.txt, in the same location as ComboFix.exe?

    Do any of the original problems remain?
     
  19. chix2k10

    chix2k10 TS Rookie Topic Starter

    Things were running ok but today the multiple processes of Schlpr.exe
    Taskhost.exe, Conhost.exe and Scrlink.exe are back! Maybe 5 of each process. It took a long time to boot up also. I did save the script as directed.
    I completely agree with you about learning to safely use a computer :) just wish I had learned before I needed help. Thanks for your patience :)
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I described these processes in Reply #2:
    ======================================
    There has been no reply from you for 3 days. I suggested that you confirm the location of the processes to make sure they were legitimate. Perhaps you didn't do that.

    First of all, you are loading processes for T-Mobile:
    Scrlink.exe belongs to SCBackup, which is used to back up your mobile phone data:
    http://www.scbackup.fi/what_is_scbackup.html


    You also mentioned:
    Please contact T-Mobile about your account with them.

    FastCGI could also be a process used by T Mobile.

    Please confirm the locations of the following:
    Full path: C:\Windows\System32\Taskhost.exe.
    Full path: C:\Windows\System32\conhost.exe

    Using Windows Explorer: Right click on start> Explore> Computer> Double click on Local Drive(C)> Windows> click to open System 32> look for Taskhost.exe and conhost.exe. If there, they are legitimate entries.

    FYI:
    The conhost.exe process fixes a fundamental problem in the way previous versions of Windows handled console windows, which broke drag & drop in Vista. It's a completely legitimate executable, as long as it's running from the system32 folder and is signed by Microsoft.

    Is the HijackThis log still on the system or did it get removed?

    Are you experiencing any problems other than seeing these processes?

    You need to use the search capabilities of Google or another search engine to learn what a process is for.
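    As an added illustration of the check described in this reply (not code from the thread or from any tool it mentions), the PowerShell script below lists every running instance of the named processes, confirms each image path sits under System32 and reports its Authenticode signature. The process names are the ones the poster reported; the System32 path test and the "OK"/"CHECK" verdict are assumptions of the example.

```powershell
# Added example, not from the thread. Verifies that the processes the poster saw
# are running from System32 and carry a Microsoft signature, as the helper advises.
# Process names below are the ones reported in the thread (constructed input).
$names = @('taskhost', 'conhost', 'schlpr', 'scrlink')
$system32 = Join-Path $env:windir 'System32'

foreach ($name in $names) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Output ("{0,-10} not running" -f $name)
        continue
    }
    # Several instances with the same name (the poster saw about five of each)
    # are grouped by image path so each distinct binary is checked once.
    $procs | Group-Object -Property Path | ForEach-Object {
        $path = $_.Name
        if ([string]::IsNullOrEmpty($path)) {
            # Path is empty when the process runs at a higher integrity level
            # than this shell; re-run from an elevated PowerShell to read it.
            Write-Output ("{0,-10} {1} instance(s), path not readable (run elevated)" -f $name, $_.Count)
            return
        }
        $inSystem32 = $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        # Assumed rule: OK only if it lives in System32 AND has a valid Microsoft signature.
        $verdict = if ($inSystem32 -and $sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') { 'OK' } else { 'CHECK' }
        Write-Output ("{0,-10} {1} instance(s) {2,-5} {3} [{4}] {5}" -f $name, $_.Count, $verdict, $path, $sig.Status, $signer)
    }
}
```

    On Windows 7 many OS binaries such as taskhost.exe are signed only through catalog files, which Get-AuthenticodeSignature of that era reports as NotSigned, so on that platform treat the System32 path test as the primary signal and the signature column as confirmation only on newer Windows.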
     
  21. chix2k10

    chix2k10 TS Rookie Topic Starter

    Sorry for the MASSIVE delay in replying! A few home issues going on. The processes were in system32.

    That's the only problem I'm having... Why are there multiple processes?

    Thanks again for the help and patience
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If they were in the System 32 folder, they are okay. As for your questions about "why are there so many processes?" You will need to be more specific.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

      Creating a Restore Point in Windows 7:
      • Click on Start> right click on Computer> Properties
      • Select System Protection
      • Click on the Create button (near bottom)
      • Type a name for the Restore Point
      • Click on Create again to save the restore point.

      Deleting all but the most recent System Protection point in Windows 7
      1. Click Start> Computer> right click the C Drive and choose Properties> enter.
      2. Click Disk Cleanup from there.
      3. Click Clean up system files
        This restarts Disk Cleanup to run in elevated mode.
      4. Click the More Options tab
      5. Click the Clean up under System Restore and Shadow Copies.
      6. Click OK.
      7. You will get a confirmation screen> Just click Delete.
      8. Click OK on the Disk Cleanup Screen.
      9. Click Delete Files on the Confirmation screen.
      It will run the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
      Images courtesy lytebyte.

      Empty the Recycle Bin
     
  23. chix2k10

    chix2k10 TS Rookie Topic Starter

    Stuck at the first hurdle as usual! :\ It won't allow me to uninstall ComboFix. I've left the spaces after X and before U, but the first time I tried it told me again that I had a corrupt copy, then scanned.
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you have a log from the scan?
     
Topic Status:
Not open for further replies.
