Inactive Virus seems to start before windows


chix2k10

Every time I start the laptop I get this message:

Media test failure.Check cable
Exiting pxe rom.

In task manager i see many processes of
Schlpr.exe
Taskhost.exe
Conhost.exe
Scrlink.exe

I'm unable to browse my regular sites as it puts up the T-Mobile age lock (I have none), asking me to verify my age with my credit card details!
This problem started after clicking a video link via Facebook! Because I am actually using a dongle, every month all my monthly internet allowance is being used by whatever is infecting me. It also sometimes places an offline tab at the top of Firefox. Any help would be greatly appreciated.

I'm using Windows 7.
Scan logs below.

No threats found using Avast free edition.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5828

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

21/02/2011 11:46:54
mbam-log-2011-02-21 (11-46-54).txt

Scan type: Quick scan
Objects scanned: 163897
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-21 19:35:26
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 Hitachi_HTS545016B9A300 rev.PBBOC64G
Running: 4pgjyon0.exe; Driver: C:\Users\Mum\AppData\Local\Temp\awpdapod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81E85589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81EAA092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-12-12.02) - NTFSx86
Run by Mum at 14:33:45.97 on 21/02/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.766.162 [GMT 0:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe
C:\Users\Mum\AppData\Roaming\T-Mobile Internet Manager\ouc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Mum\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: txthlpBHO Class: {060235dc-6d84-47bd-95d7-a4ef5099a59d} - c:\progra~1\texthe~1\readan~1\TE4470~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [HW_OPENEYE_OUC_T-Mobile Internet Manager] "c:\program files\t-mobile\t-mobile internet manager\updatedog\ouc.exe"
uRun: [scrlink] c:\program files\scbackup\scrlink.lnk
uRun: [Mobile Partner] "c:\program files\t-mobile\t-mobile internet manager\T-Mobile Internet Manager.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [DataCardMonitor] c:\program files\t-mobile\t-mobile internet manager\DataCardMonitor.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\mum\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\mum\appdata\roaming\mozilla\firefox\profiles\9b5tlkvs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\users\mum\appdata\roaming\mozilla\firefox\profiles\9b5tlkvs.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-17 294608]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-17 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-17 51280]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-20 40384]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2010-5-7 24064]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-9-8 167936]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2009-12-22 991776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-7-6 101120]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-19 1343400]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-8 359952]

=============== Created Last 30 ================

2011-02-21 12:44:16 -------- d-----w- c:\users\mum\appdata\local\{D19E1DB4-699C-413C-99FE-497A2B3B4122}
2011-02-21 11:40:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-21 11:40:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-21 11:23:28 -------- d-----w- c:\users\mum\appdata\local\{A74757E3-B3E1-4829-8355-FB1D95085076}
2011-02-21 10:33:03 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-21 10:33:00 -------- d-----w- c:\users\mum\appdata\local\temp
2011-02-21 10:22:35 98816 ----a-w- c:\windows\sed.exe
2011-02-21 10:22:35 89088 ----a-w- c:\windows\MBR.exe
2011-02-21 10:22:35 256512 ----a-w- c:\windows\PEV.exe
2011-02-21 10:22:35 161792 ----a-w- c:\windows\SWREG.exe
2011-02-21 10:05:34 -------- d-----w- c:\users\mum\appdata\local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
2011-02-12 18:29:17 -------- d-----w- c:\users\mum\appdata\local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
2011-02-11 15:02:32 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-11 15:02:25 541184 ----a-w- c:\windows\system32\kerberos.dll
2011-02-11 15:02:21 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-11 15:02:01 860160 ----a-w- c:\program files\internet explorer\iedvtool.dll
2011-02-11 15:00:57 1389568 ----a-w- c:\windows\system32\msxml6.dll
2011-02-11 15:00:56 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-11 15:00:54 1236992 ----a-w- c:\windows\system32\msxml3.dll
2011-02-11 15:00:51 80384 ----a-w- c:\windows\system32\davclnt.dll
2011-02-11 15:00:51 350720 ----a-w- c:\windows\system32\winhttp.dll
2011-02-11 15:00:51 204800 ----a-w- c:\windows\system32\WebClnt.dll
2011-02-11 15:00:50 51200 ----a-w- c:\windows\system32\wscapi.dll
2011-02-11 15:00:50 14336 ----a-w- c:\windows\system32\slwga.dll
2011-02-11 15:00:49 73728 ----a-w- c:\windows\system32\wscsvc.dll
2011-02-11 15:00:26 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-02-06 22:02:41 -------- d-----w- c:\users\mum\appdata\local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
2011-02-04 08:39:54 -------- d-----w- c:\users\mum\appdata\local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
2011-02-03 16:17:34 -------- d-----w- c:\users\mum\appdata\local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
2011-02-02 20:52:23 -------- d-----w- c:\users\mum\appdata\local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
2011-02-02 20:37:18 -------- d-----w- C:\7b948f167fc0ed9f8bf22971
2011-01-30 14:57:00 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-12-21 05:38:19 204288 ----a-w- c:\windows\system32\upnp.dll
2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-10 21:07:59 737280 ----a-w- c:\windows\iun6002.exe

============= FINISH: 14:34:50.70 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 31/05/2010 23:51:58
System Uptime: 21/02/2011 12:42:19 (2 hours ago)

Motherboard: TOSHIBA | | NBWAE
Processor: AMD Sempron(tm) SI-42 | Socket M2/S1G1 | 2100/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 130 GiB total, 80.421 GiB free.
D: is CDROM (UDF)
E: is CDROM (CDFS)
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP41: 08/10/2010 03:18:47 - Scheduled Checkpoint
RP42: 10/10/2010 09:37:03 - Windows Update
RP43: 15/10/2010 16:20:25 - Windows Update
RP44: 28/10/2010 17:48:21 - ComboFix created restore point
RP45: 31/10/2010 19:35:29 - Installed Java(TM) 6 Update 22
RP46: 01/11/2010 03:00:49 - Windows Update
RP47: 02/11/2010 03:00:15 - Windows Update
RP48: 04/11/2010 20:13:25 - Windows Update
RP50: 09/11/2010 07:02:00 - Installed LEGO® Indiana Jones™
RP52: 09/11/2010 07:04:59 - Installed LEGO® Indiana Jones™
RP53: 11/11/2010 03:00:46 - Windows Update
RP54: 15/11/2010 08:48:38 - ComboFix created restore point
RP56: 20/11/2010 14:29:51 - Windows Live Essentials
RP57: 20/11/2010 14:31:38 - WLSetup
RP58: 25/11/2010 03:00:28 - Windows Update
RP59: 27/11/2010 19:01:30 - ComboFix created restore point
RP60: 27/11/2010 19:36:04 - Windows Modules Installer
RP61: 01/12/2010 08:40:33 - Windows Update
RP62: 11/12/2010 02:52:23 - Scheduled Checkpoint
RP63: 18/12/2010 09:56:22 - Windows Update
RP64: 18/12/2010 10:10:34 - Windows Update
RP65: 20/12/2010 15:34:46 - Removed BBC iPlayer Desktop
RP66: 04/01/2011 03:00:57 - Scheduled Checkpoint
RP67: 13/01/2011 11:01:20 - Windows Update
RP68: 16/01/2011 08:30:32 - Installed Java(TM) 6 Update 23
RP70: 18/01/2011 17:21:08 - Windows Live Essentials
RP71: 18/01/2011 17:23:09 - Windows Update
RP73: 18/01/2011 17:24:15 - Installed DirectX
RP75: 18/01/2011 17:25:31 - Installed DirectX
RP76: 18/01/2011 17:31:06 - WLSetup
RP78: 21/01/2011 14:37:04 - Windows Live Essentials
RP79: 21/01/2011 14:38:13 - WLSetup
RP81: 02/02/2011 20:35:49 - Windows Live Essentials
RP83: 02/02/2011 20:41:04 - Windows Live Essentials
RP84: 02/02/2011 20:44:18 - WLSetup
RP85: 06/02/2011 21:56:23 - Windows Modules Installer
RP86: 12/02/2011 07:55:09 - Windows Update
RP87: 16/02/2011 11:47:26 - Windows Update

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.2
Adobe Shockwave Player 11.5
avast! Free Antivirus
BECTA Home Access Activation Tool
CCleaner
D3DX10
Java Auto Updater
Java(TM) 6 Update 23
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.13)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
Paint.NET v3.5.5
PlayReady PC Runtime x86
Read And Write Home Access
Realtek 8136 8168 8169 Ethernet Driver
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Spelling Dictionaries Support For Adobe Reader 9
T-Mobile Internet Manager
TOSHIBA Assist
TOSHIBA Disc Creator
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
Toshiba Manuals
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2492475)
Utility Common Driver
VLC media player 1.0.1
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
ZoneAlarm

==== Event Viewer Messages From Past Week ========

21/02/2011 12:43:06, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: tcpipBM
21/02/2011 12:42:49, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
21/02/2011 12:42:49, Error: atikmdag [43029] - Display is not active
21/02/2011 12:03:10, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
21/02/2011 12:03:10, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
21/02/2011 12:03:10, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
21/02/2011 12:03:09, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
21/02/2011 12:03:09, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
21/02/2011 12:03:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
21/02/2011 12:03:02, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
21/02/2011 12:02:48, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSP aswTdi CSC DfsC discache MPFP NetBIOS NetBT nsiproxy Psched rdbss spldr Tcpip tcpipBM tdx Vsdatant vwififlt Wanarpv6 WfpLwf
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the Zone Alarm Firewall Driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/02/2011 12:02:48, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
21/02/2011 11:31:59, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
21/02/2011 10:31:22, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
20/02/2011 09:39:03, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
18/02/2011 04:29:42, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
16/02/2011 07:56:30, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort3.

==== End Of File ===========================
 
Welcome to TechSpot! I'll help with the malware.

It's all about location, location, location!!!

conhost.exe can be either a legitimate OS file when located in %WINDIR%\%System%, or malware added by Troj/DwnLdr-IQK if located in \%AppData%\.

Taskhost.exe is a generic host process for Windows 7 32-bit services when its location is C:\Windows\System32\Taskhost.exe. If located in \%AppData%\, it has been added by the W32/AutoRun-BM WORM! Note: spreads via removable media.

Schlpr.exe is part of CGI / FastCGI, an open extension to CGI that provides high performance for all Internet applications without any of the limitations of existing Web server APIs. http://www.fastcgi.com/drupal/

Scrlink.exe belongs to SCBackup, which is used to back up your mobile phone data:
http://www.scbackup.fi/what_is_scbackup.html

Media test failure. Check cable / Exiting PXE ROM: please see this site for description, cause and resolution with links: http://www.computerhope.com/issues/ch000706.htm
=====================================================
Please run the following while I finish checking these logs:

Run the ESET NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted into the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
============================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    RcAuto1.gif

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • Click on Yes, to continue scanning for malware
  • If ComboFix asks you to update the program, allow it
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
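The location check described in the reply above (a system binary name such as conhost.exe or taskhost.exe is only legitimate under the Windows system directory, and is suspect when it runs from \%AppData%\) can be applied mechanically to the "Running Processes" section of a DDS log. The script below is an added example written for this page, not a tool from the thread, from DDS or from the helper; the sample lines are a few real entries from the DDS log above plus two constructed AppData entries so the checks are seen to fire, and the list of system-only binary names beyond the two the reply mentions is an assumption.

```python
"""Flag processes in a DDS 'Running Processes' list whose image path does not
match where a binary of that name is expected to live (added example)."""
import ntpath
import re

# Binaries that legitimately run only from the Windows system directories.
# conhost.exe and taskhost.exe are the two named in the reply; the others are
# further core Windows 7 binaries that live in System32 (assumption).
SYSTEM_ONLY = {
    "conhost.exe", "taskhost.exe", "svchost.exe", "wininit.exe", "lsm.exe",
    "spoolsv.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DDS prints one process per line: the image path, optionally followed by
# arguments (e.g. "svchost.exe -k netsvcs"). Paths may contain spaces, so the
# path is taken up to the first .exe/.scr that is followed by whitespace or EOL.
_LINE = re.compile(r"^(?P<path>.*?\.(?:exe|scr))(?:\s+(?P<args>.*))?$", re.IGNORECASE)


def parse_process_line(line):
    """Return (image_path, arguments) for one DDS process line, or None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("args") or ""


def classify(path):
    """Return 'masquerade' for a system-only name outside the system dirs,
    'user-profile' for anything running from a user's AppData tree, else None."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name in SYSTEM_ONLY and folder not in SYSTEM_DIRS:
        return "masquerade"
    if "\\appdata\\" in folder + "\\":
        return "user-profile"
    return None


def scan(lines):
    """Return [(path, reason)] for every process line worth a closer look."""
    findings = []
    for line in lines:
        parsed = parse_process_line(line)
        if parsed is None:
            continue
        path, _args = parsed
        reason = classify(path)
        if reason:
            findings.append((path, reason))
    return findings


# Constructed sample: six real lines from the DDS log in this thread, followed
# by two constructed AppData entries (not from the log) to exercise the check.
SAMPLE = r"""
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Users\Mum\AppData\Roaming\T-Mobile Internet Manager\ouc.exe
C:\Users\Mum\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Users\Mum\AppData\Roaming\conhost.exe
C:\Users\Mum\AppData\Local\Temp\taskhost.exe
""".strip().splitlines()

if __name__ == "__main__":
    for path, reason in scan(SAMPLE):
        print(f"{reason:13s} {path}")
```

The "user-profile" category is deliberately a prompt to look, not a verdict: the ouc.exe entry it flags here is part of the T-Mobile Internet Manager listed in the same log, whereas the two constructed conhost.exe/taskhost.exe entries are exactly the pattern the reply describes.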
 
I think I found your main problem:

You have this on the system:
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-8 359952]

It won't let the user open a site it is blocking. It starts up any time your system is on; sometimes it appears even after you close it from Task Manager. You should run the McAfee Removal Tool. If that doesn't remove it, you can do it manually, and if it's still causing the problem, I can remove it with a script you'll run through ComboFix.

First, run the Uninstall: McAfee Removal

Second, if process still runs: Click on Start> Run> type in services.msc> enter> Double click on McAfee Proxy Service> Stop the Service> Change the Startup type to Disable.> then click on the LogOn tab> it will show Profile 1 Enabled- this is the default hardware profile> click on the Disable button> Apply> OK

EDIT to delete image and URL for possibly embedded adware.
 
Ok, firstly thanks very much for the speedy reply! I used the ESET online scanner and found nothing, so was unable to copy any results. I then used ComboFix; the results will be below. I then read your advice on the McAfee proxy thing. I looked in Add/Remove Programs and nothing is there regarding that, nor in the Windows Task Manager, although something has clearly been deleted using MCPR.exe. Upon trying to use Firefox to access the internet after using ComboFix, I had an error message saying 'illegal operation attempted on a registry key that has been marked for deletion, it may have been moved, renamed or deleted'; the same for IE too. I was only able to use it after rebooting. Once the internet was accessed I got a bar at the top of the page telling me that I am now earning Gamers Unite coins for my purchase of McAfee for $11. I have attached the screen print of this message. I certainly didn't purchase this and I haven't installed McAfee. I still have multiple processes of what I named in my last mail, maybe 4 of each. The sites that this problem is blocking are always used, so I don't understand how it started blocking them after clicking that link.

It's all very strange.


ComboFix 11-02-21.02 - Mum 22/02/2011 19:11:55.7.1 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.766.243 [GMT 0:00]
Running from: c:\users\Mum\Desktop\cumbyfix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
.

2011-02-21 10:05 . 2011-02-21 10:05 -------- d-----w- c:\users\Mum\AppData\Local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
2011-02-12 18:29 . 2011-02-12 18:29 -------- d-----w- c:\users\Mum\AppData\Local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
2011-02-11 15:02 . 2011-01-05 03:37 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-11 15:02 . 2010-12-18 05:29 541184 ----a-w- c:\windows\system32\kerberos.dll
2011-02-11 15:02 . 2011-01-05 05:37 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-11 15:02 . 2010-12-18 05:29 860160 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-02-11 15:02 . 2010-12-18 05:33 673040 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-02-11 15:00 . 2010-12-21 05:36 1389568 ----a-w- c:\windows\system32\msxml6.dll
2011-02-11 15:00 . 2010-12-21 05:38 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-11 15:00 . 2010-12-21 05:36 1236992 ----a-w- c:\windows\system32\msxml3.dll
2011-02-11 15:00 . 2010-12-21 05:38 350720 ----a-w- c:\windows\system32\winhttp.dll
2011-02-11 15:00 . 2010-12-21 05:38 204800 ----a-w- c:\windows\system32\WebClnt.dll
2011-02-11 15:00 . 2010-12-21 05:34 80384 ----a-w- c:\windows\system32\davclnt.dll
2011-02-11 15:00 . 2010-12-21 05:38 51200 ----a-w- c:\windows\system32\wscapi.dll
2011-02-11 15:00 . 2010-12-21 05:38 14336 ----a-w- c:\windows\system32\slwga.dll
2011-02-11 15:00 . 2010-12-21 05:38 73728 ----a-w- c:\windows\system32\wscsvc.dll
2011-02-11 15:00 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-02-06 22:02 . 2011-02-06 22:02 -------- d-----w- c:\users\Mum\AppData\Local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
2011-02-04 08:39 . 2011-02-04 08:40 -------- d-----w- c:\users\Mum\AppData\Local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
2011-02-03 16:17 . 2011-02-03 16:17 -------- d-----w- c:\users\Mum\AppData\Local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
2011-02-02 20:52 . 2011-02-02 20:52 -------- d-----w- c:\users\Mum\AppData\Local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
2011-02-02 20:37 . 2011-02-02 20:37 -------- d-----w- C:\7b948f167fc0ed9f8bf22971
2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 08:47 . 2010-08-17 13:03 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-08-17 13:03 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-08-17 13:04 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-08-17 13:04 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:37 . 2010-08-17 13:04 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-08-17 13:04 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-13 08:37 . 2010-08-17 13:04 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-23 12:20 . 2010-08-22 17:20 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-12-23 12:19 . 2010-08-22 17:19 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2010-12-23 12:19 . 2010-08-22 17:19 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-12-20 13:40 . 2010-08-30 11:24 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-12-20 13:40 . 2010-08-30 11:23 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2010-12-20 13:40 . 2010-09-08 00:10 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-12-10 21:07 . 2010-12-10 21:09 737280 ----a-w- c:\windows\iun6002.exe
.

((((((((((((((((((((((((((((( SnapShot@2011-02-21_10.31.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 13:42 . 2011-02-22 19:06 36680 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2011-02-22 19:06 57114 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-07-07 07:17 . 2011-02-22 19:07 11748 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2365872316-2932340085-2808364130-1003_UserData.bin
+ 2009-07-13 23:43 . 2009-07-14 01:14 83968 c:\windows\System32\RegisterIEPKEYs.exe
+ 2011-02-21 11:40 . 2010-12-20 18:09 38224 c:\windows\System32\drivers\mbamswissarmy.sys
+ 2011-02-21 11:40 . 2010-12-20 18:08 20952 c:\windows\System32\drivers\mbam.sys
+ 2010-05-19 17:06 . 2011-02-22 19:03 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-19 17:06 . 2011-02-21 10:10 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-19 17:06 . 2011-02-21 10:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-19 17:06 . 2011-02-22 19:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2011-02-21 10:10 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2011-02-22 19:03 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:34 . 2011-02-22 19:07 87304 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-07-06 17:23 . 2011-02-22 19:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-06 17:23 . 2011-02-21 10:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-06 17:23 . 2011-02-22 19:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-06 17:23 . 2011-02-21 10:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-13 23:19 . 2009-07-14 01:04 69120 c:\windows\diagnostics\system\IESecurity\DiagPackage.dll
+ 2009-07-13 23:19 . 2009-07-14 01:04 92160 c:\windows\diagnostics\system\IEBrowseWeb\DiagPackage.dll
+ 2010-07-07 20:54 . 2011-02-22 19:01 9202 c:\windows\System32\wdi\ERCQueuedResolutions.dat
- 2010-07-07 20:54 . 2011-02-21 10:02 9202 c:\windows\System32\wdi\ERCQueuedResolutions.dat
- 2011-02-21 10:17 . 2011-02-21 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-02-22 19:03 . 2011-02-22 19:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-02-21 10:17 . 2011-02-21 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-22 19:03 . 2011-02-22 19:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-20 15:17 . 2011-02-22 18:08 205416 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2009-07-14 02:05 . 2011-02-11 10:52 631364 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2011-02-21 10:45 631364 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-02-11 10:52 111456 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2011-02-21 10:45 111456 c:\windows\System32\perfc009.dat
- 2009-07-14 04:47 . 2011-02-21 10:15 387236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2011-02-22 19:01 387236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-09-25 09:16 . 2011-02-22 19:01 388004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2365872316-2932340085-2808364130-1003-12288.dat
- 2010-09-25 09:16 . 2011-02-21 10:15 388004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2365872316-2932340085-2808364130-1003-12288.dat
+ 2009-07-14 02:03 . 2011-02-22 19:17 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:03 . 2011-02-21 09:01 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 04:34 . 2011-02-12 18:24 3917646 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:34 . 2011-02-22 19:07 3917646 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HW_OPENEYE_OUC_T-Mobile Internet Manager"="c:\program files\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe" [2009-12-31 110592]
"scrlink"="c:\program files\SCBackup\scrlink.lnk" [2010-08-01 686]
"Mobile Partner"="c:\program files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe" [2010-07-06 114688]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
"DataCardMonitor"="c:\program files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe" [2010-07-06 253952]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\users\Mum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-12-22 991776]


--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Mum\AppData\Roaming\Mozilla\Firefox\Profiles\9b5tlkvs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-02-22 19:24:36
ComboFix-quarantined-files.txt 2011-02-22 19:24
ComboFix2.txt 2011-02-21 10:32
ComboFix3.txt 2010-11-27 19:14
ComboFix4.txt 2010-11-15 09:02
ComboFix5.txt 2011-02-22 19:10

Pre-Run: 87,051,280,384 bytes free
Post-Run: 87,004,692,480 bytes free

- - End Of File - - F2309E920D8E26FC66848CE6AEA03C54
 

Attachment: screenprint.jpg
The image appears to be part of the McAfee Removal Tool. And it may be that an ad was embedded in the image I left with the URL below it. I am going to delete both. Give me a bit to go over the Combofix log.

BTW, I also noticed that you have previous scans of ComboFix:
ComboFix3.txt 2010-11-27 19:14
ComboFix4.txt 2010-11-15 09:02

Did you get help somewhere for those scans? Because we have you uninstall ComboFix, its logs and backups at the end of cleaning.
 
I did try at another site but never got very far :dead:
The first time this laptop was infected I sought help at another site. They advised using ComboFix, which I did. It helped me get back online but after some time it was appearing again. Each time I used ComboFix to bail me out. I was never guided to the right help (my opinion).

I've been told to download a program called Rkill from an uninfected machine, and to delete all my protection, as it's now corrupted by this virus, but I wanted to check with someone I know is going to guide me properly. This thing is stealing my broadband at the turn of each month too. I'm totally stuck as to what this is. The first time, it was even disconnecting me saying that it had been terminated by a remote source.
 
Did you do this?
Second, if process still runs: Click on Start> Run> type in services.msc> enter> Double click on McAfee Proxy Service> Stop the Service> Change the Startup type to Disable.> then click on the LogOn tab> it will show Profile 1 Enabled- this is the default hardware profile> click on the Disable button> Apply> OK
When helping someone clean malware, when we feel it is appropriate, we have the user run ComboFix. Then, after checking the log, if needed, we write a script for the user to run through ComboFix to move or change an entry. At the end of cleaning, we have the user uninstall ComboFix, its logs and the backups it created. It shouldn't be left on the system.
=======================================
You have a keylogger running. This isn't a drive-by; it has to be manually installed. The full name is "Omniquad Desktop Surveillance Personal Edition 6.0.3" but you may see only Spyware.DsktopSurveil. The program has two modes of operation: Misuse Prevention and Stealth Surveillance.
It has the ability to capture screen shots, log key strokes and steal information. It can run hidden. I only find one entry visible, but I will want you to reveal hidden files and folders when you go to uninstall it. So if you did not intentionally install it for misuse prevention, then it becomes a stealth surveillance program.
First, go to the Control Panel> Folder Options> View tab> Check 'show hidden files and folders' and uncheck 'hide protected system operating system files (Recommended)> Confirm with a Yes> Click on Apply> OK:
To remove a program in Windows 7:
  1. Go to the Control Panel> Programs and Features> NOTE: The options will be either Uninstall, Change, Uninstall/Change, Repair, or Change/Repair.
  2. A program may not have all the options available for it>
  3. Choose 'uninstall a program'> To confirm, answer Yes.
  4. Look for "Omniquad Desktop Surveillance Personal Edition 6.0.3" or possibly just Spyware.DsktopSurveil> Click to Highlight> Uninstall.
  5. Exit.

If you have found and uninstalled the above named program: use Windows Explorer to access the program's folders> right click> Delete on those program folders. Exit Windows Explorer.
=======================================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe
c:\windows\iun6002.exe

DirLook::
c:\users\mum\appdata\local\{D19E1DB4-699C-413C-99FE-497A2B3B4122}
c:\users\mum\appdata\local\{A74757E3-B3E1-4829-8355-FB1D95085076}
c:\users\mum\appdata\local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
c:\users\mum\appdata\local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
c:\users\mum\appdata\local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
c:\users\mum\appdata\local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
c:\users\mum\appdata\local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
c:\users\mum\appdata\local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
Extra::
File::
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
Firefox:: 
Firefox-:-Profile- c:\users\Mum\AppData\Roaming\Mozilla\Firefox\Profiles\9b5tlkvs.default\

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
Driver::
McProxy
Save this as CFScript.txt, in the same location as ComboFix.exe
Drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Please go back and rehide the files and folders when finished.
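The log review the helper does by eye in the two posts above (the McProxy service line, the Run keys, the policy block) can be scripted. The Python below is an added example, not part of this thread, of ComboFix, or of the helper's CFScript. It parses the "Reg Loading Points" Run keys, the UAC policy block and the R/S service lines out of ComboFix output, using lines copied from the logs posted above as its sample input. It flags Run values that launch through a .lnk (the scrlink entry), point at a file ComboFix marked [X], or run from user-writable paths; it reports UAC policies set to 0 (the log above shows EnableLUA=0 and ConsentPromptBehaviorAdmin=0, which together mean UAC is fully off); and it decodes the service prefix (S4 McProxy as stopped/disabled). The decoding of that prefix and the list of "weak" UAC values are this example's own assumptions, not anything ComboFix documents.

```python
# Added example (not ComboFix's or the helper's code): triage of ComboFix log lines.
# Heuristics below (suspicious Run entries, "weak" UAC values, decoding of the
# R/S + digit service prefix) are this example's own assumptions.
import re

# Constructed input: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scrlink"="c:\program files\SCBackup\scrlink.lnk" [2010-08-01 686]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-8 359952]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
POLICY_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)')
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")

# Assumed ComboFix convention: R = running, S = stopped, digit = Windows start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# HKLM\...\policies\system values that weaken UAC when 0 (this example's checklist).
UAC_MUST_BE_NONZERO = {
    "EnableLUA": "UAC is switched off entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, with no prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_combofix(text):
    """Split ComboFix output into Run entries, policy values and service lines."""
    run_entries, policies, services = [], {}, []
    current_key = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            current_key = None          # a blank line closes a registry block
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
        elif current_key and current_key.endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if m:
                run_entries.append((current_key, m.group("name"), m.group("cmd"), m.group("meta")))
        elif current_key and current_key.endswith("\\policies\\system"):
            m = POLICY_VALUE_RE.match(line)
            if m:
                policies[m.group("name")] = int(m.group("val"))
        else:
            m = SERVICE_RE.match(line)
            if m:
                services.append(m.groupdict())
    return run_entries, policies, services


def suspicious_run_entries(run_entries):
    """Flag Run values launched via a .lnk, pointing at a missing file, or in user-writable paths."""
    findings = []
    for _key, name, cmd, meta in run_entries:
        lowered = cmd.lower()
        reasons = []
        if re.search(r"\.lnk(\s|$)", lowered):
            reasons.append("launched through a shortcut; the real target is inside the .lnk")
        if meta.strip() == "X":
            reasons.append("marked [X]: ComboFix could not find the file on disk")
        if any(p in lowered for p in USER_WRITABLE):
            reasons.append("runs from a user-writable location")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


def weak_uac_policies(policies):
    """Return (value name, consequence) for every UAC policy set to 0."""
    return [(n, why) for n, why in UAC_MUST_BE_NONZERO.items() if policies.get(n) == 0]


def describe_service(services, name):
    """Decode the ComboFix prefix for one service, e.g. 'S4' -> stopped, disabled."""
    for svc in services:
        if svc["name"].lower() == name.lower():
            state = "running" if svc["state"] == "R" else "stopped"
            return f"{svc['name']}: {state}, start type {START_TYPES[svc['start']]}, image {svc['path']}"
    return None


if __name__ == "__main__":
    run_entries, policies, services = parse_combofix(SAMPLE_LOG)
    for name, cmd, reasons in suspicious_run_entries(run_entries):
        print(f"RUN {name}: {cmd}\n    " + "\n    ".join(reasons))
    for name, why in weak_uac_policies(policies):
        print(f"UAC {name}=0: {why}")
    print("SVC " + describe_service(services, "McProxy"))
```

Run against a full ComboFix.txt the same way (read the file, pass its text to parse_combofix); the blank-line rule is what keeps the Run and policy blocks apart, so do not strip empty lines from the log before feeding it in.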
 
Ok, I have tried locating McAfee in services.msc but it's not there. The program Omniquad Desktop Surveillance Personal Edition 6.0.3 or Spyware.DsktopSurveil is not visible in Add/Remove either. I have checked the appropriate boxes in Folder Options. I'm not sure if I should carry on as instructed in your previous post, so will wait.
 
Our posts have overlapped. Please continue on with directions. I have included the entries in the script.
 
ComboFix 11-02-25.02 - Mum 26/02/2011 20:52:44.8.1 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.766.321 [GMT 0:00]
Running from: c:\users\Mum\Desktop\cumbyfix.exe
Command switches used :: c:\users\Mum\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}"
"c:\windows\iun6002.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\iun6002.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-26 to 2011-02-26 )))))))))))))))))))))))))))))))
.

2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Mum\AppData\Local\temp
2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-26 20:59 . 2011-02-26 20:59 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-02-24 03:00 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-02-23 20:28 . 2011-02-23 20:28 -------- d-----w- c:\users\Mum\AppData\Local\{A4E16013-81FA-45AC-8C49-1DD50110D88F}
2011-02-23 08:58 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-23 08:58 . 2011-01-07 07:31 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-23 07:43 . 2011-02-23 07:44 -------- d-----w- c:\users\Mum\AppData\Local\{974BBBD6-A588-437A-986D-DD1F744D0A46}
2011-02-22 19:05 . 2011-02-22 19:05 -------- d-----w- c:\users\Mum\AppData\Local\{A10B346B-ED05-4BF9-A6E0-68A5F88F11AE}
2011-02-22 18:14 . 2011-02-22 18:14 -------- d-----w- c:\program files\ESET
2011-02-21 12:44 . 2011-02-21 12:44 -------- d-----w- c:\users\Mum\AppData\Local\{D19E1DB4-699C-413C-99FE-497A2B3B4122}
2011-02-21 11:40 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-21 11:40 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-21 11:23 . 2011-02-21 11:23 -------- d-----w- c:\users\Mum\AppData\Local\{A74757E3-B3E1-4829-8355-FB1D95085076}
2011-02-21 10:05 . 2011-02-21 10:05 -------- d-----w- c:\users\Mum\AppData\Local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
2011-02-12 18:29 . 2011-02-12 18:29 -------- d-----w- c:\users\Mum\AppData\Local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
2011-02-11 15:02 . 2011-01-05 03:37 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-11 15:02 . 2010-12-18 05:29 541184 ----a-w- c:\windows\system32\kerberos.dll
2011-02-11 15:02 . 2011-01-05 05:37 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-11 15:02 . 2010-12-18 05:29 860160 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-02-11 15:02 . 2010-12-18 05:33 673040 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-02-11 15:00 . 2010-12-21 05:36 1389568 ----a-w- c:\windows\system32\msxml6.dll
2011-02-11 15:00 . 2010-12-21 05:38 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-11 15:00 . 2010-12-21 05:36 1236992 ----a-w- c:\windows\system32\msxml3.dll
2011-02-11 15:00 . 2010-12-21 05:38 350720 ----a-w- c:\windows\system32\winhttp.dll
2011-02-11 15:00 . 2010-12-21 05:38 204800 ----a-w- c:\windows\system32\WebClnt.dll
2011-02-11 15:00 . 2010-12-21 05:34 80384 ----a-w- c:\windows\system32\davclnt.dll
2011-02-11 15:00 . 2010-12-21 05:38 51200 ----a-w- c:\windows\system32\wscapi.dll
2011-02-11 15:00 . 2010-12-21 05:38 14336 ----a-w- c:\windows\system32\slwga.dll
2011-02-11 15:00 . 2010-12-21 05:38 73728 ----a-w- c:\windows\system32\wscsvc.dll
2011-02-11 15:00 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-02-06 22:02 . 2011-02-06 22:02 -------- d-----w- c:\users\Mum\AppData\Local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
2011-02-04 08:39 . 2011-02-04 08:40 -------- d-----w- c:\users\Mum\AppData\Local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
2011-02-03 16:17 . 2011-02-03 16:17 -------- d-----w- c:\users\Mum\AppData\Local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
2011-02-02 20:52 . 2011-02-02 20:52 -------- d-----w- c:\users\Mum\AppData\Local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
2011-02-02 20:37 . 2011-02-02 20:37 -------- d-----w- C:\7b948f167fc0ed9f8bf22971
2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 08:47 . 2010-08-17 13:03 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-08-17 13:03 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-08-17 13:04 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-08-17 13:04 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:37 . 2010-08-17 13:04 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-08-17 13:04 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-13 08:37 . 2010-08-17 13:04 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-23 12:20 . 2010-08-22 17:20 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-12-23 12:19 . 2010-08-22 17:19 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2010-12-23 12:19 . 2010-08-22 17:19 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-12-20 13:40 . 2010-08-30 11:24 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-12-20 13:40 . 2010-08-30 11:23 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2010-12-20 13:40 . 2010-09-08 00:10 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\mum\appdata\local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A} ----


---- Directory of c:\users\mum\appdata\local\{7C741CBC-2630-4A21-A39A-A116D5983BF8} ----


---- Directory of c:\users\mum\appdata\local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8} ----


---- Directory of c:\users\mum\appdata\local\{9CCC493B-40FF-451D-8B69-D5718E1EE451} ----


---- Directory of c:\users\mum\appdata\local\{A74757E3-B3E1-4829-8355-FB1D95085076} ----


---- Directory of c:\users\mum\appdata\local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355} ----


---- Directory of c:\users\mum\appdata\local\{D19E1DB4-699C-413C-99FE-497A2B3B4122} ----


---- Directory of c:\users\mum\appdata\local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5} ----



((((((((((((((((((((((((((((( SnapShot@2011-02-21_10.31.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-13 23:52 . 2009-07-14 01:16 20992 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\WcnEapPeerProxy.dll
+ 2009-07-13 23:52 . 2009-07-14 01:16 20480 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\WcnEapAuthProxy.dll
+ 2009-07-13 23:53 . 2009-07-14 01:16 86528 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\WcnApi.dll
+ 2009-07-13 23:53 . 2009-07-14 01:15 81920 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\fdWCN.dll
+ 2009-07-13 23:52 . 2009-07-14 01:16 20992 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\WcnEapPeerProxy.dll
+ 2009-07-13 23:52 . 2009-07-14 01:16 20480 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\WcnEapAuthProxy.dll
+ 2009-07-13 23:53 . 2009-07-14 01:16 86528 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\WcnApi.dll
+ 2009-07-13 23:53 . 2009-07-14 01:15 81920 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\fdWCN.dll
+ 2009-09-08 13:42 . 2011-02-23 20:29 37020 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2011-02-23 20:29 57114 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-07-07 07:17 . 2011-02-23 20:29 11918 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2365872316-2932340085-2808364130-1003_UserData.bin
+ 2009-07-13 23:43 . 2009-07-14 01:14 83968 c:\windows\System32\RegisterIEPKEYs.exe
- 2010-05-19 17:06 . 2011-02-21 10:10 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-19 17:06 . 2011-02-26 19:13 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-19 17:06 . 2011-02-26 19:13 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-19 17:06 . 2011-02-21 10:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2011-02-26 19:13 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2011-02-21 10:10 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:34 . 2011-02-22 19:47 87512 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 04:34 . 2011-02-21 10:06 87512 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-07-06 17:23 . 2011-02-26 20:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-06 17:23 . 2011-02-21 10:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-06 17:23 . 2011-02-21 10:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-06 17:23 . 2011-02-26 20:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-13 23:19 . 2009-07-14 01:04 69120 c:\windows\diagnostics\system\IESecurity\DiagPackage.dll
+ 2009-07-13 23:19 . 2009-07-14 01:04 92160 c:\windows\diagnostics\system\IEBrowseWeb\DiagPackage.dll
- 2010-07-07 20:54 . 2011-02-21 10:02 9202 c:\windows\System32\wdi\ERCQueuedResolutions.dat
+ 2010-07-07 20:54 . 2011-02-23 20:25 9202 c:\windows\System32\wdi\ERCQueuedResolutions.dat
- 2010-07-07 15:54 . 2011-02-16 16:42 3000 c:\windows\System32\wdi\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
+ 2010-07-07 15:54 . 2011-02-23 00:15 3000 c:\windows\System32\wdi\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
- 2011-02-21 10:17 . 2011-02-21 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-02-23 20:26 . 2011-02-23 20:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-02-21 10:17 . 2011-02-21 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-23 20:26 . 2011-02-23 20:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-24 03:00 . 2010-09-20 04:35 276992 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.20801_none_2dcf2c8f3c1dab98\wcncsvc.dll
+ 2011-02-24 03:00 . 2010-09-14 06:07 276992 c:\windows\winsxs\x86_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7600.16675_none_2cfddf922335379a\wcncsvc.dll
+ 2011-02-23 08:58 . 2011-01-07 07:34 870912 c:\windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7601.21636_none_ae208a9c88b972b5\XpsPrint.dll
+ 2011-02-23 08:58 . 2011-01-07 07:46 870912 c:\windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7601.17537_none_ad97ee1b6f9aec42\XpsPrint.dll
+ 2011-02-23 08:58 . 2011-01-07 07:38 442880 c:\windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7600.20875_none_ac0ded9c8bb45d36\XpsPrint.dll
+ 2011-02-23 08:58 . 2011-01-07 07:31 442880 c:\windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7600.16734_none_abae903772773451\XpsPrint.dll
+ 2011-02-23 08:58 . 2011-01-07 07:34 288256 c:\windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7601.21636_none_1569dcfc62beeaee\XpsGdiConverter.dll
+ 2011-02-23 08:58 . 2011-01-07 07:46 288256 c:\windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7601.17537_none_14e1407b49a0647b\XpsGdiConverter.dll
+ 2011-02-23 08:58 . 2011-01-07 07:38 288256 c:\windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.20875_none_13573ffc65b9d56f\XpsGdiConverter.dll
+ 2011-02-23 08:58 . 2011-01-07 07:31 288256 c:\windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.16734_none_12f7e2974c7cac8a\XpsGdiConverter.dll
+ 2010-01-20 15:17 . 2011-02-26 19:11 207610 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2010-05-07 18:03 . 2011-02-25 13:53 386566 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:05 . 2011-02-11 10:52 631364 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2011-02-21 10:45 631364 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2011-02-11 10:52 111456 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2011-02-21 10:45 111456 c:\windows\System32\perfc009.dat
+ 2011-02-22 19:55 . 2011-02-22 19:55 262144 c:\windows\System32\config\TxR\NTUSER.DAT
+ 2011-02-22 19:55 . 2011-02-22 19:55 262144 c:\windows\System32\config\RegBack\NTUSER.DAT
+ 2011-02-22 19:55 . 2011-02-22 19:55 262144 c:\windows\System32\config\Journal\NTUSER.DAT
- 2009-07-14 04:47 . 2011-02-21 10:15 387236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2011-02-23 20:25 387236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-09-25 09:16 . 2011-02-23 20:25 388004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2365872316-2932340085-2808364130-1003-12288.dat
- 2010-09-25 09:16 . 2011-02-21 10:15 388004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2365872316-2932340085-2808364130-1003-12288.dat
- 2009-07-14 02:03 . 2011-02-21 09:01 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:03 . 2011-02-26 12:37 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-14 04:34 . 2011-02-22 19:07 3917646 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:34 . 2011-02-12 18:24 3917646 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-01-13 11:26 . 2011-02-24 03:00 16739055 c:\windows\winsxs\ManifestCache\ee9f676b8aa4122b_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HW_OPENEYE_OUC_T-Mobile Internet Manager"="c:\program files\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe" [2009-12-31 110592]
"scrlink"="c:\program files\SCBackup\scrlink.lnk" [2010-08-01 686]
"Mobile Partner"="c:\program files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe" [2010-07-06 114688]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
"DataCardMonitor"="c:\program files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe" [2010-07-06 253952]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\users\Mum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-19 1343400]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-12-22 991776]


--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Mum\AppData\Roaming\Mozilla\Firefox\Profiles\9b5tlkvs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-26 21:03:03
ComboFix-quarantined-files.txt 2011-02-26 21:03
ComboFix2.txt 2011-02-22 19:24
ComboFix3.txt 2011-02-21 10:32
ComboFix4.txt 2010-11-27 19:14
ComboFix5.txt 2011-02-26 20:49

Pre-Run: 87,013,773,312 bytes free
Post-Run: 86,958,129,152 bytes free

- - End Of File - - D979DDB5A0F03C9E12ECE79D44E20B3E
 
Please be patient with me a bit longer. I'm looking into the appdata entries such as this:
2011-02-21 11:23 . 2011-02-21 11:23 -------- d-----w- c:\users\Mum\AppData\Local\{A74757E3-B3E1-4829-8355-FB1D95085076}

I can't ID any of the strings and the folders come up empty. I'm hoping to learn what the apps are. I remove some, and others come back. I'm not sure if this is a Windows 7 'thing'! You are not the only member with these entries.
 
Safe to delete because they are empty! But still don't know what's creating them!

Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Registry::
c:\users\Mum\AppData\Local\{A4E16013-81FA-45AC-8C49-1DD50110D88F}
c:\users\Mum\AppData\Local\{974BBBD6-A588-437A-986D-DD1F744D0A46}
c:\users\Mum\AppData\Local\{A10B346B-ED05-4BF9-A6E0-68A5F88F11AE}
c:\users\Mum\AppData\Local\{D19E1DB4-699C-413C-99FE-497A2B3B4122}
c:\users\Mum\AppData\Local\{A74757E3-B3E1-4829-8355-FB1D95085076}
c:\users\Mum\AppData\Local\{B615B4BB-8ED6-4CCC-91EC-DEB117E21355}
c:\users\Mum\AppData\Local\{7C741CBC-2630-4A21-A39A-A116D5983BF8}
c:\users\Mum\AppData\Local\{853BBB57-FBAA-406E-A5A1-7B8E5C8C63E8}
c:\users\Mum\AppData\Local\{9CCC493B-40FF-451D-8B69-D5718E1EE451}
c:\users\Mum\AppData\Local\{F10F75B2-515A-43FA-A64C-AD80F264BBD5}
c:\users\Mum\AppData\Local\{7BF89808-3A0B-4A53-9D24-EB1828DBAC8A}
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . No need to leave log.
====================
Did you run the Eset online virus scan? I haven't seen the log.

If the processes you asked about are coming up when you start the computer, they may be on the Startup menu. Verify the locations I gave you and remove from Startup accordingly.
===================================
One last scan: Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

If no entries need to be removed, I'll have you remove the cleaning tools- which will include all of the 'left over' Combofix entries.
 
Have dragged the CFScript to combofix. Upon opening a warning popped up saying 'it appears you have a corrupt download please download a fresh copy of combofix'. Not sure if I should do this or just let it run? I also don't know what you mean by 'Verify the locations I gave you and remove from Startup accordingly.'

I know nothing about computers so you may need a LOT of patience :)
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:59:18, on 03/03/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\Explorer.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\System32\taskmgr.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TE4470~1.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [HW_OPENEYE_OUC_T-Mobile Internet Manager] "C:\Program Files\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe"
O4 - HKCU\..\Run: [scrlink] C:\Program Files\SCBackup\scrlink.lnk
O4 - HKCU\..\Run: [Mobile Partner] "C:\Program Files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 4611 bytes
 
At first when opened, it told me that hijackthis seems to have started from a temporary folder and asked me to install it to program files instead ??
 
That is correct. HijackThis creates backups, these are needed in case of any recovery issues. I would have had you remove any entries. But the log is okay and nothing needs to be removed.

I know nothing about computers so you may need a LOT of patience
I will give you some basic references to learn about the machine you're using. We have to study and take a test to get a license to drive. Yet nothing is required to get behind the keyboard of a computer and possibly create havoc on the internet, including spreading malware. Doesn't seem right!

What is different about running the script in Combofix now than when you ran it the first time? When you copied the script, did you Save as CFScript.txt, in the same location as ComboFix.exe

Do any of the original problems remain?
 
Things were running OK but today the multiple processes of Schlpr.exe, Taskhost.exe, Conhost.exe and Scrlink.exe are back! Maybe 5 of each process. It took a long time to boot up also. I did save the script as directed.
I completely agree with you about learning to safely use a computer :) just wish I had learned before I needed help. Thanks for your patience :)
 
I described these processes in Reply #2:
conhost.exe can be either a legitimate OS file when located in the %WINDIR%\%System%-or-malware added by the Troj/DwnLdr-IQK if located in \%AppData%\ .

Taskhost.exe is a generic host process for Windows 7 32-bit services when location is C:\Windows\System32\Taskhost.exe. If located in \%AppData%\, it has been added by the W32/AutoRun-BM WORM! Note: Spreads via removable media.

Schlpr.exe is part of CGI / FastCGI, an open extension to CGI that provides high performance for all Internet applications without any of the limitations of existing Web server APIs. http://www.fastcgi.com/drupal/

Scrlink.exe belongs to SCBackup, which is used to back up your mobile phone data
http://www.scbackup.fi/what_is_scbackup.html
======================================
There has been no reply from you for 3 days. I suggested that you confirm the location of the processes to make sure they were legitimate. Perhaps you didn't do that.

First of all, you are loading processes for T Mobile:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HW_OPENEYE_OUC_T-Mobile Internet Manager"="c:\program files\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe" [2009-12-31 110592]
"scrlink"="c:\program files\SCBackup\scrlink.lnk" [2010-08-01 686]
"Mobile Partner"="c:\program files\T-Mobile\T-Mobile Internet Manager\T-Mobile Internet Manager.exe" [2010-07-06 114688]
Scrlink.exe belongs to SCBackup, which is used to back up your mobile phone data
http://www.scbackup.fi/what_is_scbackup.html


You also mentioned:
Im unable to browse my regular sites as it puts the t-mobile age lock (I have none)asking me to verify my age with my credit card details!
Please contact T-Mobile about your account with them.

FastCGI could also be a process used by T Mobile.

Please confirm the locations of the following:
Full path: C:\Windows\System32\Taskhost.exe.
Full path: C:\Windows\System32\conhost.exe

Using Windows Explorer: Right click on start> Explore> Computer> Double click on Local Drive(C)> Windows> click to open System 32> look for Taskhost.exe and conhost.exe. If there, they are legitimate entries.

FYI:
The conhost.exe process fixes a fundamental problem in the way previous versions of Windows handled console windows, which broke drag & drop in Vista. It’s a completely legitimate executable —as long as it’s running from the system32 folder, and is signed by Microsoft.

Is the HijackThis log still on the system or did it get removed?

Are you experiencing any problems other than seeing these processes?

You need to use the search capabilities of Google or another search engine to learn what a process is for.
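An added example (not part of this thread or of the helper's tools) that performs the check described above in PowerShell: for every running taskhost.exe, conhost.exe, schlpr.exe and scrlink.exe it reports the full image path and the Authenticode signer, and it lists the HKCU/HKLM Run values so each startup entry can be matched to a file on disk. The process names and the "System32 and signed by Microsoft" rule come from the reply above; the script, its function names and the assumption of an elevated Windows PowerShell prompt are mine.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0 or later
# (Windows 7 ships 2.0) run from an elevated prompt, so that .Path is populated
# for processes owned by other accounts.

$Suspects      = 'taskhost', 'conhost', 'schlpr', 'scrlink'   # names from the thread
$MicrosoftOnly = 'taskhost', 'conhost'   # must live in System32 and be Microsoft-signed
$System32      = Join-Path $env:SystemRoot 'System32'

function Test-SuspectProcess {
    # One row per process instance. Several conhost.exe rows are normal on Windows 7:
    # every console program gets its own conhost.exe.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $Suspects -contains $_.ProcessName.ToLower() } |
        ForEach-Object {
            $name   = $_.ProcessName.ToLower()
            $path   = $_.Path            # $null when the process cannot be opened
            $status = 'unknown (no path; rerun elevated)'
            $signer = ''
            $inSystem32 = $false
            if ($path) {
                $inSystem32 = $path.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status    # Valid / NotSigned / HashMismatch / ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            # Verdict: Windows components must be in System32 with a valid Microsoft
            # signature; for the third-party names only report path and signer so the
            # reader can compare them with the vendor named in the thread.
            if ($MicrosoftOnly -contains $name) {
                $ok = $inSystem32 -and ($status -eq 'Valid') -and ($signer -like '*Microsoft*')
                $verdict = if ($ok) { 'expected' } else { 'REVIEW' }
            } else {
                $verdict = 'check vendor'
            }
            New-Object PSObject -Property @{
                Name = $_.ProcessName; PID = $_.Id; Path = $path
                Status = $status; Signer = $signer; Verdict = $verdict
            }
        } | Select-Object Name, PID, Path, Status, Signer, Verdict
}

function Get-RunEntries {
    # The HKCU and HKLM Run keys quoted in the reply: what each value launches.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            New-Object PSObject -Property @{ Hive = $hive; Name = $p.Name; Command = $p.Value }
        }
    }
}

Test-SuspectProcess | Sort-Object Name, PID | Format-Table -AutoSize
Get-RunEntries      | Select-Object Hive, Name, Command | Format-Table -AutoSize
```

A row marked REVIEW means the image is outside System32 or not validly Microsoft-signed; a row marked "check vendor" is not wrong by itself, only a prompt to compare the path and signer with the product the thread identifies.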
 
Sorry for the MASSIVE delay in replying! Few home issues going on. The processes were in system32.

That's the only problem I'm having. Why are there multiple processes?

Thanks again for the help and patience
 
If they were in the System 32 folder, they are okay. As for your question "why are there so many processes?", you will need to be more specific.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

    Creating a Restore Point in Windows 7:
    • Click on Start> right click on Computer> Properties
    • Select System Protection
    • Click on the Create button (near bottom)
    • Type a name for the Restore Point
    • Click on Create again to save the restore point.

    Deleting all but the most recent System Protection point in Windows 7
    1. Click Start> Computer> right click the C Drive and choose Properties> enter.
    2. Click Disk Cleanup from there.
      image2.png
    3. Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
    4. Click the More Options tab
      w7-srp2.png
    5. Click the Clean up under System Restore and Shadow Copies.
    6. Click OK.
    7. You will get a confirmation screen> Just click Delete.
    8. Click OK on the Disk Cleanup Screen.
    9. Click Delete Files on the Confirmation screen.
    image6.png

    It will run the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
    Images courtesy lytebyte.

    Empty the Recycle Bin
 
Stuck at the first hurdle as usual! :\ It won't allow me to uninstall combofix. I've left the spaces after X and before U but the first time I tried it told me again that I had a corrupt copy, then scanned.
 