Solved Browser redirect virus and McAfee being disabled

[bababoo]

Combofix log below, then followed by Hijack this log. All external drives conntected during both scans.


ComboFix 11-10-24.05 - Kerry and Matt 25/10/2011 21:14:03.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.508 [GMT 10.5:30]
Running from: c:\documents and settings\Kerry and Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kerry and Matt\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kerry and Matt\UserData
c:\documents and settings\Kerry and Matt\UserData\index.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
.
.
2011-10-13 11:16 . 2011-10-13 11:16 -------- d-----w- c:\program files\McAfeeMOBK
2011-10-13 11:16 . 2010-04-13 09:40 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-10-13 11:15 . 2011-10-13 11:16 -------- d-----w- c:\program files\McAfee Online Backup
2011-10-13 11:15 . 2011-04-11 03:59 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-10-13 11:11 . 2011-10-06 06:12 28504 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-10-13 11:11 . 2011-08-14 23:30 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-13 11:11 . 2011-08-14 23:30 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-13 11:11 . 2011-08-14 23:30 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-13 11:11 . 2011-08-14 23:30 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-13 11:11 . 2011-08-14 23:30 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-13 11:11 . 2011-08-14 23:30 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-13 11:11 . 2011-08-14 23:30 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-13 11:11 . 2011-08-14 23:30 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-13 11:11 . 2011-10-13 11:12 -------- d-----w- c:\program files\Common Files\Mcafee
2011-10-13 10:55 . 2011-10-06 06:14 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-11 11:00 . 2011-10-11 11:00 -------- d-----w- c:\program files\ESET
2011-10-07 21:45 . 2011-10-07 21:45 -------- d-----w- c:\program files\Common Files\Java
2011-10-07 21:44 . 2011-10-07 21:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-07 21:44 . 2011-10-07 21:43 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-10-07 21:44 . 2011-10-07 21:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-07 21:33 . 2011-10-07 21:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\documents and settings\Kerry and Matt\Application Data\Malwarebytes
2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-07 08:43 . 2011-08-31 06:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 06:52 . 2011-10-04 06:52 -------- d-----w- c:\program files\Citrix
2011-09-26 07:47 . 2011-09-26 07:50 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2004-08-10 04:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-14 23:30 . 2011-03-13 00:50 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-14 23:30 . 2011-03-13 00:50 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2006-11-23 11:48 . 2006-11-23 11:48 317248 ----a-w- c:\program files\dxwebsetup.exe
2011-09-03 06:18 . 2011-09-11 10:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-14_05.26.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-25 06:35 . 2011-10-25 06:35 16384 c:\windows\Temp\Perflib_Perfdata_584.dat
+ 2011-10-25 06:35 . 2011-10-25 06:35 16384 c:\windows\Temp\Perflib_Perfdata_52c.dat
+ 2011-10-25 06:35 . 2011-10-25 06:35 16384 c:\windows\Temp\Perflib_Perfdata_4ac.dat
- 2005-05-13 11:28 . 2011-10-14 01:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-05-13 11:28 . 2011-10-25 06:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-05-13 11:28 . 2011-10-14 01:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-05-13 11:28 . 2011-10-25 06:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-01 04:21 . 2011-10-25 06:44 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-04-01 04:21 . 2011-10-14 01:30 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-10-20 10:25 . 2011-10-25 06:45 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-10-07 23:20 . 2011-10-14 01:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-10-24 08:16 . 2011-10-24 08:16 22016 c:\windows\Installer\f5168.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 08:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk.disabled
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Smart Wizard Wireless Settings.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk.disabled
backup=c:\windows\pss\Smart Wizard Wireless Settings.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VideoCam Suite 2.0.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VideoCam Suite 2.0.lnk.disabled
backup=c:\windows\pss\VideoCam Suite 2.0.lnk.disabledCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FPCCSMiddleware]
2008-03-06 23:19 536184 ------w- c:\program files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14 576320 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 07:08 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-06-21 05:28 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" start
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"DTVRemote"="c:\program files\LifeView MVP\RemoteControl.exe"
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"IJNetworkScanUtility"=c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
"NokiaMServer"=c:\program files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"snpstd"=c:\windows\vsnpstd.exe
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LifeView MVP\\LIFEVIEWMVP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [13/10/2011 9:45 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [13/10/2011 9:41 PM 89624]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [13/10/2011 9:46 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [13/10/2011 9:42 PM 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [13/10/2011 9:25 PM 148520]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 8:11 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [13/10/2011 9:41 PM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [13/10/2011 9:41 PM 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [13/10/2011 9:41 PM 83688]
S1 M9207;LifeView M9207 USB Digital TV BOX;c:\windows\system32\drivers\M9207BDA.sys [25/01/2007 10:54 PM 43264]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 4:02 PM 135664]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [12/12/2007 1:18 PM 81152]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [12/12/2007 1:18 PM 87040]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 4:02 PM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [13/10/2011 9:41 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [13/10/2011 9:41 PM 87808]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:04]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 05:32]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 05:32]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: colesonline.com.au\www
TCP: DhcpNameServer = 10.0.0.138
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Kerry and Matt\Application Data\Mozilla\Firefox\Profiles\vcr1mlqh.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-25 21:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1556)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-10-25 21:34:20
ComboFix-quarantined-files.txt 2011-10-25 11:04
ComboFix2.txt 2011-10-19 11:51
ComboFix3.txt 2011-10-14 05:30
ComboFix4.txt 2011-10-07 22:57
.
Pre-Run: 7,416,356,864 bytes free
Post-Run: 7,394,697,216 bytes free
.
- - End Of File - - 24B7D95662EF34D2671A83BE1EF9AF37

-------------l----------------------------------------------------------------------------------------
Hijack this Log


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:53:23 PM, on 25/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=5812
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111013214158.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McPvTray_exe] "C:\Program Files\McAfee\MAT\McPvTray.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50102F0B-22FD-40ED-914D-10B13E23B08E}: Domain = sa.bigpond.net.au
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: McAfee Online Backup (MOBKbackup) - McAfee, Inc. - C:\Program Files\McAfee Online Backup\MOBKbackup.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11596 bytes

 

[Bobbye]

I remember we went over some of the processes I said didn't need to Start on boot. I gave instructions for handling the associated Services.

These were to be unchecked on the Startup Menu
Uncheck any processes you do not need to start on boot.Uncheck process for following:
[o]Logitech Desktop Messenger
[o]Smart Wizard Wireless Settings.
[o]VideoCam Suite 2.0.

Then I referred you to the Service settings:
Click on Start> Run> type in services.msc> enter> check for Services related to any of the following:
[o]Logitech Desktop Messenger
[o]Smart Wizard Wireless Settings.
[o]VideoCam Suite 2.0.
If found> double click to open each> Change Startup Type to Manual for each> Exit when through.

I don't understand where these entries are coming from in the current Combofix log:

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk.disabled
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Smart Wizard Wireless Settings.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk.disabled
backup=c:\windows\pss\Smart Wizard Wireless Settings.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VideoCam Suite 2.0.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VideoCam Suite 2.0.lnk.disabled
backup=c:\windows\pss\VideoCam Suite 2.0.lnk.disabledCommon Startup

These are just shortcuts. Why have the system load disabled shortcuts?

-------------------------------------------------
Plus: You are running 2 printers> Dell and Canon
CyberLink
PowerDVD
Nokia FastStart>
None of these are required or not recommended - typically infrequently used tasks that can be started manually if necessary

There are numerous auto-updaters running. This first one is an excellent example of why running auto-updates is neither necessary or recommended:

You have the AdobeUpdateManager running. What good has it done when the current version is v10 and your version is only v7!? This is not only a vulnerability to the system because it's outdated, but it also allows frequent, daily internet connections from your system

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

More auto-updates: none needed:

Sonic\Update Manage
iTunes
QuickTime
DivXUpdate> CHECKNOW

=========================================
There is no malware in these logs. But your system is at risk, system resources are being used needlessly.

But your issues were a redirect and McAfee being disabled. Have they been resolved?

 

[bababoo]

Bobbye

Thanks for your help. McAfee is now running, and had not disabled. Firefox will now load and the redirect seems to have been fixed. These are the issue I needed resolved. Thankyou for that. If my computer is clean then you can close this thread.

I will have a look at the processes that are running on start up. I believe that the disabled links are due to Spybot changes, that I will undo. I have not used this computer for anything much, until you gave the all clear. I have not done any upgrades, downloads or system changes unless you directed me to. I will now change some of those other items you have mentioned

thanks once again for your help, very much appreciated.

Bababoo

 

[Bobbye]

You're very welcome. Glad to hear problems have been resolved. Let's clean up:

Removing all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
===============================================
Here are some tips for added security and safer browsing: (Links are in Bold Blue)

1. Browser Security
   [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
   [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
   [o] Replace the Host Files
   [o] Google Toolbar Pop Up Blocker
   [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
   
2. Have layered Security:
   [o]Antivirus :(only one):Both of the following programs are free and known to be good:
   [o]Avira-AntiVir-Personal-Free-Antivirus
   [o]Avast-Free Antivirus
   [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
   [o]Comodo
   [o]Zone Alarm
   
3. Antimalware: I recommend all of the following:
   [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
   [o]Spybot Search & Destroy
   
4. Updates: Stay current:
   [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
   [o]Adobe Reader Install current, uninstall old.
   [o]Java Updates Install current, uninstall old.
   
5. Tracking Cookies
   Reset Cookie:
   [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
   [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
   I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
   AdBlock Plus
   Easy List
   [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
   
6. Do regular Maintenance
   Clean the temporary internet files often:
   [o] Temporary File Cleaner]
   or
   [o] ATF Cleaner by Atribune
7. Restore Points:
   [o]See System Restore Guide
8. Safe Email Handling
   [o] Don't open email from anyone you don't know.
   [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
   [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

Please let me know if you find any bad link.