Search engine link hijack virus

nwesson

Hello,

I have recently discovered a virus that hijacks any link I select in Google and redirects me to other random sites.

I use Google Chrome, but it seems to be happening in Firefox and IE as well. I am running Windows 7 and have Virgin Media Security (anti-virus, firewall etc.) installed. I have tried a few virus scans to no avail.

I have completed the steps you requested and posted the logs below. Any help would be greatly appreciated.

Thanks,
Nick

==========================================================
Malwarebytes Anti-Malware log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6526

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

07/05/2011 18:03:08
mbam-log-2011-05-07 (18-03-08).txt

Scan type: Quick scan
Objects scanned: 150393
Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mferrorwow.exe (Trojan.TracurW.Gen) -> Value: mferrorwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KBDLAOwow.exe (Trojan.TracurW.Gen) -> Value: KBDLAOwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmiEnginewow.exe (Trojan.TracurW.Gen) -> Value: SmiEnginewow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dx9_36wow.exe (Trojan.TracurW.Gen) -> Value: d3dx9_36wow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KBDMONwow.exe (Trojan.TracurW.Gen) -> Value: KBDMONwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpdMtpUSwow.exe (Trojan.TracurW.Gen) -> Value: WpdMtpUSwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WLanConnwow.exe (Trojan.TracurW.Gen) -> Value: WLanConnwow.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\381046608 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\Users\Nick\AppData\Roaming\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Roaming\AA53.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\api-ms-win-security-sddl-l1-1-032.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000ef1e447f1255c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000ef1e447f1255o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000ef1e447f1255p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000ef1e447f1255s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\programdata\381046608\frt1.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\381046608\new.i0.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\381046608\new.i1.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\381046608\new.i2.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\381046608\new.i3.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\381046608\new.i4.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\381046608\new.i5.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\381046608\new.i6.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\381046608\new.i7.kwd (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt0.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt0.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt1.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt1.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt2.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt2.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt3.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt3.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt4.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt4.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt5.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt5.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt6.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt6.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt7.rar (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\992198056\frt7.rar.ver (Rogue.Multiple) -> Quarantined and deleted successfully.


==========================================================
GMER log

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-07 18:33:14
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HTS541010G9SA00 rev.MBZOC60D
Running: zykqcqds.exe; Driver: C:\Users\Nick\AppData\Local\Temp\kxdiqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwOpenProcess [0xA8298620]
SSDT \??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwTerminateProcess [0xA82986D0]
SSDT \??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwTerminateThread [0xA8298770]
SSDT \??\C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwWriteVirtualMemory [0xA8298810]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 8188D589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 818B2092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 818B9AF8 4 Bytes [20, 86, 29, A8]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 818B9DC8 8 Bytes [D0, 86, 29, A8, 70, 87, 29, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 818B9E3C 4 Bytes [10, 88, 29, A8]
? System32\drivers\jpeh.sys The system cannot find the path specified. !
? System32\Drivers\112f7958.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtCreateFile + 6 77834876 4 Bytes [28, 00, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtCreateFile + B 7783487B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtMapViewOfSection + 6 77834ED6 1 Byte [28]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtMapViewOfSection + 6 77834ED6 4 Bytes [28, 03, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtMapViewOfSection + B 77834EDB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenFile + 6 77834F86 4 Bytes [68, 00, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenFile + B 77834F8B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcess + 6 77835036 4 Bytes [A8, 01, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcess + B 7783503B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcessToken + B 7783504B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcessTokenEx + 6 77835056 4 Bytes [A8, 02, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenProcessTokenEx + B 7783505B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThread + 6 778350B6 4 Bytes [68, 01, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThread + B 778350BB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThreadToken + 6 778350C6 4 Bytes [68, 02, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThreadToken + B 778350CB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtOpenThreadTokenEx + B 778350DB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtQueryAttributesFile + 6 778351E6 4 Bytes [A8, 00, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtQueryAttributesFile + B 778351EB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtQueryFullAttributesFile + B 7783529B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtSetInformationFile + 6 778358E6 4 Bytes [28, 01, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtSetInformationFile + B 778358EB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtSetInformationThread + 6 77835946 4 Bytes [28, 02, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtSetInformationThread + B 7783594B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtUnmapViewOfSection + 6 77835C66 1 Byte [68]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtUnmapViewOfSection + 6 77835C66 4 Bytes [68, 03, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[852] ntdll.dll!NtUnmapViewOfSection + B 77835C6B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtCreateFile + 6 77834876 4 Bytes [28, 00, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtCreateFile + B 7783487B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtMapViewOfSection + 6 77834ED6 1 Byte [28]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtMapViewOfSection + 6 77834ED6 4 Bytes [28, 03, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtMapViewOfSection + B 77834EDB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenFile + 6 77834F86 4 Bytes [68, 00, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenFile + B 77834F8B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcess + 6 77835036 4 Bytes [A8, 01, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcess + B 7783503B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcessToken + B 7783504B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcessTokenEx + 6 77835056 4 Bytes [A8, 02, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenProcessTokenEx + B 7783505B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThread + 6 778350B6 4 Bytes [68, 01, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThread + B 778350BB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThreadToken + 6 778350C6 4 Bytes [68, 02, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThreadToken + B 778350CB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtOpenThreadTokenEx + B 778350DB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtQueryAttributesFile + 6 778351E6 4 Bytes [A8, 00, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtQueryAttributesFile + B 778351EB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtQueryFullAttributesFile + B 7783529B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtSetInformationFile + 6 778358E6 4 Bytes [28, 01, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtSetInformationFile + B 778358EB 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtSetInformationThread + 6 77835946 4 Bytes [28, 02, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtSetInformationThread + B 7783594B 1 Byte [E2]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtUnmapViewOfSection + 6 77835C66 1 Byte [68]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtUnmapViewOfSection + 6 77835C66 4 Bytes [68, 03, 17, 00]
.text C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe[2696] ntdll.dll!NtUnmapViewOfSection + B 77835C6B 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1664] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75865E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys

Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

---- EOF - GMER 1.0.15 ----


==========================================================
DDS logs: DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Nick at 18:33:44.67 on 07/05/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3318.1686 [GMT 1:00]
.
AV: Virgin Media Security Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
SP: Virgin Media Security Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Virgin Media Security Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Virgin Media\Security\Fws.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Virgin Media\Security\rps.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Virgin Media\Service Manager\ServiceManagerComHandler.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\AGRSMMSG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Virgin Media\Service Manager\ServiceManager.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Nick\Desktop\dds.scr
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [Google Update] "c:\users\nick\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [api-ms-win-core-sysinfo-l1-1-0wow.exe] c:\windows\api-ms-win-core-sysinfo-l1-1-0wow.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ServiceManager.exe] "c:\program files\virgin media\service manager\ServiceManager.exe" /AUTORUN
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\nick\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\nick\appdata\roaming\mozilla\firefox\profiles\vr4sgge4.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\virgin media\service manager\nprpspa.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\nick\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XUL Cache: {bf4d35f9-ec05-4ce8-beee-360524750e6c} - %profile%\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}
.
============= SERVICES / DRIVERS ===============
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-4-28 25608]
R2 Radialpoint Security Services;Virgin Media Security;c:\program files\virgin media\security\RpsSecurityAwareR.exe [2011-4-28 166944]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\virgin media\security\avg\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-28 5832712]
R2 ServicepointService;ServicepointService;c:\program files\virgin media\service manager\ServicepointService.exe [2011-5-1 689464]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2011-4-28 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2011-4-28 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSShim.sys [2011-4-28 21208]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-6-5 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-4 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
.
=============== Created Last 30 ================
.
2011-05-07 16:53:00 -------- d-----w- c:\users\nick\appdata\roaming\Malwarebytes
2011-05-07 16:52:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-07 16:52:50 -------- d-----w- c:\progra~2\Malwarebytes
2011-05-07 16:52:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-07 16:52:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-07 09:22:28 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a4549f5d-9d04-4e24-8f6a-6bc788c2b019}\mpengine.dll
2011-04-30 13:01:16 -------- d-----w- C:\_OTM
2011-04-28 09:09:29 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-04-28 09:08:57 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2011-04-28 09:08:31 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-04-28 09:08:21 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-04-28 09:08:01 -------- d-----w- c:\program files\Raxco
2011-04-27 15:37:04 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-27 15:36:52 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-04-27 15:36:52 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-04-27 15:36:51 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-04-27 15:36:51 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-04-27 15:36:51 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-04-27 15:36:51 1686016 ----a-w- c:\windows\system32\esent.dll
2011-04-27 15:36:51 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-04-27 15:36:51 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-04-27 15:36:50 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-04-27 15:36:46 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-04-27 15:36:43 2614784 ----a-w- c:\windows\explorer.exe
2011-04-22 09:02:01 -------- d-sh--w- c:\progra~2\SysWoW32
2011-04-22 09:01:48 203776 --sh--w- c:\progra~2\unrar.exe
2011-04-22 09:01:38 -------- d-sh--w- c:\progra~2\1D064B63695DC6EE73B9E514D6D0B7E5
2011-04-22 08:48:56 -------- d-----w- c:\program files\Outlook Import Wizard
2011-04-14 20:05:54 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-14 20:05:54 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-14 20:05:52 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-14 20:05:50 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 20:05:46 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 20:05:44 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-14 20:05:42 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-14 20:05:42 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-14 20:05:42 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-14 20:05:42 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
==================== Find3M ====================
.
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 05:32:08 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 03:37:02 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-18 16:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 05:36:26 428032 ----a-w- c:\windows\system32\vbscript.dll
.
============= FINISH: 18:34:18.88 ===============


==========================================================
DDS logs: Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 28/04/2010 21:32:59
System Uptime: 07/05/2011 18:04:22 (0 hours ago)
.
Motherboard: Acer, Inc. | | Prespa1
Processor: Intel(R) Core(TM)2 CPU T5200 @ 1.60GHz | U2E1 | 1600/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 93 GiB total, 29.452 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_01101025&REV_00\4&3156CA1E&0&4AF0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_01101025&REV_00\4&3156CA1E&0&4AF0
Service:
.
==== System Restore Points ===================
.
RP123: 11/04/2011 20:59:14 - Scheduled Checkpoint
RP124: 11/04/2011 22:28:18 - Windows Update
RP125: 16/04/2011 11:12:06 - Windows Update
RP126: 19/04/2011 22:00:42 - Windows Update
RP127: 20/04/2011 21:19:14 - Windows Update
RP128: 25/04/2011 14:20:35 - Windows Update
RP129: 27/04/2011 17:01:31 - Windows Update
RP131: 28/04/2011 09:51:42 - Windows Defender Checkpoint
RP132: 30/04/2011 12:56:24 - Windows Update
RP133: 07/05/2011 10:21:52 - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.3
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Agere Systems HDA Modem
Any Video Converter 3.1.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
µTorrent
BitTorrent
Bonjour
Core FTP LE 2.1
DHTML Editing Component
FM Genie Scout 11 version 1.00 beta 2
Football Manager 2010
Football Manager 2011
Football Manager 2011 Demo
FrostWire 4.21.1
Google Chrome
Intel(R) Graphics Media Accelerator Driver
Internet TV for Windows Media Center
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Mozilla Firefox (3.6.12)
MSVCRT
PDF Settings
PerfectDisk 10 Professional
QuickTime
RPS CRT
RPS PerfectDiskStub
RPS RpsCore
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype™ 4.2
SmartFTP Client
SmartFTP Client 4.0 Setup Files (remove only)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2522999)
Veetle TV 0.9.18
Virgin Media Security
Virgin Media Service Manager 3.7.47
VirtualCloneDrive
VLC media player 1.0.1
vShare Plugin
WD SmartWare
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Writer
Windows Media Center Add-in for Silverlight
Windows Media Player Firefox Plugin
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
30/04/2011 14:09:02, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: %%-2147416365
30/04/2011 14:08:42, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The RPC server is unavailable. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
30/04/2011 14:08:35, Error: Service Control Manager [7038] - The WMPNetworkSvc service was unable to log on as NT AUTHORITY\NetworkService with the currently configured password due to the following error: The RPC server is unavailable. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
30/04/2011 14:08:35, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not start due to a logon failure.
30/04/2011 14:08:05, Error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
30/04/2011 14:08:05, Error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
30/04/2011 14:08:05, Error: Service Control Manager [7034] - The Virgin Media Security service terminated unexpectedly. It has done this 1 time(s).
30/04/2011 14:08:05, Error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
30/04/2011 14:08:05, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
30/04/2011 14:08:05, Error: Service Control Manager [7031] - The Software Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
30/04/2011 14:08:04, Error: Service Control Manager [7034] - The ServicepointService service terminated unexpectedly. It has done this 1 time(s).
30/04/2011 14:08:04, Error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
30/04/2011 14:08:04, Error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
30/04/2011 14:08:04, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
30/04/2011 12:48:46, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
30/04/2011 12:48:46, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
30/04/2011 12:48:45, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
07/05/2011 18:05:24, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: StarOpen
07/05/2011 17:45:48, Error: Service Control Manager [7034] - The Virgin Media Security Firewall service terminated unexpectedly. It has done this 1 time(s).
07/05/2011 17:26:47, Error: Service Control Manager [7034] - The Themes service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll be glad to help with the redirect. You should take notice of the following:

A straight road to malware is file sharing! You have the following P2P programs:
µTorrent
BitTorrent
FrostWire 4.21.1
The Vshare plug-in

Please either uninstall these or disable them. Do not use them while I am trying to clean the system.

P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

An example would be: The Vshare plug-in itself is safe if you download it from a reputable source such as Firefox. However, beware when downloading the plug-in from sites you do not know or trust, such as file-sharing websites. Then, you run the risk of downloading a virus to your computer.
================================================
Please run the following scans:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
==========================================
It appears that Virgin Media may be using AVG for the antivirus. This next scan won't run with AVG on the system. When you start Combofix, if you get a notice that AVG is on the system, please come back and let me know and I'll give you removal instructions. If not, just go on:

Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan:
Uninstall ComboFix if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
-------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=========================================
Note: Mbam removed numerous entries for Trojans. One is called Rogue.Multiple. Rogue programs give inaccurate alerts to get the user to click on a site to remove the problem. If you get any alerts of this nature, do not act on them!
 
Thank you very much for your help - I have completed what you have asked, including uninstalling all of the P2P programs. Please see logs below:

============================================
ESETscan log:


C:\ProgramData\1D064B63695DC6EE73B9E514D6D0B7E5\b\binm1 a variant of Win32/Kryptik.NCM trojan
C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\ProgramData\SysWoW32\@u2128507501v1 a variant of Win32/Kryptik.NCM trojan
C:\ProgramData\SysWoW32\@u2128507501v2 Win32/TrojanDownloader.Tracur.B trojan
C:\ProgramData\SysWoW32\@u2128507501v3 a variant of Win32/Kryptik.NCM trojan
C:\ProgramData\SysWoW32\wu2128507501v1 a variant of Win32/Kryptik.NCM trojan
C:\ProgramData\SysWoW32\wu2128507501v2 a variant of Win32/Kryptik.NCM trojan
C:\ProgramData\SysWoW32\wu2128507501v3 a variant of Win32/Kryptik.NCM trojan
C:\ProgramData\SysWoW32\_u2128507501v1 a variant of Win32/Kryptik.NCM trojan
C:\ProgramData\SysWoW32\_u2128507501v2 a variant of Win32/Kryptik.NCM trojan
C:\ProgramData\SysWoW32\_u2128507501v3 a variant of Win32/Kryptik.NCM trojan
C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi a variant of Win32/SlowPCfighter application
C:\Users\All Users\SysWoW32\@u2128507501v1 a variant of Win32/Kryptik.NCM trojan
C:\Users\All Users\SysWoW32\@u2128507501v2 Win32/TrojanDownloader.Tracur.B trojan
C:\Users\All Users\SysWoW32\@u2128507501v3 a variant of Win32/Kryptik.NCM trojan
C:\Users\All Users\SysWoW32\wu2128507501v1 a variant of Win32/Kryptik.NCM trojan
C:\Users\All Users\SysWoW32\wu2128507501v2 a variant of Win32/Kryptik.NCM trojan
C:\Users\All Users\SysWoW32\wu2128507501v3 a variant of Win32/Kryptik.NCM trojan
C:\Users\All Users\SysWoW32\_u2128507501v1 a variant of Win32/Kryptik.NCM trojan
C:\Users\All Users\SysWoW32\_u2128507501v2 a variant of Win32/Kryptik.NCM trojan
C:\Users\All Users\SysWoW32\_u2128507501v3 a variant of Win32/Kryptik.NCM trojan
C:\Users\Nick\AppData\Local\Google\Chrome\User Data\Default\Default\ocnfijioaejokcicpacidoaepkdlfibk\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome\xulcache.jar JS/Agent.NDB trojan
C:\Users\Nick\Documents\FrostWire\Saved\(serial) outlook imoprt (gafoba).zip a variant of Win32/Kryptik.NCM trojan
C:\Users\Nick\Documents\FrostWire\Saved\outlook imoprt [crack][fixed].zip a variant of Win32/Kryptik.NCM trojan

==========================================================
combofix log:

ComboFix 11-05-07.01 - Nick 07/05/2011 23:13:29.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3318.1545 [GMT 1:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
AV: Virgin Media Security Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
FW: Virgin Media Security Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
SP: Virgin Media Security Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SysWoW32
c:\programdata\SysWoW32\@u2128507501v0
c:\programdata\SysWoW32\@u2128507501v1
c:\programdata\SysWoW32\@u2128507501v2
c:\programdata\SysWoW32\@u2128507501v3
c:\programdata\SysWoW32\_u2128507501v0
c:\programdata\SysWoW32\_u2128507501v1
c:\programdata\SysWoW32\_u2128507501v2
c:\programdata\SysWoW32\_u2128507501v3
c:\programdata\SysWoW32\_u2128507501v4
c:\programdata\SysWoW32\_u2128507501v5
c:\programdata\SysWoW32\_u2128507501v6
c:\programdata\SysWoW32\_u2128507501v7
c:\programdata\SysWoW32\mu2128507501v4
c:\programdata\SysWoW32\mu2128507501v4.kwd
c:\programdata\SysWoW32\mu2128507501v5
c:\programdata\SysWoW32\mu2128507501v5.kwd
c:\programdata\SysWoW32\mu2128507501v6
c:\programdata\SysWoW32\mu2128507501v6.kwd
c:\programdata\SysWoW32\mu2128507501v7
c:\programdata\SysWoW32\mu2128507501v7.kwd
c:\programdata\SysWoW32\wu2128507501v0
c:\programdata\SysWoW32\wu2128507501v0.kwd
c:\programdata\SysWoW32\wu2128507501v1
c:\programdata\SysWoW32\wu2128507501v1.kwd
c:\programdata\SysWoW32\wu2128507501v2
c:\programdata\SysWoW32\wu2128507501v2.kwd
c:\programdata\SysWoW32\wu2128507501v3
c:\programdata\SysWoW32\wu2128507501v3.kwd
c:\programdata\unrar.exe
c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}
c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome.manifest
c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome\xulcache.jar
c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\defaults\preferences\xulcache.js
c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))
.
.
2011-05-07 22:23 . 2011-05-07 22:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-07 22:10 . 2011-05-07 22:11 -------- d-----w- C:\32788R22FWJFW
2011-05-07 19:36 . 2011-05-07 19:36 -------- d-----w- c:\program files\ESET
2011-05-07 16:53 . 2011-05-07 16:53 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2011-05-07 16:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\programdata\Malwarebytes
2011-05-07 16:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-07 09:22 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4549F5D-9D04-4E24-8F6A-6BC788C2B019}\mpengine.dll
2011-04-30 13:01 . 2011-04-30 13:01 -------- d-----w- C:\_OTM
2011-04-28 09:09 . 2009-11-02 14:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-04-28 09:08 . 2009-10-23 12:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2011-04-28 09:08 . 2011-04-28 09:08 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-04-28 09:08 . 2011-04-28 09:08 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\programdata\Raxco
2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\program files\Raxco
2011-04-28 09:06 . 2011-04-28 09:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-04-27 15:37 . 2011-03-12 11:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-27 15:36 . 2011-03-11 05:44 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-04-27 15:36 . 2011-03-11 05:44 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-04-27 15:36 . 2011-03-11 05:44 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-04-27 15:36 . 2011-03-11 05:44 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-04-27 15:36 . 2011-03-11 05:43 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-04-27 15:36 . 2011-03-11 05:43 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-04-27 15:36 . 2011-03-11 05:43 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-04-27 15:36 . 2011-03-11 05:39 1686016 ----a-w- c:\windows\system32\esent.dll
2011-04-27 15:36 . 2011-03-11 05:37 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-04-27 15:36 . 2011-02-18 05:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-04-27 15:36 . 2011-02-26 05:33 2614784 ----a-w- c:\windows\explorer.exe
2011-04-22 09:01 . 2011-05-07 16:22 -------- d-sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
2011-04-22 08:48 . 2011-04-22 08:49 -------- d-----w- c:\program files\Outlook Import Wizard
2011-04-14 20:05 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-14 20:05 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-14 20:05 . 2011-02-12 05:30 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-14 20:05 . 2011-03-03 03:31 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 20:05 . 2011-03-08 05:38 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 20:05 . 2011-02-24 05:32 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-14 20:05 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-14 20:05 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-14 20:05 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-14 20:05 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-19 05:33 . 2011-03-20 11:24 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32 . 2011-03-20 11:24 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32 . 2011-03-20 11:24 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-04 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-11-02 25608]
S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [2011-04-28 166944]
S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 21208]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 13ECBEC4
*Deregistered* - 13ecbec4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000Core.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000UA.job
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-api-ms-win-core-sysinfo-l1-1-0wow.exe - c:\windows\api-ms-win-core-sysinfo-l1-1-0wow.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]
"GameDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games"
"ShortlistDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"
"FMPath"=""
"ScreenshotsDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011"
"SaveDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\"
"HistoryDir"="c:\\FM Genie Scout 11\\History Points"
"LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"
"LastSaveGame"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games\\manchesterUnited.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="PSV Eindhoven"
"LastUpdateCheck"=dword:00009edd
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000080
"UniqueID"="14-8500-E1BF"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"PlayerSearchFeatureNum"=dword:00000004
"StaffSearchFeatureNum"=dword:00000000
"ClubSearchFeatureNum"=dword:00000001
"FilterByClubFeatureNum"=dword:00000000
"CompareFeatureNum"=dword:00000000
"ShortlistFeatureNum"=dword:00000000
"ExportFeatureNum"=dword:00000000
"HistoryFeatureNum"=dword:00000000
"LanguageDBFeatureNum"=dword:00000005
"HintsFeatureNum"=dword:00000000
"GenieReportFeatureNum"=dword:00000000
"TopFormationFeatureNum"=dword:00000000
"ScreenshotFeatureNum"=dword:00000000
.
[HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]
"PicturesNumber"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-07 23:26:05
ComboFix-quarantined-files.txt 2011-05-07 22:26
ComboFix2.txt 2009-06-18 13:38
.
Pre-Run: 29,972,336,640 bytes free
Post-Run: 29,893,529,600 bytes free
.
- - End Of File - - B8591FA45C9D66CECF5363F05D51EBB1
 
Please go ahead and run this while I finish checking the Combofix log:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\ProgramData\1D064B63695DC6EE73B9E514D6D0B7E5\b\binm1 
    C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi
    C:\ProgramData\SysWoW32\@u2128507501v1 
    C:\ProgramData\SysWoW32\@u2128507501v2 
    C:\ProgramData\SysWoW32\@u2128507501v3 
    C:\ProgramData\SysWoW32\wu2128507501v1 
    C:\ProgramData\SysWoW32\wu2128507501v2 
    C:\ProgramData\SysWoW32\wu2128507501v3 
    C:\ProgramData\SysWoW32\_u2128507501v1 
    C:\ProgramData\SysWoW32\_u2128507501v2 
    C:\ProgramData\SysWoW32\_u2128507501v3 
    C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi 
    C:\Users\All Users\SysWoW32\@u2128507501v1 
    C:\Users\All Users\SysWoW32\@u2128507501v2 
    C:\Users\All Users\SysWoW32\@u2128507501v3 
    C:\Users\All Users\SysWoW32\wu2128507501v1 
    C:\Users\All Users\SysWoW32\wu2128507501v2 
    C:\Users\All Users\SysWoW32\wu2128507501v3 
    C:\Users\All Users\SysWoW32\_u2128507501v1 
    C:\Users\All Users\SysWoW32\_u2128507501v2 
    C:\Users\All Users\SysWoW32\_u2128507501v3 
    C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome.manifest 
    C:\Users\Nick\Documents\FrostWire\Saved\(serial) outlook imoprt (gafoba).zip 
    C:\Users\Nick\Documents\FrostWire\Saved\outlook imoprt [crack][fixed].zip 
    C:\Users\Nick\AppData\Local\Google\Chrome\User Data\Default\Default\ocnfijioaejokcicpacidoaepkdlfibk\contentscript.js 
    C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\extensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome\xulcache.jar 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================================================
Two of the entries above are in the Java cache so you will need to empty that:
  1. Click Start > Control Panel.
  2. Double-click the Java icon in the control panel. The Java Control Panel appears.
  3. Click Settings under Temporary Internet Files.
     There are three options on this window to clear the cache (version dependent):
     • Delete Files
     • View Applications
     • View Applets
  4. Click OK on the Delete Temporary Files window.
     Note: This deletes all the Downloaded Applications and Applets from the cache.
  5. Click OK on the Temporary Files Settings window.
======================================
You made a wise decision in uninstalling the P2P programs. It is obvious from the Eset scan that they contributed a lot to the malware.
 
Thanks again for your help on this. I completed the further steps you requested and paste the log below.

In regards to the P2P - all this because I was searching for a program that converts your old Windows Mail items into Outlook format and decided I didn't want to pay for it as it was only a one-off task. You live from your mistakes I suppose and something I won't be doing again! I will happily pay for it next time...

==============================
OTM Log:


All processes killed
========== FILES ==========
File/Folder C:\ProgramData\1D064B63695DC6EE73B9E514D6D0B7E5\b\binm1 not found.
C:\ProgramData\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi moved successfully.
File/Folder C:\ProgramData\SysWoW32\@u2128507501v1 not found.
File/Folder C:\ProgramData\SysWoW32\@u2128507501v2 not found.
File/Folder C:\ProgramData\SysWoW32\@u2128507501v3 not found.
File/Folder C:\ProgramData\SysWoW32\wu2128507501v1 not found.
File/Folder C:\ProgramData\SysWoW32\wu2128507501v2 not found.
File/Folder C:\ProgramData\SysWoW32\wu2128507501v3 not found.
File/Folder C:\ProgramData\SysWoW32\_u2128507501v1 not found.
File/Folder C:\ProgramData\SysWoW32\_u2128507501v2 not found.
File/Folder C:\ProgramData\SysWoW32\_u2128507501v3 not found.
File/Folder C:\Users\All Users\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi not found.
File/Folder C:\Users\All Users\SysWoW32\@u2128507501v1 not found.
File/Folder C:\Users\All Users\SysWoW32\@u2128507501v2 not found.
File/Folder C:\Users\All Users\SysWoW32\@u2128507501v3 not found.
File/Folder C:\Users\All Users\SysWoW32\wu2128507501v1 not found.
File/Folder C:\Users\All Users\SysWoW32\wu2128507501v2 not found.
File/Folder C:\Users\All Users\SysWoW32\wu2128507501v3 not found.
File/Folder C:\Users\All Users\SysWoW32\_u2128507501v1 not found.
File/Folder C:\Users\All Users\SysWoW32\_u2128507501v2 not found.
File/Folder C:\Users\All Users\SysWoW32\_u2128507501v3 not found.
File/Folder C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\ext ensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome.manifest not found.
C:\Users\Nick\Documents\FrostWire\Saved\(serial) outlook imoprt (gafoba).zip moved successfully.
C:\Users\Nick\Documents\FrostWire\Saved\outlook imoprt [crack][fixed].zip moved successfully.
C:\Users\Nick\AppData\Local\Google\Chrome\User Data\Default\Default\ocnfijioaejokcicpacidoaepkdlfibk\contentscript.js moved successfully.
File/Folder C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\ext ensions\{bf4d35f9-ec05-4ce8-beee-360524750e6c}\chrome\xulcache.jar not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Nick
->Temp folder emptied: 227742 bytes
->Temporary Internet Files folder emptied: 544750 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 73123886 bytes
->Flash cache emptied: 538 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3354 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 70.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 05082011_093750

Files moved on Reboot...
C:\Windows\temp\ZKT{DD4B34F7-5822-4237-B391-856D4D055AEA}.tmp moved successfully.

Registry entries deleted on Reboot...
 
Some of the entries in OTM that say 'not found' had been removed in Combofix already.
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
DDS::
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [api-ms-win-core-sysinfo-l1-1-0wow.exe] c:\windows\api-ms-win-core-sysinfo-l1-1-0wow.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll

DirLook::
c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
We need to make sure any other entries for the following have been removed:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Show Hidden Files and Folders:
  • Click on the Start button and select Computer
  • Press the Alt key on your keyboard and click on Tools
  • Select Folder Options
  • Click the View tab and check Show hidden files and folders
  • Uncheck Hide protected operating system files (Recommended)
  • Uncheck Hide extensions for known filetypes> Click Yes to confirm
  • Click Apply > click OK
----===================================
1. Registry Reviver: It is registry software located in the "Applications Data" folder for all users. The exact program is "Reviversoft".
Click All Users> Application Data> Do a right click> Delete on the folder for Reviversoft
2. Win32/TrojanDownloader.Tracur.B trojan> shown in both Firefox & Chrome
Now click on Windows System32> look for and do a right click> Delete on fde.dll if found.
Go back and rehide the files and folders.
==============================
Are you noticing any improvement on the system?
 
Hi again,

Some interesting results - first of all I am guessing you pasted your last post twice so I only completed the instructions once.

Combofix log is below - for some strange reason I can't get into safe mode - every time I restart and either tap/hold F8 it just goes to a black screen until I manually switch it off. I have however tried to delete the files in normal mode which I could do for Reviversoft but the fde.dll will not allow me permission to do so. Not really sure what to do next?

Computer is starting to speed up again but I'm trying not to use it at all until this problem is resolved.

Thanks again,
Nick

===========================================
combofix log:

ComboFix 11-05-07.01 - Nick 09/05/2011 20:38:15.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3318.2063 [GMT 1:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
Command switches used :: c:\users\Nick\Desktop\CFScript.txt
AV: Virgin Media Security Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
FW: Virgin Media Security Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
SP: Virgin Media Security Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
.
2011-05-09 19:48 . 2011-05-09 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-07 19:36 . 2011-05-07 19:36 -------- d-----w- c:\program files\ESET
2011-05-07 16:53 . 2011-05-07 16:53 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2011-05-07 16:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\programdata\Malwarebytes
2011-05-07 16:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-07 09:22 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4549F5D-9D04-4E24-8F6A-6BC788C2B019}\mpengine.dll
2011-04-30 13:01 . 2011-04-30 13:01 -------- d-----w- C:\_OTM
2011-04-28 09:09 . 2009-11-02 14:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-04-28 09:08 . 2009-10-23 12:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2011-04-28 09:08 . 2011-04-28 09:08 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-04-28 09:08 . 2011-04-28 09:08 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\programdata\Raxco
2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\program files\Raxco
2011-04-28 09:06 . 2011-04-28 09:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-04-27 15:37 . 2011-03-12 11:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-27 15:36 . 2011-03-11 05:44 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-04-27 15:36 . 2011-03-11 05:44 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-04-27 15:36 . 2011-03-11 05:44 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-04-27 15:36 . 2011-03-11 05:44 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-04-27 15:36 . 2011-03-11 05:43 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-04-27 15:36 . 2011-03-11 05:43 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-04-27 15:36 . 2011-03-11 05:43 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-04-27 15:36 . 2011-03-11 05:39 1686016 ----a-w- c:\windows\system32\esent.dll
2011-04-27 15:36 . 2011-03-11 05:37 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-04-27 15:36 . 2011-02-18 05:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-04-27 15:36 . 2011-02-26 05:33 2614784 ----a-w- c:\windows\explorer.exe
2011-04-22 09:01 . 2011-05-07 16:22 -------- d-sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
2011-04-22 08:48 . 2011-04-22 08:49 -------- d-----w- c:\program files\Outlook Import Wizard
2011-04-14 20:05 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-14 20:05 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-14 20:05 . 2011-02-12 05:30 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-14 20:05 . 2011-03-03 03:31 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 20:05 . 2011-03-08 05:38 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 20:05 . 2011-02-24 05:32 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-14 20:05 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-14 20:05 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-14 20:05 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-14 20:05 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-19 05:33 . 2011-03-20 11:24 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32 . 2011-03-20 11:24 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32 . 2011-03-20 11:24 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5 ----
.
2011-04-22 09:07 . 2011-04-22 08:11 2 ----a-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\b\version
2011-04-22 09:07 . 2011-04-22 09:07 2344788 --sha-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\bin
2011-04-22 09:01 . 2011-04-22 09:01 64 --sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\ntuser.dat
2011-04-22 09:01 . 2011-04-22 09:01 203776 --sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\unrar.exe
2011-04-22 09:01 . 2011-04-22 09:01 0 ----a-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-04 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-11-02 25608]
S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [2011-04-28 166944]
S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 21208]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - D90E2585
*Deregistered* - d90e2585
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 16:19]
.
2011-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 16:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]
"GameDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games"
"ShortlistDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"
"FMPath"=""
"ScreenshotsDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011"
"SaveDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\"
"HistoryDir"="c:\\FM Genie Scout 11\\History Points"
"LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"
"LastSaveGame"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games\\manchesterUnited.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="PSV Eindhoven"
"LastUpdateCheck"=dword:00009edd
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000080
"UniqueID"="14-8500-E1BF"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"PlayerSearchFeatureNum"=dword:00000004
"StaffSearchFeatureNum"=dword:00000000
"ClubSearchFeatureNum"=dword:00000001
"FilterByClubFeatureNum"=dword:00000000
"CompareFeatureNum"=dword:00000000
"ShortlistFeatureNum"=dword:00000000
"ExportFeatureNum"=dword:00000000
"HistoryFeatureNum"=dword:00000000
"LanguageDBFeatureNum"=dword:00000005
"HintsFeatureNum"=dword:00000000
"GenieReportFeatureNum"=dword:00000000
"TopFormationFeatureNum"=dword:00000000
"ScreenshotFeatureNum"=dword:00000000
.
[HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]
"PicturesNumber"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-09 20:50:31
ComboFix-quarantined-files.txt 2011-05-09 19:50
ComboFix2.txt 2011-05-07 22:26
ComboFix3.txt 2009-06-18 13:38
.
Pre-Run: 31,342,198,784 bytes free
Post-Run: 31,268,499,456 bytes free
.
- - End Of File - - 8E15BCDB573351792981632F1F395D67
 
Sorry about that I have cleaned it up. Thought I had lost the text when I went back a page, so recovered it. Didn't realize I hadn't lost it after all! Apologies for the confusion.

Do you have any idea what this is? I did a DirectoryLook but didn't learn much!
---- Directory of c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5 ----
.
2011-04-22 09:07 . 2011-04-22 08:11 2 ----a-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\b\version
2011-04-22 09:07 . 2011-04-22 09:07 2344788 --sha-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\bin
2011-04-22 09:01 . 2011-04-22 09:01 64 --sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\ntuser.dat
2011-04-22 09:01 . 2011-04-22 09:01 203776 --sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\unrar.exe
2011-04-22 09:01 . 2011-04-22 09:01 0 ----a-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock

This ran again on 5/7/2011.
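As an added example (not part of this thread or of ComboFix), here is a small Python parser for the DirLook listing lines quoted above. It decodes the attribute flags ComboFix prints (d = directory, s = system, h = hidden, a = archive, at the positions seen in this log) and flags what a responder would look at first: hidden-plus-system files, executables carrying those flags, and anything under a 32-hex-character folder directly beneath ProgramData. The sample input is copied from the log in this thread; the triage rules and the executable-extension list are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix listing line, as in the DirLook output quoted above:
# "<created> . <modified> <size|--------> <8-char attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+?)\s*$"
)

# A 32-hex-character folder directly under ProgramData, the shape of the
# unidentified folder in this thread (heuristic chosen for this example).
HEX_DIR_RE = re.compile(r"^c:\\programdata\\[0-9a-f]{32}(\\|$)", re.IGNORECASE)

# Extensions treated as executable code for triage (assumption for this example).
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str            # raw 8-character attribute string
    path: str

    # Flag positions as they appear in ComboFix output on this thread:
    # position 0 'd' = directory, 2 's' = system, 3 'h' = hidden, 4 'a' = archive.
    # The remaining positions are deliberately left undecoded here.
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def extension(self) -> str:
        # Split on backslashes ourselves so this also works when run on non-Windows hosts.
        name = self.path.rsplit("\\", 1)[-1]
        return name[name.rfind("."):].lower() if "." in name else ""


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for headers, separators and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def parse_listing(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each suspicious path to the reasons it was flagged; clean paths are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e.is_dir and e.is_hidden and e.is_system:
            reasons.append("hidden+system file")
        if e.extension in EXEC_EXT and (e.is_hidden or e.is_system):
            reasons.append("hidden/system executable")
        if HEX_DIR_RE.match(e.path):
            reasons.append("inside 32-hex-char ProgramData folder")
        if reasons:
            findings[e.path] = reasons
    return findings


# Sample input: the DirLook lines quoted in this thread, plus one benign driver
# line from the same log as a control that should not be flagged.
SAMPLE_LISTING = r"""
---- Directory of c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5 ----
.
2011-04-22 09:07 . 2011-04-22 08:11 2 ----a-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\b\version
2011-04-22 09:07 . 2011-04-22 09:07 2344788 --sha-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\bin
2011-04-22 09:01 . 2011-04-22 09:01 64 --sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\ntuser.dat
2011-04-22 09:01 . 2011-04-22 09:01 203776 --sh--w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\unrar.exe
2011-04-22 09:01 . 2011-04-22 09:01 0 ----a-w- c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock
2011-05-07 16:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_listing(SAMPLE_LISTING)).items():
        print(f"{path}\n    {', '.join(reasons)}")
```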
 
Hi again,

No problem at all - I'm afraid I have no idea what that program is - I looked in the ProgramData folder and there is nothing in there....
 
We're going to have to check for identification of this file:

Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

  1. Copy and paste each of the following file paths, one at a time, into the Suspicious files to scan box on the top of the page.

     Code:
     c:\programdata\unrar.exe

     c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
  2. At the upload site, click once inside the window next to Browse.
  3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  4. Click on the Upload button.
     This will perform a scan across multiple different virus scanning engines.
     Your file will possibly be entered into a queue which normally takes less than a minute to clear.
     Important: Wait for all of the scanning engines to complete.
  5. Once the scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  6. Paste the contents of the Clipboard in your next reply.

I don't want to leave an executable file in a directory that can't be identified or removed and continues to gather program data.

Let's see if this turns up anything.
 
Hmmm

It can't find a file called c:\programdata\unrar.exe

and in this directory there is an empty file called lock in c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5 which it cannot upload either.

I have tried all three sites to no avail
 
One more try:
and in this directory there is an empty file called lock in c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5 which it cannot upload either.
Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.


Okay, this might be a folder that was set up by encryption:
Navigate back to this file and do a right click> Properties:
c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock
Then click on the Advanced tab.(if there is one)
Is this box checked>> "Encrypt contents to secure data"

Go ahead then and do a right click> Delete on the file.
Then go back and rehide the files and folders. (This is important, so don't skip it)
================================
Then run the script below one more time:
Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\bin
c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\ntuser.dat
c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\unrar.exe
c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\b\version
c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock 
Folder::
c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
Sometimes a bit of paranoia can be constructively used. But other times, it can simply drive one nuts!

2011-04-22 09:07 . 2011-04-22 08:11 2 ----a-w-
2011-04-22 09:07 . 2011-04-22 09:07 2344788 --sha-w-
2011-04-22 09:01 . 2011-04-22 09:01 64 --sh--w-
 
Managed to do that now. Here is the log:


ComboFix 11-05-13.02 - Nick 14/05/2011 10:49:48.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3318.1627 [GMT 1:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
Command switches used :: c:\users\Nick\Desktop\CFScript.txt
AV: Virgin Media Security Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
FW: Virgin Media Security Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
SP: Virgin Media Security Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\b\version"
"c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\bin"
"c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\lock"
"c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\ntuser.dat"
"c:\programdata\1D064B63695DC6EE73B9E514D6D0B7E5\unrar.exe"
.
.
((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))
.
.
2011-05-14 09:58 . 2011-05-14 09:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-14 09:20 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C4177243-2FD1-4634-A008-BC2A3932B41D}\mpengine.dll
2011-05-11 18:10 . 2011-03-25 03:06 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-11 18:10 . 2011-03-25 03:06 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-05-11 18:10 . 2011-03-25 03:06 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-05-11 18:10 . 2011-03-25 03:06 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-11 18:10 . 2011-03-25 03:06 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-05-11 18:09 . 2011-03-25 03:06 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-05-11 18:09 . 2011-03-25 03:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-05-11 18:09 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 18:09 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 19:36 . 2011-05-07 19:36 -------- d-----w- c:\program files\ESET
2011-05-07 16:53 . 2011-05-07 16:53 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2011-05-07 16:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\programdata\Malwarebytes
2011-05-07 16:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-07 16:52 . 2011-05-07 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-30 13:01 . 2011-04-30 13:01 -------- d-----w- C:\_OTM
2011-04-28 09:09 . 2009-11-02 14:27 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-04-28 09:08 . 2009-10-23 12:25 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2011-04-28 09:08 . 2011-04-28 09:08 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-04-28 09:08 . 2011-04-28 09:08 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\programdata\Raxco
2011-04-28 09:08 . 2011-04-28 09:08 -------- d-----w- c:\program files\Raxco
2011-04-28 09:06 . 2011-04-28 09:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-04-27 15:37 . 2011-03-12 11:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-27 15:36 . 2011-03-11 05:44 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-04-27 15:36 . 2011-03-11 05:44 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-04-27 15:36 . 2011-03-11 05:44 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-04-27 15:36 . 2011-03-11 05:44 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-04-27 15:36 . 2011-03-11 05:43 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-04-27 15:36 . 2011-03-11 05:43 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-04-27 15:36 . 2011-03-11 05:43 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-04-27 15:36 . 2011-03-11 05:39 1686016 ----a-w- c:\windows\system32\esent.dll
2011-04-27 15:36 . 2011-03-11 05:37 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-04-27 15:36 . 2011-02-18 05:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-04-27 15:36 . 2011-02-26 05:33 2614784 ----a-w- c:\windows\explorer.exe
2011-04-22 08:48 . 2011-04-22 08:49 -------- d-----w- c:\program files\Outlook Import Wizard
2011-04-14 20:05 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-14 20:05 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-14 20:05 . 2011-02-12 05:30 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-14 20:05 . 2011-03-03 03:31 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 20:05 . 2011-03-08 05:38 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 20:05 . 2011-02-24 05:32 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-14 20:05 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-14 20:05 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-14 20:05 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-14 20:05 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-19 05:33 . 2011-03-20 11:24 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32 . 2011-03-20 11:24 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32 . 2011-03-20 11:24 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-04 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-11-02 25608]
S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [2011-04-28 166944]
S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 21208]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 4AD4256B
*Deregistered* - 4ad4256b
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 16:19]
.
2011-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2755048422-3352278054-1094013794-1000UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 16:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr4sgge4.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]
"GameDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games"
"ShortlistDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"
"FMPath"=""
"ScreenshotsDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011"
"SaveDir"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\"
"HistoryDir"="c:\\FM Genie Scout 11\\History Points"
"LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"
"LastSaveGame"="c:\\Users\\Nick\\Documents\\Sports Interactive\\Football Manager 2011\\games\\manchesterUnited.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="PSV Eindhoven"
"LastUpdateCheck"=dword:00009edd
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000080
"UniqueID"="14-8500-E1BF"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"PlayerSearchFeatureNum"=dword:00000004
"StaffSearchFeatureNum"=dword:00000000
"ClubSearchFeatureNum"=dword:00000001
"FilterByClubFeatureNum"=dword:00000000
"CompareFeatureNum"=dword:00000000
"ShortlistFeatureNum"=dword:00000000
"ExportFeatureNum"=dword:00000000
"HistoryFeatureNum"=dword:00000000
"LanguageDBFeatureNum"=dword:00000005
"HintsFeatureNum"=dword:00000000
"GenieReportFeatureNum"=dword:00000000
"TopFormationFeatureNum"=dword:00000000
"ScreenshotFeatureNum"=dword:00000000
.
[HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]
"PicturesNumber"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Media\Security\Fws.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\msfeedssync.exe
.
**************************************************************************
.
Completion time: 2011-05-14 11:06:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-14 10:06
ComboFix2.txt 2011-05-09 19:50
ComboFix3.txt 2011-05-07 22:26
ComboFix4.txt 2009-06-18 13:38
.
Pre-Run: 31,674,556,416 bytes free
Post-Run: 31,649,992,704 bytes free
.
- - End Of File - - BD1A215FB338CDA910DDFB057F3BF0B2
 
Combofix scan looks good. I may have mentioned this before, but in case I did not: There are 2 locked Registry keys for this:
[HKEY_USERS\S-1-5-21-2755048422-3352278054-1094013794-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]. The first contains a large number of processes with settings. I can open the key with script, but I doubt it would show me anything more than what I see. These appear to be special settings for the Genie Scout. Please take a look in the log and assure me that you have made all of the settings.
================================
Please run one more Eset scan. Let's make sure there are no new entries. The link and directions can be found in Reply #2. If there are no new entries, then I'll have you remove the cleaning tools.
 