Redirecting pages [Archive] - Safer-Networking Forums

yawroc

2009-04-19, 01:26

Hi i have had a few problems in the last couple of days. It started a search of a specific item in google instead of taking me to the page i wanted to view a different page appeared, I just thought a mistake had occurred but this is happening now quite often and i am anticipating that i have some kind of malware in the system. However i have ran a scan with my own spyware programme and it has found nothing, I used a programme called stop and this came up with something called tanspy some kind of trojan. However i did an sdfix scan in safe mode and this report came back as no viruses found.
Spy-bot would not start when all this started happening, i downloaded stop which stated that it would conflict with spy-bot so spy-bot was removed. I have since uninstalled stop and have tried to download spy-bot again but it still refuses to start even though at times the tea timer sits on the task bar and seems to be working.
I have prepared a hijack this printout i have gone through this list but there maybe something still in there that i don't recognise.
Hope this is correct in the way it has been prepared.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\WECPUpdate.exe -s
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144979886703
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.128,85.255.112.142
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.128,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.128,85.255.112.142
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9a5d083292664) (gupdate1c9a5d083292664) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11737 bytes

pskelley

2009-04-19, 21:35

yawroc

2009-04-20, 00:59

Thanks for your reply. OK i installed the application malwarebytes onto the desk top as directed. However clicking on it or trying to open the programme is doing nothing. Its acting exactly like Spy-Bot clicking on Spy-Bot fails to load the programme. However look in task manager and both programmes are there but not actually using any CPU. Its almost as though something in this PC is preventing either programme running.
There is also another strange thing going on, my son might be on his games console on line and i am on line on the pc at the same time he then loses his connection but i still have mine.
Also if the pc is shut down over night and then restarted say in the morning the home page fails to load and there is an error message that page cannot be displayed. But when i repair the connection everything seems to be ok. This has only started recently could these problems all be linked to the same problem. I will also post the full hijack this list as required.

yawroc

2009-04-20, 01:05

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions, anything else will waste your time and mine.

85.255.112.128 <<< at the very least you are hacked by criminals form the Ukraine.
http://whois.domaintools.com/85.255.112.128

You have cut off the header of the HJT log which contains information we need. Post like this from notepad:
Edit > Select All > copy/paste all highlited information.

Malware may be hidden, we will begin our search like this:

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

http://www.besttechie.net/mbam/mbam-setup.exe <<< download

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

Now you are starting to worry me are you saying that my particular connection has been hacked by these Ukraines?

Here is the complete log file hijack this
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:02:23, on 19/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\WECPUpdate.exe -s
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144979886703
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.128,85.255.112.142
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.128,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.128,85.255.112.142
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9a5d083292664) (gupdate1c9a5d083292664) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11093 bytes

pskelley

2009-04-20, 01:08

Would it surprise you if I told you the hackers are doing all they can to keep you from removing their junk? We have to get the tools to run to do this. Start by trying to run MBAM in safe mode:
http://spyware-free.us/tutorials/safemode/

If that does not work, delete the program and download it again, this time when you click this link:
http://www.malwarebytes.org/affiliates/besttechie/mbam-setup.exe

Then choose Save this file now
Save it to the Desktop
Down at the bottom where it says "File name:"
change that to say yawroc-setup.exe then save it
Now double click and see if it will update and run
if not...try in safe mode again

pskelley

2009-04-20, 01:16

Please do not quote my instructions, I know what I say and you can scroll back if you need to read it. I do not need that HJT log until after the tool (MBAM in this case) has been run.

Thanks

yawroc

2009-04-20, 01:49

Tried all you said started in safe mode too! Changed the file name programme still not starting.

pskelley

2009-04-20, 01:54

You understand that reformat is an option:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Let's see if you can run combofix:

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

yawroc

2009-04-20, 06:54

Just to update i was awaiting a scan to finish from a trusted site and here are two items found in the pc. win32worm agent and another called zango. Zango was quarantined and win32 worm agent was removed. I am now downloading a fresh copy of spy bot to see if it will now start obviously if it does not i will use the combofix application as directed. Will be back to update. But thank you for your help so far.

yawroc

2009-04-20, 16:49

Hi PSKelley
I did the combofix today. I just want to say that after running that programme i was able to load up Spy-Bot i still have some programmes still to remove which might conflict with spy-bot but at least i am able to run this.
I have enclosed the scan of combofix and a new HT scan. Things seem to be a lot better thankyou for your help thus far.

ComboFix 09-04-20.A0 - Carlito Corway 20/04/2009 13:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.510.181 [GMT 1:00]
Running from: c:\documents and settings\Carlito Corway\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
AV: StopSign Antivirus FREE TRIAL diagnostic version *On-access scanning disabled* (Updated)
FW: PCguard Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\BMaafe2273.txt
c:\windows\BMaafe2273.xml
c:\windows\system32\drivers\gaopdxnbdotlmjkrqevpwuvtryasuvptjpsali.sys
c:\windows\system32\drivers\gaopdxpqjwmrxrgitbacbigskllloymkoqjxjn.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxukwiqvenroaioejmmhgcyrqovowypkxe.dll
c:\windows\system32\SrchSTS.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-20 04:19 . 2009-04-20 04:20 -------- dc----w C:\Spybot - Search & Destroy
2009-04-20 04:01 . 2009-04-20 04:01 -------- d-----w c:\program files\SPY-BOT
2009-04-20 03:30 . 2009-04-20 03:30 268 -c-ha-w C:\sqmdata03.sqm
2009-04-20 03:30 . 2009-04-20 03:30 244 -c-ha-w C:\sqmnoopt03.sqm
2009-04-20 03:22 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-20 00:01 . 2009-04-20 00:01 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-19 23:50 . 2009-04-19 23:50 268 -c-ha-w C:\sqmdata02.sqm
2009-04-19 23:50 . 2009-04-19 23:50 244 -c-ha-w C:\sqmnoopt02.sqm
2009-04-19 23:50 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-19 23:49 . 2009-04-19 23:49 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-19 23:48 . 2009-04-19 23:48 -------- d-----w c:\program files\Lavasoft
2009-04-19 22:46 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-19 22:46 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-19 22:46 . 2009-04-19 22:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 22:46 . 2009-04-19 22:46 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-19 22:30 . 2009-04-19 22:30 268 -c-ha-w C:\sqmdata01.sqm
2009-04-19 22:30 . 2009-04-19 22:30 244 -c-ha-w C:\sqmnoopt01.sqm
2009-04-19 19:24 . 2009-04-19 19:24 268 -c-ha-w C:\sqmdata00.sqm
2009-04-19 19:24 . 2009-04-19 19:24 244 -c-ha-w C:\sqmnoopt00.sqm
2009-04-19 17:30 . 2009-04-19 17:30 3584 -csha-w C:\Thumbs.db
2009-04-18 22:50 . 2009-04-18 22:50 -------- d-----w c:\program files\Fiddler2
2009-04-18 21:45 . 2009-04-18 21:45 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-17 08:59 . 2009-04-17 09:04 -------- d-----w c:\program files\LimeWire
2009-04-15 14:45 . 2009-04-15 14:45 -------- d-----w c:\windows\ERUNT
2009-04-15 14:36 . 2009-04-15 15:20 -------- dc----w C:\SDFix
2009-04-15 07:30 . 2009-04-15 07:30 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\eAcceleration
2009-04-15 07:24 . 2009-04-19 21:00 -------- d-----w c:\program files\Acceleration Software
2009-04-15 07:22 . 2009-04-15 07:31 -------- d-----w c:\documents and settings\All Users\Application Data\eAcceleration
2009-04-15 07:21 . 2009-04-15 07:25 -------- d-----w c:\program files\Common Files\eAcceleration
2009-04-15 07:21 . 2009-04-15 07:30 -------- d-----w c:\program files\eAcceleration
2009-04-15 07:02 . 2009-04-15 07:02 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-14 17:11 . 2009-04-14 17:11 -------- d-----w c:\program files\Raxco
2009-04-14 17:11 . 2009-04-14 17:11 -------- d-----w c:\documents and settings\All Users\Application Data\Raxco
2009-04-14 15:19 . 2009-04-14 17:09 53192 ----a-w c:\windows\system32\drivers\rp_skt32.sys
2009-04-14 15:18 . 2007-04-19 10:36 48384 ----a-w c:\windows\system32\drivers\rp_pkt32.sys
2009-04-14 15:18 . 2009-04-14 15:18 -------- d-----w c:\program files\Common Files\Authentium
2009-04-14 15:17 . 2009-04-14 15:29 -------- d-----w c:\program files\Common Files\Scanner
2009-04-14 15:11 . 2009-04-14 15:11 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\InstallShield
2009-04-14 15:06 . 2009-04-14 15:16 -------- d-----w c:\program files\Virgin Broadband
2009-04-14 13:33 . 2009-04-14 13:33 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-14 07:14 . 2009-04-19 13:49 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\Any Video Converter
2009-04-14 07:13 . 2009-04-14 07:16 -------- d-----w c:\program files\Any Video Converter
2009-04-14 07:08 . 2009-04-14 07:08 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\Broad Intelligence
2009-04-14 07:04 . 2009-04-14 07:06 -------- d-----w c:\program files\MediaCoder
2009-04-14 06:33 . 2009-04-14 06:33 -------- d-sh--w c:\documents and settings\Carlito Corway\IECompatCache
2009-04-14 06:31 . 2009-04-14 06:31 -------- d-sh--w c:\documents and settings\Carlito Corway\PrivacIE
2009-04-14 06:15 . 2009-04-14 06:15 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-14 06:11 . 2009-04-14 06:11 -------- d-sh--w c:\documents and settings\Carlito Corway\IETldCache
2009-04-14 05:30 . 2009-04-14 05:30 -------- d-----w c:\windows\ie8updates
2009-04-14 05:25 . 2009-04-14 05:26 -------- dc-h--w c:\windows\ie8
2009-04-14 05:24 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-11 23:08 . 2004-08-03 23:56 32866 ------w c:\windows\system32\slrundll.exe
2009-04-11 23:08 . 2004-08-03 23:56 188508 ------w c:\windows\system32\slgen.dll
2009-04-11 23:08 . 2004-08-03 23:56 73796 ------w c:\windows\system32\slserv.exe
2009-04-11 23:08 . 2004-08-03 23:56 32866 ------w c:\windows\slrundll.exe
2009-04-11 22:59 . 2009-04-11 22:59 -------- d-----w c:\windows\ServicePackFiles
2009-04-11 22:56 . 2004-07-17 10:40 19528 ----a-w c:\windows\000001_.tmp
2009-04-11 21:29 . 2009-04-11 21:29 -------- dc----w C:\i386
2009-04-10 20:08 . 2009-04-10 20:08 -------- dc----w C:\73f2dece83ab1992bbc95d88
2009-04-08 16:20 . 2009-04-08 16:20 -------- d-----w c:\program files\Common Files\xing shared
2009-04-08 15:44 . 2009-04-08 15:44 -------- d-----w c:\program files\RADVideo
2009-04-06 02:46 . 2009-04-06 02:46 -------- d-s---w c:\documents and settings\Carlito Corway\UserData
2009-04-06 01:06 . 2009-04-06 15:19 -------- d-----w c:\program files\Common Files\Yahoo!
2009-04-05 23:03 . 2009-04-05 23:19 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\Download Manager
2009-04-02 03:15 . 2009-04-02 03:15 -------- dc----w C:\carlitonesean_VR
2009-03-29 01:30 . 2009-03-29 01:31 -------- d-----w c:\program files\CA Yahoo! Anti-Spy
2009-03-26 08:31 . 2009-04-19 23:48 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-26 08:25 . 2009-03-26 08:25 -------- d-----w c:\program files\Trend Micro
2009-03-25 09:02 . 2009-03-25 09:02 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\IObit
2009-03-25 09:02 . 2009-03-25 09:02 -------- d-----w c:\program files\IObit
2009-03-23 00:01 . 2009-03-23 00:01 -------- dcsha-r C:\autorun.inf
2009-03-22 04:59 . 2009-03-22 12:19 -------- d-----w c:\program files\MP3 Key Changer
2009-03-22 01:02 . 2009-03-22 01:02 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\Screaming Bee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 12:33 . 2009-04-06 17:08 5177 -c--a-w C:\aaw7boot.log
2009-04-20 04:20 . 2007-07-10 05:22 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-19 19:37 . 2006-05-06 06:52 -------- d-----w c:\program files\Secure-Delete
2009-04-18 23:05 . 2006-05-01 17:36 -------- d--h--r c:\documents and settings\Carlito Corway\Application Data\yahoo!
2009-04-17 09:48 . 2007-04-27 21:42 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\LimeWire
2009-04-17 08:37 . 2007-01-15 05:01 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-15 07:11 . 2006-11-24 01:44 -------- d-----w c:\program files\eBay
2009-04-15 06:29 . 2006-10-08 12:12 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-04-14 15:17 . 2008-03-14 04:06 -------- d-----w c:\program files\CA
2009-04-14 15:15 . 2008-03-14 03:56 -------- d-----w c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-04-14 14:36 . 2008-03-14 03:57 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\Virgin Broadband
2009-04-12 03:10 . 2006-12-15 08:30 -------- d-----w c:\program files\File-Saver
2009-04-11 23:38 . 2006-04-14 01:41 40256 ----a-w c:\documents and settings\Carlito Corway\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-08 16:19 . 2006-04-14 02:36 -------- d-----w c:\program files\Common Files\Real
2009-04-07 05:33 . 2006-04-14 01:38 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 05:33 . 2009-03-02 01:35 -------- d-----w c:\program files\HOTALBUMMyBOX
2009-04-07 05:29 . 2009-03-02 01:39 -------- d-----w c:\program files\CASIO
2009-04-06 17:51 . 2008-04-11 19:28 -------- d-----w c:\program files\Common Files\Teleca Shared
2009-04-06 16:17 . 2006-08-05 14:29 -------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-04-06 16:16 . 2006-04-14 03:05 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-06 15:52 . 2006-05-03 14:08 50432 ----a-w c:\documents and settings\Carlito Corway\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 15:21 . 2007-01-28 09:24 -------- d-----w c:\program files\PhotoArtMaster Classic
2009-04-06 15:14 . 2008-08-11 02:08 -------- d-----w c:\program files\CamStudio
2009-04-06 02:48 . 2008-11-19 07:44 -------- d-----w c:\documents and settings\All Users\Application Data\Pinnacle VideoSpin
2009-04-06 01:06 . 2008-11-18 23:11 -------- d-----w c:\program files\Pinnacle
2009-04-05 08:54 . 2007-07-10 06:27 144756 -c--a-w C:\avi_log.txt
2009-04-05 05:58 . 2006-04-14 02:23 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-31 23:54 . 2008-06-19 20:59 -------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-03-31 23:53 . 2009-03-05 05:29 -------- d-----w c:\program files\DVDVideoSoft
2009-03-31 22:46 . 2007-01-11 09:30 -------- d-----w c:\program files\PeerGuardian2
2009-03-29 01:28 . 2006-04-25 06:20 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-29 01:24 . 2006-05-01 17:27 -------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2009-03-29 01:24 . 2006-04-25 06:19 -------- d-----w c:\program files\Yahoo!
2009-03-24 05:37 . 2008-09-05 15:49 -------- d-----w c:\program files\Flickr Uploadr
2009-03-22 05:26 . 2009-03-21 07:39 -------- d-----w c:\program files\ZD Soft
2009-03-16 00:47 . 2006-04-14 02:08 -------- d-----w c:\program files\Google
2009-03-14 18:46 . 2009-03-14 18:41 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\Audacity
2009-03-08 03:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-04 15:11 . 2009-03-04 15:11 -------- d-----w c:\program files\BadgerIT
2009-03-03 18:10 . 2009-03-03 18:10 -------- d-----w c:\program files\AskSearch
2009-03-02 18:26 . 2008-05-13 01:10 -------- d-----w c:\program files\NCH Swift Sound
2009-03-02 18:26 . 2008-05-13 01:10 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\NCH Swift Sound
2009-03-02 17:12 . 2009-03-02 17:11 -------- d-----w c:\program files\Essentials Codec Pack
2009-03-02 02:24 . 2009-03-02 02:24 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\CASIO
2009-03-02 01:23 . 2006-11-28 06:45 -------- d-----w c:\documents and settings\Carlito Corway\Application Data\Apple Computer
2009-02-28 00:44 . 2009-02-28 00:44 -------- d-----w c:\program files\NCH Software
2009-02-09 10:20 . 2004-08-04 12:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-04 12:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-05 23:35 . 2009-02-05 23:35 189712 ----a-w c:\windows\system32\RALMain.dll
2009-02-05 23:35 . 2009-02-05 23:35 38160 ----a-w c:\windows\system32\MLPagAx.dll
2009-02-05 23:33 . 2009-02-05 23:33 54544 ----a-w c:\windows\system32\PCLEGetGuid.dll
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2007-09-17 15:24 . 2006-10-18 05:56 17 ---ha-w c:\documents and settings\Carlito Corway\Local Settings\Application Data\19720201.dat
2006-04-29 10:01 . 2006-04-29 10:02 774144 ----a-w c:\program files\RngInterstitial.dll
2004-10-01 14:00 . 2006-11-24 14:07 40960 ----a-w c:\program files\Uninstall_CDS.exe
2008-02-09 07:2007-01-15 05:02 38:54 . c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-04 77891]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Motive SmartBridge"="c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe" [2005-09-22 438359]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\WECPUpdate.exe" [2009-01-25 196608]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-07-17 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-08 185896]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-01-29 2303216]
"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 310000]
"-FreedomNeedsReboot"="c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13552]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2009-04-08 335872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\blueyonder-istconfig.exe [2006-5-24 217088]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-5-6 169472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mozilla Firefox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Mozilla Firefox.lnk
backup=c:\windows\pss\Mozilla Firefox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^YouTube Uploader for CASIO.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\YouTube Uploader for CASIO.lnk
backup=c:\windows\pss\YouTube Uploader for CASIO.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Carlito Corway^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Carlito Corway\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"dvpapi"=2 (0x2)
"NMIndexingService"=3 (0x3)
"LvHidSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=

R0 TfFsMon;TfFsMon; [x]
R0 TfSysMon;TfSysMon; [x]
R2 gupdate1c9a5d083292664;Google Update Service (gupdate1c9a5d083292664);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 133104]
R2 OMSCAN;OMSCAN; [x]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [2009-02-24 111952]
R3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]
R3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-09 29744]
R3 iAimFP8;iAimFP8;c:\windows\system32\DRIVERS\wADV11nt.sys [2002-07-23 11935]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
R3 SCREAMINGBDRIVER;Screaming Bee Audio; [x]
R3 TfNetMon;TfNetMon; [x]
R3 USBSHGX;SHARP GSM GPRS USB Driver 2.0.0;c:\windows\system32\DRIVERS\usbgx_2.sys [2004-03-25 24144]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [2009-02-24 111952]
S2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe [2009-02-24 263504]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S3 4mmdat;4mmdat;c:\windows\system32\DRIVERS\4mmdat.sys [2004-08-03 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-04-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-15 22:38]

2009-04-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 00:45]

2009-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1897051121-725345543-1003.job
- c:\documents and settings\Carlito Corway\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 19:45]

2009-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
Trusted Zone: cover-paradies.to\www
Trusted Zone: freewebs.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Carlito Corway\Application Data\Mozilla\Firefox\Profiles\teov9h8y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1822311&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - javascript:document.location='hxxp://keepvid.com/?url='+escape(window.location);
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=
FF - component: c:\documents and settings\Carlito Corway\Application Data\Mozilla\Firefox\Profiles\teov9h8y.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Carlito Corway\Application Data\Mozilla\Firefox\Profiles\teov9h8y.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - component: c:\documents and settings\Carlito Corway\Application Data\Mozilla\Firefox\Profiles\teov9h8y.default\extensions\{943c7cef-740f-430f-9538-e6945a985368}\components\FFAlert.dll
FF - component: c:\documents and settings\Carlito Corway\Application Data\Mozilla\Firefox\Profiles\teov9h8y.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFAlert.dll
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Carlito Corway\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 13:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxnbdotlmjkrqevpwuvtryasuvptjpsali.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,9c,4c,8e,cf,98,
d9,8a,9d,2e,e8,e1,00,eb,16,2b,de,b9,6a,ed,a1,05,71,de,cd,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,f1,ef,f2,5a,9b,
33,b7,d8,46,47,15,b0,92,4b,c7,ef,41,ab,ee,3b,81,05,f7,77,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,29,1e,16,a7,30,
8e,cb,fd,7a,45,05,fd,91,e8,6f,31,a9,4b,78,d3,ea,2b,66,92,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,e6,74,b4,70,ba,
ff,42,7b,6b,65,49,6a,7e,99,74,f7,98,7c,8f,40,7b,57,7c,97,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,6a,42,64,ec,40,
a6,93,15,e9,02,6c,fa,fb,1d,47,57,ef,3c,96,32,61,0d,44,02,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,30,85,02,b2,8b,
0f,47,39,50,93,e5,ab,ec,6a,4e,ab,7c,4c,b9,df,fb,fe,c7,94,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,17,ed,dc,da,e9,
63,cd,0a,97,20,4e,9a,c7,f1,35,ee,e1,89,13,69,31,e3,91,2a,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,02,00,27,91,ec,
f6,17,0d,aa,52,c6,00,84,3c,26,64,7c,52,ab,74,53,24,61,e8,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,48,b6,59,b6,ef,
e2,41,12,b2,46,9a,e2,1b,fe,1b,94,74,31,86,40,5a,fb,33,ee,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,6f,a8,55,d9,f3,
64,14,5f,37,a4,aa,c3,a6,15,56,0a,da,2b,95,15,bf,88,7b,3b,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,82,a1,14,7e,31,
1b,bf,c9,f8,31,0f,a9,5f,a0,ec,fb,90,a8,a5,96,b5,33,49,3a,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,04,ca,da,0c,13,
bc,1b,39,05,73,21,dd,54,d8,4a,c5,9d,15,cf,58,bb,eb,59,06,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-04-20 13:48
ComboFix-quarantined-files.txt 2009-04-20 12:47

Pre-Run: 35,682,373,632 bytes free
Post-Run: 36,171,739,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

407 --- E O F --- 2009-04-16 08:17

[B]And HT Scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:38:23, on 20/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Spybot - Search & Destroy\SpybotSD.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\WECPUpdate.exe -s
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-21-796845957-1897051121-725345543-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-21-796845957-1897051121-725345543-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\yawspy\TeaTimer.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144979886703
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9a5d083292664) (gupdate1c9a5d083292664) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10717 bytes

pskelley

2009-04-20, 17:58

Posted directions:

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-796845957-1897051121-725345543-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\yawspy\TeaTimer.exe (User 'Administrator')

1) LimeWire <<< uninstall this and any other p2p program on the computer.
http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

2) Disable TeaTimer:
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) Disable Adwatch:
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both of those boxes.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

6) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Tell me how this computer is running?

yawroc

2009-04-20, 18:59

OK will do. I have already deleted Ad Aware in add remove programmes but will run HT to make sure this is removed.
Spy Bot Tea Timer off and spy/bot scan is running currently. I have also before executing the above in spy-bot i have also immunised all products the only products that could not be immunised are in Opera but i am going to take that off anyway as i never use it.
Thus far no pages have so far been redirected and both Spy-Bot Malewarebytes are able to be started. Will be back with all details requested but there maybe a delay. I will recommence in the morning.
Thank you once again.:bigthumb:

yawroc

2009-04-21, 10:19

Here is the Malwarebytes Scan. Now although it says no action taken the files were quarantined all files removed with exception of the Personlised clocks this is still in Quarantine as i did not want to remove that in case this damaged the programme and all information in that programme will be lost. Obviously with this file in quarantine that should be ok should it not???

Malwarebytes' Anti-Malware 1.36
Database version: 2015
Windows 5.1.2600 Service Pack 2

21/04/2009 07:06:41
mbam-log-2009-04-21 (07-06-11)2nd scan.txt

Scan type: Full Scan (C:\|)
Objects scanned: 158024
Time elapsed: 38 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser (Rogue.EvidenceEraser) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\Log (Rogue.EvidenceEraser) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\Registry Backups (Rogue.EvidenceEraser) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\Settings (Rogue.EvidenceEraser) -> No action taken.

Files Infected:
C:\WINDOWS\Personalised Clocks\uninstall.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\DataBase.ref (Rogue.EvidenceEraser) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\Settings\CustomScan.stg (Rogue.EvidenceEraser) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\Settings\IgnoreList.stg (Rogue.EvidenceEraser) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\Settings\ScanInfo.stg (Rogue.EvidenceEraser) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\Settings\SelectedFolders.stg (Rogue.EvidenceEraser) -> No action taken.
C:\Documents and Settings\Carlito Corway\Application Data\EvidenceEraser\Settings\Settings.stg (Rogue.EvidenceEraser) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.

HT Unintstall List. Note that Limewire could not be located here and it was not also visible in ad remove programmes i instead followed the path and deleted the application in C:\Programmes and then did a search for any other files under "Limewire" Once these were found they were sent to the recycle bin permanently removed. Another search was initiated to make sure that all files were no longer in PC No Files Found. Here is the HT Uninstall List

Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Album Creator
Alesis io|2 ASIO Driver
Any Video Converter 2.7.2
AoA Audio Extractor 1.0
ArcSoft PhotoImpression
blueyonder Instant Support Tool
CA Yahoo! Anti-Spy (remove only)
Canon PhotoRecord
Canon PIXMA iP3000
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CCleaner (remove only)
CD-LabelPrint
Checksheet Generator
ClockCreator
ClockCreator 1.0
Collab
Cookies Game Burner 2.00
Creative Live! Cam Center
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
DDFileCatcher Version 2.5021.1
Digital Video
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD Solution
DVDFab Decrypter 3.0.5.0
EKITSClockDesigner
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Event Manager
EPSON File Manager
EPSON Image Clip Palette
EPSON Scan
EPSON Scan Assistant
File-Saver
Flickr Uploadr 3.0.5
Free Video Dub version 1.4
GCH Guitar academy
Google Desktop
Google Earth
Google Gears
Google Pack Screensaver
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Google Web Accelerator
GX15 USB-Handset Manager
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Image Thumbnailer and Converter
ImgBurn
Intel(R) 810/810E/815/815E/815EM Chipset Graphics Driver Software
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Key Ring Creator V1.0.0
Key Ring Creator V1.0.0
Key Ring Creator V1.0.0
LifeView TVR
Line 6 Uninstaller
Logitech Desktop Messenger
Logitech iTouch Software
Logitech Resource Center
Macromedia Flash Player 8
MAGIX audio cleaning lab
MagnetMaker
MagnetMaker V1.0
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
MediaCoder 0.7.0.4370
MediaFACE 4.0
MediaFACE 4.0 Business Image Library
MediaFACE 4.0 General Image Library
MediaFACE 4.0 Lifestyle Image Library
MediaFACE 4.0 Music Image Library
MediaFACE 4.0 Special Occasion Image Library
MediaFACE 4.0 Spiritual Image Library
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 2000
MidiLogic
MozBackup 1.4.7
Mozilla Firefox (3.0.8)
MP3 Key Changer - Version 1.3.1.305
MP3 to WAV Decoder
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Multimedia Launcher
Naevius GVI Converter 1.4
NBFree MP3 to WMA Converter v2
Nic's XviD Decoder
OneCare Advisor (Windows Live Toolbar)
OpenMG Jukebox
OpenMG Secure Module 3.0.03
OpenOffice.org Installer 1.0
Perf3490P_3590P User's Guide
PerfectDisk
Personalised Clocks
Personalised Clocks
Photo Transport
Pinnacle VideoSpin
Popup Blocker (Windows Live Toolbar)
Power CD+G Burner
PowerDVD
PowerProducer
QuickTime
RAD Video Tools
RealPlayer
Riva FLV Encoder 2.0
Riva FLV Player
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip
Sayz Me
Secure-Delete
SHARP GSM GPRS USB Driver Ver2.0.0
Smart Menus (Windows Live Toolbar)
SmartRead
Sony Net MD Help
SoundTap Streaming Audio Recorder
Spybot - Search & Destroy
Switch Sound File Converter
Virgin Broadband advisor 1.5.24
Virgin Broadband PCguard
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
Visual C++ 8.0 MFC (x86) WinSXS MSM
Visual C++ 8.0 MFC.Policy (x86) WinSXS MSM
VOB2MPG 2.5
WEPOS Hotfix - KB903896
Windows Defender
Windows Defender Signatures
Windows Essentials Media Codec Pack 2.2
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Windows XP Creativity Fun Packs - Windows Movie
WinPcap 3.1
WinRAR archiver
XVID Codec Installation
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Mail Advisor
Yahoo! Photos Easy Upload Tool 1v7
Yahoo! Software Update
Yahoo! Toolbar

I am not sure if you also asked for a new HT Scan so here is that scan

Scan saved at 08:13:00, on 21/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\WECPUpdate.exe -s
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144979886703
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9a5d083292664) (gupdate1c9a5d083292664) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10102 bytes

As for what the PC is running like i will know this in the days ahead, to see if the crashing has also gone as this was also happening and was starting to become quite regular. The page redirecting both IE8 and Mozilla have since stopped. No real difference in computer running any faster but i do note that the browsers are loading quicker.

I await your comments
My donation to Spy-Bot will be forthcoming as i am very respectful of the help received here. Cracking!!!:bigthumb:

pskelley

2009-04-21, 15:57

If MBAM makes a mistake, and it would be rare but can happen with any program, that is why the stuff it removes is quarantined and not removed completely. You can restore from quarantine any file you are positive is safe. Here are freeware tools you can use to be sure:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

This can be done as time permits, but it is important, and may be why you are infected.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 8.1.3 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
All out of date and unsafe, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Logitech Desktop Messenger
gets installed along with another Logitech program because the EULA agreement is not read. Unless you know what it is and use it, it is a resource waster and can be removed in Add Remove programs.

Spybot - Search & Destroy
Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html

As far as I can see, we removed the malware, this information will help the computer run better if you will apply it.
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx

combofix is reporting two antivirus programs, if this is the case, please uninstall one of those:
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
AV: StopSign Antivirus FREE TRIAL diagnostic version *On-access scanning disabled* (Updated)
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

Let's continue to see if we can wrap up for you:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update the antivirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

yawroc

2009-04-24, 09:45

Thanks for this info a lot of those links you have given are very useful.
I have removed and updated ll the programmes you have suggested. I did another scan with MB and all came back clear no infections found.
The computer is running perfectly the redirecting of pages have since stopped obviously, Another matter i have noticed is the fact that if computer has been shut down at the wall after the PC has properly shut down- i notice now that i no longer have to go to internet options to repair connection so i can get on line which i thought was the fault of the router playing up but this was due to the fact that it was due to the fact that the connection or pc or both were hijacked.I know i made a grave mistake when i downloaded Stop Sign Anti Spyware etc and this also had infected my computer. I would like to take this step in warning others beware of this application. Especially the fact that i downloaded it from their own site.
Combo fix will be removed today or tomorrow but everything now up and running.
Thank you for all your expert help. I can only see fit to donate to Spy-Bot seeing that the help i received was top notch. Thankyou. I think you can close this now...;)

pskelley

2009-04-24, 14:01

Thanks for the feedback and for taking the time to provide it:bigthumb: safe surfing.