Another click.giftload problem - :(



nicks_scotland
2011-03-31, 13:11
Hi,

3 things started happening:

1) my browsers kept redirecting websites
2) my avast kept "blocking malicious urls"
3) Just-in-time debugging pop up, asking me to choose a debugger

I think I have done all the pre-post things, and have pasted the logs below, attached the zip and turned TeaTimer off.

Your help would be very much appreciated.

*****************
DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 10:13:28.26 on 31/03/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_09
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015.1364 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\qaddress\Rapid32.315\qarapidn.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.baztex.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
mRun: [MBoxUtil Clean] c:\program files\konica minolta\box utility\BoxUtil.exe /clean
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rapid.lnk - c:\qaddress\rapid32.315\qarapidn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\msoffice\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\mahjong escape - ancient japan\images\stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://almcam2.lofer.at:1003//activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\mahjong escape - ancient japan\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e26cpkhm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 19592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-8-27 294608]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-27 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-18 40384]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2005-5-13 40576]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 22528]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]
.
=============== Created Last 30 ================
.
2011-03-31 08:49:58 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-03-29 15:32:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 15:32:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-23 11:00:25 -------- d-----w- c:\program files\common files\L&H
2011-03-23 10:59:50 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-23 09:51:09 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2011-03-23 09:51:08 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-03-23 09:18:28 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Microsoft Help
2011-03-21 14:01:36 165376 ----a-w- c:\windows\system32\unrar.dll
2011-03-21 14:01:23 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-03-21 14:01:22 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-03-21 14:01:22 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-03-21 14:01:21 810496 ----a-w- c:\windows\system32\xvidcore.dll
2011-03-21 14:01:21 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2011-03-21 14:01:03 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-03-21 13:43:00 -------- d-----w- c:\program files\common files\DivX Shared
2011-03-21 13:38:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2011-03-21 13:33:42 421888 ----a-w- c:\windows\system32\ac3filter.acm
2011-03-21 13:33:25 -------- d-----w- c:\program files\XP Codec Pack
2011-03-01 15:10:42 -------- d-----w- c:\program files\iTunes
2011-03-01 15:10:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-03-01 15:03:39 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-02-28 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_4R120L0 rev.RAMB1TU0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89B84439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89b8a7d0]; MOV EAX, [0x89b8a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x89B6BAB8]
3 CLASSPNP[0xF763805B] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000058[0x89BD5F18]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x89B70D98]
\Driver\atapi[0x89B46A68] -> IRP_MJ_CREATE -> 0x89B84439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskMaxtor_4R120L0__________________________RAMB1TU0#3352323134584548202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B8427F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:17:37.44 ===============

*******************************************
Spybot log

Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-29 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-03-29 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-03-29 Includes\Malware.sbi (*)
2011-03-29 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-25 Includes\TrojansC-02.sbi (*)
2011-03-29 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-29 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
***********************

Blade81
2011-04-02, 13:57
Hi,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.
Click the Scan button to start the scan.

On completion of the scan click save log, save it to your desktop and post in your next reply.

nicks_scotland
2011-04-02, 14:05
Thanks for replying!

Tea timer off.

Log below:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 12:03:35
-----------------------------
12:03:35.843 OS Version: Windows 5.1.2600 Service Pack 2
12:03:35.843 Number of processors: 1 586 0xA00
12:03:35.843 ComputerName: OFFICE2 UserName: user
12:03:37.093 Initialize success
12:03:45.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort2
12:03:45.093 Disk 0 Vendor: Maxtor_4R120L0 RAMB1TU0 Size: 117246MB BusType: 3
12:03:45.093 Device \Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskMaxtor_4R120L0__________________________RAMB1TU0#3352323134584548202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
12:03:45.093 Device \Driver\atapi -> DriverStartIo 89b8427f
12:03:47.093 Disk 0 MBR read successfully
12:03:47.109 Disk 0 MBR scan
12:03:47.109 Disk 0 TDL4@MBR code has been found
12:03:47.109 Disk 0 MBR hidden
12:03:47.109 Disk 0 MBR [TDL4] **ROOTKIT**
12:03:47.109 Disk 0 trace - called modules:
12:03:47.109 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b84439]<<
12:03:47.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b6bab8]
12:03:47.125 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\00000058[0x89bd5f18]
12:03:47.125 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89b70d98]
12:03:47.484 \Driver\atapi[0x89b46a68] -> IRP_MJ_CREATE -> 0x89b84439
12:03:47.484 Scan finished successfully

Blade81
2011-04-02, 14:20
Hi again :)

Re-run aswMBR and click Scan. On completion of the scan, click Fix for TDL4. Save the log as before and post it in your next reply.

nicks_scotland
2011-04-02, 16:00
New log below.

Should I reboot like it asks?

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 13:58:51
-----------------------------
13:58:51.906 OS Version: Windows 5.1.2600 Service Pack 2
13:58:51.906 Number of processors: 1 586 0xA00
13:58:51.906 ComputerName: OFFICE2 UserName: user
13:58:52.359 Initialize success
13:58:53.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort2
13:58:53.281 Disk 0 Vendor: Maxtor_4R120L0 RAMB1TU0 Size: 117246MB BusType: 3
13:58:53.281 Device \Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskMaxtor_4R120L0__________________________RAMB1TU0#3352323134584548202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
13:58:53.296 Device \Driver\atapi -> DriverStartIo 89b8427f
13:58:55.296 Disk 0 MBR read successfully
13:58:55.296 Disk 0 MBR scan
13:58:55.296 Disk 0 TDL4@MBR code has been found
13:58:55.296 Disk 0 MBR hidden
13:58:55.296 Disk 0 MBR [TDL4] **ROOTKIT**
13:58:55.312 Disk 0 trace - called modules:
13:58:55.312 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b84439]<<
13:58:55.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b6bab8]
13:58:55.312 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\00000058[0x89bd5f18]
13:58:55.312 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89b70d98]
13:58:55.656 \Driver\atapi[0x89b46a68] -> IRP_MJ_CREATE -> 0x89b84439
13:58:55.671 Scan finished successfully
13:59:08.781 Disk 0 fixing MBR
13:59:18.843 Disk 0 MBR restored successfully
13:59:19.000 Infection fixed successfully - please reboot ASAP
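As an added example (not code from this thread or from AVAST), here is a small Python triage routine that reads the two aswMBR logs posted above and reduces them to the indicators the helper acted on: the TDL4 signature in the MBR, the hidden MBR, the unknown module in the disk I/O trace, and whether the Fix step reported the MBR restored. The line formats it matches are an assumption taken from these two logs, and the sample text is constructed from them.

```python
"""Triage an aswMBR scan log for MBR rootkit indicators.

Added example, not code from the thread or from AVAST. The line formats matched
below are assumed from the two aswMBR 0.9.4 logs posted in this thread; they are
illustrative, not the tool's specification.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, abridged from the first aswMBR run posted in this thread.
SCAN_BEFORE_FIX = r"""
12:03:45.093 Device \Driver\atapi -> DriverStartIo 89b8427f
12:03:47.093 Disk 0 MBR read successfully
12:03:47.109 Disk 0 MBR scan
12:03:47.109 Disk 0 TDL4@MBR code has been found
12:03:47.109 Disk 0 MBR hidden
12:03:47.109 Disk 0 MBR [TDL4] **ROOTKIT**
12:03:47.109 Disk 0 trace - called modules:
12:03:47.109 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b84439]<<
12:03:47.484 \Driver\atapi[0x89b46a68] -> IRP_MJ_CREATE -> 0x89b84439
12:03:47.484 Scan finished successfully
"""

# Constructed from the second run: same findings, followed by the Fix step's lines.
SCAN_AFTER_FIX = SCAN_BEFORE_FIX + r"""13:59:08.781 Disk 0 fixing MBR
13:59:18.843 Disk 0 MBR restored successfully
13:59:19.000 Infection fixed successfully - please reboot ASAP
"""

# Constructed: the same run with every indicator line absent.
SCAN_CLEAN = r"""
12:03:47.093 Disk 0 MBR read successfully
12:03:47.109 Disk 0 MBR scan
12:03:47.484 Scan finished successfully
"""

# The "HH:MM:SS.mmm " prefix is optional so lines pasted without it still match.
TS_RE = re.compile(r"^(?:\d{2}:\d{2}:\d{2}\.\d{3} )?(.*)$")
STARTIO_RE = re.compile(r"^Device (\\Driver\\\w+) -> DriverStartIo ([0-9a-fA-F]+)$")
SIGNATURE_RE = re.compile(r"^Disk (\d+) (\w+)@MBR code has been found$")
HIDDEN_RE = re.compile(r"^Disk (\d+) MBR hidden$")
ROOTKIT_RE = re.compile(r"^Disk (\d+) MBR \[(\w+)\] \*\*ROOTKIT\*\*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
RESTORED_RE = re.compile(r"^Disk (\d+) MBR restored successfully$")
FIXED_RE = re.compile(r"^Infection fixed successfully")


@dataclass
class Triage:
    mbr_signature: Optional[str] = None    # family in "<X>@MBR code has been found"
    rootkit_family: Optional[str] = None   # family in "MBR [<X>] **ROOTKIT**"
    mbr_hidden: bool = False               # tool reports the on-disk MBR as hidden
    unknown_module: Optional[int] = None   # disk I/O trace reached code owned by no loaded driver
    startio_address: Optional[Tuple[str, int]] = None  # context only: (driver object, address)
    mbr_restored: bool = False
    fix_reported: bool = False

    @property
    def indicators(self) -> List[str]:
        """Human-readable list of the rootkit indicators present in the log."""
        found = []
        if self.mbr_signature:
            found.append(f"{self.mbr_signature} code signature in MBR")
        if self.rootkit_family:
            found.append(f"MBR flagged as {self.rootkit_family} rootkit")
        if self.mbr_hidden:
            found.append("MBR reported hidden")
        if self.unknown_module is not None:
            found.append(f"disk I/O trace enters unknown code at 0x{self.unknown_module:08x}")
        return found

    @property
    def verdict(self) -> str:
        """'clean', 'infected', or 'fixed' (fix lines seen; confirm with a rescan after reboot)."""
        if not self.indicators:
            return "clean"
        if self.mbr_restored and self.fix_reported:
            return "fixed"
        return "infected"


def triage(log_text: str) -> Triage:
    """Walk the log once and collect the indicators; lines we do not recognise are ignored."""
    t = Triage()
    for raw in log_text.splitlines():
        msg = TS_RE.match(raw.strip()).group(1)
        if not msg:
            continue
        if m := STARTIO_RE.match(msg):
            # Recorded as context, not as an indicator: a StartIo routine is legitimate;
            # the question is whether its address lies inside the driver's image, and
            # the >>UNKNOWN<< trace line is where the tool answers that separately.
            t.startio_address = (m.group(1), int(m.group(2), 16))
        elif m := SIGNATURE_RE.match(msg):
            t.mbr_signature = m.group(2)
        elif HIDDEN_RE.match(msg):
            t.mbr_hidden = True
        elif m := ROOTKIT_RE.match(msg):
            t.rootkit_family = m.group(2)
        elif m := UNKNOWN_RE.search(msg):
            t.unknown_module = int(m.group(1), 16)
        elif RESTORED_RE.match(msg):
            t.mbr_restored = True
        elif FIXED_RE.match(msg):
            t.fix_reported = True
    return t


if __name__ == "__main__":
    for name, text in (("before fix", SCAN_BEFORE_FIX), ("after fix", SCAN_AFTER_FIX), ("clean", SCAN_CLEAN)):
        result = triage(text)
        print(f"{name}: {result.verdict}; indicators: {result.indicators or 'none'}")
```

A "fixed" verdict only means the tool reported the repair; it is confirmed when the post-reboot rescan comes back with no indicators, which is what the next posts in the thread check.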

Blade81
2011-04-02, 16:04
Please do.

nicks_scotland
2011-04-02, 16:18
Ok, rebooted. So far so good. No "dings" from avast saying it's stopping malicious urls and no debugging popups.

What now?? :)

Blade81
2011-04-02, 16:30
Good. Now we'll do some more cleaning :)

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix (see http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

nicks_scotland
2011-04-02, 17:54
:)

ComboFix log:

ComboFix 11-04-01.01 - user 02/04/2011 15:36:15.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015.1565 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\jestertb.dll
c:\windows\sedmgac.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))
.
.
2011-04-01 11:49 . 2011-04-02 08:29 -------- d-----w- c:\windows\$XNTUninstall643$
2011-03-31 16:26 . 2011-03-31 16:26 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-03-31 09:15 . 2011-03-31 09:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-31 09:09 . 2011-03-31 09:09 -------- d-----w- c:\program files\ERUNT
2011-03-31 08:49 . 2006-10-12 03:10 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-03-31 08:21 . 2011-03-31 08:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Microsoft Help
2011-03-29 15:32 . 2011-03-29 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-29 15:32 . 2011-03-29 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-23 11:00 . 2011-03-23 11:00 -------- d-----w- c:\program files\Common Files\L&H
2011-03-23 10:59 . 2011-03-23 10:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-23 10:57 . 2011-03-23 10:57 -------- d-----w- c:\program files\Microsoft.NET
2011-03-23 10:55 . 2011-03-23 10:55 -------- d-----r- C:\MSOCache
2011-03-23 09:51 . 2006-10-26 19:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2011-03-23 09:51 . 2006-10-26 19:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-03-23 09:45 . 2011-03-26 09:37 -------- d-----w- c:\program files\Microsoft Works
2011-03-23 09:18 . 2011-03-23 09:18 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Microsoft Help
2011-03-23 09:18 . 2011-03-31 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2011-03-21 14:01 . 2010-03-15 10:31 165376 ----a-w- c:\windows\system32\unrar.dll
2011-03-21 14:01 . 2008-09-24 19:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-03-21 14:01 . 2010-11-03 19:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-03-21 14:01 . 2010-01-17 16:18 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-03-21 14:01 . 2010-12-07 18:40 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2011-03-21 14:01 . 2010-12-07 18:22 810496 ----a-w- c:\windows\system32\xvidcore.dll
2011-03-21 14:01 . 2011-03-21 14:02 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-03-21 13:45 . 2011-03-21 13:46 -------- d-----w- c:\documents and settings\user\Application Data\DivX
2011-03-21 13:43 . 2011-03-21 13:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2011-03-21 13:38 . 2011-03-21 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2011-03-21 13:33 . 2008-07-09 09:05 421888 ----a-w- c:\windows\system32\ac3filter.acm
2011-03-21 13:33 . 2011-03-21 13:33 -------- d-----w- c:\program files\XP Codec Pack
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-28 08:00 . 2008-12-17 17:22 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-13 08:47 . 2010-07-02 08:20 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2008-08-27 14:12 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2008-08-27 14:12 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2008-08-27 14:12 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2008-08-27 14:12 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2008-08-27 14:12 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2008-08-27 14:12 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2008-08-27 14:12 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2008-08-27 14:12 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2004-09-02 49152]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"MBoxUtil Clean"="c:\program files\KONICA MINOLTA\BOX Utility\BoxUtil.exe" [2004-03-22 614400]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Rapid.LNK - c:\qaddress\Rapid32.315\qarapidn.exe [2007-9-21 465408]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-25 331776]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Nicola\\odds\\utorrent.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [24/09/2009 06:40 19592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [27/08/2008 15:12 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/08/2008 15:12 17744]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [13/05/2005 05:09 40576]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/01/2010 12:27 135664]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [24/09/2009 14:38 22528]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [17/06/2009 15:01 25480]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [30/11/2007 12:27 558592]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 10:48]
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 11:27]
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 11:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\e26cpkhm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EPSON Stylus Photo RX420 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
HKLM-Run-EPSON Stylus Photo RX420 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll
AddRemove-HijackThis - d:\antivirus\syscleanfiles\hjt\HijackThis.exe
AddRemove-3718539502.skyplayer.sky.com - c:\program files\Microsoft Silverlight\4.0.50917.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-02 15:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo RX420 Series = c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"??????????????????????????????p???g??w0??w????*??w???w????O??w??????????????????[????w????????????????????T???????????g??w???w???????w???w??[????????????w???????????????????????????????|??????????[?????????????O??ws??w???w'??w????????????X???????????"????>X? ???????????4????a?w????????????????P???????????????T????b?w????P???????{S??????????????h??w????P???????z??wP???????8???????????`??
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-219886449-789616257-1325824072-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DACFF4A5-98A0-3937-3497-8D627EFCCB26}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaifjglknd"=hex:66,61,63,65,69,68,6d,64,6e,68,66,6c,00,31
"dangcgdi"=hex:64,62,6d,69,6f,62,6c,61,6a,6d,6a,6e,6e,68,6d,61,69,66,6f,68,6f,
62,68,67,70,61,63,6e,6a,62,68,65,67,6d,6c,66,6a,6c,6f,66,00,00
"iaaiibhadllegimcop"=hex:6a,61,66,61,6f,70,64,6f,65,6d,70,64,6c,65,65,65,62,6e,
6d,62,00,00
"hakikpmjandahchp"=hex:6a,61,68,61,66,70,6c,6a,63,70,6b,70,70,6e,65,65,6a,6a,
6d,6b,00,00
.
Completion time: 2011-04-02 15:45:48
ComboFix-quarantined-files.txt 2011-04-02 14:45
.
Pre-Run: 59,086,094,336 bytes free
Post-Run: 59,257,753,600 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 03A0BCC8F2C88488570909673A7F487F

************************
DDS log

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 15:53:20.14 on 02/04/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_09
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015.1398 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\dds(3).scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [MBoxUtil Clean] c:\program files\konica minolta\box utility\BoxUtil.exe /clean
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rapid.lnk - c:\qaddress\rapid32.315\qarapidn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\msoffice\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\mahjong escape - ancient japan\images\stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://almcam2.lofer.at:1003//activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\mahjong escape - ancient japan\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e26cpkhm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 19592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-8-27 294608]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-27 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-18 40384]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2005-5-13 40576]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 22528]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]
.
=============== Created Last 30 ================
.
2011-04-02 14:32:37 -------- d-sha-r- C:\cmdcons
2011-04-02 14:24:08 98816 ----a-w- c:\windows\sed.exe
2011-04-02 14:24:08 89088 ----a-w- c:\windows\MBR.exe
2011-04-02 14:24:08 256512 ----a-w- c:\windows\PEV.exe
2011-04-02 14:24:08 161792 ----a-w- c:\windows\SWREG.exe
2011-04-01 11:49:27 -------- d-----w- c:\windows\$XNTUninstall643$
2011-03-31 08:49:58 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-03-29 15:32:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 15:32:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-23 11:00:25 -------- d-----w- c:\program files\common files\L&H
2011-03-23 10:59:50 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-23 09:51:09 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2011-03-23 09:51:08 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-03-23 09:18:28 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Microsoft Help
2011-03-21 14:01:36 165376 ----a-w- c:\windows\system32\unrar.dll
2011-03-21 14:01:23 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-03-21 14:01:22 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-03-21 14:01:22 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-03-21 14:01:21 810496 ----a-w- c:\windows\system32\xvidcore.dll
2011-03-21 14:01:21 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2011-03-21 14:01:03 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-03-21 13:43:00 -------- d-----w- c:\program files\common files\DivX Shared
2011-03-21 13:38:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2011-03-21 13:33:42 421888 ----a-w- c:\windows\system32\ac3filter.acm
2011-03-21 13:33:25 -------- d-----w- c:\program files\XP Codec Pack
.
==================== Find3M ====================
.
2011-02-28 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 15:53:41.57 ===============

Blade81
2011-04-02, 19:21
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



Regnull::
[HKEY_USERS\S-1-5-21-219886449-789616257-1325824072-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DACFF4A5-98A0-3937-3497-8D627EFCCB26}*]
DDS::
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader X + 10.0.1 update for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).

Uninstall your current Adobe shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 24 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install.
Click Start
Make sure that the option Remove found threats is not checkmarked.
Click Scan
Wait for the scan to finish.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
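
The CFScript above nulls a locked key whose hex: values were dumped in the earlier ComboFix log under LOCKED REGISTRY KEYS. The following is an added example (my own code, not Blade81's, ComboFix's or sUBs' tooling) that parses that REGEDIT4-style block and decodes each value, so a reader can see what was actually stored under the key rather than a wall of hex. It assumes the wrapping convention visible in the posted log: a long hex: value continues on the next line and each wrapped line ends with a comma. The sample input is the locked-keys block copied from the log above; the looks_generated() heuristic is my own and only flags names worth a closer look.

```python
import re

# Constructed sample: the LOCKED REGISTRY KEYS block copied from the ComboFix
# log posted earlier in this thread (the key the CFScript targets with Regnull::).
LOCKED_KEYS_LOG = r'''
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-219886449-789616257-1325824072-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DACFF4A5-98A0-3937-3497-8D627EFCCB26}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaifjglknd"=hex:66,61,63,65,69,68,6d,64,6e,68,66,6c,00,31
"dangcgdi"=hex:64,62,6d,69,6f,62,6c,61,6a,6d,6a,6e,6e,68,6d,61,69,66,6f,68,6f,
62,68,67,70,61,63,6e,6a,62,68,65,67,6d,6c,66,6a,6c,6f,66,00,00
"iaaiibhadllegimcop"=hex:6a,61,66,61,6f,70,64,6f,65,6d,70,64,6c,65,65,65,62,6e,
6d,62,00,00
"hakikpmjandahchp"=hex:6a,61,68,61,66,70,6c,6a,63,70,6b,70,70,6e,65,65,6a,6a,
6d,6b,00,00
.
'''

VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')


def _hex_to_bytes(hex_text):
    """Turn 'ab,cd' into the bytes 0xab 0xcd; empty items (trailing comma) are ignored."""
    return bytes(int(item, 16) for item in hex_text.split(',') if item)


def parse_locked_keys(text):
    """Return {key_path: {value_name: raw_bytes}} for a ComboFix locked-keys dump.

    Assumption from the posted log: ComboFix wraps long hex: values onto
    continuation lines that end with a comma (no trailing backslash as in a
    real .reg file), so a value is complete only once a line no longer ends
    with ','.
    """
    keys = {}
    current = None
    pending = None  # (value_name, hex_text_so_far) while a value is still wrapping
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            name, hex_text = pending
            hex_text += line
            if hex_text.endswith(','):
                pending = (name, hex_text)
            else:
                keys[current][name] = _hex_to_bytes(hex_text)
                pending = None
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name, hex_text = match.groups()
            if hex_text.endswith(','):
                pending = (name, hex_text)
            else:
                keys[current][name] = _hex_to_bytes(hex_text)
    return keys


def decode_value(raw):
    """Split a raw value at its first NUL: (text before the NUL, bytes after it).

    The four values in the sample are NUL-terminated ASCII strings with one or
    two bytes of trailing data, which the hex dump alone does not make obvious.
    """
    text, _, trailing = raw.partition(b'\x00')
    return text.decode('latin-1'), trailing


def looks_generated(name):
    """Heuristic (mine): a value name made only of lowercase letters, at least 8
    long, is unlike the braced CLSID names normally found under the Approved
    key and is worth a closer look."""
    return len(name) >= 8 and name.isalpha() and name.islower()


def summarize(text):
    """Decode every value under every key and flag generated-looking names."""
    report = []
    for key, values in parse_locked_keys(text).items():
        for name, raw in values.items():
            decoded, trailing = decode_value(raw)
            report.append({'key': key, 'name': name, 'text': decoded,
                           'trailing': trailing, 'flag': looks_generated(name)})
    return report


if __name__ == '__main__':
    for entry in summarize(LOCKED_KEYS_LOG):
        marker = '!!' if entry['flag'] else '  '
        print(f"{marker} {entry['name']:<20} -> {entry['text']!r} trailing={entry['trailing']!r}")
```

Run stand-alone it prints the four decoded strings; all four value names trip the heuristic, which matches the helper's choice to null the key rather than try to interpret the data.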

nicks_scotland
2011-04-04, 13:32
Sorry it's taken me so long to reply.

Computer seems to be taking an age to do anything just now as well :(

Logs below....

*********************
Combofix

ComboFix 11-04-01.01 - user 02/04/2011 17:35:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015.1525 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))
.
.
2011-04-01 11:49 . 2011-04-02 08:29 -------- d-----w- c:\windows\$XNTUninstall643$
2011-03-31 16:26 . 2011-03-31 16:26 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-03-31 09:15 . 2011-03-31 09:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-31 09:09 . 2011-03-31 09:09 -------- d-----w- c:\program files\ERUNT
2011-03-31 08:49 . 2006-10-12 03:10 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-03-31 08:21 . 2011-03-31 08:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Microsoft Help
2011-03-29 15:32 . 2011-03-29 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-29 15:32 . 2011-03-29 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-23 11:00 . 2011-03-23 11:00 -------- d-----w- c:\program files\Common Files\L&H
2011-03-23 10:59 . 2011-03-23 10:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-23 10:57 . 2011-03-23 10:57 -------- d-----w- c:\program files\Microsoft.NET
2011-03-23 10:55 . 2011-03-23 10:55 -------- d-----r- C:\MSOCache
2011-03-23 09:51 . 2006-10-26 19:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2011-03-23 09:51 . 2006-10-26 19:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-03-23 09:45 . 2011-03-26 09:37 -------- d-----w- c:\program files\Microsoft Works
2011-03-23 09:18 . 2011-03-23 09:18 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Microsoft Help
2011-03-23 09:18 . 2011-03-31 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2011-03-21 14:01 . 2010-03-15 10:31 165376 ----a-w- c:\windows\system32\unrar.dll
2011-03-21 14:01 . 2008-09-24 19:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-03-21 14:01 . 2010-11-03 19:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-03-21 14:01 . 2010-01-17 16:18 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-03-21 14:01 . 2010-12-07 18:40 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2011-03-21 14:01 . 2010-12-07 18:22 810496 ----a-w- c:\windows\system32\xvidcore.dll
2011-03-21 14:01 . 2011-03-21 14:02 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-03-21 13:45 . 2011-03-21 13:46 -------- d-----w- c:\documents and settings\user\Application Data\DivX
2011-03-21 13:43 . 2011-03-21 13:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2011-03-21 13:38 . 2011-03-21 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2011-03-21 13:33 . 2008-07-09 09:05 421888 ----a-w- c:\windows\system32\ac3filter.acm
2011-03-21 13:33 . 2011-03-21 13:33 -------- d-----w- c:\program files\XP Codec Pack
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-28 08:00 . 2008-12-17 17:22 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-13 08:47 . 2010-07-02 08:20 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2008-08-27 14:12 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2008-08-27 14:12 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2008-08-27 14:12 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2008-08-27 14:12 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2008-08-27 14:12 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2008-08-27 14:12 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2008-08-27 14:12 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2008-08-27 14:12 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2004-09-02 49152]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"MBoxUtil Clean"="c:\program files\KONICA MINOLTA\BOX Utility\BoxUtil.exe" [2004-03-22 614400]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Rapid.LNK - c:\qaddress\Rapid32.315\qarapidn.exe [2007-9-21 465408]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-25 331776]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Nicola\\odds\\utorrent.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [24/09/2009 06:40 19592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [27/08/2008 15:12 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/08/2008 15:12 17744]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [13/05/2005 05:09 40576]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/01/2010 12:27 135664]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [24/09/2009 14:38 22528]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [17/06/2009 15:01 25480]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [30/11/2007 12:27 558592]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 10:48]
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 11:27]
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 11:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\e26cpkhm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-02 17:44
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2640)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-02 17:48:43
ComboFix-quarantined-files.txt 2011-04-02 16:48
ComboFix2.txt 2011-04-02 14:45
.
Pre-Run: 59,263,418,368 bytes free
Post-Run: 59,251,220,480 bytes free
.
- - End Of File - - 6DEF61B10CA637D5960FE1517BE9DADF
*******************


DDS

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 11:23:14.12 on 04/04/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015.1563 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\dds(3).scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [MBoxUtil Clean] c:\program files\konica minolta\box utility\BoxUtil.exe /clean
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rapid.lnk - c:\qaddress\rapid32.315\qarapidn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\msoffice\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\mahjong escape - ancient japan\images\stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://almcam2.lofer.at:1003//activex/AMC.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\mahjong escape - ancient japan\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e26cpkhm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 19592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-8-27 294608]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-27 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-18 40384]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2005-5-13 40576]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 22528]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]
.
=============== Created Last 30 ================
.
2011-04-02 17:16:34 -------- d-----w- c:\program files\ESET
2011-04-02 17:10:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-02 17:10:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-02 17:10:36 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-02 14:32:37 -------- d-sha-r- C:\cmdcons
2011-04-02 14:24:08 98816 ----a-w- c:\windows\sed.exe
2011-04-02 14:24:08 89088 ----a-w- c:\windows\MBR.exe
2011-04-02 14:24:08 256512 ----a-w- c:\windows\PEV.exe
2011-04-02 14:24:08 161792 ----a-w- c:\windows\SWREG.exe
2011-04-01 11:49:27 -------- d-----w- c:\windows\$XNTUninstall643$
2011-03-29 15:32:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 15:32:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-23 11:00:25 -------- d-----w- c:\program files\common files\L&H
2011-03-23 10:59:50 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-23 09:51:09 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2011-03-23 09:51:08 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-03-23 09:18:28 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Microsoft Help
2011-03-21 14:01:36 165376 ----a-w- c:\windows\system32\unrar.dll
2011-03-21 14:01:23 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-03-21 14:01:22 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-03-21 14:01:22 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-03-21 14:01:21 810496 ----a-w- c:\windows\system32\xvidcore.dll
2011-03-21 14:01:21 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2011-03-21 14:01:03 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-03-21 13:43:00 -------- d-----w- c:\program files\common files\DivX Shared
2011-03-21 13:38:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2011-03-21 13:33:42 421888 ----a-w- c:\windows\system32\ac3filter.acm
2011-03-21 13:33:25 -------- d-----w- c:\program files\XP Codec Pack
.
==================== Find3M ====================
.
2011-02-28 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 11:24:57.92 ===============

****************

nicks_scotland
2011-04-04, 13:53
Oops, and sorry, I seem to have pasted the ComboFix log twice instead of the ESET log.

eset below:
C:\Documents and Settings\All Users\Application Data\SecTaskMan\mbdwt.dll.q_E6D8004_q a variant of Win32/Adware.Lifze.R application
C:\Qoobox\Quarantine\C\WINDOWS\sedmgac.dll.vir a variant of Win32/Cimag.GN trojan
C:\System Volume Information\_restore{F930169F-4B0C-43D4-9D10-C9462D70F0A9}\RP1644\A0455312.dll a variant of Win32/Adware.Lifze.R application
C:\System Volume Information\_restore{F930169F-4B0C-43D4-9D10-C9462D70F0A9}\RP1645\A0456423.dll a variant of Win32/Cimag.GN trojan

Blade81
2011-04-04, 16:33
Hi again,

Delete C:\Documents and Settings\All Users\Application Data\SecTaskMan\mbdwt.dll.q_E6D8004_q file.

Is some specific operation slow there? Windows XP service pack 3 and Windows Internet Explorer 8 should be installed.

nicks_scotland
2011-04-04, 17:13
Hi,

I've deleted that file. The speed of the computer has gone mostly back to normal after I rebooted.

The only thing that I've noticed is slower than usual is waiting for it to populate the list when I click on "add remove programs". But it does show the list after a wee bit.

I don't use IE, I use Firefox and it's fine now.

Anything else you think I need to do?

Cheers again for the help, so much appreciated. :D

nicks_scotland
2011-04-04, 17:14
Hrm, seems I only have service pack 2. You're saying I should update, right?

Blade81
2011-04-04, 17:22
Hrm, seems I only have service pack 2. You're saying I should update, right?
Yes, and Windows Internet Explorer 8 too.

Before that uninstall ComboFix though:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK

nicks_scotland
2011-04-04, 18:58
Aaargh!! SP3 seems to have completely disabled my wireless/network card.

Just looking for updated drivers for it on another computer! :(

nicks_scotland
2011-04-04, 22:28
Oh dear. I want to swear but I won't!!

None of the drivers or the fixes worked to get my wireless/network router working again, so I uninstalled SP3!!

But now my computer won't boot up at all: not in normal mode, not in safe mode and not to the last known good configuration. It gets so far, the Windows screen comes up, there's a flash of blue, then it seems like the power goes and it starts booting again!

Help!! X

Blade81
2011-04-05, 08:27
I wish you hadn't tried anything to fix that wireless problem. Now it's really difficult if you can't make the system boot. The only chance at this point is likely to have a Windows XP Home installation disk and try a repair installation (http://www.michaelstevenstech.com/XPrepairinstall.htm) with that.

nicks_scotland
2011-04-05, 12:31
I was browsing around last night looking for advice on what to do and someone somewhere mentioned that it was the USB connections that were causing the boot loop.

I unplugged all the USB things and connected a PS/2 mouse, managed to uninstall and reinstall all the USB controllers, and the computer now boots up fine and I can use my USB mouse/keyboard again.

Now the problem I seem to have is I can't get onto the internet! It finds the wireless connection, I'm connected to it (I can access the other computer on the network). Just no internet connectivity!

So now searching on how to fix that; any help would be much appreciated, although this is now a completely different problem from the virus stuff that you helped me with.

Not a good week so far!!! :)

Blade81
2011-04-05, 16:32
Hi,

Please post fresh DDS logs. Does Device Manager show any wireless-related error?

nicks_scotland
2011-04-07, 13:45
Blade81,

Sorry it's taken me so long to repost. I got a friend to help get the network/internet working again. We have managed to do so and have installed SP3 and IE8 and all the other updates that were waiting.

Thought I was all clear as the computer is working fine (and the browser not redirecting), but I did another scan with searchbot and click.giftload is still there :(

DDS log below and Spybot log attached (it was too long for pasting here).

Thanks in advance.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 11:34:25.43 on 07/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2015.1256 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\MSOffice\OFFICE11\MSACCESS.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\user\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rapid.lnk - c:\qaddress\rapid32.315\qarapidn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://almcam2.lofer.at:1003//activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli scecli
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e26cpkhm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 19592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-8-27 294608]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-27 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-18 40384]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2005-5-13 40576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 22528]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-3-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-07 09:24:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 09:24:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 09:24:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-06 14:27:20 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2011-04-06 14:26:16 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2011-04-06 14:10:53 -------- d-sh--w- c:\documents and settings\user\IETldCache
2011-04-06 13:39:36 -------- d-----w- c:\windows\system32\winrm
2011-04-06 13:39:31 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-04-06 13:31:57 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-04-06 13:31:34 -------- d-----w- c:\windows\ie8updates
2011-04-06 13:31:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-06 13:31:21 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-04-06 13:31:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-06 13:30:29 -------- dc-h--w- c:\windows\ie8
2011-04-06 13:22:53 -------- d-----w- c:\docume~1\user\applic~1\Windows Desktop Search
2011-04-06 13:22:13 -------- d-----w- c:\program files\Windows Desktop Search
2011-04-06 13:22:12 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-06 13:21:51 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2011-04-06 13:21:51 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2011-04-06 13:21:51 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2011-04-06 13:19:35 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-06 13:19:35 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-06 13:19:35 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-04-06 13:19:35 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2011-04-06 13:19:34 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2011-04-06 13:19:34 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2011-04-06 13:19:34 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2011-04-06 13:19:34 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-04-06 12:55:40 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-04-06 12:55:40 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-04-06 12:54:53 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-04-06 12:53:40 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-04-06 12:47:48 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-04-06 12:01:49 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-04-06 12:01:34 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2011-04-06 12:01:05 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-04-06 12:01:05 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-04-06 12:01:00 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2011-04-06 12:01:00 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2011-04-06 12:01:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2011-04-06 12:01:00 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2011-04-06 12:01:00 110592 -c----w- c:\windows\system32\dllcache\services.exe
2011-04-06 12:00:59 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2011-04-06 12:00:59 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2011-04-06 12:00:59 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2011-04-06 12:00:59 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2011-04-06 12:00:58 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-04-06 12:00:57 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-04-06 12:00:56 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-04-06 12:00:27 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-04-06 11:59:10 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-04-06 11:54:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-04-06 11:53:54 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-04-06 11:52:59 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-04-06 11:52:43 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-04-06 10:30:03 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-04-06 09:55:22 63663 ------w- c:\windows\system32\drivers\ati1rvxx.sys
2011-04-06 09:54:15 19569 ----a-w- c:\windows\002667_.tmp
2011-04-05 13:17:33 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2011-04-05 13:17:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-05 11:03:19 -------- d-----w- c:\docume~1\user\applic~1\Easeware
2011-04-04 15:18:23 132096 ----a-w- c:\windows\system32\wkssvc.dll
2011-04-04 15:16:03 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-04-04 15:14:52 345600 ----a-w- c:\windows\system32\localspl.dll
2011-04-04 15:13:19 149504 ----a-w- c:\windows\system32\schannel.dll
2011-04-04 15:12:05 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-04 15:11:54 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-04 15:10:50 730112 ----a-w- c:\windows\system32\lsasrv.dll
2011-04-04 15:10:50 718336 ----a-w- c:\windows\system32\ntdll.dll
2011-04-04 15:10:50 110592 ----a-w- c:\windows\system32\services.exe
2011-04-04 15:10:49 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-04 15:10:49 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-04 15:09:21 1854976 ----a-w- c:\windows\system32\win32k.sys
2011-04-04 15:08:17 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-04 15:08:17 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2011-04-04 15:08:17 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-04-04 15:07:09 203136 ----a-w- c:\windows\system32\drivers\rmcast.sys
2011-04-04 15:01:19 -------- d-----w- c:\windows\system32\scripting
2011-04-04 15:01:19 -------- d-----w- c:\windows\l2schemas
2011-04-04 15:01:18 -------- d-----w- c:\windows\system32\en
2011-04-04 15:01:18 -------- d-----w- c:\windows\system32\bits
2011-04-04 14:55:00 -------- d-----w- c:\windows\network diagnostic
2011-04-04 14:49:58 617472 ----a-w- c:\windows\system32\comctl32.dll
2011-04-04 14:23:39 -------- d-----w- c:\windows\EHome
2011-04-02 17:10:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-02 17:10:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-02 17:10:36 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-02 14:32:37 -------- d-sha-r- C:\cmdcons
2011-03-29 15:32:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-29 15:32:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-23 11:00:25 -------- d-----w- c:\program files\common files\L&H
2011-03-23 10:59:50 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-23 09:51:09 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2011-03-23 09:51:08 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-03-23 09:18:28 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Microsoft Help
2011-03-21 14:01:36 165376 ----a-w- c:\windows\system32\unrar.dll
2011-03-21 14:01:23 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-03-21 14:01:22 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-03-21 14:01:22 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-03-21 14:01:21 810496 ----a-w- c:\windows\system32\xvidcore.dll
2011-03-21 14:01:21 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2011-03-21 14:01:03 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-03-21 13:43:00 -------- d-----w- c:\program files\common files\DivX Shared
2011-03-21 13:38:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2011-03-21 13:33:42 421888 ----a-w- c:\windows\system32\ac3filter.acm
2011-03-21 13:33:25 -------- d-----w- c:\program files\XP Codec Pack
.
==================== Find3M ====================
.
2011-02-28 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 11:35:58.64 ===============

Blade81
2011-04-07, 13:50
Hi,

Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop.


REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-


It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Double-click fix.reg, press Yes and OK.

Reboot and see if Spybot still finds the item.
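
The fix above works because `"svchost.exe"=-` in a REGEDIT4 file deletes that named value. As an added example (not part of the thread or the helper's instructions), this PowerShell script shows the same FEATURE_BROWSER_EMULATION key across the hives where it can live, flags the svchost.exe entry the fix targets, and only deletes it when run with -Remove; the extra HKLM/HKCU/Wow6432Node paths are assumptions added for completeness.

```powershell
# Added example: audit FEATURE_BROWSER_EMULATION for the svchost.exe value that
# the thread's fix.reg deletes. Run from an elevated PowerShell prompt;
# without -Remove it only reports, with -Remove it deletes the flagged value.
param(
    [switch]$Remove
)

# Value name and sub-key taken from the fix.reg in the post above.
$valueName = 'svchost.exe'
$subKey    = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'

# HKU\.DEFAULT is the hive the fix targets. The other paths are assumed extras
# so the same check covers the machine-wide, per-user and 32-bit-on-64-bit views.
$roots = @(
    "Registry::HKEY_USERS\.DEFAULT\$subKey",
    "HKLM:\$subKey",
    "HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION",
    "HKCU:\$subKey"
)

foreach ($path in $roots) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "absent : $path"
        continue
    }
    $key = Get-Item -LiteralPath $path

    # List every value under the key so an unexpected host process stands out
    # next to the legitimate browser-hosting executables that belong there.
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        $flag = if ($name -ieq $valueName) { '  <-- flagged' } else { '' }
        Write-Output ("present: {0}  '{1}' = {2}{3}" -f $path, $name, $data, $flag)
    }

    if ($key.GetValueNames() -icontains $valueName) {
        if ($Remove) {
            # Same effect as "svchost.exe"=- in the .reg file, limited to this one value.
            Remove-ItemProperty -LiteralPath $path -Name $valueName
            Write-Output "removed: '$valueName' from $path"
        } else {
            Write-Output "would remove (re-run with -Remove): '$valueName' from $path"
        }
    }
}
```

Run it once without -Remove to see what is present, then with -Remove, and re-scan with Spybot after the reboot as the post says.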

nicks_scotland
2011-04-07, 14:37
Thanks for the super quick response! The Spybot scan is now only telling me that the Windows Firewall isn't on. No sign of click.giftload. :D

Do you think I'm in the clear now?

Nicks x

Blade81
2011-04-07, 15:56
Good. If there are no symptoms left, I believe the case is finished. To help keep the system up to date, I recommend downloading Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) :)

Blade81
2011-04-13, 15:31
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (PM). A valid, working link to the closed topic is required.