Google Redirect and More

Status
Not open for further replies.
S

Stotty4321

New member
Hello

I started to have issues with links from google being randomly redirected. The issue got worse with all sorts starting to pop up, mostly many thing telling me my computer was infected and 'click here to sort it'.

I do have Sophos however the license is expired and it is about a year out of date. I have tried to use Spy Bot and Malwarebytes. However Firefox and IE says it can't find the website for them. I was able to get the setup file for Spy Bot onto my computer but when it tried to connect to its server it was blocked. It says 'Error sending request. Server name or address could not be resolved'.

Hope you can help
Matt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 22:36:40.98 on 27/09/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.775 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre1.6.0\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Users\Matt\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [EPSON Stylus DX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiade.exe /f "c:\windows\temp\E_SED13.tmp" /EF "HKLM"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
StartupFolder: c:\users\matt\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
TCP: NameServer = 93.188.163.67,93.188.166.6
TCP: {5FAE5581-F0D5-4728-8339-E612FEF4B4F5} = 93.188.163.67,93.188.166.6
TCP: {60E4C816-DA8F-4AFD-B59B-45084A636007} = 93.188.163.67,93.188.166.6
TCP: {A68F1797-2E8A-46E9-830B-C38FCB98706C} = 93.188.163.67,93.188.166.6
TCP: {EBAE34D1-F32D-467E-BED8-47708A826A52} = 93.188.163.67,93.188.166.6
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\b8ci8yug.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bath.ac.uk/internal/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\matt\appdata\roaming\mozilla\firefox\profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2009-2-26 93192]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-1-31 73728]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-10-15 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-7-1 172032]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-15 20288]

=============== Created Last 30 ================

2010-09-15 18:39:22 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 18:39:14 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 18:39:13 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 18:39:02 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-01 22:02:26 0 d-----w- c:\program files\Network Stumbler

==================== Find3M ====================

2010-09-27 18:00:07 3308 ----a-w- c:\windows\bthservsdp.dat
2010-08-04 17:06:09 172947 ----a-w- c:\windows\hppins13.dat
2010-08-04 16:57:16 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-04 16:57:16 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-08-04 16:57:09 86016 ----a-w- c:\windows\inf\infstor.dat
2008-11-17 20:36:59 174 --sha-w- c:\program files\desktop.ini
2008-11-17 20:23:56 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-03-24 11:12:54 2400784 ----a-w- c:\program files\WLinstaller.exe
2008-03-19 13:21:07 642796 ----a-w- c:\program files\XviD-1.1.3-28062007.exe
2008-03-19 12:00:53 873784 ----a-w- c:\program files\BitTorrent-6.0.3.exe
2008-03-19 11:47:49 10719256 ----a-w- c:\program files\SkyAnytimeSetup.exe
2008-03-10 12:04:02 26936432 ----a-w- c:\program files\savw70sasfx.exe
2008-02-20 23:55:56 526428264 ----a-w- c:\program files\X12-30307(2).exe
2008-02-20 23:30:12 259585360 ----a-w- c:\program files\X13-11296.exe
2007-12-14 08:42:32 4597 ------w- c:\program files\readsavxp_70_eng.txt
2007-06-04 16:18:32 3189 ----a-w- c:\program files\readesavxpsa.txt
2007-05-08 13:49:50 143360 ----a-w- c:\program files\SavResIt.dll
2007-05-02 13:01:44 252984 ----a-w- c:\program files\Setup.exe
2007-05-02 13:00:54 249856 ----a-w- c:\program files\SavResChs.dll
2007-05-02 13:00:54 155648 ----a-w- c:\program files\SavResEng.dll
2007-05-02 13:00:52 327680 ----a-w- c:\program files\SavResCht.dll
2007-05-02 13:00:52 204800 ----a-w- c:\program files\SavResDeu.dll
2007-05-02 13:00:50 188416 ----a-w- c:\program files\SavResFra.dll
2007-05-02 13:00:50 155648 ----a-w- c:\program files\SavResEsp.dll
2007-05-02 13:00:48 339968 ----a-w- c:\program files\SavResJap.dll
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2004-05-07 11:25:14 1822520 ----a-w- c:\program files\instmsiW.exe
2004-05-07 11:25:10 1708856 ----a-w- c:\program files\instmsiA.exe
2008-01-31 12:21:07 76 --sh--r- c:\windows\CT4CET.bin
2008-03-01 17:41:43 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-03-01 17:41:43 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-03-01 17:41:43 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-01-31 19:55:58 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 22:38:00.74 ===============
 
:snwelcome:


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware execpt for the programs we may run.


Your computer has been hijacked by the lovely people in the uKraine, and by using programs like BitTorrent is most likely how you got your computer infected. Your downloading that file from an unknown source, malware writers are in tune with this and use File Sharing Programs to infect you. I am going to ask you to go to Start> Control Panel> Programs and Features and uninstall it.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Hello

I have removed bittorrent

I have downloaded ComboFix but it will not run. I have tried downloading it from both links, and restarted my computer several times but still no luck. When I double click it I get the standard windows warning about an unverified publisher, but when i click run the window disappears and nothing happens.

DDS files attached should you need an update.

Thanks
Matt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 23:03:38.55 on 30/09/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.871 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\taskeng.exe
C:\Users\Matt\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [EPSON Stylus DX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiade.exe /f "c:\windows\temp\E_SED13.tmp" /EF "HKLM"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
StartupFolder: c:\users\matt\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
TCP: NameServer = 93.188.163.67,93.188.166.6
TCP: {5FAE5581-F0D5-4728-8339-E612FEF4B4F5} = 93.188.163.67,93.188.166.6
TCP: {60E4C816-DA8F-4AFD-B59B-45084A636007} = 93.188.163.67,93.188.166.6
TCP: {A68F1797-2E8A-46E9-830B-C38FCB98706C} = 93.188.163.67,93.188.166.6
TCP: {EBAE34D1-F32D-467E-BED8-47708A826A52} = 93.188.163.67,93.188.166.6
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\b8ci8yug.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bath.ac.uk/internal/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\matt\appdata\roaming\mozilla\firefox\profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-1-31 73728]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-09-15 18:39:22 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 18:39:14 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 18:39:13 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 18:39:02 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-01 22:02:26 0 d-----w- c:\program files\Network Stumbler

==================== Find3M ====================

2010-09-30 21:43:09 3308 ----a-w- c:\windows\bthservsdp.dat
2010-08-04 17:06:09 172947 ----a-w- c:\windows\hppins13.dat
2010-08-04 16:57:16 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-04 16:57:16 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-08-04 16:57:09 86016 ----a-w- c:\windows\inf\infstor.dat
2008-11-17 20:36:59 174 --sha-w- c:\program files\desktop.ini
2008-11-17 20:23:56 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-03-24 11:12:54 2400784 ----a-w- c:\program files\WLinstaller.exe
2008-03-19 13:21:07 642796 ----a-w- c:\program files\XviD-1.1.3-28062007.exe
2008-03-19 12:00:53 873784 ----a-w- c:\program files\BitTorrent-6.0.3.exe
2008-03-19 11:47:49 10719256 ----a-w- c:\program files\SkyAnytimeSetup.exe
2008-03-10 12:04:02 26936432 ----a-w- c:\program files\savw70sasfx.exe
2008-02-20 23:55:56 526428264 ----a-w- c:\program files\X12-30307(2).exe
2008-02-20 23:30:12 259585360 ----a-w- c:\program files\X13-11296.exe
2007-12-14 08:42:32 4597 ------w- c:\program files\readsavxp_70_eng.txt
2007-06-04 16:18:32 3189 ----a-w- c:\program files\readesavxpsa.txt
2007-05-08 13:49:50 143360 ----a-w- c:\program files\SavResIt.dll
2007-05-02 13:01:44 252984 ----a-w- c:\program files\Setup.exe
2007-05-02 13:00:54 249856 ----a-w- c:\program files\SavResChs.dll
2007-05-02 13:00:54 155648 ----a-w- c:\program files\SavResEng.dll
2007-05-02 13:00:52 327680 ----a-w- c:\program files\SavResCht.dll
2007-05-02 13:00:52 204800 ----a-w- c:\program files\SavResDeu.dll
2007-05-02 13:00:50 188416 ----a-w- c:\program files\SavResFra.dll
2007-05-02 13:00:50 155648 ----a-w- c:\program files\SavResEsp.dll
2007-05-02 13:00:48 339968 ----a-w- c:\program files\SavResJap.dll
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2004-05-07 11:25:14 1822520 ----a-w- c:\program files\instmsiW.exe
2004-05-07 11:25:10 1708856 ----a-w- c:\program files\instmsiA.exe
2008-01-31 12:21:07 76 --sh--r- c:\windows\CT4CET.bin
2008-03-01 17:41:43 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-03-01 17:41:43 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-03-01 17:41:43 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-01-31 19:55:58 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 23:07:14.70 ===============
 
Hi,

Drag Combofix to the trash and do it this way, after you rename and download it right click on the icon and select RUN AS ADMINISTRATOR

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


CF_download_FF.gif



CF_download_rename.gif


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Hello

Please find attached the log file.

Couple of things to note. When I booted my computer to start doing this it firstly went through Windows Check Disk. When Windows did finally boot I could not open any internet browser and many other programs that required internet connection would not work. I restarted

When I rebooted again windows crashed on the start up screen. On a third attempt Windows started some form of repair program during booting. This ran for a while and made some changes - although I did not get what they were. When Windows booted this time the computer now 'seems' fine. No web pages have been redirected and I was able to open FireFox Download, Rename and Run ComboFix as instructed.

Many Thanks
Matt


ComboFix 10-10-02.02 - Matt 03/10/2010 22:45:08.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.930 [GMT 1:00]
Running from: c:\users\Matt\Desktop\Blaaaa.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\\setup.exe
c:\program files\Setup.exe
c:\users\Matt\vlc-0.8.6e-win32.exe
c:\windows\system32\logs
c:\windows\system32\logs\ALUpdate20090512T160813.2430000.log
c:\windows\system32\spool\prtprocs\w32x86\x931793u79.dll

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-10-03 21:56 . 2010-10-03 22:01 -------- d-----w- c:\users\Matt\AppData\Local\temp
2010-10-03 21:56 . 2010-10-03 21:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-03 21:08 . 2010-10-03 21:08 -------- d-----w- C:\found.001
2010-09-27 18:47 . 2010-09-27 18:48 -------- d-----w- c:\program files\ERUNT
2010-09-26 19:17 . 2010-09-26 19:17 -------- d-----w- c:\users\Matt\AppData\Local\Sophos
2010-09-15 18:39 . 2010-08-17 13:32 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 18:39 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 18:39 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 18:39 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-05 21:25 . 2010-08-30 13:34 1496064 ----a-w- c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-05 21:25 . 2010-08-30 13:33 43008 ----a-w- c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-05 21:25 . 2010-08-30 13:33 338944 ----a-w- c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-05 21:25 . 2010-08-30 13:33 346112 ----a-w- c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 22:03 . 2008-03-19 00:02 -------- d-----w- c:\programdata\Kontiki
2010-10-03 22:01 . 2009-11-14 10:07 256 ----a-w- c:\windows\system32\pool.bin
2010-10-03 22:00 . 2009-07-23 13:02 -------- d-----w- c:\users\Matt\AppData\Roaming\Skype
2010-10-03 21:59 . 2008-03-19 12:01 -------- d-----w- c:\users\Matt\AppData\Roaming\DNA
2010-10-03 21:59 . 2008-03-19 12:01 -------- d-----w- c:\program files\DNA
2010-10-03 21:58 . 2008-01-31 12:03 3308 ----a-w- c:\windows\bthservsdp.dat
2010-10-03 21:16 . 2009-07-23 13:05 -------- d-----w- c:\users\Matt\AppData\Roaming\skypePM
2010-10-03 20:51 . 2008-02-29 13:54 -------- d-----w- c:\programdata\Google Updater
2010-09-30 19:40 . 2008-03-10 14:01 -------- d-----w- c:\programdata\Sophos
2010-09-27 17:40 . 2008-05-14 20:22 -------- d-----w- c:\program files\Photoshop CS2 v9.0
2010-09-19 02:38 . 2008-03-13 13:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-19 02:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-19 02:20 . 2008-02-29 15:05 -------- d-----w- c:\programdata\Microsoft Help
2010-09-08 18:43 . 2008-04-11 14:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-01 22:02 . 2010-09-01 22:02 -------- d-----w- c:\program files\Network Stumbler
2010-08-26 19:53 . 2008-04-11 14:07 -------- d-----w- c:\users\Matt\AppData\Roaming\Thunderbird
2010-08-08 11:35 . 2010-08-08 11:35 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-08-05 08:08 . 2010-08-05 08:08 -------- d-----w- c:\program files\Common Files\Skype
2010-08-05 08:04 . 2008-02-28 18:51 141456 ----a-w- c:\users\Matt\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-04 17:06 . 2010-08-04 16:54 172947 ----a-w- c:\windows\hppins13.dat
2010-08-04 16:57 . 2006-11-02 10:25 51200 ----a-w- c:\windows\Inf\infpub.dat
2010-08-04 16:57 . 2006-11-02 10:25 143360 ----a-w- c:\windows\Inf\infstrng.dat
2010-08-04 16:57 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstor.dat
2008-03-24 11:12 . 2008-03-24 11:12 2400784 ----a-w- c:\program files\WLinstaller.exe
2008-03-19 13:21 . 2008-03-19 13:21 642796 ----a-w- c:\program files\XviD-1.1.3-28062007.exe
2008-03-19 12:00 . 2008-03-19 12:00 873784 ----a-w- c:\program files\BitTorrent-6.0.3.exe
2008-03-19 11:47 . 2008-03-19 11:47 10719256 ----a-w- c:\program files\SkyAnytimeSetup.exe
2008-03-10 12:04 . 2008-03-10 12:04 26936432 ----a-w- c:\program files\savw70sasfx.exe
2008-02-20 23:55 . 2008-02-29 14:50 526428264 ----a-w- c:\program files\X12-30307(2).exe
2008-02-20 23:30 . 2008-02-29 14:49 259585360 ----a-w- c:\program files\X13-11296.exe
2007-12-14 08:42 . 2008-03-10 13:59 4597 ------w- c:\program files\readsavxp_70_eng.txt
2007-06-04 16:18 . 2008-03-10 13:59 3189 ----a-w- c:\program files\readesavxpsa.txt
2007-05-08 13:49 . 2008-03-10 13:59 143360 ----a-w- c:\program files\SavResIt.dll
2007-05-02 13:00 . 2008-03-10 13:59 249856 ----a-w- c:\program files\SavResChs.dll
2007-05-02 13:00 . 2008-03-10 13:59 155648 ----a-w- c:\program files\SavResEng.dll
2007-05-02 13:00 . 2008-03-10 13:59 327680 ----a-w- c:\program files\SavResCht.dll
2007-05-02 13:00 . 2008-03-10 13:59 204800 ----a-w- c:\program files\SavResDeu.dll
2007-05-02 13:00 . 2008-03-10 13:59 188416 ----a-w- c:\program files\SavResFra.dll
2007-05-02 13:00 . 2008-03-10 13:59 155648 ----a-w- c:\program files\SavResEsp.dll
2007-05-02 13:00 . 2008-03-10 13:59 339968 ----a-w- c:\program files\SavResJap.dll
2004-05-07 11:25 . 2008-03-10 13:59 1822520 ----a-w- c:\program files\instmsiW.exe
2004-05-07 11:25 . 2008-03-10 13:59 1708856 ----a-w- c:\program files\instmsiA.exe
2008-01-31 12:21 . 2008-01-31 12:21 76 --sh--r- c:\windows\CT4CET.bin
2008-01-31 19:55 . 2008-01-31 19:45 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-12-03 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-01-31 77824]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2009-10-06 30264]

c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-8-31 1799512]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-31 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2008-1-31 45056]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2008-03-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2010-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-29 20:54]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 03:42]

2010-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 03:42]

2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{1E9CB9D5-E156-4D9B-884A-B900BFFB0EE4}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bath.ac.uk/internal/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SRS Audio Sandbox - c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe
AddRemove-Adult Emoticons and Avatars - c:\users\Matt\Desktop\Adult Emoticons and Avatars\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 22:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6036)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
.
**************************************************************************
.
Completion time: 2010-10-03 23:10:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-03 22:10

Pre-Run: 37,992,988,672 bytes free
Post-Run: 38,590,603,264 bytes free

- - End Of File - - 012E61F77B16AE40DF3B825B990B6272
 
Last edited by a moderator:
Hi,

You had some nasty stuff removed. Windows Terminal Server was infected and CF fixed it.

Please just copy and paste the logs into the forum in lew of attaching them, its much easier for me to analyze them.

I need to go over CF with a fine tooth comb, in the meantime do this please



Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.






Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    MBAMCapture.jpg
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
 
Hello

All done as requested.

Malwarebytes log below.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4747

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18943

05/10/2010 18:44:38
mbam-log-2010-10-05 (18-44-38).txt

Scan type: Quick scan
Objects scanned: 147175
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Matt\Desktop\Download 100,000 Emoticons!.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Matt\Desktop\Sherv.NET - Animated Emoticons, Winks, Display Pics, plus more!.url (Rogue.Link) -> Quarantined and deleted successfully.
 
Hi,

I am not looking at anything bad on your Combofix log, but I do still see bits and pieces of BitTorrent, its also set to startup when windows starts. This is your computer, all I can do is advise you, but those types of programs are just going to keep getting you in trouble. Whatever you downloaded infected c:\windows\system32\drivers\termdd.sys <--This is serious stuff, not to be taken lightly. There are threats going around now that are uncleanable, what I mean by that is they do so much damage that almost the entire OS is infected, the only recourse is to format the drive and reinstall windows, all pictures and documents are lost.

If you want to remove the remnants of BitTorrent let me know and we can run a program to remove it completely.


Lets check for left overs

Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post the ESET log and let me know how things are running now ?
 
Hello

ESET Log below.

Yes can you please let me know how to get rid of BitTorrent.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c4dbe05ce874a24c90bcdb287d9e213d
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-05 11:57:08
# local_time=2010-10-06 12:57:08 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=5892 16776573 100 100 100772 123847705 0 0
# compatibility_mode=8192 67108863 100 0 129 129 0 0
# scanned=284672
# found=7
# cleaned=7
# scan_time=8051
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\termdd.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\spool\prtprocs\w32x86\x931793u79.dll.vir a variant of Win32/Kryptik.HBL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\3eed9817-45b6332e Java/TrojanDownloader.Agent.NBU trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\f34b057-68ed756b multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30dcb2a1-1dc5df54 a variant of Java/Mugademel.A trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\59b3a2f0-479c2ea8 a variant of Java/Mugademel.A trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\3963fe09-262a0356 Java/TrojanDownloader.Agent.NBU trojan (deleted - quarantined) 00000000000000000000000000000000 C
 
Hi,

What ESET found where some backups from Combofix and some bad files in your java cache.

1. Click Start > Settings > Control Panel.
2. Double-click the Java Plug-in icon in the control panel.
3. Click the Cache tab.
4. Click Clear A confirmation dialog box appears.
5. Click Yes to confirm.
6. Click Apply.






Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::


Code: 
File::
c:\program files\BitTorrent-6.0.3.exe

Folder::
c:\users\Matt\AppData\Roaming\DNA
c:\program files\DNA


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
 
Hi

My Java app looks a little different to what you describe.

I get under general tab

Temporary internet files
Settings
Delete Files
Then there are tick boxes for 'Applications and Applets' and 'Trace and Log files'

What should I Do

Many Thanks
Matt
 
ComboFix Report Below - should be the end of bit torrent.

All seems OK now.

ComboFix 10-10-07.01 - Matt 07/10/2010 19:15:03.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.810 [GMT 1:00]
Running from: c:\users\Matt\Desktop\Blaaaa.exe
Command switches used :: c:\users\Matt\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\program files\BitTorrent-6.0.3.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitTorrent-6.0.3.exe
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\users\Matt\AppData\Roaming\DNA
c:\users\Matt\AppData\Roaming\DNA\dht.dat
c:\users\Matt\AppData\Roaming\DNA\dht.dat.old
c:\users\Matt\AppData\Roaming\DNA\dna.lng
c:\users\Matt\AppData\Roaming\DNA\resume.dat
c:\users\Matt\AppData\Roaming\DNA\resume.dat.old
c:\users\Matt\AppData\Roaming\DNA\rss.dat
c:\users\Matt\AppData\Roaming\DNA\rss.dat.old
c:\users\Matt\AppData\Roaming\DNA\settings.dat
c:\users\Matt\AppData\Roaming\DNA\settings.dat.old

.
((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-03 21:08 . 2010-10-03 21:08 -------- d-----w- C:\found.001
2010-09-27 18:47 . 2010-09-27 18:48 -------- d-----w- c:\program files\ERUNT
2010-09-26 19:17 . 2010-09-26 19:17 -------- d-----w- c:\users\Matt\AppData\Local\Sophos
2010-09-15 18:39 . 2010-08-17 13:32 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 18:39 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 18:39 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 18:39 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 18:24 . 2009-07-23 13:02 -------- d-----w- c:\users\Matt\AppData\Roaming\Skype
2010-10-07 18:23 . 2008-03-19 00:02 -------- d-----w- c:\programdata\Kontiki
2010-10-07 17:34 . 2008-02-29 13:54 -------- d-----w- c:\programdata\Google Updater
2010-10-07 17:16 . 2009-07-23 13:05 -------- d-----w- c:\users\Matt\AppData\Roaming\skypePM
2010-10-06 02:01 . 2008-03-13 13:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-05 21:40 . 2010-10-05 21:40 -------- d-----w- c:\program files\ESET
2010-10-05 18:39 . 2009-11-14 10:07 256 ----a-w- c:\windows\system32\pool.bin
2010-10-05 18:23 . 2008-01-31 12:03 3308 ----a-w- c:\windows\bthservsdp.dat
2010-10-05 17:35 . 2010-10-05 17:35 -------- d-----w- c:\users\Matt\AppData\Roaming\Malwarebytes
2010-10-05 17:35 . 2010-10-05 17:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-05 17:35 . 2010-10-05 17:35 -------- d-----w- c:\programdata\Malwarebytes
2010-09-30 19:40 . 2008-03-10 14:01 -------- d-----w- c:\programdata\Sophos
2010-09-27 17:40 . 2008-05-14 20:22 -------- d-----w- c:\program files\Photoshop CS2 v9.0
2010-09-19 02:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-19 02:20 . 2008-02-29 15:05 -------- d-----w- c:\programdata\Microsoft Help
2010-09-08 18:43 . 2008-04-11 14:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-01 22:02 . 2010-09-01 22:02 -------- d-----w- c:\program files\Network Stumbler
2010-08-30 13:34 . 2010-09-05 21:25 1496064 ----a-w- c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-30 13:33 . 2010-09-05 21:25 43008 ----a-w- c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-30 13:33 . 2010-09-05 21:25 338944 ----a-w- c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-30 13:33 . 2010-09-05 21:25 346112 ----a-w- c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-26 19:53 . 2008-04-11 14:07 -------- d-----w- c:\users\Matt\AppData\Roaming\Thunderbird
2010-08-05 08:04 . 2008-02-28 18:51 141456 ----a-w- c:\users\Matt\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-04 17:06 . 2010-08-04 16:54 172947 ----a-w- c:\windows\hppins13.dat
2010-08-04 16:57 . 2006-11-02 10:25 51200 ----a-w- c:\windows\Inf\infpub.dat
2010-08-04 16:57 . 2006-11-02 10:25 143360 ----a-w- c:\windows\Inf\infstrng.dat
2010-08-04 16:57 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstor.dat
2008-03-24 11:12 . 2008-03-24 11:12 2400784 ----a-w- c:\program files\WLinstaller.exe
2008-03-19 13:21 . 2008-03-19 13:21 642796 ----a-w- c:\program files\XviD-1.1.3-28062007.exe
2008-03-19 11:47 . 2008-03-19 11:47 10719256 ----a-w- c:\program files\SkyAnytimeSetup.exe
2008-03-10 12:04 . 2008-03-10 12:04 26936432 ----a-w- c:\program files\savw70sasfx.exe
2008-02-20 23:55 . 2008-02-29 14:50 526428264 ----a-w- c:\program files\X12-30307(2).exe
2008-02-20 23:30 . 2008-02-29 14:49 259585360 ----a-w- c:\program files\X13-11296.exe
2007-12-14 08:42 . 2008-03-10 13:59 4597 ------w- c:\program files\readsavxp_70_eng.txt
2007-06-04 16:18 . 2008-03-10 13:59 3189 ----a-w- c:\program files\readesavxpsa.txt
2007-05-08 13:49 . 2008-03-10 13:59 143360 ----a-w- c:\program files\SavResIt.dll
2007-05-02 13:00 . 2008-03-10 13:59 249856 ----a-w- c:\program files\SavResChs.dll
2007-05-02 13:00 . 2008-03-10 13:59 155648 ----a-w- c:\program files\SavResEng.dll
2007-05-02 13:00 . 2008-03-10 13:59 327680 ----a-w- c:\program files\SavResCht.dll
2007-05-02 13:00 . 2008-03-10 13:59 204800 ----a-w- c:\program files\SavResDeu.dll
2007-05-02 13:00 . 2008-03-10 13:59 188416 ----a-w- c:\program files\SavResFra.dll
2007-05-02 13:00 . 2008-03-10 13:59 155648 ----a-w- c:\program files\SavResEsp.dll
2007-05-02 13:00 . 2008-03-10 13:59 339968 ----a-w- c:\program files\SavResJap.dll
2004-05-07 11:25 . 2008-03-10 13:59 1822520 ----a-w- c:\program files\instmsiW.exe
2004-05-07 11:25 . 2008-03-10 13:59 1708856 ----a-w- c:\program files\instmsiA.exe
2008-01-31 12:21 . 2008-01-31 12:21 76 --sh--r- c:\windows\CT4CET.bin
2008-01-31 19:55 . 2008-01-31 19:45 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-12-03 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-01-31 77824]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2009-10-06 30264]

c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-8-31 1799512]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-31 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2008-1-31 45056]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2008-03-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2010-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-29 20:54]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 03:42]

2010-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 03:42]

2010-10-07 c:\windows\Tasks\User_Feed_Synchronization-{1E9CB9D5-E156-4D9B-884A-B900BFFB0EE4}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bath.ac.uk/internal/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\b8ci8yug.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-10-07 19:28:05
ComboFix-quarantined-files.txt 2010-10-07 18:28
ComboFix2.txt 2010-10-03 22:10

Pre-Run: 41,220,739,072 bytes free
Post-Run: 40,931,696,640 bytes free

- - End Of File - - 350D75B16BCBACD6B6A028143C485E40
 
All Looking back to normal now. Thank you very much for you help.

A quick question about protection software. There are loads of products out there today some you pay a fortune for and some are free. What would you recommend for good protection and a fair price.

Many Thanks again
Matt
 
Hello Matt,

First off I am glad things are running well for you again :bigthumb:

Lets go over a few things. Years ago when I first got into this, kids and miscreants wrote viruses, at most they they made your screen wobble or some other stupid thing, but not anymore, all this garbage is written by Cyber Criminals, mostly from Russia and Eastern Europe, also from China and some other armpits of the world. These people are thieves and all they want to do is to steal anything they can from you in the form of bank account numbers, credit card numbers and log on passwords, they also try to infect you with rouge programs that are hard to remove and want money from you to register them. If you did that you would be giving your credit card number to thieves.

On my own systems, I run Norton Internet Security ( cost about $59 a year for 3 computers ) , it includes a firewall, anti virus software and anti malware software. Doing what I do I go to conventions and met the fine people that own Malwarebytes, the program you used is free and yours to keep, if you purchased the paid version it would include a protection module. This program is optional but I have it on all three of my systems. If you should go to a bad site, you will get a PAGE NOT FOUND and them a pop up stating that Malwarebytes blocked the site. Its not expensive, somewhere around $20 or so but this is for life, not a yearly payment, this is of course your call.


This basically is all I use and so far have been doing pretty good. Some people make the mistake of adding to much and then there system grinds to a halt.

You want to stay away from Registry Cleaners, some are ok and some can be bad, if they remove legit not needed entries you will see no difference in system performance but if they remove the wrong entry ( and they sometimes do ) you can wind up with an unbootable computer.


If your ever in a website and a warning pops up telling you your infected to click here for a free scan, your not infected but you will be if you download the free scan, just get out of that site as fast as you can.

There are alternatives for AV software in you care not to purchase one. I see you have Sophos Anti-Virus, if it runs ok and its not clogging up your system, just keep it, but be sure to keep it up to date and run a full scan at least once a week

Stay out of porn sites, some are a hotbed of infections.

Keep away from any File sharing, like any of the torrents and Limewire, you will be sure to infect yourself using programs like these.



Ken....who is now off his soapbox :police:


ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • CF-Uninstall.png

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






Safe Surfn
Ken
 
Hi Ken

Thanks very much for all your help. Programs removed. I am now running a full version of Malewarebytes.

Just to let you know my housemate is hoping you guys might be able to help him with an issue he has, although I think it is much less serious. He will post a new thread under his account. But he will be using the same internet connection.

Many Thanks again for all your help.

Matt
 
Hello Matt,

Great, your housemate needs to start a new thread with his own log on name. The same IP is no problem but trying to fix two computers on the same post can be very confusing. If you want to post back when he has registered and posted you can , let me know what his log on name is, if I miss it we have a great staff and he will be in good hands
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 
Status
Not open for further replies.
Back
Top