
Search engine redirect malware - just can't remove it


28 replies to this topic

#1 John_Hall


  • Members
  • 15 posts

Posted 29 December 2009 - 04:00 PM

For the past few days I have been experiencing a very nasty little piece of malware: following any search engine search (Google, Bing etc.), when you click on any of the displayed result links you are automatically redirected to a different site.

The destination site is invariably a shopping site Xlittle.co.uk but sometimes other shopping sites are displayed. Also, immediately before the destination site is displayed (e.g. Xlittle.co.uk) a message is shown in the browser window "Ezanga - Hop on and go!".

Infuriating that, try as I might, I just can't get rid of it. I already had full McAfee Security Centre running but it didn't/doesn't stop it and doesn't pick anything up on a full scan. Have also scanned with:
- Malwarebytes
- a-squared malware
- PC Tools Spyware Doctor
- Microsoft Security Essentials
- StopZilla

NONE of which has identified or sorted out the problem.

In desperation I have tried uninstalling all search engine toolbars and upgrading from Internet Explorer 7 to Internet Explorer 8, but still no joy.

Only crumb of joy is that, after the redirect, if you hit the browser back arrow to go back to the search engine results screen and then click your desired link a second time, you do seem to get where you want to go without a redirect.

Please can you offer assistance - really don't know what else to try. The DDS text is pasted below (the Attach.txt and ark.txt files are attached).

Many, many thanks in advance for your support.

Regards.

John Hall


DDS (Ver_09-12-01.01) - NTFSx86
Run by John at 19:52:27.48 on 29/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.289 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Samsung\Samsung ML-2240 Series\SPanel\Spanel.exe
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\Documents and Settings\John\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\program files\stopzilla!\toolbar\SZIESearchHook.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\toolbar\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\toolbar\SZSG.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\john\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\john\application data\leadertech\powerregister\Seagate 2GHJLDQ3 Product Registration.exe
StartupFolder: c:\docume~1\john\startm~1\programs\startup\SPEEDT~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - c:\progra~1\pacifi~1\pacificpoker.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://myaggreko.aggreko.biz/vdesk/cachecleaner.cab#version=6010,2007,0223,0315
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://myaggreko.aggreko.biz/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://myaggreko.aggreko.biz/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\john\locals~1\temp\ixp000.tmp\InstallerControl.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://myaggreko.aggreko.biz/vdesk/terminal/urTermProxy.cab#version=6020,2008,0514,2337
DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} - hxxp://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://myaggreko.aggreko.biz/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://kpmguk.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://myaggreko.aggreko.biz/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-27 207792]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2009-12-14 163600]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-10-29 214664]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared anti-malware\a2service.exe [2009-12-26 1858144]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-27 112592]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2003-9-6 255136]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2003-9-6 234656]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-13 54752]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2006-10-29 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-10-29 144704]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2009-12-13 90112]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-10-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-10-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-10-29 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-10-29 40552]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2008-11-2 23096]
R3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2008-11-2 3768]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-12-13 27632]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2008-9-4 33400]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-26 135664]
S2 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton internet security\norton antivirus\savrtpel.sys --> c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [?]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-24 66784]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2003-9-6 87200]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2007-4-15 10744]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-10-29 34248]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-8-20 509312]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-8-20 3768]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030814.007\NAVENG.SYS [2005-1-16 67800]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030814.007\NAVEX15.SYS [2005-1-16 531160]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-12-13 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-12-13 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-12-13 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-12-13 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-12-13 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-12-13 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-12-13 109736]
S3 SAVRT;SAVRT;\??\c:\program files\norton internet security\norton antivirus\savrt.sys --> c:\program files\norton internet security\norton antivirus\SAVRT.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-27 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-27 1141712]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-11-2 200704]

=============== Created Last 30 ================

2009-12-29 19:09:22 0 dcsh--w- c:\documents and settings\john\IECompatCache
2009-12-29 18:56:58 0 dcsh--w- c:\documents and settings\john\PrivacIE
2009-12-29 16:05:27 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-29 11:22:51 0 dcsh--w- c:\documents and settings\john\IETldCache
2009-12-29 11:19:06 0 d-----w- c:\windows\ie8updates
2009-12-29 11:15:57 0 dc-h--w- c:\windows\ie8
2009-12-29 11:11:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-29 11:11:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-29 11:10:01 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-28 11:10:47 0 dc----w- c:\docume~1\alluse~1\applic~1\SITEguard
2009-12-28 11:09:47 0 d-----w- c:\program files\STOPzilla!
2009-12-28 11:09:43 0 d-----w- c:\program files\common files\iS3
2009-12-28 11:09:40 0 dc----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-12-27 22:27:43 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-27 22:17:34 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-27 22:04:04 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-27 22:04:03 883 ----a-w- c:\windows\RegSDImport.xml
2009-12-27 22:04:03 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-27 22:04:03 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-27 22:04:03 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-27 22:04:03 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-27 22:04:03 131 ----a-w- c:\windows\IDB.zip
2009-12-27 22:04:03 1152444 ----a-w- c:\windows\UDB.zip
2009-12-27 21:54:34 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-27 21:54:33 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-27 21:54:25 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-27 21:54:25 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-27 21:54:25 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-27 21:54:25 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-27 21:54:13 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-27 21:54:13 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-27 21:54:04 0 dc----w- c:\docume~1\john\applic~1\PC Tools
2009-12-27 21:54:04 0 dc----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-27 21:54:04 0 d-----w- c:\program files\Spyware Doctor
2009-12-27 21:54:04 0 d-----w- c:\program files\common files\PC Tools
2009-12-26 20:30:12 0 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-26 18:54:41 0 d-----w- c:\program files\a-squared Anti-Malware
2009-12-26 16:15:20 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-12-26 16:15:13 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-12-26 16:14:34 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-12-26 16:14:34 26112 ----a-w- c:\windows\system32\dllcache\usbser.sys
2009-12-26 16:14:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-12-26 16:14:17 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-12-26 16:14:11 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-12-26 16:07:15 0 d-----w- c:\program files\common files\PCSuite
2009-12-26 16:07:05 0 d-----w- c:\program files\common files\Nokia
2009-12-26 16:06:45 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-12-26 16:06:31 0 d-----w- c:\program files\PC Connectivity Solution
2009-12-26 16:06:23 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-12-26 16:06:22 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-12-26 16:06:19 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-12-26 16:06:10 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-12-26 16:06:10 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-12-26 16:06:10 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-12-26 16:05:49 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-12-26 16:05:47 0 d-----w- c:\program files\Nokia
2009-12-24 11:43:41 0 dc----w- c:\docume~1\john\applic~1\Malwarebytes
2009-12-24 11:43:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 11:43:32 0 dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-24 11:43:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 11:43:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 21:36:43 0 d-----w- c:\program files\E Zanga Removal Tool[1]
2009-12-23 14:13:34 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-12-23 14:13:32 438928 ----a-r- c:\windows\system32\SZBase5.dll
2009-12-23 14:04:54 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-12-14 10:24:24 163600 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2009-12-13 19:30:55 0 d-----w- c:\program files\common files\Sony Shared
2009-12-13 19:30:10 0 d-----w- c:\program files\Sony
2009-12-13 19:27:03 0 d-----w- c:\program files\Sony Setup
2009-12-13 18:55:06 148736 -c--a-w- c:\docume~1\alluse~1\applic~1\hpe1BB.dll
2009-12-13 18:54:21 0 dc----w- c:\docume~1\alluse~1\applic~1\Sony Ericsson
2009-12-13 18:54:21 0 d-----w- c:\program files\Sony Ericsson
2009-12-12 00:06:43 132096 --sha-r- c:\windows\system32\wscsvc5.dll
2009-12-10 16:11:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-12-10 16:11:32 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-12-10 16:09:24 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-12-10 16:09:08 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-12-10 16:08:48 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-12-10 16:06:52 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-12-10 16:06:30 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-12-10 16:05:54 94208 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-12-10 16:02:42 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-12-07 20:04:49 0 d-----w- c:\program files\Inkscape
2009-12-07 16:59:32 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-12-07 16:59:32 61328 ----a-r- c:\windows\system32\drivers\is3srv.sys
2009-12-06 19:16:28 0 d-----w- c:\program files\Microsoft Office Outlook Connector

==================== Find3M ====================

2009-12-29 16:04:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-29 16:04:21 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-29 07:46:51 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-29 07:45:35 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:33 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2008-04-20 13:18:18 0 -c--a-w- c:\program files\temp01
2005-05-07 08:22:20 774144 -c--a-w- c:\program files\RngInterstitial.dll
1998-08-24 12:09:10 10000 -c--a-w- c:\windows\inf\unregpn.exe
2008-09-06 13:22:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 19:53:47.20 ===============

Attached Files
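To show how a helper reads a log like the one above, here is an added example (not part of the original thread, and not the DDS or Kenco tool itself) that parses a few constructed lines in the DDS and Kenco formats and flags the kinds of entry this thread turns on: a system+hidden file created under c:\windows (such as wscsvc5.dll), BHO/toolbar entries whose DLL is gone ("No File"), and a scheduled task with a machine-generated-looking name (such as ggejezbbef.job from the Kenco listing later in the thread). The sample lines, the benign-path exclusion and the "run of lowercase letters" task heuristic are assumptions chosen for illustration, not rules from any tool.

```python
import re
from dataclasses import dataclass

# Constructed sample in the line formats seen in the thread: DDS "Pseudo HJT
# Report" / "Created Last 30" lines and a Kenco task listing. The timestamp
# and size given for ggejezbbef.job are invented for illustration.
SAMPLE_LOG = r"""BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
2009-12-12 00:06:43 132096 --sha-r- c:\windows\system32\wscsvc5.dll
2009-12-10 16:11:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-12-29 11:11:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-29 19:09:22 0 dcsh--w- c:\documents and settings\john\IECompatCache
2008-09-06 13:22:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat
ggejezbbef.job -> [11:52 29/12/2009] 300 bytes
AppleSoftwareUpdate.job -> [09:07 08/09/2007] 284 bytes
User_Feed_Synchronization-{70A5A20C-54E7-4960-8AA0-B4699AF50902}.job -> [11:23 29/12/2009] 390 bytes
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # "hidden-system-file", "orphaned-bho" or "random-task-name"
    subject: str  # the path, CLSID or task file that triggered the rule
    reason: str


# DDS file entry: date time size attrs path  (attrs is an 8-char flag field,
# e.g. "--sha-r-": d=directory, c=compressed, s=system, h=hidden, a=archive)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([a-z-]{8}) (.+)$")
# Pseudo-HJT BHO/toolbar entry whose DLL no longer exists on disk
ORPHAN_RE = re.compile(r"^(BHO|TB): (?:.*?)(\{[0-9A-Fa-f-]{36}\}) - No File$")
# Kenco task listing: name.job -> [hh:mm dd/mm/yyyy] N bytes
TASK_RE = re.compile(r"^(.+)\.job -> \[\d{2}:\d{2} \d{2}/\d{2}/\d{4}\] \d+ bytes$")

SYSTEM_DIR = "c:\\windows\\"
# Assumption: IE history index.dat files are always system+hidden, so they are
# excluded to avoid a predictable false positive.
BENIGN_SH_SUFFIXES = ("\\index.dat",)


def check_file(date, size, attrs, path):
    """Flag a non-directory file with system+hidden attributes under c:\\windows."""
    p = path.lower()
    if attrs[0] == "d":  # IE cache directories are legitimately dcsh; skip dirs
        return None
    if "s" in attrs and "h" in attrs and p.startswith(SYSTEM_DIR):
        if p.endswith(BENIGN_SH_SUFFIXES):
            return None
        return Finding("hidden-system-file", path,
                       f"system+hidden file created {date} ({size} bytes) in the Windows tree")
    return None


def check_task(name):
    """Assumed heuristic: every legitimate task on this box carries uppercase
    letters, digits, spaces or punctuation; a bare run of 8+ lowercase letters
    is treated as machine-generated."""
    if re.fullmatch(r"[a-z]{8,}", name):
        return Finding("random-task-name", name + ".job", "task name looks machine-generated")
    return None


def parse_line(line):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.rstrip()
    m = FILE_RE.match(line)
    if m:
        date, _time, size, attrs, path = m.groups()
        return check_file(date, int(size), attrs, path)
    m = ORPHAN_RE.match(line)
    if m:
        kind, clsid = m.groups()
        return Finding("orphaned-bho", clsid, f"{kind} entry points at a DLL that is gone")
    m = TASK_RE.match(line)
    if m:
        return check_task(m.group(1))
    return None


def triage(text):
    """Run every line of a pasted log through parse_line and keep the hits."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Everything flagged here is a lead for a human to confirm, not a verdict; on the page the helper's tool reached its own conclusion about wscsvc5.dll only after inspecting the file.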





#2 jpshortstuff


    WhatTheTech Teacher


  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 29 December 2009 - 06:22 PM

Hi,

Please download and run this tool, then post the log it gives:
http://jpshortstuff.247fixes.com/Kenco.exe


Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 John_Hall

  • Topic Starter

  • Members
  • 15 posts

Posted 30 December 2009 - 07:55 AM

Hi,

Thanks very much for the prompt response. I have run the Kenco tool and CF as instructed.
Kenco log is reproduced below, followed by CF log (also attached as a txt doc).

Also, not sure if relevant or not, when I ran the RootRepeal tool per the initial Bleeping Computer instructions, I got an error message "Invalid PE image found" but then it all seemed to work OK anyway. Thought I should mention it in case relevant.

Thanks again for your help.

John

Kenco by jpshortstuff (30.12.09.1)
Log created at 12:07 on 30/12/2009 (John)

========== Task Unlocker ==========
C:\WINDOWS\Tasks\ggejezbbef.job -> Unlocked!

========== KencoScan ==========
C:\WINDOWS\system32\wscsvc5.dll -> Unlocked!
C:\WINDOWS\system32\wscsvc5.dll -> Infected -> Deleted successfully!
C:\WINDOWS\Tasks\ggejezbbef.job -> Deleted successfully!
C:\WINDOWS\system32John -> Error retrieving security information [123]!
C:\WINDOWS\system32John -> Unable to open file [123]!

========== C:\WINDOWS\Tasks ==========
AppleSoftwareUpdate.job -> [09:07 08/09/2007] 284 bytes
GoogleUpdateTaskMachineCore.job -> [10:48 26/12/2009] 880 bytes
GoogleUpdateTaskMachineUA.job -> [10:48 26/12/2009] 884 bytes
ISP signup reminder 1.job -> [21:09 11/01/2005] 258 bytes
McDefragTask.job -> [15:52 29/10/2006] 262 bytes
McQcTask.job -> [15:52 29/10/2006] 350 bytes
MP Scheduled Scan.job -> [22:23 27/12/2009] 408 bytes
User_Feed_Synchronization-{70A5A20C-54E7-4960-8AA0-B4699AF50902}.job -> [11:23 29/12/2009] 390 bytes

-=E.O.F=-



ComboFix 09-12-29.05 - John 30/12/2009 12:21:19.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.479 [GMT 0:00]
Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\hpe1BB.dll
c:\windows\system32\clrviddc.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-30 11:33 . 2009-12-30 11:33 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-30 11:33 . 2006-08-15 11:42 200704 ----a-w- c:\windows\system32\UpdateDriver.exe
2009-12-30 11:33 . 2009-12-30 11:33 -------- d-----w- c:\program files\Belkin-JEH
2009-12-30 11:33 . 2009-12-30 11:33 -------- dc----w- c:\documents and settings\John\Application Data\InstallShield
2009-12-29 19:09 . 2009-12-29 19:09 -------- dcsh--w- c:\documents and settings\John\IECompatCache
2009-12-29 18:56 . 2009-12-29 18:57 -------- dcsh--w- c:\documents and settings\John\PrivacIE
2009-12-29 12:10 . 2009-12-29 12:10 -------- d-sh--w- c:\documents and settings\Vikki\IETldCache
2009-12-29 11:24 . 2009-12-29 11:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-29 11:22 . 2009-12-29 11:22 -------- dcsh--w- c:\documents and settings\John\IETldCache
2009-12-29 11:19 . 2009-12-29 11:19 -------- d-----w- c:\windows\ie8updates
2009-12-29 11:15 . 2009-12-29 11:17 -------- dc-h--w- c:\windows\ie8
2009-12-29 11:11 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-29 11:11 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-29 11:10 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-28 23:35 . 2009-12-28 23:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-12-28 11:10 . 2009-12-29 10:31 -------- dc----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-12-28 11:09 . 2009-12-28 11:12 -------- d-----w- c:\program files\STOPzilla!
2009-12-28 11:09 . 2009-12-28 11:09 -------- d-----w- c:\program files\Common Files\iS3
2009-12-28 11:09 . 2009-12-30 12:32 -------- dc----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-12-27 23:35 . 2009-12-27 23:35 -------- d-----w- c:\documents and settings\Vikki\Local Settings\Application Data\Threat Expert
2009-12-27 22:27 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-27 22:14 . 2009-12-27 22:14 -------- dc----w- c:\documents and settings\John\Local Settings\Application Data\Threat Expert
2009-12-27 22:04 . 2009-11-10 10:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-27 21:54 . 2009-12-30 12:15 -------- d-----w- c:\program files\Spyware Doctor
2009-12-27 21:54 . 2009-12-30 12:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-27 21:14 . 2009-12-27 21:14 -------- d-----w- c:\documents and settings\Vikki\Application Data\McAfee
2009-12-27 20:53 . 2009-12-27 20:54 -------- d-----w- c:\documents and settings\Vikki\Local Settings\Application Data\Temp
2009-12-27 16:58 . 2009-12-27 16:58 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\PC Suite
2009-12-27 16:56 . 2009-12-27 16:56 -------- dc----w- c:\documents and settings\Jamie\Application Data\PC Suite
2009-12-27 13:00 . 2009-12-27 13:00 66608 -c--a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-26 18:54 . 2009-12-30 12:12 -------- d-----w- c:\program files\a-squared Anti-Malware
2009-12-26 17:49 . 2009-12-26 17:49 -------- d-----w- c:\documents and settings\Vikki\Application Data\PC Suite
2009-12-26 16:18 . 2009-12-16 14:42 872960 -c--a-w- c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\d4ivme3m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-26 16:18 . 2009-12-16 14:42 43008 -c--a-w- c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\d4ivme3m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-26 16:18 . 2009-12-16 14:42 340480 -c--a-w- c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\d4ivme3m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-26 16:18 . 2009-12-16 14:41 346624 -c--a-w- c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\d4ivme3m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-26 16:14 . 2008-04-13 19:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-12-26 16:14 . 2008-04-13 19:45 26112 ----a-w- c:\windows\system32\dllcache\usbser.sys
2009-12-26 16:14 . 2008-03-21 13:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-12-26 16:07 . 2009-12-26 16:16 -------- dc----w- c:\documents and settings\John\Application Data\Nokia
2009-12-26 16:07 . 2009-12-26 16:14 -------- dc----w- c:\documents and settings\John\Application Data\PC Suite
2009-12-26 16:07 . 2009-12-26 16:14 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-12-26 16:05 . 2009-12-26 16:04 34429264 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_web[1].exe
2009-12-26 16:04 . 2009-12-26 16:04 95232 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-12-26 16:04 . 2009-12-26 16:04 8192 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-12-26 16:04 . 2009-12-26 16:04 61440 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-12-26 16:04 . 2009-12-26 16:04 10240 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2009-12-26 16:04 . 2009-12-26 16:04 -------- dc----w- c:\documents and settings\All Users\Application Data\Installations
2009-12-26 11:23 . 2009-12-26 11:23 -------- d-----w- c:\documents and settings\Vikki\Application Data\Malwarebytes
2009-12-26 10:53 . 2009-12-26 10:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-12-26 10:48 . 2009-12-26 10:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-12-25 22:02 . 2009-12-25 22:02 -------- dc----w- c:\documents and settings\Jamie\Application Data\skypePM
2009-12-25 21:52 . 2009-12-25 21:52 -------- dc----w- c:\documents and settings\Jamie\Local Settings\Application Data\LogiShrd
2009-12-24 11:43 . 2009-12-24 11:43 -------- dc----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-12-24 11:43 . 2009-12-24 11:43 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-24 05:59 . 2009-09-30 12:11 288096 -c--a-r- c:\documents and settings\John\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-12-23 21:36 . 2009-12-27 00:36 -------- d-----w- c:\program files\E Zanga Removal Tool[1]
2009-12-23 14:13 . 2009-12-23 14:13 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-12-23 14:13 . 2009-12-23 14:13 438928 ----a-r- c:\windows\system32\SZBase5.dll
2009-12-23 14:04 . 2009-12-23 14:04 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-12-14 10:24 . 2009-12-14 10:24 163600 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2009-12-13 19:33 . 2009-12-18 19:04 -------- dc----w- c:\documents and settings\John\Local Settings\Application Data\Sony
2009-12-13 19:30 . 2009-12-13 19:30 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-12-13 19:30 . 2009-12-13 19:30 -------- dc----w- c:\documents and settings\John\Local Settings\Application Data\Downloaded Installations
2009-12-13 19:30 . 2009-12-29 11:02 -------- d-----w- c:\program files\Sony
2009-12-13 19:27 . 2009-12-13 19:31 -------- dc----w- c:\documents and settings\John\Application Data\Sony
2009-12-13 19:27 . 2009-12-13 19:27 -------- dc----w- c:\documents and settings\John\Application Data\Sony Setup
2009-12-13 19:27 . 2009-12-13 19:27 -------- d-----w- c:\program files\Sony Setup
2009-12-13 18:57 . 2009-12-13 18:57 -------- dc----w- c:\documents and settings\John\Local Settings\Application Data\Sony Ericsson
2009-12-13 18:54 . 2009-12-13 18:54 -------- dc----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-12-13 18:54 . 2009-12-13 18:54 -------- d-----w- c:\program files\Sony Ericsson
2009-12-13 14:45 . 2009-12-26 16:14 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-12-10 16:11 . 2009-12-10 16:11 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-12-10 16:11 . 2009-12-10 16:11 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-12-10 16:09 . 2009-12-10 16:09 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-12-10 16:09 . 2009-12-10 16:09 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-12-10 16:08 . 2009-12-10 16:08 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-12-10 16:06 . 2009-12-10 16:06 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-12-10 16:06 . 2009-12-10 16:06 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-12-10 16:05 . 2009-12-10 16:05 94208 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-12-10 16:02 . 2009-12-10 16:02 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-12-08 18:12 . 2009-12-08 18:12 -------- d-----w- c:\documents and settings\Vikki\Application Data\inkscape
2009-12-07 20:14 . 2009-12-07 20:14 -------- dc----w- c:\documents and settings\Jamie\Application Data\inkscape
2009-12-07 20:04 . 2009-12-07 20:13 -------- d-----w- c:\program files\Inkscape
2009-12-07 16:59 . 2009-12-07 16:59 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-12-07 16:59 . 2009-12-07 16:59 61328 ----a-r- c:\windows\system32\drivers\is3srv.sys
2009-12-06 19:16 . 2009-12-06 19:16 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 12:32 . 2009-12-30 11:39 2872 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-30 12:32 . 2009-12-30 12:16 1056 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-12-30 12:15 . 2007-09-06 19:32 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 11:49 . 2008-11-10 19:51 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-30 11:49 . 2008-11-10 19:51 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-12-30 11:36 . 2005-01-07 00:39 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000000-00001102-00000004-20061102}.dat
2009-12-30 11:36 . 2005-01-07 00:39 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000000-00001102-00000004-20061102}.dat
2009-12-30 11:33 . 2005-01-07 00:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-29 11:00 . 2006-03-02 17:05 -------- d-----w- c:\program files\Yahoo!
2009-12-29 10:41 . 2006-01-18 18:39 -------- d-----w- c:\program files\Google
2009-12-26 20:39 . 2009-12-26 20:30 0 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-26 16:15 . 2009-12-26 16:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-12-26 16:15 . 2009-12-26 16:15 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-12-26 16:14 . 2009-12-26 16:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-12-26 16:14 . 2009-12-26 16:14 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-12-26 16:07 . 2009-12-26 16:06 -------- d-----w- c:\program files\DIFX
2009-12-26 16:07 . 2009-12-26 16:07 -------- d-----w- c:\program files\Common Files\PCSuite
2009-12-26 16:07 . 2009-12-26 16:07 -------- d-----w- c:\program files\Common Files\Nokia
2009-12-26 16:07 . 2009-12-26 16:05 -------- d-----w- c:\program files\Nokia
2009-12-26 16:06 . 2009-12-26 16:06 -------- d-----w- c:\program files\PC Connectivity Solution
2009-12-25 23:57 . 2009-07-21 17:33 -------- dc----w- c:\documents and settings\Jamie\Application Data\Skype
2009-12-25 21:52 . 2008-11-10 19:47 -------- d-----w- c:\program files\Logitech
2009-12-24 06:26 . 2005-01-13 20:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-24 05:58 . 2005-09-22 23:02 -------- dc----w- c:\documents and settings\John\Application Data\McAfee
2009-12-24 05:58 . 2005-10-13 18:11 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-24 05:58 . 2005-10-13 18:11 -------- d-----w- c:\program files\McAfee
2009-12-14 22:14 . 2005-01-20 21:04 -------- d-----w- c:\program files\Microsoft Money 2005
2009-12-13 18:57 . 2005-01-07 00:38 -------- dc----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-12-12 16:15 . 2008-04-20 13:18 -------- d-----w- c:\program files\bfgclient
2009-12-12 16:14 . 2008-04-20 13:17 -------- dc----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-12-12 16:05 . 2005-01-15 15:56 -------- d-----w- c:\program files\NoteWorthy Composer
2009-12-06 19:14 . 2009-04-13 10:51 -------- d-----w- c:\program files\Windows Live
2009-11-28 10:48 . 2009-11-28 10:46 -------- d-----w- c:\program files\iTunes
2009-11-28 10:46 . 2005-11-05 15:21 -------- d-----w- c:\program files\iPod
2009-11-28 10:46 . 2007-09-08 09:06 -------- d-----w- c:\program files\Common Files\Apple
2009-11-28 10:41 . 2009-11-28 10:39 -------- d-----w- c:\program files\QuickTime
2009-11-28 10:31 . 2009-11-28 10:31 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-22 16:20 . 2008-04-20 13:52 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
2009-10-29 07:45 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 05:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 05:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 05:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 05:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 05:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-06 11:55 . 2009-12-26 16:06 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-10-06 11:52 . 2009-12-26 16:06 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-10-06 11:52 . 2009-12-26 16:06 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-10-06 11:52 . 2009-12-26 16:05 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-10-06 11:52 . 2009-12-26 16:06 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-10-06 11:52 . 2009-12-26 16:06 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-10-06 11:52 . 2009-12-26 16:06 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2008-04-20 13:18 . 2008-04-20 13:18 0 -c--a-w- c:\program files\temp01
2005-05-07 08:22 . 2005-05-07 08:22 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"CTHelper"="CTHELPER.EXE" [2004-03-11 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-09-06 70816]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-04-14 536576]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"F5D7050v3"="c:\program files\Belkin-JEH\F5D7050v3\Belkinwcui.exe" [2007-10-30 1654784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\John\Start Menu\Programs\Startup\
Seagate 2GHJLDQ3 Product Registration.lnk - c:\documents and settings\John\Application Data\Leadertech\PowerRegister\Seagate 2GHJLDQ3 Product Registration.exe [2009-8-1 1731736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-1-13 113664]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-10 66864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 szkg5;szkg5;c:\windows\SYSTEM32\DRIVERS\SZKG.sys [07/12/2009 16:59 61328]
R0 szkgfs;szkgfs;c:\windows\SYSTEM32\DRIVERS\SZKGFS.sys [14/12/2009 10:24 163600]
R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [13/04/2009 10:55 54752]
R3 MusCAudio;MusCAudio;c:\windows\SYSTEM32\DRIVERS\MusCAudio.sys [02/11/2008 21:14 23096]
R3 MusCVideo;MusCVideo;c:\windows\SYSTEM32\DRIVERS\MusCVideo.sys [02/11/2008 21:14 3768]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\SYSTEM32\DRIVERS\seehcri.sys [13/12/2009 18:55 27632]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\SYSTEM32\DRIVERS\covpndrv.sys [04/09/2008 19:53 33400]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S0 is3srv;is3srv;c:\windows\SYSTEM32\DRIVERS\is3srv.sys [07/12/2009 16:59 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/12/2009 10:48 135664]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [13/12/2009 18:54 90112]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\SYSTEM32\DRIVERS\urfltw2k.sys [15/04/2007 09:17 10744]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 MusCDriverV32;MusCDriverV32;c:\windows\SYSTEM32\DRIVERS\MusCDriverV32.sys [20/08/2008 20:37 509312]
S3 MusCVideo32;MusCVideo32;c:\windows\SYSTEM32\DRIVERS\MusCVideo32.sys [20/08/2008 20:37 3768]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\SYSTEM32\DRIVERS\s0017bus.sys [13/12/2009 18:55 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\SYSTEM32\DRIVERS\s0017mdfl.sys [13/12/2009 18:55 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\SYSTEM32\DRIVERS\s0017mdm.sys [13/12/2009 18:55 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\SYSTEM32\DRIVERS\s0017mgmt.sys [13/12/2009 18:55 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\SYSTEM32\DRIVERS\s0017nd5.sys [13/12/2009 18:55 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\SYSTEM32\DRIVERS\s0017obex.sys [13/12/2009 18:55 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\SYSTEM32\DRIVERS\s0017unic.sys [13/12/2009 18:55 109736]
S3 SoundMovieServer;SoundMovieServer;c:\windows\SYSTEM32\snmvtsvc.exe [02/11/2008 21:14 200704]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 10:48]

2009-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 10:48]

2005-01-11 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\DEFRAG.EXE [2004-08-04 00:12]

2008-05-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-10-29 11:22]

2009-12-30 c:\windows\Tasks\User_Feed_Synchronization-{70A5A20C-54E7-4960-8AA0-B4699AF50902}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 12:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2837822355-3373135964-4271574992-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*,%s*j%]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2837822355-3373135964-4271574992-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*,%s*j%\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\System32\NETUI0.dll
.
Completion time: 2009-12-30 12:35:52
ComboFix-quarantined-files.txt 2009-12-30 12:35

Pre-Run: 67,919,458,304 bytes free
Post-Run: 68,712,714,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - FB7B38B5399F2BEB1903E41C9E026787


#4 jpshortstuff (WhatTheTech Teacher)

Posted 30 December 2009 - 08:52 AM

Hi,

Looking good, how's the computer running?

I want to check out a file on your system. Please go to this page:
http://www.bleepingcomputer.com/submit-mal....php?channel=72
and upload this file:
C:\QooBox\Quarantine\c\windows\system32\clrviddc.dll.vir (might not have the .vir extensions)

Any other problems?

#5 John_Hall (Topic Starter)

Posted 30 December 2009 - 10:10 AM

Hi again,

Have submitted file as requested. Don't seem to be getting any redirects at present which is brilliant. Hoping that this is now sorted, I'd love to know exactly what the problem was and how it could circumvent all the protection/scanners I have. Is it also something which others are experiencing?

Many thanks again - hugely appreciated.

John

#6 jpshortstuff (WhatTheTech Teacher)

Posted 30 December 2009 - 10:27 AM

Thanks for the submission. I'm just having it checked out, it looks like it might be a false positive.

Glad the redirects have stopped. You did indeed have a fairly new infection, which is why it wasn't picked up by the other scanners. Kenco was only written yesterday, which is why it got it. Other people are starting to experience this as well, it looks like it has only been around for a couple of weeks.

I'll get back to you shortly on that submission.

#7 John_Hall (Topic Starter)

Posted 30 December 2009 - 02:01 PM

Thanks. Just need a bit of help on a few follow on points:

1. Have since turned PC off and, after reboot, started IE8. Unfortunately it won't open up properly (I'm having to reply to you via separate laptop) - on trying to start IE8 I get a pop-up "Alert!" window which says:

"Symantec Script Blocking has prevented a script action that could be harmful to you.

Application: msntask.exe

Source file: C:\\WINDOWS\system32\-Embedding

Object: Object for constructing type libraries for scriplets

Method GUID"

There is an "OK" button in the pop-up window - after clicking the window goes away for a bit but then reappears. IE8 won't open up properly. How do I sort this please? I don't have any Symantec stuff installed on my PC as far as I'm aware but it may be related to the stuff we ran earlier.


2. My STOPZilla programme is doing its nut identifying various Trojans, Hijackers and 1 Adware infection "COGNAC". Am I OK to hit the "Remove Now" button or should I hold fire for the time being. Again it looks like these are a left over from the stuff we ran earlier.

3. To the uneducated, what's a "false positive"?

Many thanks.

John.

#8 jpshortstuff (WhatTheTech Teacher)

Posted 30 December 2009 - 03:49 PM

Symantec can be a pain to get rid of. You appear to have their script blocker installed. Click Start >> Control Panel >> Add/Remove Programs then find and Remove this:
Symantec Script Blocking Installer

Can you tell me the location of the files that StopZilla is identifying? It could be that it is looking at ComboFix's backups.

A False Positive is when an AntiMalware program falsely identifies a file as being bad, when it is legit. We might have one here (the file you uploaded). Do you remember installing a ClearVideo codec recently?

#9 John_Hall (Topic Starter)

Posted 30 December 2009 - 04:27 PM

Unfortunately nothing Symantec related in Add/Remove programs menu. Any ideas?

Re StopZilla, it's coming up with the following 31 infections (Infection Name, Type, Element, Location, Severity):

1. GASF, Trojan, File, c:\combo-fix\mbr.cfxxe, Critical
2. GASF, Trojan, File, c:\windows\mbr.exe, Critical
3. CatchMe, Trojan, File, c:\documents and settings\john\local settings\temp\catchme.sys, High
4. CatchMe, Trojan, File, c:\docume~1\temp\catchme.sys, High
5-26. CatchMe, Trojan, Registry Key, HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\ [various x 22], High
27-28. System Policies.DisableRegistryTools, Hijacker, Registry Key, hkus\[long alpha-numerics x 2], Moderate
29. System Policies.DisableRegistryTools, Hijacker, Registry Key, hklm\software\microsoft\windows\currentversion\policies\system, Moderate
30. System Policies.DisableRegistryTools, Hijacker, Registry Key, hklm\software\microsoft\windows\currentversion\policies\system\"DisableRegistryTools"="0x00000000 (0)", Moderate
31. Cognac, Adware, File, c:\windows\pev.exe, Moderate

Re your last point, certainly don't think I've downloaded anything from ClearVideo lately. Not a name I recognise.

Thanks.

John

#10 jpshortstuff (WhatTheTech Teacher)

Posted 30 December 2009 - 04:35 PM

That's odd, because the script blocker shows in DDS log as being in your Add-Remove programs list. Odd. Is there anything in your Start Menu? Anything in C:\Program Files?

None of those files StopZilla is finding are a threat, they are all parts of ComboFix and will be removed when we uninstall it.

#11 John_Hall
  • Topic Starter
  • Members
  • 15 posts

Posted 30 December 2009 - 04:53 PM

Ran a C drive search on files/folders with "Symantec" in name and it picked up the following:

C:\Documents and Settings\ All Users\Application Data\ Symantec
C:\Documents and Settings\John\ Application Data \ Symantec
C:\Program Files\Common Files\Symantec Shared

Latter folder includes a "Script Blocking" folder with the following 4 files:

ScrBlock.dll
ScrAuth.dll
ScrTrust.dll
SBServ

Thinking about it, I have a vague recollection that the PC came pre-installed with an option to subscribe to Norton Anti-Virus/Symantec but that I opted to take a subscription with McAfee instead. Could this be why it doesn't show on the Add/Remove Programs list?

I guess it may not be as simple as just deleting these folders/files to solve the problem?

Thanks.

John

#12 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 30 December 2009 - 04:58 PM

No, deleting folders alone won't do it, and it probably wouldn't let you anyway. No matter, we will find a way. It shows as uninstallable in the DDS log, so let's find out how. Please click Start >> Run then copy/paste this command and hit Enter:
regedit /e "%userprofile%\Desktop\export.txt" "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall"

This will create a log on your Desktop entitled export.txt; please attach that in your next post.

#13 John_Hall
  • Topic Starter
  • Members
  • 15 posts

Posted 30 December 2009 - 05:11 PM

Done, but the file size is too big (597k) for the allocated attachment space. I could copy and paste it into the body of a reply, but given it's such a large amount of text, is it easier if I copy/paste specific text elements, e.g. anything related to Symantec?
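The regedit /e command two posts up dumps every subkey of the Uninstall key, which is why export.txt runs to 597k: each subkey is one product, and the UninstallString value inside it is the command Add/Remove Programs would run. A product can sit in that key and still be absent from the Add/Remove Programs list (for example when its entry has no DisplayName, or is flagged with SystemComponent=dword:1), so searching the export is the right way to find the uninstaller for the Script Blocking component. The script below is an added example written for this thread, not a tool from the original posts. It parses the "Windows Registry Editor Version 5.00" format that regedit /e writes (UTF-16 with a BOM, string values with backslash escapes, multi-line hex values) and prints only the entries that mention a vendor name. The embedded sample export, the vendor "Example Vendor", the key name {EXAMPLE-0001} and the paths in it are constructed for illustration and do not describe any real product.

```python
"""Pull vendor-specific entries out of a 'regedit /e' export of the Uninstall key.

Added example for this thread, not a tool from the original posts. The sample
export below (vendor "Example Vendor", key {EXAMPLE-0001}, paths) is constructed.
"""
import re
import sys
from typing import Dict, List, Optional

Entry = Dict[str, str]

_KEY_HEADER = re.compile(r"^\[(.+)\]$")
# "Name"="value" or @="value"; regedit escapes \ and " inside strings with \.
_STRING_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')
_SEARCH_FIELDS = ("DisplayName", "Publisher", "UninstallString",
                  "QuietUninstallString", "InstallLocation")


def _unescape(value: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", value)


def decode_export(raw: bytes) -> str:
    """regedit /e writes UTF-16LE with a BOM; older exports are 8-bit text."""
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")


def parse_export(text: str) -> Dict[str, Entry]:
    """Map each [key path] to its string values. dword:/hex: values are skipped,
    as are the indented continuation lines of multi-line hex values."""
    keys: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    for line in text.splitlines():
        if line.startswith((" ", "\t")):
            continue
        header = _KEY_HEADER.match(line)
        if header:
            current = keys.setdefault(header.group(1), {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            current[name] = _unescape(m.group(2))
    return keys


def find_uninstallers(keys: Dict[str, Entry], needle: str) -> List[Entry]:
    """Entries whose subkey name or descriptive values contain needle (case-insensitive)."""
    needle = needle.lower()
    hits: List[Entry] = []
    for path, values in keys.items():
        fields = [path.rsplit("\\", 1)[-1]] + [values.get(f, "") for f in _SEARCH_FIELDS]
        if any(needle in f.lower() for f in fields):
            hit: Entry = {"Key": path}
            hit.update({f: values[f] for f in _SEARCH_FIELDS if f in values})
            hits.append(hit)
    return hits


# Constructed sample in the exact layout regedit /e produces (after decoding).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{EXAMPLE-0001}]
"DisplayName"="Example Vendor Script Blocking"
"Publisher"="Example Vendor"
"UninstallString"="MsiExec.exe /X{EXAMPLE-0001}"
"InstallLocation"="C:\\Program Files\\Common Files\\Example Vendor Shared\\Script Blocking"
"NoModify"=dword:00000001
"ProductIcon"=hex:00,01,\
  02,03

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Example Browser]
"DisplayName"="Example Browser 8"
"UninstallString"="\"C:\\Program Files\\Example Browser\\uninst.exe\" /quiet"
"""


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} export.txt VENDOR", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        keys = parse_export(decode_export(fh.read()))
    for hit in find_uninstallers(keys, argv[2]):
        print(f"[{hit['Key']}]")
        for name, value in hit.items():
            if name != "Key":
                print(f"  {name} = {value}")
        print()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python find_uninstall.py export.txt Symantec` against the export.txt on the Desktop; the few matching blocks it prints are small enough to paste into a reply, and the UninstallString of the right block is the command to run from Start > Run. Note that regedit /e only exports the key you name, so per-user installs under HKEY_CURRENT_USER need a second export.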

#14 jpshortstuff
    WhatTheTech Teacher
  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 30 December 2009 - 05:14 PM

You could submit it to my BC malware channel, that's got a higher limit:
http://www.bleepingcomputer.com/submit-mal....php?channel=72

#15 John_Hall
  • Topic Starter
  • Members
  • 15 posts

Posted 30 December 2009 - 05:26 PM

OK - done.



