Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirects and firefox popups


  • This topic is locked This topic is locked
9 replies to this topic

#1 indiemonkey

indiemonkey

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 10 August 2010 - 12:09 PM

I've been having this problem for a couple of weeks now. When I search in google using Firefox, quite often the link I click will redirect me to another search engine's results page for the same query (Ask Jeeves is the most noteworthy, I forget the names of the others). Alongside this, I find I'm getting a lot of popups appearing (I never used to get this - I use AdBlocker). I have AVG, Malwarebytes, Spybot and Ad-aware installed, and keep all of them up to date. I've ran all of them several times in the past couple of weeks (generally in succession until none of them detect anything) but the problem is still occurring. AVG is coming up with alerts occasionally as well, saying that it's blocking attempts to accss my computer or words to that effect - don't have any of the actual alerts written down but if it helps I'll try to get this information.

Edit: Just after I posted an Ad-Watch Live! alert popped up saying 'Ad-Watch Live! has blocked svchost.exe from conneting to a malicious website on the internet. IP address 205.252.166.169 (port: 80)'

Another edit: I just ran Malwarebytes and the most recent virus it's detected isworm.koobface in C:\Program Files\Last.fm\killer.exe. I've detected (and removed) other things before now - it seems to keep infecting me with new things.

Any help would be very much appreciated!

My DDS log is as follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ed at 9:19:35.39 on 10/08/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1010 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\EdExplore.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\program files\steam\steam.exe
C:\Program Files\RivaTuner v2.11\RivaTuner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ed\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie_rsearch.html
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie_rsearch.html
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
mWinlogon: Shell=EdExplore.exe
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Steam] "d:\program files\steam\steam.exe" -silent
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.11\RivaTuner.exe" /S
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AirPort Base Station Agent] "d:\program files\airport\APAgent.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\rivatu~1.lnk - c:\program files\rivatuner v2.11\RivaTuner.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: StartMenuFavorites = 0 (0x0)
mPolicies-explorer: Start_ShowHelp = 0 (0x0)
mPolicies-explorer: Start_ShowMyComputer = 1 (0x1)
mPolicies-explorer: Start_ShowMyDocs = 1 (0x1)
mPolicies-explorer: Start_ShowMyMusic = 0 (0x0)
mPolicies-explorer: Start_ShowRun = 1 (0x1)
mPolicies-explorer: Start_ShowSearch = 0 (0x0)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
dPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\q26jp75n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google Powered Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=
FF - component: c:\documents and settings\ed\application data\mozilla\firefox\profiles\q26jp75n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\ed\application data\mozilla\firefox\profiles\q26jp75n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexoneu\ngm\npNxGameeu.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-13 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-25 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-25 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-25 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
R2 StarWindServiceAE;StarWind AE Service;d:\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-11-2 36864]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\games\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 LiveTurbineMessageService;Turbine Message Service - Live;d:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-2-10 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;d:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-2-10 218608]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2009-4-17 182528]

=============== Created Last 30 ================

2010-08-10 08:14:27 20 ----a-w- c:\documents and settings\ed\defogger_reenable
2010-08-09 21:59:57 0 d-----w- c:\program files\TuneUpMedia
2010-08-09 21:59:50 0 d-----w- c:\docume~1\ed\applic~1\TuneUpMedia
2010-08-09 21:59:38 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUpMedia
2010-08-09 21:59:24 0 d-----w- c:\docume~1\ed\applic~1\Azureus
2010-08-09 21:52:40 0 d-----w- c:\program files\Conduit
2010-08-09 21:52:38 0 d-----w- c:\program files\Vuze
2010-08-09 21:52:30 0 d-----w- c:\program files\Vuze_Remote
2010-08-01 15:33:41 0 d-----w- c:\docume~1\ed\applic~1\W
2010-08-01 15:32:55 0 d-----w- c:\docume~1\ed\applic~1\wargaming.net
2010-08-01 15:29:49 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-08-01 15:29:49 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-08-01 15:29:48 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-08-01 15:29:48 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-08-01 15:29:48 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-08-01 15:29:47 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-08-01 15:29:47 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-08-01 15:29:47 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-08-01 15:29:46 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-08-01 15:29:46 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-08-01 15:29:46 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-08-01 15:29:46 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-07-31 15:18:31 327168 ----a-w- c:\windows\IsUninst.exe
2010-07-31 15:18:19 496 ----a-w- c:\windows\_delis32.ini
2010-07-28 18:49:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-25 16:46:51 0 d-----w- c:\program files\iPod
2010-07-16 00:38:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-16 00:33:55 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-15 22:54:27 12536 ----a-w- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2010-07-31 16:58:07 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-31 16:45:53 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-15 22:54:28 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:53:57 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-28 19:41:38 138056 ----a-w- c:\docume~1\ed\applic~1\PnkBstrK.sys
2010-05-28 19:41:15 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-05-28 19:36:37 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-05-16 23:40:46 19396 ---ha-w- c:\windows\system32\mlfcache.dat
2006-06-23 14:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 9:20:44.46 ===============

Attached Files


Edited by indiemonkey, 10 August 2010 - 01:53 PM.


BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:08 AM

Posted 10 August 2010 - 02:36 PM

Good evening. smile.gif

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 indiemonkey

indiemonkey
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 10 August 2010 - 03:49 PM

Hi, thanks for the swift response! Have just run Combofix - here is the log:

ComboFix 10-08-10.03 - Ed 10/08/2010 21:31:07.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1231 [GMT 1:00]
Running from: c:\documents and settings\Ed\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msconfig.exe
D:\install.exe

Infected copy of c:\windows\system32\srsvc.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\srsvc.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-10 20:32 . 2008-04-14 05:42 171008 ----a-w- c:\windows\system32\srsvc.dll
2010-08-09 21:59 . 2010-08-09 22:00 -------- d-----w- c:\program files\TuneUpMedia
2010-08-09 21:59 . 2010-08-09 21:59 310208 ----a-w- c:\documents and settings\Ed\Application Data\Azureus\plugins\mlab\ShaperProbeC.exe
2010-08-09 21:59 . 2010-08-10 00:27 -------- d-----w- c:\documents and settings\Ed\Application Data\TuneUpMedia
2010-08-09 21:59 . 2010-08-09 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2010-08-09 21:59 . 2010-08-10 18:58 -------- d-----w- c:\documents and settings\Ed\Application Data\Azureus
2010-08-09 21:52 . 2010-08-09 21:52 -------- d-----w- c:\program files\Conduit
2010-08-09 21:52 . 2010-08-09 21:52 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Conduit
2010-08-09 21:52 . 2010-08-09 22:02 -------- d-----w- c:\program files\Vuze
2010-08-09 21:52 . 2010-08-09 21:52 52224 ----a-w- c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\q26jp75n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
2010-08-09 21:52 . 2010-08-09 21:52 101376 ----a-w- c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\q26jp75n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
2010-08-09 21:52 . 2010-08-09 21:52 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Vuze_Remote
2010-08-09 21:52 . 2010-08-09 21:52 -------- d-----w- c:\program files\Vuze_Remote
2010-08-05 17:27 . 2010-08-05 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-01 15:33 . 2010-08-01 15:34 -------- d-----w- c:\documents and settings\Ed\Application Data\W
2010-08-01 15:32 . 2010-08-01 15:32 -------- d-----w- c:\documents and settings\Ed\Application Data\wargaming.net
2010-08-01 15:29 . 2010-06-02 03:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-08-01 15:29 . 2010-06-02 03:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-08-01 15:29 . 2010-06-02 03:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-08-01 15:29 . 2010-05-26 10:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-08-01 15:29 . 2010-05-26 10:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-08-01 15:29 . 2010-05-26 10:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-08-01 15:29 . 2010-05-26 10:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-08-01 15:29 . 2010-05-26 10:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-08-01 15:29 . 2010-02-04 09:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-08-01 15:29 . 2010-02-04 09:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-08-01 15:29 . 2010-02-04 09:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-08-01 15:29 . 2010-02-04 09:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-07-31 15:18 . 1998-10-02 18:00 327168 ----a-w- c:\windows\IsUninst.exe
2010-07-28 18:49 . 2010-08-10 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-25 22:58 . 2010-07-25 22:58 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-25 16:46 . 2010-07-25 16:46 -------- d-----w- c:\program files\iPod
2010-07-25 16:44 . 2010-07-25 16:44 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-16 00:38 . 2010-07-16 00:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-16 00:34 . 2010-07-16 00:34 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Sunbelt Software
2010-07-16 00:33 . 2010-07-28 18:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-16 00:33 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-15 22:54 . 2010-07-15 22:54 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 22:45 . 2010-07-16 00:24 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\xlpdfvkcs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 03:57 . 2009-01-14 23:47 -------- d-----w- c:\documents and settings\Ed\Application Data\Spotify
2010-08-05 17:27 . 2009-05-18 22:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-03 07:35 . 2008-11-09 15:22 -------- d-----w- c:\documents and settings\Ed\Application Data\uTorrent
2010-07-31 16:58 . 2008-11-03 19:07 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-31 16:45 . 2008-11-03 19:07 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-30 19:47 . 2008-11-03 02:26 -------- d-----w- c:\program files\eXPerience
2010-07-28 17:08 . 2009-07-13 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-25 16:46 . 2009-05-19 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-07-15 22:54 . 2009-01-25 15:51 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:53 . 2009-01-25 15:51 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-12 08:55 . 2009-08-13 00:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2009-08-13 08:01 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-05 18:29 . 2010-07-05 18:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
2010-07-03 19:14 . 2010-06-06 14:55 -------- d-----w- c:\documents and settings\Ed\Application Data\Mumble
2010-07-03 11:41 . 2009-09-01 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-28 23:30 . 2009-01-09 20:32 1 ----a-w- c:\documents and settings\Ed\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-15 20:54 . 2009-01-25 15:51 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-14 23:55 . 2010-06-14 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-14 23:54 . 2010-06-14 23:53 -------- d-----w- c:\program files\QuickTime
2010-06-14 19:49 . 2010-06-14 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-14 19:46 . 2009-01-25 15:51 -------- d-----w- c:\program files\AVG
2010-05-28 19:41 . 2008-11-03 19:07 138056 ----a-w- c:\documents and settings\Ed\Application Data\PnkBstrK.sys
2010-05-28 19:41 . 2008-11-03 19:07 138056 ----a-w- c:\documents and settings\Ed\Application Data\PnkBstrK.sys
2010-05-28 19:41 . 2010-05-28 19:36 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-05-28 19:36 . 2008-11-03 19:07 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-05-22 15:55 . 2010-05-22 15:55 53248 ----a-r- c:\documents and settings\Ed\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-05-22 15:55 . 2010-05-22 15:55 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-05-16 23:40 . 2009-12-13 03:23 19396 ---ha-w- c:\windows\system32\mlfcache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-06-13 18:10 2734688 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\program files\steam\steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"ATIModeChange"="Ati2mdxx.exe" [2010-04-07 26112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-17 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"AirPort Base Station Agent"="d:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2010-05-04 124928]

c:\documents and settings\Ed\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]
RivaTuner.lnk - c:\program files\RivaTuner v2.11\RivaTuner.exe [2008-9-16 2715648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowHelp"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 22:54 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-03-20 16:46 217544 ----a-w- d:\alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-05-27 02:19 36864 ----a-w- c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- d:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-05-17 21:45 279912 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
2006-08-09 13:23 184320 ----a-w- c:\program files\Saitek\Software\ProfilerU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd]
2006-08-14 11:12 126976 ----a-w- c:\program files\Saitek\Software\SaiMfd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- d:\winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Games\\FC2\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Games\\FC2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Games\\FC2\\Far Cry 2\\bin\\FC2Editor.exe"=
"d:\\Program Files\\THQ\\Dawn Of War\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Games\\Activision\\Rome - Total War\\RomeTW.exe"=
"d:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"d:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"d:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"d:\\Program Files\\Xfire\\Xfire.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Nexon\\NEXON_EU_Downloader\\NEXON_EU_Downloader_Engine.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"d:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Games\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Games\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"d:\\Program Files\\eMule\\emule.exe"=
"d:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"d:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"d:\\Program Files\\Bohemia Interactive\\ArmA 2\\arma2.exe"=
"d:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"d:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"d:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=
"d:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=
"d:\\Games\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enGB-downloader.exe"=
"d:\\Games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"d:\\Games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe"=
"d:\\Games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Games\\World of Warcraft\\WoW-3.2.0-enGB-downloader.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"d:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"d:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"d:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"d:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\beyond good and evil\\CheckApplication.exe"=
"d:\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"d:\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\torchlight\\TorchED\\Editor.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\fallout 3 goty\\FalloutLauncher.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"d:\\Program Files\\AirPort\\APAgent.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"d:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\witcher.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\djinni!.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv\\GTAIV\\LaunchGTAIV.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"123:UDP"= 123:UDP:SNTP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:UDP"= 5353:UDP:Bonjour

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [13/08/2009 01:09 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/01/2009 16:51 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/01/2009 16:51 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15/07/2010 23:53 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 23:54 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/07/2010 09:55 1352832]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [02/11/2008 19:59 36864]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [15/12/2009 21:07 25832]
S3 LiveTurbineMessageService;Turbine Message Service - Live;d:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [10/02/2009 23:41 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;d:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [10/02/2009 23:41 218608]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [17/04/2009 18:33 182528]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03/11/2008 00:18 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\q26jp75n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google Powered Search
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\q26jp75n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\q26jp75n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonEU\NGM\npNxGameeu.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Bookworm Adventures Vol. 2 - c:\program files\PopCap Games\Bookworm Adventures Vol. 2\PopUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 21:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-162531612-839522115-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8e,12,5f,9d,06,b7,a1,cf,55,87,ec,35,e2,12,b6,fa,6d,3e,82,70,81,90,b9,
ba,76,fe,60,1f,71,86,68,00,98,b7,59,70,44,2c,48,94,bf,56,85,d1,53,7c,49,2e,\
"??"=hex:26,c3,fd,cd,d5,85,8e,d5,cf,a0,5e,43,28,ef,ab,ef

[HKEY_USERS\S-1-5-21-1708537768-162531612-839522115-1001\Software\SecuROM\License information*]
"datasecu"=hex:1e,78,8d,5e,c9,5f,5a,3b,43,38,ed,9c,76,99,fd,88,ad,f4,8b,3c,8b,
8e,d1,69,e0,7c,85,44,22,2b,05,23,9b,8c,a0,1e,10,55,96,b2,d6,4a,23,30,39,4a,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

- - - - - - - > 'explorer.exe'(3972)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
d:\alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-08-10 21:38:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-10 20:37

Pre-Run: 3,697,188,864 bytes free
Post-Run: 3,736,780,800 bytes free

- - End Of File - - 79A38BC65D36FE59B9BBFEE38F1B3841


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:08 AM

Posted 10 August 2010 - 05:37 PM

QUOTE
Let me know how the PC is behaving.

So long, and thanks for all the fish.

 

 


#5 indiemonkey

indiemonkey
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 10 August 2010 - 06:33 PM

Sorry - was going to give it a little time to see how things were before I responded to that bit.

I've been on here about 2-2.5 hours since running ComboFix and I haven't received any more popups, and Google's search function seems to be behaving itself and not redirecting so I think whatever ComboFix did has solved the problem.

If anything does pop up shall I just report in this thread and otherwise we can assume that the problem's fixed?

Thanks very much for your help - it's really very much appreciated.

#6 indiemonkey

indiemonkey
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 10 August 2010 - 07:35 PM

Sorry to trouble again - I'm just running AVG (most recent update), it's midway through the scan but already it's found the Win32/patched.dx virus in 'C:\Qoobox\32788R22FWJFW\rasacd.sys' sad.gif don't think I'm out of the woods yet

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:08 AM

Posted 11 August 2010 - 02:03 PM

Good evening. smile.gif

C:\Qoobox\32788R22FWJFW\rasacd.sys is a file that is held within the quarantine folder that ComboFix uses - it's a file that has already been deleted and so is of no real interest as far as you're concerned.

I think a little nose around the hard drive won't hurt, just as a precaution. Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

 

 


#8 indiemonkey

indiemonkey
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 11 August 2010 - 06:41 PM

Ok, been running the machine all evening and haven't encountered ANY alerts from AVG or Ad-Aware, no popups in Firefox and no Google search results being directed. I've just run MBAM and it came up clean (log below along with the other info you requested)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4420

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/08/2010 00:20:55
mbam-log-2010-08-12 (00-20-55).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 459030
Time elapsed: 1 hour(s), 25 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And the DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ed at 0:39:47.17 on 12/08/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.748 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\program files\steam\steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\RivaTuner v2.11\RivaTuner.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Ed\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Steam] "d:\program files\steam\steam.exe" -silent
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.11\RivaTuner.exe" /S
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AirPort Base Station Agent] "d:\program files\airport\APAgent.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\rivatu~1.lnk - c:\program files\rivatuner v2.11\RivaTuner.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: StartMenuFavorites = 0 (0x0)
mPolicies-explorer: Start_ShowHelp = 0 (0x0)
mPolicies-explorer: Start_ShowMyComputer = 1 (0x1)
mPolicies-explorer: Start_ShowMyDocs = 1 (0x1)
mPolicies-explorer: Start_ShowMyMusic = 0 (0x0)
mPolicies-explorer: Start_ShowRun = 1 (0x1)
mPolicies-explorer: Start_ShowSearch = 0 (0x0)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\q26jp75n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google Powered Search
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\ed\application data\mozilla\firefox\profiles\q26jp75n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\ed\application data\mozilla\firefox\profiles\q26jp75n.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexoneu\ngm\npNxGameeu.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-13 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-25 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-25 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-25 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
R2 StarWindServiceAE;StarWind AE Service;d:\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-11-2 36864]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-2 38224]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\games\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 LiveTurbineMessageService;Turbine Message Service - Live;d:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-2-10 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;d:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-2-10 218608]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2009-4-17 182528]

=============== Created Last 30 ================

2010-08-10 20:32:59 171008 ----a-w- c:\windows\system32\srsvc.dll
2010-08-10 20:09:05 0 d-sha-r- C:\cmdcons
2010-08-10 20:07:24 98816 ----a-w- c:\windows\sed.exe
2010-08-10 20:07:24 77312 ----a-w- c:\windows\MBR.exe
2010-08-10 20:07:24 256512 ----a-w- c:\windows\PEV.exe
2010-08-10 20:07:24 161792 ----a-w- c:\windows\SWREG.exe
2010-08-10 08:14:27 20 ----a-w- c:\documents and settings\ed\defogger_reenable
2010-08-09 21:59:57 0 d-----w- c:\program files\TuneUpMedia
2010-08-09 21:59:50 0 d-----w- c:\docume~1\ed\applic~1\TuneUpMedia
2010-08-09 21:59:38 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUpMedia
2010-08-09 21:59:24 0 d-----w- c:\docume~1\ed\applic~1\Azureus
2010-08-09 21:52:40 0 d-----w- c:\program files\Conduit
2010-08-09 21:52:38 0 d-----w- c:\program files\Vuze
2010-08-09 21:52:30 0 d-----w- c:\program files\Vuze_Remote
2010-08-01 15:33:41 0 d-----w- c:\docume~1\ed\applic~1\W
2010-08-01 15:32:55 0 d-----w- c:\docume~1\ed\applic~1\wargaming.net
2010-08-01 15:29:49 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-08-01 15:29:49 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-08-01 15:29:48 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-08-01 15:29:48 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-08-01 15:29:48 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-08-01 15:29:47 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-08-01 15:29:47 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-08-01 15:29:47 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-08-01 15:29:46 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-08-01 15:29:46 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-08-01 15:29:46 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-08-01 15:29:46 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-07-31 15:18:31 327168 ----a-w- c:\windows\IsUninst.exe
2010-07-31 15:18:19 496 ----a-w- c:\windows\_delis32.ini
2010-07-28 18:49:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-25 16:46:51 0 d-----w- c:\program files\iPod
2010-07-16 00:38:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-16 00:33:55 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-15 22:54:27 12536 ----a-w- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2010-07-31 16:58:07 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-31 16:45:53 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-15 22:54:28 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:53:57 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-28 19:41:38 138056 ----a-w- c:\docume~1\ed\applic~1\PnkBstrK.sys
2010-05-28 19:41:15 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-05-28 19:36:37 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-05-16 23:40:46 19396 ---ha-w- c:\windows\system32\mlfcache.dat
2006-06-23 14:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 0:40:05.81 ===============


As I say - the machine seems to be running fine now so I think that with your help the problem has been cleared up! Thanks very much once again for all your assistance.



#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:08 AM

Posted 12 August 2010 - 01:50 PM

Good evening. smile.gif

Looks like a success to me. A little housekeeping to do is all:

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***
  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three:

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

So long, and thanks for all the fish.

 

 


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:08 AM

Posted 17 August 2010 - 02:49 PM

As this issue appears to have been resolved this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users