
Active Google redirect malware

Discussion in 'Malware and Virus Removal Archive' started by loftyoz, 2009/09/27.

  1. 2009/09/27
    loftyoz (Thread Starter)

    [Active] Google redirect malware

    Hi,

    I have the dreaded Google redirect malware on my machine. I am using Windows XP. I have run Malwarebytes but this does not seem to have fixed it, and it now says the system is clean. Please see my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:19:42, on 27/09/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CVSNT\cvslock.exe
    C:\WINXP\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\CVSNT\cvsservice.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
    C:\Program Files\USBIR\FrontPanelIo.exe
    C:\WINXP\system32\VTTimer.exe
    C:\WINXP\SOUNDMAN.EXE
    C:\WINXP\system32\svchost.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\WINXP\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\program files\reuters\rmc\rmc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Documents and Settings\Robert Loft\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\SystemControl\SystemControl\SystemControl.exe
    C:\Program Files\U.S. Robotics\Cordless Skype Dual Phone\USR9630.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINXP\system32\ZoneLabs\vsmon.exe
    C:\WINXP\system32\wuauclt.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.footballfansunited.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 174.132.115.157 www.11renwang.cn
    O1 - Hosts: 174.132.115.154 www.premierchinasolutions.com premierchinasolutions.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [USBIR] c:\Program Files\USBIR\FrontPanelIo.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PostCast Server] C:\Program Files\PostCast Server Professional\postcastserver.exe
    O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINXP\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [MenuOrder] C:\Program Files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [Nlolucohotuceja] rundll32.exe "C:\WINXP\idizawos.dll ",Startup
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RMC] C:\program files\reuters\rmc\rmc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Robert Loft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe "
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-4159782051-1203752577-514352727-500\..\Run: [RMC] "C:\Program Files\Reuters\RMC\\RunRM.exe" (User 'Administrator')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe (User 'Default user')
    O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
    O4 - .DEFAULT Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe (User 'Default user')
    O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    O4 - Global Startup: SystemControl.lnk = ?
    O4 - Global Startup: USRobotics Cordless Skype Dual Phone.lnk = C:\Program Files\U.S. Robotics\Cordless Skype Dual Phone\USR9630.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.icbc.com.cn
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://connect.barcap.com/workplace/webifiers/wficat.cab
    O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
    O16 - DPF: {971127BB-259F-48C2-BD75-5F97A3331551} (Microsoft RDP Client Control (redist)) - https://connect.barcap.com/workplace/webifiers/msrdp.cab
    O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINXP\SYSTEM32\avgrsstx.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CVSNT Locking Service 2.5.03.2221 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
    O23 - Service: CVSNT Dispatch service 2.5.03.2221 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe

    --
    End of file - 16063 bytes
  2. 2009/09/27
    Admin. (Administrator, Staff)

    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     

  3. 2009/09/28
    loftyoz (Thread Starter)

    dds.scr report

    Hi, sorry about that. Sure, I have run the DDS script and below are the DDS.txt and Attach.txt logs.
    I have run scans with AVG, Malwarebytes and SUPERAntiSpyware and they all say the system is clear, but it's not.

    DDS.txt:


    DDS (Ver_09-09-24.01) - NTFSx86
    Run by Robert Loft at 18:38:56.26 on 28/09/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.958.224 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINXP\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINXP\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINXP\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CVSNT\cvslock.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\CVSNT\cvsservice.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
    C:\WINXP\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\WINXP\Explorer.EXE
    C:\Program Files\USBIR\FrontPanelIo.exe
    C:\WINXP\system32\VTTimer.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINXP\SOUNDMAN.EXE
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\WINXP\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\program files\reuters\rmc\rmc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Robert Loft\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    C:\Program Files\SystemControl\SystemControl\SystemControl.exe
    C:\WINXP\system32\ZoneLabs\vsmon.exe
    C:\Program Files\U.S. Robotics\Cordless Skype Dual Phone\USR9630.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\WINXP\system32\wuauclt.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
    C:\Documents and Settings\Robert Loft\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.footballfansunited.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uWindow Title = Internet Explorer Provided By Sky Broadband
    uDefault_Page_URL = hxxp://www.sky.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
    BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
    BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [RMC] c:\program files\reuters\rmc\rmc.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Google Update] "c:\documents and settings\robert loft\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe "
    uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [USBIR] c:\program files\usbir\FrontPanelIo.exe
    mRun: [VTTimer] VTTimer.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [NeroFilterCheck] c:\winxp\system32\NeroCheck.exe
    mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe "
    mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
    mRun: [PostCast Server] c:\program files\postcast server professional\postcastserver.exe
    mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
    mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe "
    mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    mRun: [gemstrmw] c:\winxp\system32\gemstrmw.exe /r
    mRun: [MenuOrder] c:\program files\icbcpe~1\icbc\gemplus(personal)\menuorder\MenuOrder.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    mRun: [Nlolucohotuceja] rundll32.exe "c:\winxp\idizawos.dll ",Startup
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    dRun: [CTFMON.EXE] c:\winxp\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org1.1.4\program\quickstart.exe
    StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\openof~2.lnk - c:\program files\openoffice.org 2.2\program\quickstart.exe
    StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\schedu~1.lnk - c:\program files\spycatcher\Scheduler daemon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\system~1.lnk - c:\program files\systemcontrol\systemcontrol\SystemControl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\usrobo~1.lnk - c:\program files\u.s. robotics\cordless skype dual phone\USR9630.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
    Trusted Zone: com.cn\mybank.icbc
    Trusted Zone: com.cn\www.icbc
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://connect.barcap.com/workplace/webifiers/wficat.cab
    DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - hxxp://download.sopcast.com/download/SOPCORE.CAB
    DPF: {971127BB-259F-48C2-BD75-5F97A3331551} - hxxps://connect.barcap.com/workplace/webifiers/msrdp.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 setuid

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\18gzq1hk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.footballfansunited.com/
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\videoegg\loader\2663\npvideoegg-loader.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: XULRunner: {55E3FEE9-B5D2-4DF5-AECA-283D4C58270F} - c:\documents and settings\robert loft\local settings\application data\{55E3FEE9-B5D2-4DF5-AECA-283D4C58270F}

    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;c:\winxp\system32\drivers\PCTCore.sys [2009-9-24 206256]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [2008-4-28 335240]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\winxp\system32\drivers\avgmfx86.sys [2006-11-29 27784]
    R1 AvgTdiX;AVG8 Network Redirector;c:\winxp\system32\drivers\avgtdix.sys [2008-4-28 108552]
    R1 BS_I2cIo;BS_I2cIo;c:\winxp\system32\drivers\BS_I2cIo.sys [2005-12-15 5120]
    R1 KLIF;KLIF;c:\winxp\system32\drivers\klif.sys [2008-9-7 127768]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
    R1 vsdatant;vsdatant;c:\winxp\system32\vsdatant.sys [2006-1-10 394952]
    R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
    R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-16 908056]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-16 297752]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-24 92008]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
    S2 vsmon;TrueVector Internet Monitor;c:\winxp\system32\zonelabs\vsmon.exe -service --> c:\winxp\system32\zonelabs\vsmon.exe -service [?]
    S3 GKeyUSB;GKeyUSB;c:\winxp\system32\drivers\GKeyUSB.sys [2007-9-10 62096]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-1-21 348752]
    S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-1-21 1097096]
    S3 se44bus;Sony Ericsson Device 068 driver (WDM);c:\winxp\system32\drivers\se44bus.sys [2006-7-25 61536]
    S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;c:\winxp\system32\drivers\se44mdfl.sys [2006-7-25 9360]
    S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;c:\winxp\system32\drivers\se44mdm.sys [2006-7-25 97088]
    S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);c:\winxp\system32\drivers\se44mgmt.sys [2006-7-25 88624]
    S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);c:\winxp\system32\drivers\se44nd5.sys [2006-7-25 18704]
    S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;c:\winxp\system32\drivers\se44obex.sys [2006-7-25 86432]
    S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);c:\winxp\system32\drivers\se44unic.sys [2006-7-25 90800]
    S3 Tomcat5;Apache Tomcat;c:\program files\apache software foundation\tomcat 5.5\bin\tomcat5.exe [2006-1-3 102400]
    S3 ZD1211U(3COM Corporation);3COM OfficeConnect Wireless 11g Compact USB Adapter(3COM Corporation);c:\winxp\system32\drivers\zd1211u.sys --> c:\winxp\system32\drivers\zd1211u.sys [?]

    =============== Created Last 30 ================

    2009-09-28 18:36 <DIR> --d----- C:\bbs windows
    2009-09-27 14:07 <DIR> --d----- C:\_OTM
    2009-09-24 17:50 <DIR> --d----- c:\docume~1\robert~1\applic~1\Malwarebytes
    2009-09-24 17:49 38,224 a------- c:\winxp\system32\drivers\mbamswissarmy.sys
    2009-09-24 17:49 19,160 a------- c:\winxp\system32\drivers\mbam.sys
    2009-09-24 17:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-09-24 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-09-24 17:09 <DIR> --d----- c:\program files\Western Digital
    2009-09-24 16:34 <DIR> --d----- C:\malwarebytes
    2009-09-24 16:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-09-24 16:15 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-09-24 16:15 <DIR> --d----- c:\docume~1\robert~1\applic~1\SUPERAntiSpyware.com
    2009-09-24 16:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-09-24 16:13 <DIR> --d----- C:\superantispyware
    2009-09-24 16:11 <DIR> --d----- C:\stopzilla
    2009-09-24 15:41 <DIR> --d----- c:\program files\Trend Micro
    2009-09-24 15:38 <DIR> --d----- C:\hijackthis
    2009-09-24 15:37 623,511 a------- c:\temp\HijackThisInstaller.exe
    2009-09-24 09:30 159,600 a------- c:\winxp\system32\drivers\pctgntdi.sys
    2009-09-24 09:29 206,256 a------- c:\winxp\system32\drivers\PCTCore.sys
    2009-09-24 09:29 86,888 a------- c:\winxp\system32\drivers\PCTAppEvent.sys
    2009-09-24 09:29 7,396 a------- c:\winxp\system32\drivers\pctcore.cat
    2009-09-24 09:29 <DIR> --d----- c:\program files\common files\PC Tools
    2009-09-24 09:29 64,392 a------- c:\winxp\system32\drivers\pctplsg.sys
    2009-09-24 09:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
    2009-09-24 09:24 26,733,120 a------- c:\temp\sdsetup.exe
    2009-09-13 12:43 0 a------- c:\winxp\Uwopikapakuka.bin
    2009-09-13 12:43 120 a------- c:\winxp\Mmisisukina.dat
    2009-09-13 11:56 81 a------- C:\CTX.DAT
    2009-09-13 11:56 <DIR> --d----- c:\documents and settings\robert loft\Citrix
    2009-09-13 11:33 <DIR> --d----- c:\docume~1\robert~1\applic~1\Aventail
    2009-09-12 14:13 1,108 a------- c:\temp\robert.loft%40premierchinasolutions.com%20Email%20Settings.reg
    2009-09-08 08:02 <DIR> --d----- c:\docume~1\robert~1\applic~1\MSNInstaller

    ==================== Find3M ====================

    2009-09-27 15:21 138,792,992 a--sh--- c:\winxp\system32\drivers\fidbox.dat
    2009-09-27 15:21 1,624,532 a--sh--- c:\winxp\system32\drivers\fidbox.idx
    2009-08-29 10:49 0 a------- c:\winxp\system32\drivers\lvuvc.hs
    2009-08-29 10:49 0 a------- c:\winxp\system32\drivers\logiflt.iad
    2009-08-23 09:26 11,952 a------- c:\winxp\system32\avgrsstx.dll
    2009-08-23 09:26 335,240 a------- c:\winxp\system32\drivers\avgldx86.sys
    2009-08-05 10:11 204,800 a------- c:\winxp\system32\mswebdvd.dll
    2009-07-17 19:55 58,880 a------- c:\winxp\system32\atl.dll
    2009-07-13 10:08 286,720 a------- c:\winxp\system32\wmpdxm.dll
    2004-08-09 23:30 40,960 a------- c:\program files\Uninstall_CDS.exe

    ============= FINISH: 18:42:30.20 ===============


    Attach.txt:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-09-24.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 15/12/2005 11:18:00
    System Uptime: 28/09/2009 18:24:59 (0 hours ago)

    Motherboard: | | P4M800-8237
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 478 | 2992/200mhz
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 478 | 2992/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 190 GiB total, 141.83 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP744: 30/06/2009 07:09:43 - Avg8 Update
    RP745: 30/06/2009 07:11:39 - Avg8 Update
    RP746: 01/07/2009 19:49:32 - System Checkpoint
    RP747: 04/07/2009 09:00:13 - System Checkpoint
    RP748: 05/07/2009 15:45:42 - System Checkpoint
    RP749: 06/07/2009 08:32:27 - Software Distribution Service 3.0
    RP750: 07/07/2009 19:44:53 - System Checkpoint
    RP751: 09/07/2009 19:13:33 - System Checkpoint
    RP752: 13/07/2009 08:01:04 - Avg8 Update
    RP753: 13/07/2009 08:33:48 - Avg8 Update
    RP754: 14/07/2009 18:47:39 - System Checkpoint
    RP755: 15/07/2009 21:49:27 - Software Distribution Service 3.0
    RP756: 17/07/2009 18:22:12 - Avg8 Update
    RP757: 19/07/2009 11:18:24 - System Checkpoint
    RP758: 20/07/2009 19:17:13 - System Checkpoint
    RP759: 21/07/2009 20:25:26 - System Checkpoint
    RP760: 22/07/2009 20:27:16 - System Checkpoint
    RP761: 23/07/2009 21:53:35 - Installed iTunes
    RP762: 26/07/2009 12:28:44 - System Checkpoint
    RP763: 27/07/2009 18:34:06 - Installed USB WEB CAMERA
    RP764: 27/07/2009 18:47:37 - Update to an unsigned driver
    RP765: 27/07/2009 19:15:28 - Removed USB WEB CAMERA
    RP766: 27/07/2009 19:39:19 - Configured AirPlus G
    RP767: 27/07/2009 19:42:06 - Installed AirPlus G
    RP768: 27/07/2009 20:43:37 - Restore Operation
    RP769: 28/07/2009 21:25:50 - Software Distribution Service 3.0
    RP770: 01/08/2009 11:13:16 - Logitech QuickCam v11.90.1262
    RP771: 04/08/2009 14:15:15 - System Checkpoint
    RP772: 06/08/2009 18:37:03 - System Checkpoint
    RP773: 12/08/2009 20:02:34 - System Checkpoint
    RP774: 13/08/2009 20:15:59 - System Checkpoint
    RP775: 13/08/2009 22:17:37 - Software Distribution Service 3.0
    RP776: 16/08/2009 14:28:14 - System Checkpoint
    RP777: 18/08/2009 19:56:54 - System Checkpoint
    RP778: 20/08/2009 20:30:44 - System Checkpoint
    RP779: 22/08/2009 10:14:07 - System Checkpoint
    RP780: 23/08/2009 09:25:23 - Avg8 Update
    RP781: 23/08/2009 09:26:31 - Avg8 Update
    RP782: 24/08/2009 14:47:32 - System Checkpoint
    RP783: 25/08/2009 22:00:49 - Software Distribution Service 3.0
    RP784: 28/08/2009 07:03:08 - System Checkpoint
    RP785: 29/08/2009 11:08:14 - System Checkpoint
    RP786: 02/09/2009 20:02:14 - System Checkpoint
    RP787: 03/09/2009 20:41:26 - System Checkpoint
    RP788: 07/09/2009 19:44:23 - System Checkpoint
    RP789: 10/09/2009 20:00:33 - System Checkpoint
    RP790: 10/09/2009 21:14:33 - Software Distribution Service 3.0
    RP791: 12/09/2009 10:11:45 - System Checkpoint
    RP792: 14/09/2009 08:29:37 - System Checkpoint
    RP793: 14/09/2009 21:46:02 - Software Distribution Service 3.0
    RP794: 15/09/2009 07:17:38 - Software Distribution Service 3.0
    RP795: 17/09/2009 20:28:37 - System Checkpoint
    RP796: 21/09/2009 20:39:27 - System Checkpoint
    RP797: 23/09/2009 19:25:49 - System Checkpoint
    RP798: 24/09/2009 16:15:35 - Installed SUPERAntiSpyware Free Edition
    RP799: 26/09/2009 13:15:03 - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0.7
    Adobe Shockwave Player 11
    Adobe SVG Viewer 3.0
    AirPlus G
    AlphaButton 2.2.1
    ANIO Service
    ANIWZCS2 Service
    Apache HTTP Server 2.2.11
    Apache Tomcat 5.5 (remove only)
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoStudio 5.5
    Aventail Access Manager
    Aventail Web Proxy Agent
    Aventail Webifiers
    AVG Free 8.5
    Bonjour
    Business Plan Software
    Canon MP Navigator 2.0
    Canon MP170
    Canon Utilities Easy-PhotoPrint
    Citrix Presentation Server Web Client for Win32
    CVSNT 2.5.03.2221
    DVD Solution
    Easy-WebPrint
    Exadel Studio 3.0.5
    FLV Player 1.3.3
    Football Superstars RC82
    Free Buttons.org
    Gemplus Smart Card Reader Tools
    GemSafe OEM Edition 5.0 for China
    GnuWin32: Wget version 1.10.1
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    ICBC install (goldpac personal version)
    ICBC Install(Gemplus Personal)
    iPod for Windows 2005-10-12
    iPod for Windows 2006-01-10
    IrfanView (remove only)
    iTunes
    J2SE Development Kit 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 6
    Kybtec World Clock 3.3.1.1
    Logitech QuickCam
    Logitech QuickCam Driver Package
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    MadOnion.com/3DMark2001 SE
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (2.0.0.20)
    MSN
    MySQL Server 5.1
    MySQL Tools for 5.0
    Nero Suite
    OmniPage SE
    OpenOffice.org 1.1.4
    OpenOffice.org 2.2
    Opera
    Picasa 2
    PowerDirector Express
    PowerDVD
    PowerProducer
    PSPad editor
    QuickTime
    RealPlayer
    Realtek AC'97 Audio
    Registry Mechanic 8.0
    Reuters Messaging 7
    Reuters Messaging Troubleshooting Tool
    RTLSetup 2.50.503
    S3 S3Display
    S3 S3Gamma2
    S3 S3Info2
    S3 S3Overlay
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Sky Broadband
    Skype 3.0
    Skype add-on for IE
    Skype Plugin Manager
    SopCore 1.1.2
    Spyware Doctor 6.1
    SUPERAntiSpyware Free Edition
    SystemControl
    TextPad 5
    TomTom HOME 2.6.3.1609
    TomTom HOME Visual Studio Merge Modules
    TortoiseCVS 1.8.24
    UniChrome IGP Driver and Utilities
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB900930)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    USRobotics Cordless Skype Dual Phone
    VideoEgg Publisher
    Viewpoint Media Player (Remove Only)
    WebFldrs XP
    Windows Backup Utility
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB887797
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinMerge 2.4.6.0
    WinRAR archiver
    WinSCP 4.0.7
    WinZip
    ZoneAlarm
    ZoneAlarm Spy Blocker

    ==== Event Viewer Messages From Past Week ========

    27/09/2009 13:30:20, information: Windows File Protection [64002] - File replacement was attempted on the protected system file wdmaud.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
    24/09/2009 17:42:03, error: Service Control Manager [7023] - The HTTP SSL service terminated with the following error: Insufficient system resources exist to complete the requested service.
    24/09/2009 17:04:59, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{A3B7E99D-53B8-4CF1-BB54-73AF8D54CEDB} because another computer on the network has the same name. The server could not start.
    24/09/2009 17:04:59, error: Server [2505] - The server could not bind to the transport \Device\NetbiosSmb because another computer on the network has the same name. The server could not start.
    24/09/2009 09:44:27, error: System Error [1003] - Error code 1000000a, parameter1 00000000, parameter2 0000001c, parameter3 00000000, parameter4 804f8933.
    24/09/2009 09:44:12, error: Service Control Manager [7023] - The Process Monitor service terminated with the following error: The system cannot open the device or file specified.
    24/09/2009 09:42:16, error: Service Control Manager [7000] - The Logitech LVPr2Mon Driver service failed to start due to the following error: The parameter is incorrect.
    24/09/2009 09:36:36, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 3 time(s).
    24/09/2009 09:28:07, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 2 time(s).
    24/09/2009 09:18:24, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
    23/09/2009 18:24:59, error: Service Control Manager [7034] - The ANIWZCSd Service service terminated unexpectedly. It has done this 1 time(s).
    23/09/2009 18:21:29, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
    23/09/2009 18:21:29, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    23/09/2009 18:20:11, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service iPod Service with arguments " " in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    23/09/2009 18:20:10, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service winmgmt with arguments " " in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

    ==== End Of File ===========================


    Thanks for your help
     
  5. 2009/09/28
    broni

    broni Moderator Malware Analyst

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!



    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  6. 2009/09/29
    loftyoz

    loftyoz Inactive Thread Starter

    logs

    Hi,

    Please find below the ComboFix.txt and HijackThis logs.
    Please note that when ComboFix was running I got a Windows error popup saying 'C:\WINXP\System32\sfcfiles.dll is not a valid windows image. Please check against your installation diskette'.
    Also - since I ran Combofix I can't open Windows services utility?
    Before running I shut down AVG - though when I looked at task manager there were a few processes starting with avg running - so I tried to shut down the processes but they kept starting up straight away? I also now can't copy and paste much - i.e. have to copy small chunks of text and paste? This doesn't look good...

    ComboFix.txt:

    ComboFix 09-09-28.01 - Robert Loft 29/09/2009 19:15.1.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.958.291 [GMT 1:00]
    Running from: c:\documents and settings\Robert Loft\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
    .

    2009-09-28 20:33 . 2008-12-11 07:38 159600 ----a-w- c:\winxp\system32\drivers\pctgntdi.sys
    2009-09-28 20:32 . 2009-08-24 13:05 206256 ----a-w- c:\winxp\system32\drivers\PCTCore.sys
    2009-09-28 20:32 . 2009-08-19 10:01 86888 ----a-w- c:\winxp\system32\drivers\PCTAppEvent.sys
    2009-09-28 20:32 . 2009-09-28 20:35 -------- d-----w- c:\program files\Common Files\PC Tools
    2009-09-28 20:32 . 2008-12-10 10:36 64392 ----a-w- c:\winxp\system32\drivers\pctplsg.sys
    2009-09-28 20:32 . 2009-09-28 20:51 -------- d-----w- c:\program files\Spyware Doctor
    2009-09-28 20:32 . 2009-09-28 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2009-09-28 17:36 . 2009-09-28 17:36 -------- d-----w- C:\bbs windows
    2009-09-27 13:07 . 2009-09-27 13:07 -------- d-----w- C:\_OTM
    2009-09-24 16:50 . 2009-09-24 16:50 -------- d-----w- c:\documents and settings\Robert Loft\Application Data\Malwarebytes
    2009-09-24 16:49 . 2009-09-10 13:54 38224 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
    2009-09-24 16:49 . 2009-09-27 13:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-24 16:49 . 2009-09-24 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-24 16:49 . 2009-09-10 13:53 19160 ----a-w- c:\winxp\system32\drivers\mbam.sys
    2009-09-24 16:09 . 2009-09-24 16:09 -------- d-----w- c:\program files\Western Digital
    2009-09-24 15:34 . 2009-09-27 13:06 -------- d-----w- C:\malwarebytes
    2009-09-24 15:16 . 2009-09-24 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-09-24 15:15 . 2009-09-24 15:15 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-09-24 15:15 . 2009-09-24 15:15 -------- d-----w- c:\documents and settings\Robert Loft\Application Data\SUPERAntiSpyware.com
    2009-09-24 15:14 . 2009-09-24 15:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-09-24 15:13 . 2009-09-24 15:13 -------- d-----w- C:\superantispyware
    2009-09-24 15:11 . 2009-09-24 15:11 -------- d-----w- C:\stopzilla
    2009-09-24 14:41 . 2009-09-24 14:41 -------- d-----w- c:\program files\Trend Micro
    2009-09-24 14:38 . 2009-09-24 14:45 -------- d-----w- C:\hijackthis
    2009-09-24 14:37 . 2009-09-24 14:37 623511 ----a-w- c:\temp\HijackThisInstaller.exe
    2009-09-24 08:24 . 2009-09-28 20:30 26733120 ----a-w- c:\temp\sdsetup.exe
    2009-09-13 11:43 . 2009-09-29 17:47 0 ----a-w- c:\winxp\Uwopikapakuka.bin
    2009-09-13 11:43 . 2009-09-29 17:47 120 ----a-w- c:\winxp\Mmisisukina.dat
    2009-09-13 11:43 . 2009-09-13 11:43 -------- d-----w- c:\documents and settings\Robert Loft\Local Settings\Application Data\{55E3FEE9-B5D2-4DF5-AECA-283D4C58270F}
    2009-09-13 10:56 . 2009-09-13 10:56 81 ----a-w- C:\CTX.DAT
    2009-09-13 10:56 . 2009-09-13 10:56 -------- d-----w- c:\documents and settings\Robert Loft\Citrix
    2009-09-13 10:33 . 2009-09-13 10:35 -------- d-----w- c:\documents and settings\Robert Loft\Application Data\Aventail
    2009-09-12 13:13 . 2009-09-12 13:12 1108 ----a-w- c:\temp\robert.loft%40premierchinasolutions.com%20Email%20Settings.reg
    2009-09-08 07:02 . 2009-09-08 07:02 -------- d-----w- c:\documents and settings\Robert Loft\Application Data\MSNInstaller

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-29 18:43 . 2007-09-24 19:42 138879008 --sha-w- c:\winxp\system32\drivers\fidbox.dat
    2009-09-29 17:57 . 2007-01-14 15:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-09-29 17:47 . 2007-05-05 11:25 -------- d-----w- c:\documents and settings\Robert Loft\Application Data\OpenOffice.org2
    2009-09-29 17:46 . 2005-12-15 12:09 -------- d-----w- c:\program files\OpenOffice.org1.1.4
    2009-09-28 21:47 . 2007-09-24 19:42 1627052 --sha-w- c:\winxp\system32\drivers\fidbox.idx
    2009-09-24 12:16 . 2009-06-09 19:31 -------- d-----w- c:\program files\TomTom HOME 2
    2009-09-15 20:16 . 2007-02-10 14:27 -------- d-----w- c:\documents and settings\Robert Loft\Application Data\Skype
    2009-09-12 13:37 . 2008-06-21 16:52 -------- d-----w- c:\documents and settings\Robert Loft\Application Data\MySQL
    2009-09-10 19:18 . 2006-01-21 13:59 -------- d-----w- c:\program files\eclipse
    2009-08-29 09:49 . 2009-08-01 10:16 0 ----a-w- c:\winxp\system32\drivers\lvuvc.hs
    2009-08-29 09:49 . 2009-08-01 10:14 0 ----a-w- c:\winxp\system32\drivers\logiflt.iad
    2009-08-23 08:26 . 2008-04-28 10:06 11952 ----a-w- c:\winxp\system32\avgrsstx.dll
    2009-08-23 08:26 . 2008-04-28 10:06 335240 ----a-w- c:\winxp\system32\drivers\avgldx86.sys
    2009-08-23 08:26 . 2006-11-29 11:29 27784 ----a-w- c:\winxp\system32\drivers\avgmfx86.sys
    2009-08-14 05:58 . 2009-09-28 20:32 7396 ----a-w- c:\winxp\system32\drivers\pctcore.cat
    2009-08-11 20:04 . 2009-08-11 20:04 -------- d-----w- c:\program files\IrfanView
    2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\winxp\system32\mswebdvd.dll
    2009-08-01 10:16 . 2009-08-01 10:16 -------- d-----w- c:\documents and settings\Robert Loft\Application Data\Leadertech
    2009-08-01 10:16 . 2009-08-01 10:12 -------- d-----w- c:\program files\Common Files\LogiShrd
    2009-08-01 10:12 . 2009-08-01 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
    2009-08-01 10:12 . 2009-08-01 10:12 -------- d-----w- c:\program files\Logitech
    2009-07-27 19:30 . 2005-12-15 10:58 5 ----a-w- c:\winxp\system32\BSETUP.TMP
    2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\winxp\system32\atl.dll
    2009-07-13 09:08 . 2004-08-04 12:00 286720 ----a-w- c:\winxp\system32\wmpdxm.dll
    2004-08-09 22:30 . 2006-10-26 19:28 40960 ----a-w- c:\program files\Uninstall_CDS.exe
    2008-12-20 17:07 . 2008-07-09 18:10 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2008-12-20 17:07 . 2008-07-09 18:10 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2008-12-20 17:07 . 2008-07-09 18:10 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
    2008-12-20 17:07 . 2008-07-09 18:10 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
    2008-12-20 17:07 . 2008-07-09 18:10 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"="c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-02-05 25370152]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-24 68856]
    "RMC"="c:\program files\reuters\rmc\rmc.exe" [2007-11-15 4145248]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "Google Update"="c:\documents and settings\Robert Loft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "USBIR"="c:\program files\USBIR\FrontPanelIo.exe" [2004-10-03 24576]
    "NeroFilterCheck"="c:\winxp\system32\NeroCheck.exe" [2001-07-09 155648]
    "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    "D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 1544192]
    "ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 49152]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]
    "gemstrmw"="c:\winxp\system32\gemstrmw.exe" [2004-09-15 24576]
    "MenuOrder"="c:\program files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe" [2005-02-19 45056]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
    "Nlolucohotuceja"="c:\winxp\idizawos.dll" [2007-03-08 165376]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "VTTimer"="VTTimer.exe" - c:\winxp\system32\VTTimer.exe [2004-09-01 53248]
    "SoundMan"="SOUNDMAN.EXE" - c:\winxp\SOUNDMAN.EXE [2005-02-02 77824]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\winxp\system32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\Robert Loft\Start Menu\Programs\Startup\
    OpenOffice.org 1.1.4.lnk - c:\program files\OpenOffice.org1.1.4\program\quickstart.exe [2004-10-28 61440]
    OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
    Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]
    SystemControl.lnk - c:\program files\SystemControl\SystemControl\SystemControl.exe [2005-12-15 2958848]
    USRobotics Cordless Skype Dual Phone.lnk - c:\program files\U.S. Robotics\Cordless Skype Dual Phone\USR9630.exe [2006-8-1 763904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-1-25 122880]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-23 08:26 11952 ----a-w- c:\winxp\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 setuid

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
    "2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

    R0 PCTCore;PCTools KDS;c:\winxp\system32\drivers\PCTCore.sys [28/09/2009 21:32 206256]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [28/04/2008 11:06 335240]
    R1 AvgTdiX;AVG8 Network Redirector;c:\winxp\system32\drivers\avgtdix.sys [28/04/2008 11:06 108552]
    R1 BS_I2cIo;BS_I2cIo;c:\winxp\system32\drivers\BS_I2cIo.sys [15/12/2005 12:10 5120]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15/09/2009 11:42 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/09/2009 11:42 74480]
    R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [10/12/2008 01:10 24636]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/04/2009 12:57 92008]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/09/2009 11:42 7408]
    S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [16/02/2009 10:15 908056]
    S3 GKeyUSB;GKeyUSB;c:\winxp\system32\drivers\GKeyUSB.sys [10/09/2007 19:56 62096]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [28/09/2009 21:32 348752]
    S3 Tomcat5;Apache Tomcat;c:\program files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe [03/01/2006 16:14 102400]
    S3 ZD1211U(3COM Corporation);3COM OfficeConnect Wireless 11g Compact USB Adapter(3COM Corporation);c:\winxp\system32\DRIVERS\zd1211u.sys --> c:\winxp\system32\DRIVERS\zd1211u.sys [?]
    S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/02/2009 10:15 297752]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-08 c:\winxp\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-09-28 c:\winxp\Tasks\GoogleUpdateTaskUserS-1-5-21-4159782051-1203752577-514352727-1005Core.job
    - c:\documents and settings\Robert Loft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:57]

    2009-09-28 c:\winxp\Tasks\GoogleUpdateTaskUserS-1-5-21-4159782051-1203752577-514352727-1005UA.job
    - c:\documents and settings\Robert Loft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:57]

    2008-10-13 c:\winxp\Tasks\system backup.job
    - c:\winxp\system32\ntbackup.exe [2001-08-17 21:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.footballfansunited.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
    Trusted Zone: com.cn\mybank.icbc
    Trusted Zone: com.cn\www.icbc
    DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
    DPF: {971127BB-259F-48C2-BD75-5F97A3331551} - hxxps://connect.barcap.com/workplace/webifiers/msrdp.cab
    DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
    FF - ProfilePath - c:\documents and settings\Robert Loft\Application Data\Mozilla\Firefox\Profiles\18gzq1hk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.footballfansunited.com/
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: XULRunner: {55E3FEE9-B5D2-4DF5-AECA-283D4C58270F} - c:\documents and settings\Robert Loft\Local Settings\Application Data\{55E3FEE9-B5D2-4DF5-AECA-283D4C58270F}
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-PostCast Server - c:\program files\PostCast Server Professional\postcastserver.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-29 19:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(732)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\winxp\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(792)
    c:\winxp\system32\setuid.dll

    - - - - - - - > 'explorer.exe'(4856)
    c:\winxp\system32\WININET.dll
    c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
    c:\program files\TortoiseCVS\TrtseShl.dll
    c:\winxp\system32\ieframe.dll
    .
    Completion time: 2009-09-29 19:49
    ComboFix-quarantined-files.txt 2009-09-29 18:49

    Pre-Run: 152,184,774,656 bytes free
    Post-Run: 153,933,742,080 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINXP
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINXP= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    263 --- E O F --- 2009-09-15 06:18

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:45:37, on 24/09/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\csrss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\WINXP\System32\SCardSvr.exe
    C:\WINXP\system32\svchost.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\Program Files\CVSNT\cvslock.exe
    C:\Program Files\CVSNT\cvsservice.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINXP\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
    C:\Program Files\USBIR\FrontPanelIo.exe
    C:\WINXP\system32\VTTimer.exe
    C:\WINXP\SOUNDMAN.EXE
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINXP\system32\svchost.exe
    C:\Program Files\Gemplus\GemSafe Libraries\BIN\Regtool.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\WINXP\system32\wdfmgr.exe
    C:\WINXP\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\program files\reuters\rmc\rmc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Documents and Settings\Robert Loft\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\SystemControl\SystemControl\SystemControl.exe
    C:\Program Files\U.S. Robotics\Cordless Skype Dual Phone\USR9630.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\WINXP\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINXP\System32\alg.exe
    C:\WINXP\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Citrix\icaweb32\Wfcrun32.exe
    C:\PROGRA~1\Citrix\icaweb32\WFICA32.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.footballfansunited.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 174.132.115.157 www.11renwang.cn
    O1 - Hosts: 174.132.115.154 www.premierchinasolutions.com premierchinasolutions.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [USBIR] c:\Program Files\USBIR\FrontPanelIo.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PostCast Server] C:\Program Files\PostCast Server Professional\postcastserver.exe
    O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINXP\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [Regtool] C:\Program Files\Gemplus\GemSafe Libraries\BIN\Regtool.exe
    O4 - HKLM\..\Run: [MenuOrder] C:\Program Files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [Nlolucohotuceja] rundll32.exe "C:\WINXP\idizawos.dll",Startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RMC] C:\program files\reuters\rmc\rmc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Robert Loft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-4159782051-1203752577-514352727-500\..\Run: [RMC] "C:\Program Files\Reuters\RMC\\RunRM.exe" (User 'Administrator')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe (User 'Default user')
    O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
    O4 - .DEFAULT Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe (User 'Default user')
    O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    O4 - Global Startup: SystemControl.lnk = ?
    O4 - Global Startup: USRobotics Cordless Skype Dual Phone.lnk = C:\Program Files\U.S. Robotics\Cordless Skype Dual Phone\USR9630.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.icbc.com.cn
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://connect.barcap.com/workplace/webifiers/wficat.cab
    O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
    O16 - DPF: {971127BB-259F-48C2-BD75-5F97A3331551} (Microsoft RDP Client Control (redist)) - https://connect.barcap.com/workplace/webifiers/msrdp.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINXP\SYSTEM32\avgrsstx.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CVSNT Locking Service 2.5.03.2221 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
    O23 - Service: CVSNT Dispatch service 2.5.03.2221 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe

    --
    End of file - 16396 bytes
     
  7. 2009/09/29
    loftyoz

    loftyoz Inactive Thread Starter

    Joined:
    2009/09/27
    Messages:
    4
    Likes Received:
    0
    Quick update to last reply - can now see services after reboot - however the Google redirect virus is still there.
     
  8. 2009/09/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Combofix on first run didn't actually find anything, so no changes were made.

    You're running two AV programs, Spyware Doctor with AntiVirus and AVG.
    One of them has to go.
    It's up to you, but if you want to uninstall AVG, make sure you run AVG Remover: http://www.avg.com/download-tools
    Spyware Doctor should uninstall through Add\Remove.

    Do the above first.

    ===================================================================

    Which browser is getting redirected?

    ==================================================================

    Please, uninstall Registry Mechanic. Registry tools are nothing but trouble.

    ==================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\winxp\Uwopikapakuka.bin
    c:\winxp\Mmisisukina.dat
    c:\temp\robert.loft%40premierchinasolutions.com%20Email%20Settings.reg
    c:\winxp\system32\drivers\lvuvc.hs
    c:\winxp\system32\drivers\logiflt.iad
    c:\winxp\system32\BSETUP.TMP
    c:\winxp\idizawos.dll
    
    
    Folder::
    C:\stopzilla
    
    
    Driver::
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Nlolucohotuceja "=-
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
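    Added example, not code from this thread or from HijackThis or ComboFix: a small Python triage helper that applies the same first-pass checks a reader makes by eye on the O23 service lines above. It flags an entry marked "(file missing)", an entry with no publisher ("Unknown owner"), the "C:\Program.exe" artifact that HijackThis shows when a service image path contains spaces and is not quoted, and an executable sitting directly in the Windows directory, which is where the files listed in the CFScript above live. The sample lines are constructed from the posted log plus one made-up entry (examplesvc); the set of Windows directory names and the flag wording are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: four O23 lines copied from the log posted above
# plus one made-up entry (examplesvc) that exercises the Windows-root check.
SAMPLE_O23 = [
    r"O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe",
    r"O23 - Service: CVSNT Locking Service 2.5.03.2221 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe",
    r"O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe",
    r"O23 - Service: Example Service (examplesvc) - Unknown owner - C:\WINXP\Uwopikapakuka.exe",  # constructed
]

# HijackThis O23 layout: "O23 - Service: <name> - <publisher> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Assumption: typical XP-era Windows directory names (the poster's is C:\WINXP).
WINDOWS_ROOT_NAMES = {"windows", "winxp", "winnt"}

# HijackThis prints this when an unquoted ImagePath is cut at its first space.
UNQUOTED_PATH_ARTIFACT = re.compile(r"^[A-Za-z]:\\Program\.exe$", re.IGNORECASE)


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Split one O23 line into name, publisher, path and a file-missing flag."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].rstrip()
    return {"name": m.group("name"), "vendor": m.group("vendor"),
            "path": path, "missing": missing}


def flag_entry(entry: Dict[str, object]) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty if none)."""
    reasons: List[str] = []
    path = str(entry["path"])
    if entry["missing"]:
        reasons.append("file missing")
    if str(entry["vendor"]).lower() == "unknown owner":
        reasons.append("no publisher")
    if UNQUOTED_PATH_ARTIFACT.match(path):
        reasons.append("unquoted service path")
    parts = path.split("\\")
    # Drive, Windows root, file: e.g. C:\WINXP\foo.exe (system32 is one level deeper)
    if len(parts) == 3 and parts[1].lower() in WINDOWS_ROOT_NAMES:
        reasons.append("binary directly in Windows dir")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse O23 lines and keep only the flagged ones, in log order."""
    results = []
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue  # not an O23 line; other HJT sections are ignored here
        reasons = flag_entry(entry)
        if reasons:
            results.append((str(entry["name"]), str(entry["path"]), reasons))
    return results


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_O23):
        print(f"{name}\n    {path}\n    -> {', '.join(reasons)}")
```

    Run on the constructed lines it reports cvslock (no publisher), MySQL (file missing, no publisher, unquoted service path) and the made-up examplesvc entry; the Apache and ZoneAlarm services pass. A "no publisher" hit on its own, as with CVSNT here, only means the binary carries no company name in its version information, so these flags pick what to inspect, not what to delete.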
     
