1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Active Google redircting, please help

Discussion in 'Malware and Virus Removal Archive' started by roostroo, 2009/08/29.

  1. 2009/08/29
    roostroo

    roostroo Inactive Thread Starter

    Joined:
    2009/08/29
    Messages:
    2
    Likes Received:
    0
    [Active] Google redircting, please help

    Hi,

    Google keeps redirecting when clicking on the links. It also blocks certain sites and updates. I have tried numerous scans and software to remore this with no luck, please help.

    My logs are below:

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Ross Walker at 11:16:42.29 on 29/08/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2532 [GMT 1:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\sySTEM32\SvchoSt.ExE -k ddnsfilter
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\O2\bin\sprtsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Documents and Settings\Ross Walker\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    uInternet Settings,ProxyOverride = *.local
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [manager] "c:\windows\system32\drivers\setup\manager.exe "
    uRun: [Aim6]
    uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
    uRun: [AVScan] c:\documents and settings\ross walker\application data\winav.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.24\AsRunHelp.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [manager] "c:\windows\system32\drivers\setup\manager.exe "
    mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
    mRun: [NvnUsbAudioLogger] "c:\program files\novation\usb audio driver\nvnusbaudiolog.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    Trusted Zone: o2.co.uk\*.broadband
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\rosswa~1\applic~1\mozilla\firefox\profiles\fso87wkp.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.hsbc.co.uk/1/2/
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.cache_size ", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.storage.default_quota ", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "content.sink.event_probe_rate ", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "layout.css.dpi ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "layout.css.devPixelsPerPx ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "gestures.enable_single_finger_input ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.max_chrome_script_run_time ", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "geo.enabled ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr ", "moz35 ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-cjkt ", "moz35 ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.history ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.formdata ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.passwords ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.downloads ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cookies ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cache ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.sessions ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.offlineApps ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.siteSettings ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.history ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.formdata ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.passwords ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.downloads ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cookies ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cache ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.sessions ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.offlineApps ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.siteSettings ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.sanitize.migrateFx3Prefs ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "geo.wifi.uri ", "https://www.google.com/loc/json ");

    ============= SERVICES / DRIVERS ===============

    R?2 ddnsfilter;ddnsfilter;c:\windows\system32\SvchoSt.ExE -k ddnsfilter [2008-4-14 14336]
    R1 DnsFilter;DnsFilter;c:\windows\system32\drivers\DnsFilter.sys [2009-8-20 38016]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-20 210216]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-20 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-20 144704]
    R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-19 24652]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-24 38496]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-20 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-20 79880]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-20 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-20 40552]
    S3 KORG_1394;KORG_1394;c:\windows\system32\drivers\KORG_1394.sys [2008-6-1 114176]
    S3 KORG_avs;KORG_avs;c:\windows\system32\drivers\KORG_avs.sys [2008-6-1 28672]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-20 34216]
    S3 NvnUsbAudio;NvnUsbAudio;c:\windows\system32\drivers\nvnusbaudio.sys [2008-9-4 25600]

    =============== Created Last 30 ================

    2009-08-29 11:01 <DIR> --d----- c:\program files\Trend Micro
    2009-08-24 21:57 <DIR> --d----- c:\docume~1\rosswa~1\applic~1\Malwarebytes
    2009-08-24 21:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-08-24 21:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-24 21:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-08-24 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-08-24 20:32 <DIR> -cd----- c:\windows\system32\dllcache\cache
    2009-08-24 20:19 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
    2009-08-24 20:19 50,176 a------- c:\windows\system32\proquota.exe
    2009-08-24 20:15 <DIR> a-dshr-- C:\cmdcons
    2009-08-24 20:14 229,376 a------- c:\windows\PEV.exe
    2009-08-24 20:13 161,792 a------- c:\windows\SWREG.exe
    2009-08-24 20:13 98,816 a------- c:\windows\sed.exe
    2009-08-24 19:53 <DIR> --dsh--- c:\documents and settings\ross walker\IECompatCache
    2009-08-24 19:53 <DIR> --dsh--- c:\documents and settings\ross walker\PrivacIE
    2009-08-24 19:37 <DIR> --dsh--- c:\documents and settings\ross walker\IETldCache
    2009-08-24 19:19 <DIR> -cd-h--- c:\windows\ie8
    2009-08-22 11:20 <DIR> --d----- c:\program files\Enigma Software Group
    2009-08-22 11:13 <DIR> --d----- c:\docume~1\rosswa~1\applic~1\AVG8
    2009-08-20 10:08 38,016 a------- c:\windows\system32\drivers\DnsFilter.sys
    2009-08-20 10:08 <DIR> --d----- c:\program files\DDnsFilter
    2009-08-17 11:11 <DIR> --d----- C:\17e270deff5fa1c52d5645cd1b3f7386
    2009-08-17 11:11 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-08-17 11:10 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-17 11:10 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-17 11:10 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-17 11:10 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-17 11:10 <DIR> --d----- C:\77b94478b7a9ade0b4b63be3e3143550
    2009-08-17 11:10 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-08-17 11:10 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-08-17 11:10 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-08-15 09:26 13,361 a------- c:\windows\mms17890.dat
    2009-08-15 09:26 1 a------- c:\windows\ckms134.dat
    2009-08-15 09:20 2 a------- c:\windows\0535251103110107106.xry
    2009-08-15 09:20 1 ----h--- c:\windows\mmsmark2.dat
    2009-08-07 08:24 <DIR> --d----- c:\program files\rgcaudio software

    ==================== Find3M ====================

    2009-08-25 21:15 310,358 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat

    ============= FINISH: 11:17:07.09 ===============


    HJS Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:01:25, on 29/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\sySTEM32\SvchoSt.ExE
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\O2\bin\sprtsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\O2\bin\sprtcmd.exe
    C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    c:\PROGRA~1\mcafee\msc\mcshell.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvnUsbAudioLogger] "C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe "
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\Ross Walker\Application Data\winav.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.broadband.o2.co.uk
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7945 bytes


    Many thanks
     
    roostroo,
    #1
  2. 2009/08/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #2


  3. to hide this advert.

  4. 2009/08/30
    roostroo

    roostroo Inactive Thread Starter

    Joined:
    2009/08/29
    Messages:
    2
    Likes Received:
    0
    Here are my logs;

    ComboFix 09-08-29.01 - Ross Walker 30/08/2009 15:31.3.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2864 [GMT 1:00]
    Running from: c:\documents and settings\Ross Walker\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\program files\DDnsFilter
    c:\program files\DDnsFilter\DDnsFilter.dll
    c:\windows\system32\drivers\DnsFilter.sys

    ----- BITS: Possible infected sites -----

    hxxp://sync.broadband.o2.co.uk:8080
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SfX
    -------\Legacy_ddnsfilter
    -------\Legacy_DnsFilter
    -------\Service_ddnsfilter
    -------\Service_DnsFilter


    ((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
    .

    2009-08-30 14:25 . 2009-08-30 14:25 152576 ----a-w- c:\documents and settings\Ross Walker\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-08-29 10:01 . 2009-08-29 10:01 -------- d-----w- c:\program files\Trend Micro
    2009-08-25 18:51 . 2009-08-25 18:51 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-08-24 20:57 . 2009-08-24 20:57 -------- d-----w- c:\documents and settings\Ross Walker\Application Data\Malwarebytes
    2009-08-24 20:57 . 2009-04-06 14:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-24 20:57 . 2009-04-06 14:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-24 20:57 . 2009-08-25 20:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-24 20:57 . 2009-08-24 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-24 20:24 . 2009-08-24 20:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-08-24 19:19 . 2008-04-14 03:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
    2009-08-24 19:19 . 2008-04-14 03:42 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-08-24 18:53 . 2009-08-24 18:53 -------- d-sh--w- c:\documents and settings\Ross Walker\IECompatCache
    2009-08-24 18:53 . 2009-08-24 18:53 -------- d-sh--w- c:\documents and settings\Ross Walker\PrivacIE
    2009-08-24 18:39 . 2009-08-24 18:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-08-24 18:37 . 2009-08-24 18:37 -------- d-sh--w- c:\documents and settings\Ross Walker\IETldCache
    2009-08-24 18:19 . 2009-08-24 18:20 -------- dc-h--w- c:\windows\ie8
    2009-08-22 10:20 . 2009-08-22 10:20 -------- d-----w- c:\program files\Enigma Software Group
    2009-08-22 10:13 . 2009-08-22 10:13 -------- d-----w- c:\documents and settings\Ross Walker\Application Data\AVG8
    2009-08-17 10:11 . 2009-08-24 21:51 -------- d-----w- C:\17e270deff5fa1c52d5645cd1b3f7386
    2009-08-17 10:11 . 2009-08-17 10:11 -------- d-----w- c:\windows\system32\XPSViewer
    2009-08-17 10:11 . 2009-08-17 10:11 -------- d-----w- c:\program files\MSBuild
    2009-08-17 10:11 . 2009-08-17 10:11 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-17 10:10 . 2009-08-17 10:11 -------- d-----w- C:\77b94478b7a9ade0b4b63be3e3143550
    2009-08-17 10:10 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-17 10:10 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-17 10:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-08-17 10:10 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-17 10:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-08-17 10:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-08-17 10:10 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-15 08:26 . 2009-08-16 12:36 13361 ----a-w- c:\windows\mms17890.dat
    2009-08-15 08:26 . 2009-08-15 08:26 1 ----a-w- c:\windows\ckms134.dat
    2009-08-15 08:20 . 2009-08-15 08:20 1 ---h--w- c:\windows\mmsmark2.dat
    2009-08-07 07:24 . 2009-08-07 07:24 -------- d-----w- c:\program files\rgcaudio software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-30 14:41 . 2009-04-23 19:50 -------- d-----w- c:\program files\PeerGuardian2
    2009-08-30 14:30 . 2008-05-31 21:12 -------- d-----w- c:\documents and settings\Ross Walker\Application Data\LimeWire
    2009-08-30 14:25 . 2008-12-11 20:50 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-08-27 19:05 . 2008-07-18 10:55 -------- d-----w- c:\documents and settings\Ross Walker\Application Data\OpenOffice.org2
    2009-08-27 16:22 . 2008-07-18 10:56 1 ----a-w- c:\documents and settings\Ross Walker\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-08-25 20:15 . 2009-08-25 20:25 310358 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2009-08-25 19:36 . 2008-05-22 15:54 16504 ----a-w- c:\documents and settings\Ross Walker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-24 20:21 . 2008-05-31 21:11 -------- d-----w- c:\program files\Java
    2009-08-24 18:42 . 2008-05-22 15:56 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-08-24 18:42 . 2008-05-22 16:03 -------- d-----w- c:\program files\ASUS
    2009-08-24 18:42 . 2008-05-22 15:57 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-08-22 16:13 . 2009-03-16 22:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-08-22 10:04 . 2008-05-31 22:00 -------- d-----w- c:\program files\Google
    2009-08-20 21:50 . 2008-05-31 20:25 -------- d-----w- c:\program files\Soulseek
    2009-08-13 20:35 . 2008-10-02 19:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2009-07-11 17:25 . 2008-05-31 22:01 -------- d-----w- c:\program files\VstPlugins
    2009-07-10 19:12 . 2008-05-31 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-07-10 19:05 . 2009-06-20 18:19 -------- d-----w- c:\program files\McAfee
    2009-06-20 11:22 . 2009-04-11 18:11 0 ----a-w- c:\documents and settings\Ross Walker\Local Settings\Application Data\prvlcl.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-24_19.24.38 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-30 14:40 . 2009-08-30 14:40 16384 c:\windows\Temp\Perflib_Perfdata_14c.dat
    + 2009-08-24 20:10 . 2009-08-30 14:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-05-22 15:53 . 2009-08-24 18:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-05-22 15:53 . 2009-08-24 18:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-05-22 15:53 . 2009-08-30 14:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-05-22 15:53 . 2009-08-24 18:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-05-22 15:53 . 2009-08-30 14:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-12-28 10:50 . 2009-08-25 20:45 283192 c:\windows\system32\Restore\rstrlog.dat
    + 2009-08-30 14:26 . 2009-08-30 14:25 149280 c:\windows\system32\javaws.exe
    + 2009-08-30 14:26 . 2009-08-30 14:25 145184 c:\windows\system32\javaw.exe
    + 2009-08-30 14:26 . 2009-08-30 14:25 145184 c:\windows\system32\java.exe
    + 2009-08-30 14:25 . 2009-08-30 14:25 537600 c:\windows\Installer\84bbb.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "manager "= "c:\windows\System32\drivers\setup\manager.exe" [BU]
    "PeerGuardian "= "c:\program files\PeerGuardian2\pg2.exe" [2007-01-29 1432064]
    "AVScan "= "c:\documents and settings\Ross Walker\Application Data\winav.exe" [BU]
    "Aim6 "=" " [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AsusStartupHelp "= "c:\program files\ASUS\AASP\1.00.24\AsRunHelp.exe" [2006-12-29 363008]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-02-14 7630848]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2007-02-14 86016]
    "O2 "= "c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "manager "= "c:\windows\System32\drivers\setup\manager.exe" [BU]
    "NeroCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "NvnUsbAudioLogger "= "c:\program files\Novation\USB Audio Driver\nvnusbaudiolog.exe" [2007-05-22 7168]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-08-30 149280]
    "nwiz "= "nwiz.exe" - c:\windows\system32\nwiz.exe [2007-02-14 1519616]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\O2\\bin\\wificfg.exe "=
    "c:\\Program Files\\O2\\agent\\bin\\bcont.exe "=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe "=
    "c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\\Program Files\\Soulseek\\slsk.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe "=
    "c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe "=
    "c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe "=
    "c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe "=
    "c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbChannelScan.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP "= 8085:TCP:ddnsfilter

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/06/2009 19:21 210216]
    R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 16:19 202280]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [19/06/2008 20:54 24652]
    S3 KORG_1394;KORG_1394;c:\windows\system32\drivers\KORG_1394.sys [01/06/2008 13:07 114176]
    S3 KORG_avs;KORG_avs;c:\windows\system32\drivers\KORG_avs.sys [01/06/2008 13:07 28672]
    S3 NvnUsbAudio;NvnUsbAudio;c:\windows\system32\drivers\nvnusbaudio.sys [04/09/2008 20:40 25600]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    ddnsfilter REG_MULTI_SZ ddnsfilter

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2009-06-20 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-20 09:53]

    2009-06-20 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-20 09:53]

    2009-08-30 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-23 21:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    uInternet Settings,ProxyOverride = *.local
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    Trusted Zone: o2.co.uk\*.broadband
    FF - ProfilePath - c:\documents and settings\Ross Walker\Application Data\Mozilla\Firefox\Profiles\fso87wkp.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.hsbc.co.uk/1/2/
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.cache_size ", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.storage.default_quota ", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "content.sink.event_probe_rate ", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "layout.css.dpi ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "layout.css.devPixelsPerPx ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "gestures.enable_single_finger_input ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.max_chrome_script_run_time ", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "geo.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr ", "moz35 ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-cjkt ", "moz35 ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.history ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.formdata ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.passwords ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.downloads ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cookies ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cache ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.sessions ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.offlineApps ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.siteSettings ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.history ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.formdata ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.passwords ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.downloads ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cookies ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cache ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.sessions ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.offlineApps ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.siteSettings ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.sanitize.migrateFx3Prefs ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "geo.wifi.uri ", "https://www.google.com/loc/json ");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-30 15:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker3 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(984)
    c:\windows\system32\nvappfilter.dll

    - - - - - - - > 'explorer.exe'(3232)
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\webcheck.dll
    c:\program files\WinRAR\rarext.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Common Files\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-30 15:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-30 14:47
    ComboFix2.txt 2009-08-24 19:57

    Pre-Run: 349,429,891,072 bytes free
    Post-Run: 349,517,586,432 bytes free

    313 --- E O F --- 2009-08-24 18:21


    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Ross Walker at 11:16:42.29 on 29/08/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2532 [GMT 1:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\sySTEM32\SvchoSt.ExE -k ddnsfilter
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\O2\bin\sprtsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Documents and Settings\Ross Walker\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    uInternet Settings,ProxyOverride = *.local
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [manager] "c:\windows\system32\drivers\setup\manager.exe "
    uRun: [Aim6]
    uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
    uRun: [AVScan] c:\documents and settings\ross walker\application data\winav.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.24\AsRunHelp.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [manager] "c:\windows\system32\drivers\setup\manager.exe "
    mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
    mRun: [NvnUsbAudioLogger] "c:\program files\novation\usb audio driver\nvnusbaudiolog.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    Trusted Zone: o2.co.uk\*.broadband
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\rosswa~1\applic~1\mozilla\firefox\profiles\fso87wkp.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.hsbc.co.uk/1/2/
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.cache_size ", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.storage.default_quota ", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "content.sink.event_probe_rate ", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "layout.css.dpi ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "layout.css.devPixelsPerPx ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "gestures.enable_single_finger_input ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.max_chrome_script_run_time ", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "geo.enabled ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr ", "moz35 ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-cjkt ", "moz35 ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.history ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.formdata ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.passwords ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.downloads ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cookies ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cache ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.sessions ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.offlineApps ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.siteSettings ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.history ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.formdata ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.passwords ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.downloads ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cookies ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cache ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.sessions ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.offlineApps ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.siteSettings ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.sanitize.migrateFx3Prefs ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "geo.wifi.uri ", "https://www.google.com/loc/json ");

    ============= SERVICES / DRIVERS ===============

    R?2 ddnsfilter;ddnsfilter;c:\windows\system32\SvchoSt.ExE -k ddnsfilter [2008-4-14 14336]
    R1 DnsFilter;DnsFilter;c:\windows\system32\drivers\DnsFilter.sys [2009-8-20 38016]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-20 210216]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-20 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-20 144704]
    R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-19 24652]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-24 38496]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-20 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-20 79880]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-20 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-20 40552]
    S3 KORG_1394;KORG_1394;c:\windows\system32\drivers\KORG_1394.sys [2008-6-1 114176]
    S3 KORG_avs;KORG_avs;c:\windows\system32\drivers\KORG_avs.sys [2008-6-1 28672]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-20 34216]
    S3 NvnUsbAudio;NvnUsbAudio;c:\windows\system32\drivers\nvnusbaudio.sys [2008-9-4 25600]

    =============== Created Last 30 ================

    2009-08-29 11:01 <DIR> --d----- c:\program files\Trend Micro
    2009-08-24 21:57 <DIR> --d----- c:\docume~1\rosswa~1\applic~1\Malwarebytes
    2009-08-24 21:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-08-24 21:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-24 21:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-08-24 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-08-24 20:32 <DIR> -cd----- c:\windows\system32\dllcache\cache
    2009-08-24 20:19 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
    2009-08-24 20:19 50,176 a------- c:\windows\system32\proquota.exe
    2009-08-24 20:15 <DIR> a-dshr-- C:\cmdcons
    2009-08-24 20:14 229,376 a------- c:\windows\PEV.exe
    2009-08-24 20:13 161,792 a------- c:\windows\SWREG.exe
    2009-08-24 20:13 98,816 a------- c:\windows\sed.exe
    2009-08-24 19:53 <DIR> --dsh--- c:\documents and settings\ross walker\IECompatCache
    2009-08-24 19:53 <DIR> --dsh--- c:\documents and settings\ross walker\PrivacIE
    2009-08-24 19:37 <DIR> --dsh--- c:\documents and settings\ross walker\IETldCache
    2009-08-24 19:19 <DIR> -cd-h--- c:\windows\ie8
    2009-08-22 11:20 <DIR> --d----- c:\program files\Enigma Software Group
    2009-08-22 11:13 <DIR> --d----- c:\docume~1\rosswa~1\applic~1\AVG8
    2009-08-20 10:08 38,016 a------- c:\windows\system32\drivers\DnsFilter.sys
    2009-08-20 10:08 <DIR> --d----- c:\program files\DDnsFilter
    2009-08-17 11:11 <DIR> --d----- C:\17e270deff5fa1c52d5645cd1b3f7386
    2009-08-17 11:11 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-08-17 11:10 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-17 11:10 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-17 11:10 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-17 11:10 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-17 11:10 <DIR> --d----- C:\77b94478b7a9ade0b4b63be3e3143550
    2009-08-17 11:10 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-08-17 11:10 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-08-17 11:10 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-08-15 09:26 13,361 a------- c:\windows\mms17890.dat
    2009-08-15 09:26 1 a------- c:\windows\ckms134.dat
    2009-08-15 09:20 2 a------- c:\windows\0535251103110107106.xry
    2009-08-15 09:20 1 ----h--- c:\windows\mmsmark2.dat
    2009-08-07 08:24 <DIR> --d----- c:\program files\rgcaudio software

    ==================== Find3M ====================

    2009-08-25 21:15 310,358 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat

    ============= FINISH: 11:17:07.09 ===============


    HJS Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:01:25, on 29/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\sySTEM32\SvchoSt.ExE
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\O2\bin\sprtsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\O2\bin\sprtcmd.exe
    C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    c:\PROGRA~1\mcafee\msc\mcshell.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvnUsbAudioLogger] "C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [manager] "C:\Windows\System32\drivers\setup\manager.exe "
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\Ross Walker\Application Data\winav.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.broadband.o2.co.uk
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7945 bytes
     
    roostroo,
    #3
  5. 2009/08/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is redirection right now?

    Are you familiar with KORG Zero 4 FireWire Audio Mixer?
     
    broni,
    #4

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...