
Solved Google Redirecting, Pop up adverts and Just in Time Debugging

Discussion in 'Malware and Virus Removal Archive' started by MRB1, 2010/02/15.

    [Resolved] Google Redirecting, Pop up adverts and Just in Time Debugging

    Good afternoon,

    I have a problem with my laptop, whereby it has started popping up a 'Just In Time Debugging' window, which just keeps popping back up every time I try to close it. In addition to this, when using Internet Explorer I have found that an advertisement window keeps popping up from time to time. Also, when clicking on links suggested by the Google search engine, I find that I am automatically redirected to a random website, not the one I was hoping to visit.

    I came upon this website during my attempts to fix the problem and noticed that Broni had recently been dealing with another forum member, Racsan, who has been experiencing the same issue. I read that post very carefully but decided to post my own query, as some of the fixes suggested for him were specific to his computer. I have run DDS, HijackThis, McAfee VirusScan and also Malwarebytes' Anti-Malware. The logs are posted below. Malwarebytes found some errors and I have deleted the objects suggested. I would be ever so grateful if someone, perhaps Broni, could help me with this issue. Thanks in advance.

    DDS.txt Log:


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by stbellamy at 15:46:35.80 on 15/02/2010
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.393 [GMT 0:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceUI.exe
    C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Documents and Settings\stbellamy.DELL14\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uDefault_Page_URL = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies inc\notebook software\NotebookPlugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [TOY5KNQ8OC] c:\docume~1\stbell~1.del\locals~1\temp\Nrl.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [A_M_P_NET] c:\program files\antimalwarepro\AntiMalwarePro.exe
    uRun: [A_M_P_NEScheduler] c:\program files\antimalwarepro\AntiMalwarePro.exe SCHEDULER
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [DVDSentry] c:\windows\system32\DSentry.exe
    mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe "
    mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
    mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe "
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe "
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265566252186
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258925630590
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: NameServer = 93.188.163.158,93.188.166.88
    TCP: {73FC5D3E-33F1-4665-99B2-8E7750AAD9B6} = 93.188.163.158,93.188.166.88
    TCP: {EE65D96B-6AA6-4DFB-92D5-F41510CE969A} = 93.188.163.158,93.188.166.88
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    P2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-9-25 58464]
    R2 eBeam Device Service;eBeam Device Service;c:\program files\luidia\ebeam device service\eBeamDeviceServiceMain.exe [2008-9-16 180224]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-9-25 103744]
    R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
    R2 SMART Web Server;SMART Web Server;c:\program files\smart technologies inc\smart board software\WebServer.exe [2007-4-19 759312]
    R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2008-9-25 108480]
    R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2010-2-9 27752]
    R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-2-11 25704]
    R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-2-11 25704]
    R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-2-11 25704]
    R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-2-11 25704]
    R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-2-11 25704]
    S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
    S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wa301b.sys [1979-12-31 33847]
    S3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [2010-2-13 23096]
    S3 DrmCVideo;DrmCVideo;c:\windows\system32\drivers\DrmCVideo.sys [2010-2-13 5688]
    S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2006-5-15 15104]
    S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2010-2-9 27752]
    S3 STI2303X;SMART Board cable;c:\windows\system32\drivers\STI2303X.sys [2005-5-26 13440]

    =============== Created Last 30 ================

    2010-02-14 21:53:14 0 d-----w- c:\program files\Daniusoft
    2010-02-14 12:09:51 0 d-----w- C:\QUARANTINE
    2010-02-14 02:15:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-14 02:14:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-14 02:14:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-13 22:45:51 0 d-----w- c:\program files\Wondershare
    2010-02-13 22:32:48 54156 ---ha-w- c:\windows\QTFont.qfn
    2010-02-13 22:32:48 1409 ----a-w- c:\windows\QTFont.for
    2010-02-13 22:25:47 5688 ----a-w- c:\windows\system32\drivers\DrmCVideo.sys
    2010-02-13 22:25:46 23096 ----a-w- c:\windows\system32\drivers\DrmCAudio.sys
    2010-02-13 22:25:42 0 d-----w- c:\program files\DRM Converter
    2010-02-13 19:21:30 0 d-----w- c:\docume~1\stbell~1.del\applic~1\PeaZip
    2010-02-13 19:20:07 0 d-----w- c:\program files\PeaZip
    2010-02-13 14:40:09 0 d-----w- c:\program files\PixiePack Codec Pack
    2010-02-13 14:34:38 0 d-----w- c:\program files\RapidSolution
    2010-02-13 14:34:37 0 d-----w- c:\docume~1\alluse~1\applic~1\RapidSolution
    2010-02-11 23:39:28 0 d-----w- c:\docume~1\alluse~1\applic~1\xml_param
    2010-02-11 23:28:15 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
    2010-02-11 23:28:03 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
    2010-02-11 23:27:47 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
    2010-02-11 23:27:31 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
    2010-02-11 23:26:29 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
    2010-02-11 23:16:29 0 d-----w- c:\windows\system32\wbem\Repository
    2010-02-09 19:15:40 37920 ----a-w- c:\windows\system32\drivers\tbhsd.sys
    2010-02-09 19:15:14 27752 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
    2010-02-07 19:43:23 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
    2010-02-07 18:42:31 0 d-----w- c:\windows\system32\XPSViewer
    2010-02-07 18:40:55 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-02-07 18:40:55 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-02-07 18:40:54 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-02-07 18:40:54 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-02-07 18:40:54 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-02-07 18:40:54 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-02-07 18:40:54 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-02-02 09:37:54 0 d-----w- c:\program files\Podium
    2010-02-02 09:34:04 0 d-----w- c:\program files\illiminable
    2010-01-22 22:41:21 664 ----a-w- c:\windows\system32\d3d9caps.dat

    ==================== Find3M ====================

    2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
    2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
    2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
    2008-05-15 21:02:46 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051520080516\index.dat

    ============= FINISH: 15:47:42.90 ===============

    Attach.txt Log:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 15/06/2004 13:07:23
    System Uptime: 15/02/2010 15:37:34 (0 hours ago)

    Motherboard: Dell Inc. | | 0H2049
    Processor: Intel(R) Pentium(R) M processor 1500MHz | Microprocessor | 1498/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 37 GiB total, 14.502 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    32 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.2.0
    ALPS Touch Pad Driver
    Audacity 1.3.7 (Unicode)
    BBC iPlayer Desktop
    Compatibility Pack for the 2007 Office system
    Conexant D480 MDC V.92 Modem
    Daniusoft Media Converter Ultimate(Build 2.5.4.3)
    Dell Solution Center
    Digital Line Detect
    DVDSentry
    Easy CD Creator 5 Basic
    eBeam Device Service 1.0
    eBeam Interact 1.3.1
    EPSON Printer Software
    Exploring Maths - Tier 3 ActiveTeach
    Exploring Maths - Toolset
    Exploring Maths Teacher Files (Tier 3)
    Express Rip Uninstall
    Help and Support Customization
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Intel(R) PROSet/Wireless Software
    InterVideo WinDVD
    Java(TM) 6 Update 17
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    McAfee Anti-Spyware Enterprise Module
    McAfee VirusScan Enterprise
    mCore
    mDriver
    mDrWiFi
    mHlpDell
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    mIWA
    mLogView
    mMHouse
    Modem Helper
    mPfMgr
    mPfWiz
    mProSafe
    mSCfg
    mSSO
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    mWlsSafe
    mWMI
    mZConfig
    NetWaiting
    oggcodecs 0.73.1936
    PeaZip 2.8
    PixiePack Codec Pack
    Podium
    QuickSet
    QuickTime
    RealPlayer
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for Microsoft Office Excel 2007 (KB959997)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Shockwave
    Shockwave Player
    Sketchpad
    Skype™ 4.1
    SMART Board Software
    SMART Essentials for Educators
    SpeedTouch USB Software
    Spybot - Search & Destroy
    Stream Viewer Utility
    Switch Uninstall
    Tunebite
    Unlocker 1.8.8
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Outlook 2007 Junk Email Filter (kb977839)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VT Transaction+
    WavePad Uninstall
    WebFldrs XP
    Windows Driver Package - Intel (w29n51) net (09/12/2005 9.0.3.9)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows XP Service Pack 3
    Wondershare Media Converter(Build 1.2.2.0)

    ==== Event Viewer Messages From Past Week ========

    14/02/2010 15:48:01, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    14/02/2010 15:46:55, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    14/02/2010 01:28:08, error: Service Control Manager [7034] - The Network Associates McShield service terminated unexpectedly. It has done this 1 time(s).
    13/02/2010 14:39:22, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000E3557CDFE. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    11/02/2010 18:41:02, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
    11/02/2010 18:40:53, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
    10/02/2010 09:11:45, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SMART Board Service service.
    10/02/2010 09:10:18, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wuauserv service.
    10/02/2010 09:10:18, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the w32time service.
    10/02/2010 09:10:18, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    10/02/2010 09:10:18, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RpcSs service.
    10/02/2010 09:10:18, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
    10/02/2010 09:10:18, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    10/02/2010 09:04:38, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
    10/02/2010 08:12:12, error: Service Control Manager [7000] - The hpdj service failed to start due to the following error: The system cannot find the path specified.
    10/02/2010 08:10:33, error: Dhcp [1002] - The IP address lease 192.168.1.9 for the Network Card with network address 000E3557CDFE has been denied by the DHCP server 10.11.151.249 (The DHCP Server sent a DHCPNACK message).
    10/02/2010 08:10:27, error: Dhcp [1002] - The IP address lease 10.11.150.27 for the Network Card with network address 000F1FBB13AC has been denied by the DHCP server 10.9.37.254 (The DHCP Server sent a DHCPNACK message).
    09/02/2010 21:34:01, error: NETLOGON [5719] - No Domain Controller is available for domain HENLOW due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    09/02/2010 16:26:32, error: Dhcp [1002] - The IP address lease 10.11.150.12 for the Network Card with network address 000E3557CDFE has been denied by the DHCP server 10.9.37.254 (The DHCP Server sent a DHCPNACK message).
    09/02/2010 09:10:18, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.

    ==== End Of File ===========================


    Hijack This Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:49:34, on 15/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceUI.exe
    C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe "
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\STBELL~1.DEL\LOCALS~1\Temp\Nrl.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [A_M_P_NET] C:\Program Files\AntiMalwarePro\AntiMalwarePro.exe
    O4 - HKCU\..\Run: [A_M_P_NEScheduler] C:\Program Files\AntiMalwarePro\AntiMalwarePro.exe SCHEDULER
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1265566252186
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1258925630590
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henlowmiddle.beds.sch.uk
    O17 - HKLM\Software\..\Telephony: DomainName = henlowmiddle.beds.sch.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73FC5D3E-33F1-4665-99B2-8E7750AAD9B6}: NameServer = 93.188.163.158,93.188.166.88
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE65D96B-6AA6-4DFB-92D5-F41510CE969A}: NameServer = 93.188.163.158,93.188.166.88
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henlowmiddle.beds.sch.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.158,93.188.166.88
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = henlowmiddle.beds.sch.uk
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.158,93.188.166.88
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.158,93.188.166.88
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: eBeam Device Service - Luidia, Inc. - C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\STANDR~1.HEN\LOCALS~1\Temp\hpdj.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 10357 bytes


    Malwarebytes' Anti-malware Log:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    15/02/2010 15:35:34
    mbam-log-2010-02-15 (15-35-34).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 214266
    Time elapsed: 1 hour(s), 43 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\All Users\AVP 2009\1.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


    McAfee VirusScan number 1 Log:

    On-Demand Scan

    2/14/2010 2:17:53 AM Engine version =5400
    2/14/2010 2:17:53 AM DAT version =5891
    2/14/2010 2:17:53 AM Number of virus signatures in EXTRA.DAT =None
    2/14/2010 2:17:53 AM Names of viruses that EXTRA.DAT can detect =None
    2/14/2010 2:17:43 AM Scan Started DELL14\stbellamy On-Demand Scan
    2/14/2010 7:10:39 AM Deleted stbellamy c:\documents and settings\stbellamy\cookies\stbellamy@doubleclick[2].txt Cookie-Doubleclick(Potentially Unwanted Program)
    2/14/2010 7:11:07 AM Deleted stbellamy c:\documents and settings\stbellamy\cookies\stbellamy@statcounter[2].txt Cookie-Statcounter(Potentially Unwanted Program)
    2/14/2010 7:11:48 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@247realmedia[2].txt Cookie-247realmedia(Potentially Unwanted Program)
    2/14/2010 7:11:49 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@ad.yieldmanager[2].txt Cookie-Yieldmanager(Potentially Unwanted Program)
    2/14/2010 7:11:52 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@adtech[2].txt Cookie-Adtech(Potentially Unwanted Program)
    2/14/2010 7:11:52 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@advertising[1].txt Cookie-Advertising(Potentially Unwanted Program)
    2/14/2010 7:11:52 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@adviva[2].txt Cookie-Adviva(Potentially Unwanted Program)
    2/14/2010 7:11:53 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@associatedcontent.112.2o7[1].txt Cookie-2O7(Potentially Unwanted Program)
    2/14/2010 7:11:54 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@at.atwola[2].txt Cookie-Atwola(Potentially Unwanted Program)
    2/14/2010 7:11:54 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@atdmt[1].txt Cookie-Atdmt(Potentially Unwanted Program)
    2/14/2010 7:11:54 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@atwola[2].txt Cookie-Atwola(Potentially Unwanted Program)
    2/14/2010 7:11:55 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@bluestreak[1].txt Cookie-Bluestreak(Potentially Unwanted Program)
    2/14/2010 7:11:56 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@bs.serving-sys[2].txt Cookie-Eyeblaster(Potentially Unwanted Program)
    2/14/2010 7:11:56 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@burstnet[2].txt Cookie-Burst(Potentially Unwanted Program)
    2/14/2010 7:11:56 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@c4.zedo[1].txt Cookie-Zedo(Potentially Unwanted Program)
    2/14/2010 7:11:56 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@c5.zedo[2].txt Cookie-Zedo(Potentially Unwanted Program)
    2/14/2010 7:11:57 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@cdn5.specificclick[2].txt Cookie-SpecClick(Potentially Unwanted Program)
    2/14/2010 7:12:01 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@doubleclick[1].txt Cookie-Doubleclick(Potentially Unwanted Program)
    2/14/2010 7:12:03 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@fastclick[2].txt Cookie-Fastclick(Potentially Unwanted Program)
    2/14/2010 7:12:06 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@imrworldwide[2].txt Cookie-Imrworldwide(Potentially Unwanted Program)
    2/14/2010 7:12:06 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@insightexpressai[1].txt Cookie-Insightexpres(Potentially Unwanted Program)
    2/14/2010 7:12:09 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@mediaplex[1].txt Cookie-Mediaplex(Potentially Unwanted Program)
    2/14/2010 7:12:12 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@overture[2].txt Cookie-Overture(Potentially Unwanted Program)
    2/14/2010 7:12:13 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@pro-market[1].txt Cookie-ProMarket(Potentially Unwanted Program)
    2/14/2010 7:12:14 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@questionmarket[2].txt Cookie-Questionmarke(Potentially Unwanted Program)
    2/14/2010 7:12:16 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@sageanalyst[1].txt Cookie-Sageanalyst(Potentially Unwanted Program)
    2/14/2010 7:12:17 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@server.iad.liveperson[2].txt Cookie-Liveperson(Potentially Unwanted Program)
    2/14/2010 7:12:17 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@serving-sys[2].txt Cookie-Eyeblaster(Potentially Unwanted Program)
    2/14/2010 7:12:18 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@smartadserver[2].txt Cookie-Adserver(Potentially Unwanted Program)
    2/14/2010 7:12:18 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@specificclick[2].txt Cookie-SpecClick(Potentially Unwanted Program)
    2/14/2010 7:12:19 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@statcounter[2].txt Cookie-Statcounter(Potentially Unwanted Program)
    2/14/2010 7:12:21 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@tradedoubler[1].txt Cookie-Tradedoubler(Potentially Unwanted Program)
    2/14/2010 7:12:22 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@tribalfusion[1].txt Cookie-Tribalfusion(Potentially Unwanted Program)
    2/14/2010 7:12:23 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@uk.at.atwola[1].txt Cookie-Atwola(Potentially Unwanted Program)
    2/14/2010 7:12:24 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@videoegg.adbureau[2].txt Cookie-AdBureau(Potentially Unwanted Program)
    2/14/2010 7:12:24 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@vimby.adbureau[2].txt Cookie-AdBureau(Potentially Unwanted Program)
    2/14/2010 7:12:26 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@www.burstnet[2].txt Cookie-Burst(Potentially Unwanted Program)
    2/14/2010 7:12:30 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@yadro[1].txt Cookie-Yadro(Potentially Unwanted Program)
    2/14/2010 7:12:31 AM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@zedo[1].txt Cookie-Zedo(Potentially Unwanted Program)
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Scan Summary
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Processes scanned : 58
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Processes detected : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Processes cleaned : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Boot sectors scanned : 2
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Boot sectors detected: 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Boot sectors cleaned : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Files scanned : 118813
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Files with detections: 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy File detections : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Files cleaned : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Files moved : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Files deleted : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Files not scanned : 29
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Scan Summary (Registry Scanning)
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Keys scanned : 3619
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Keys detected : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Keys cleaned : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Scan Summary (Cookie Scanning)
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Cookies scanned : 10828
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Cookies detected : 39
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Cookies moved : 0
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Cookies deleted : 39
    2/14/2010 7:12:37 AM Scan Summary DELL14\stbellamy Run time : 4:54:54
    2/14/2010 7:12:37 AM Scan Complete DELL14\stbellamy

    McAfee VirusScan number 2 Log:

    On-Demand Scan

    2/14/2010 11:43:38 AM Engine version =5400
    2/14/2010 11:43:38 AM DAT version =5891
    2/14/2010 11:43:38 AM Number of virus signatures in EXTRA.DAT =None
    2/14/2010 11:43:38 AM Names of viruses that EXTRA.DAT can detect =None
    2/14/2010 11:43:25 AM Scan Started DELL14\stbellamy On-Demand Scan
    2/14/2010 2:03:00 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@247realmedia[2].txt Cookie-247realmedia(Potentially Unwanted Program)
    2/14/2010 2:03:01 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@2o7[1].txt Cookie-2O7(Potentially Unwanted Program)
    2/14/2010 2:03:02 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@ad.yieldmanager[1].txt Cookie-Yieldmanager(Potentially Unwanted Program)
    2/14/2010 2:03:06 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@adtech[1].txt Cookie-Adtech(Potentially Unwanted Program)
    2/14/2010 2:03:06 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@advertising[2].txt Cookie-Advertising(Potentially Unwanted Program)
    2/14/2010 2:03:06 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@adviva[2].txt Cookie-Adviva(Potentially Unwanted Program)
    2/14/2010 2:03:08 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@atdmt[1].txt Cookie-Atdmt(Potentially Unwanted Program)
    2/14/2010 2:03:10 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@bs.serving-sys[2].txt Cookie-Eyeblaster(Potentially Unwanted Program)
    2/14/2010 2:03:11 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@c4.zedo[1].txt Cookie-Zedo(Potentially Unwanted Program)
    2/14/2010 2:03:11 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@c5.zedo[1].txt Cookie-Zedo(Potentially Unwanted Program)
    2/14/2010 2:03:17 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@doubleclick[2].txt Cookie-Doubleclick(Potentially Unwanted Program)
    2/14/2010 2:03:18 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@educationsuccess.122.2o7[1].txt Cookie-2O7(Potentially Unwanted Program)
    2/14/2010 2:03:23 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@imrworldwide[2].txt Cookie-Imrworldwide(Potentially Unwanted Program)
    2/14/2010 2:03:23 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@insightexpressai[1].txt Cookie-Insightexpres(Potentially Unwanted Program)
    2/14/2010 2:03:27 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@mediaplex[1].txt Cookie-Mediaplex(Potentially Unwanted Program)
    2/14/2010 2:03:29 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@mygeek[2].txt Cookie-MyGeek(Potentially Unwanted Program)
    2/14/2010 2:03:31 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@overture[1].txt Cookie-Overture(Potentially Unwanted Program)
    2/14/2010 2:03:33 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@questionmarket[1].txt Cookie-Questionmarke(Potentially Unwanted Program)
    2/14/2010 2:03:36 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@roiservice[1].txt Cookie-Roiservice(Potentially Unwanted Program)
    2/14/2010 2:03:37 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@serving-sys[2].txt Cookie-Eyeblaster(Potentially Unwanted Program)
    2/14/2010 2:03:38 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@smartadserver[1].txt Cookie-Adserver(Potentially Unwanted Program)
    2/14/2010 2:03:39 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@specificclick[2].txt Cookie-SpecClick(Potentially Unwanted Program)
    2/14/2010 2:03:42 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@tradedoubler[2].txt Cookie-Tradedoubler(Potentially Unwanted Program)
    2/14/2010 2:03:53 PM Deleted stbellamy c:\documents and settings\stbellamy.dell14\cookies\stbellamy@zedo[1].txt Cookie-Zedo(Potentially Unwanted Program)
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Scan Summary
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Processes scanned : 56
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Processes detected : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Processes cleaned : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Boot sectors scanned : 2
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Boot sectors detected: 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Boot sectors cleaned : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Files scanned : 119604
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Files with detections: 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy File detections : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Files cleaned : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Files moved : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Files deleted : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Files not scanned : 35
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Scan Summary (Registry Scanning)
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Keys scanned : 3619
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Keys detected : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Keys cleaned : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Scan Summary (Cookie Scanning)
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Cookies scanned : 11589
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Cookies detected : 24
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Cookies moved : 0
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Cookies deleted : 24
    2/14/2010 2:03:57 PM Scan Summary DELL14\stbellamy Run time : 2:16:14
    2/14/2010 2:03:57 PM Scan Complete DELL14\stbellamy
     
    MRB1,
    #1
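The HijackThis log above is what a helper reads by hand. As an added example (not code from this thread, from HijackThis or from any of the tools mentioned), here is a small Python triage script that parses lines in that format and marks the entries an analyst checks first: autoruns launched from a user Temp directory, autorun names that look machine-generated, entries pointing at files that no longer exist, and DNS servers pinned in the registry. The sample lines are a constructed subset of the log above; the heuristics are my own and only flag entries for review, they are not verdicts.

```python
"""Triage of HijackThis log lines: flag the entries a malware analyst checks first."""
import re
from typing import Dict, List

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\STBELL~1.DEL\LOCALS~1\Temp\Nrl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henlowmiddle.beds.sch.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.158,93.188.166.88
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\STANDR~1.HEN\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# Every HijackThis entry starts with a section code (R0, O4, O17, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# O4 autoruns: "...\Run: [value name] command line".
RUN_RE = re.compile(r"\\Run: \[([^\]]+)\] (.*)$")
# A user Temp directory, in 8.3 short form (LOCALS~1\Temp) or long form.
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into entries; non-entry lines (process list, header) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"type": m.group(1), "body": m.group(2), "raw": m.group(0)})
    return entries


def looks_machine_generated(name: str) -> bool:
    """Heuristic (my own): 8+ characters, only upper-case letters and digits, with both present."""
    return (re.fullmatch(r"[A-Z0-9]{8,}", name) is not None
            and re.search(r"\d", name) is not None
            and re.search(r"[A-Z]", name) is not None)


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the entries worth a second look, each with the reasons it was flagged."""
    findings = []
    for e in entries:
        t, body = e["type"], e["body"]
        reasons = []
        if t in ("O4", "O23") and TEMP_RE.search(body):
            reasons.append("launches from a user Temp directory")
        if t == "O4":
            m = RUN_RE.search(body)
            if m and looks_machine_generated(m.group(1)):
                reasons.append("autorun value name looks machine-generated")
        if t in ("O2", "O23") and ("(no file)" in body or "(file missing)" in body):
            reasons.append("points at a file that no longer exists")
        if t == "O17" and "NameServer" in body:
            servers = [s.strip() for s in body.split("=", 1)[1].split(",")]
            reasons.append("DNS resolvers pinned in the registry (%s); confirm they are the ones "
                           "this network is supposed to use" % ", ".join(servers))
        if reasons:
            findings.append({"type": t, "raw": e["raw"], "reasons": reasons})
    return findings


def triage_log(text: str) -> List[Dict[str, object]]:
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["raw"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run against the full log rather than the sample, the same rules would also pick up the second NameServer entries under CS1/CS3 and the two AntiMalwarePro autoruns only if you add a rule for them; the script deliberately flags nothing it cannot justify from the line itself.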
  2. 2010/02/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  4. 2010/02/16
    MRB1

    MRB1 Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    19
    Likes Received:
    0
    Hi Broni

    I followed your instructions to the letter, but I can't get Combofix to work properly. The first time it ran, it asked to install the recovery console which worked ok, but then stalled when trying to scan. I then tried again and it got to 'Completed stage_4' before stalling. I've tried about 10 times now. The most successful was attempt 4 which got to 'Completed stage_50' before it stalled. Every other attempt has got to the message about scanning the computer and it usually taking 10 mins etc etc and then it stalls before even completing stage 1.
     
    MRB1,
    #3
  5. 2010/02/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run Combofix.
     
  6. 2010/02/16
    MRB1

    MRB1 Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    19
    Likes Received:
    0
    I downloaded the first version of rkill (rkill.com). It seemed to run ok, I got the black DOS box and it generated a short report. So I immediately ran Combofix, but exactly the same thing happened; it stalled just after the message about scanning the computer and it usually taking 10 minutes etc. So I decided to try each of the versions of rkill in turn with a freshly installed version of combofix (I uninstalled the previous one each time and downloaded a fresh copy). Nothing changed, it still stalled in the same place each time. The only difference was when I used rkill.exe (the 4th version), this time combofix asked to update the program which I did, but then it still stalled in the same place. I just can't seem to get Combofix to run properly.
     
    MRB1,
    #5
  7. 2010/02/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
     
  8. 2010/02/16
    MRB1

    MRB1 Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    19
    Likes Received:
    0
    I ran TDSSKiller. At the end it asked me to reboot to complete the task; Y or N. I wasn't sure so I hit enter instead. It didn't reboot but perhaps I need to? Let me know. Anyway the log is here:

    03:05:33:019 2208 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
    03:05:33:019 2208 ================================================================================
    03:05:33:019 2208 SystemInfo:

    03:05:33:019 2208 OS Version: 5.1.2600 ServicePack: 3.0
    03:05:33:019 2208 Product type: Workstation
    03:05:33:019 2208 ComputerName: DELL14
    03:05:33:019 2208 UserName: stbellamy
    03:05:33:019 2208 Windows directory: C:\WINDOWS
    03:05:33:019 2208 Processor architecture: Intel x86
    03:05:33:019 2208 Number of processors: 1
    03:05:33:019 2208 Page size: 0x1000
    03:05:33:019 2208 Boot type: Normal boot
    03:05:33:019 2208 ================================================================================
    03:05:33:049 2208 UnloadDriverW: NtUnloadDriver error 2
    03:05:33:049 2208 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    03:05:33:079 2208 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    03:05:33:349 2208 UtilityInit: KLMD drop and load success
    03:05:33:349 2208 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
    03:05:33:349 2208 UtilityInit: KLMD open success
    03:05:33:349 2208 UtilityInit: Initialize success
    03:05:33:349 2208
    03:05:33:349 2208 Scanning Services ...
    03:05:33:349 2208 CreateRegParser: Registry parser init started
    03:05:33:349 2208 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    03:05:33:349 2208 CreateRegParser: DisableWow64Redirection error
    03:05:33:349 2208 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    03:05:33:349 2208 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    03:05:33:349 2208 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    03:05:33:349 2208 wfopen_ex: Trying to KLMD file open
    03:05:33:349 2208 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    03:05:33:349 2208 wfopen_ex: File opened ok (Flags 2)
    03:05:33:349 2208 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 394AD8
    03:05:33:349 2208 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    03:05:33:349 2208 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    03:05:33:349 2208 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    03:05:33:349 2208 wfopen_ex: Trying to KLMD file open
    03:05:33:349 2208 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    03:05:33:349 2208 wfopen_ex: File opened ok (Flags 2)
    03:05:33:349 2208 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 394950
    03:05:33:349 2208 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    03:05:33:349 2208 CreateRegParser: EnableWow64Redirection error
    03:05:33:349 2208 CreateRegParser: RegParser init completed
    03:05:34:080 2208 GetAdvancedServicesInfo: Raw services enum returned 407 services
    03:05:34:090 2208 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    03:05:34:090 2208 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    03:05:34:090 2208
    03:05:34:090 2208 Scanning Kernel memory ...
    03:05:34:090 2208 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    03:05:34:090 2208 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 87374A08
    03:05:34:090 2208 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
    03:05:34:090 2208
    03:05:34:090 2208 DetectCureTDL3: DEVICE_OBJECT: 873D3C68
    03:05:34:090 2208 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873D3C68
    03:05:34:090 2208 KLMD_ReadMem: Trying to ReadMemory 0x873D3C68[0x38]
    03:05:34:090 2208 DetectCureTDL3: DRIVER_OBJECT: 87374A08
    03:05:34:090 2208 KLMD_ReadMem: Trying to ReadMemory 0x87374A08[0xA8]
    03:05:34:090 2208 KLMD_ReadMem: Trying to ReadMemory 0xE19D1E90[0x18]
    03:05:34:090 2208 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_CREATE : F76E9BB0
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_CLOSE : F76E9BB0
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_READ : F76E3D1F
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_WRITE : F76E3D1F
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76E42E2
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76E43BB
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F76E7F28
    03:05:34:090 2208 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76E42E2
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_POWER : F76E5C82
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F76EA99E
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
    03:05:34:100 2208 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
    03:05:34:100 2208 TDL3_FileDetect: Processing driver: Disk
    03:05:34:100 2208 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    03:05:34:100 2208 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    03:05:34:151 2208 TDL3_FileDetect: Processing driver: Disk
    03:05:34:151 2208 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    03:05:34:151 2208 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    03:05:34:151 2208 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    03:05:34:151 2208
    03:05:34:151 2208 DetectCureTDL3: DEVICE_OBJECT: 8738EC68
    03:05:34:151 2208 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8738EC68
    03:05:34:151 2208 KLMD_ReadMem: Trying to ReadMemory 0x8738EC68[0x38]
    03:05:34:151 2208 DetectCureTDL3: DRIVER_OBJECT: 87374A08
    03:05:34:151 2208 KLMD_ReadMem: Trying to ReadMemory 0x87374A08[0xA8]
    03:05:34:151 2208 KLMD_ReadMem: Trying to ReadMemory 0xE19D1E90[0x18]
    03:05:34:151 2208 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_CREATE : F76E9BB0
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_CLOSE : F76E9BB0
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_READ : F76E3D1F
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_WRITE : F76E3D1F
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_SET_EA : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76E42E2
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76E43BB
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F76E7F28
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76E42E2
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_POWER : F76E5C82
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F76EA99E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA87E
    03:05:34:151 2208 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA87E
    03:05:34:151 2208 TDL3_FileDetect: Processing driver: Disk
    03:05:34:151 2208 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    03:05:34:151 2208 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    03:05:34:161 2208 TDL3_FileDetect: Processing driver: Disk
    03:05:34:161 2208 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    03:05:34:161 2208 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    03:05:34:161 2208 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    03:05:34:161 2208
    03:05:34:161 2208 DetectCureTDL3: DEVICE_OBJECT: 87391AB8
    03:05:34:161 2208 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87391AB8
    03:05:34:161 2208 DetectCureTDL3: DEVICE_OBJECT: 8738BB00
    03:05:34:161 2208 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8738BB00
    03:05:34:161 2208 KLMD_ReadMem: Trying to ReadMemory 0x8738BB00[0x38]
    03:05:34:161 2208 DetectCureTDL3: DRIVER_OBJECT: 873CE420
    03:05:34:161 2208 KLMD_ReadMem: Trying to ReadMemory 0x873CE420[0xA8]
    03:05:34:161 2208 KLMD_ReadMem: Trying to ReadMemory 0xE101DE58[0x1A]
    03:05:34:161 2208 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_CREATE : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_CLOSE : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_READ : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_WRITE : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_SET_INFORMATION : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_QUERY_EA : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_SET_EA : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_SHUTDOWN : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_CLEANUP : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_SET_SECURITY : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_POWER : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : F75D1B3A
    03:05:34:161 2208 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : F75D1B3A
    03:05:34:171 2208 DetectCureTDL3: IRP_MJ_SET_QUOTA : F75D1B3A
    03:05:34:171 2208 TDL3_FileDetect: Processing driver: atapi
    03:05:34:171 2208 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    03:05:34:171 2208 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
    03:05:34:191 2208 DetectCureTDL3: All IRP handlers pointed to one addr: F75D1B3A
    03:05:34:191 2208 KLMD_ReadMem: Trying to ReadMemory 0xF75D1B3A[0x400]
    03:05:34:191 2208 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
    03:05:34:191 2208 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
    03:05:34:191 2208 KLMD_ReadMem: Trying to ReadMemory 0x873E10B4[0x4]
    03:05:34:191 2208 TDL3_IrpHookDetect: New IrpHandler addr: 873828C8
    03:05:34:191 2208 KLMD_ReadMem: Trying to ReadMemory 0x873828C8[0x400]
    03:05:34:191 2208 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
    03:05:34:191 2208 Driver "atapi" Irp handler infected by TDSS rootkit ... 03:05:34:191 2208 KLMD_WriteMem: Trying to WriteMemory 0x8738294E[0xD]
    03:05:34:191 2208 cured
    03:05:34:191 2208 KLMD_ReadMem: Trying to ReadMemory 0xF75CF864[0x400]
    03:05:34:191 2208 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    03:05:34:191 2208 TDL3_FileDetect: Processing driver: atapi
    03:05:34:191 2208 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    03:05:34:191 2208 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
    03:05:34:191 2208 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
    03:05:34:191 2208 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 03:05:34:201 2208 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    03:05:34:201 2208 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
    03:05:34:231 2208 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\I386\sp2.cab
    03:05:49:242 2208 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\I386\sp3.cab
    03:06:04:314 2208 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
    03:06:04:604 2208 CabinetCallback: File extracted successfully: C:\DOCUME~1\STBELL~1.DEL\LOCALS~1\Temp\bckC.tmp
    03:06:04:604 2208 ValidateDriverFile: Stage 1 passed
    03:06:04:604 2208 ValidateDriverFile: Stage 2 passed
    03:06:04:684 2208 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
    03:06:05:265 2208 DigitalSignVerifyByHandle: Cat DS result: 00000000
    03:06:05:265 2208 ValidateDriverFile: Stage 3 passed
    03:06:05:265 2208 CabinetCallback: File validated successfully, restore information prepared
    03:06:05:265 2208 FindDriverFileBackup: Backup copy found in cab-file
    03:06:05:265 2208 TDL3_FileCure: Backup copy found, using it..
    03:06:05:265 2208 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tskD.tmp
    03:06:05:365 2208 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskD.tmp, system32\drivers\atapi.sys)
    03:06:05:365 2208 TDL3_FileCure: KLMD jobs schedule success
    03:06:05:365 2208 will be cured on next reboot
    03:06:05:365 2208 UtilityBootReinit: Reboot required for cure complete..
    03:06:05:365 2208 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
    03:06:05:486 2208 UtilityBootReinit: KLMD drop success
    03:06:05:486 2208 KLMD_ApplyPendList: Pending buffer(CBB_2F09, 600) dropped successfully
    03:06:05:486 2208 UtilityBootReinit: Cure on reboot scheduled successfully
    03:06:05:486 2208
    03:06:05:486 2208 Completed
    03:06:05:486 2208
    03:06:05:486 2208 Results:
    03:06:05:486 2208 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
    03:06:05:486 2208 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    03:06:05:486 2208 File objects infected / cured / cured on reboot: 1 / 0 / 1
    03:06:05:486 2208
    03:06:05:486 2208 UnloadDriverW: NtUnloadDriver error 1
    03:06:05:486 2208 KLMD_Unload: UnloadDriverW(klmd21) error 1
    03:06:05:486 2208 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    03:06:05:486 2208 UtilityDeinit: KLMD(ARK) unloaded successfully
     
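As an added example (not part of this thread and not Kaspersky's own tooling), here is a small Python triage script for a TDSSKiller log of the kind posted above. It reads the per-driver IRP_MJ_* dispatch table that the DetectCureTDL3 lines print, flags any driver whose handlers all point at one address (the condition TDSSKiller itself logs as "All IRP handlers pointed to one addr" before it goes on to check for the TDL3 stub signature), collects the file verdicts, and reads the Results block to decide whether a non-zero "cured on reboot" count means the machine still has to be restarted, which is the question raised in the post. The embedded log excerpt is constructed for the example and abbreviated to a few IRP majors per driver; the function names are my own.

```python
import re
import sys
import json

# Constructed sample in the format TDSSKiller 2.2.x writes: "<time> <pid> <message>".
# Abbreviated to a handful of IRP majors per driver; values mirror the posted log.
SAMPLE_LOG = r"""
03:05:33:019 2208 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
03:05:34:090 2208 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
03:05:34:090 2208 DetectCureTDL3: IRP_MJ_CREATE : F76E9BB0
03:05:34:090 2208 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
03:05:34:090 2208 DetectCureTDL3: IRP_MJ_READ : F76E3D1F
03:05:34:090 2208 DetectCureTDL3: IRP_MJ_WRITE : F76E3D1F
03:05:34:151 2208 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
03:05:34:161 2208 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
03:05:34:161 2208 DetectCureTDL3: IRP_MJ_CREATE : F75D1B3A
03:05:34:161 2208 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : F75D1B3A
03:05:34:161 2208 DetectCureTDL3: IRP_MJ_READ : F75D1B3A
03:05:34:161 2208 DetectCureTDL3: IRP_MJ_WRITE : F75D1B3A
03:05:34:191 2208 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
03:06:05:486 2208 Results:
03:06:05:486 2208 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
03:06:05:486 2208 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
03:06:05:486 2208 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_\w+) : ([0-9A-F]{8})")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
RESULT_RE = re.compile(
    r"(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)"
)


def parse_entries(text):
    """Split the log into (timestamp, pid, message) tuples; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def irp_tables(entries):
    """Map driver name -> {IRP_MJ_xxx: handler address}, as printed under each DRIVER_OBJECT."""
    tables = {}
    current = None
    for _, _, msg in entries:
        m = DRIVER_RE.search(msg)
        if m:
            current = m.group(2)
            tables.setdefault(current, {})   # the same driver may be listed once per device object
            continue
        m = IRP_RE.search(msg)
        if m and current is not None:
            tables[current][m.group(1)] = m.group(2)
    return tables


def suspicious_drivers(tables):
    """Drivers whose every IRP_MJ_* slot points at one address.

    This is the condition TDSSKiller logs as "All IRP handlers pointed to one addr";
    a TDL3-patched driver object has all majors redirected to the rootkit's stub.
    Some legitimate drivers also use a single dispatch routine, so treat this as a
    triage flag and rely on the stub-signature / file verdict for the actual call.
    """
    return sorted(
        name for name, table in tables.items()
        if len(table) > 1 and len(set(table.values())) == 1
    )


def file_verdicts(entries):
    """Map driver file path -> verdict string from the TDL3_FileDetect lines."""
    verdicts = {}
    for _, _, msg in entries:
        m = VERDICT_RE.search(msg)
        if m:
            verdicts[m.group(1)] = m.group(2)
    return verdicts


def results_summary(entries):
    """Parse the Results block into {'memory'|'registry'|'file': {...counts...}}."""
    summary = {}
    for _, _, msg in entries:
        m = RESULT_RE.search(msg)
        if m:
            summary[m.group(1).lower()] = {
                "infected": int(m.group(2)),
                "cured": int(m.group(3)),
                "cured_on_reboot": int(m.group(4)),
            }
    return summary


def reboot_required(summary):
    """True when any object is scheduled for cure on reboot, i.e. the cleanup is not finished yet."""
    return any(v["cured_on_reboot"] > 0 for v in summary.values())


def triage(text):
    entries = parse_entries(text)
    summary = results_summary(entries)
    return {
        "suspicious_drivers": suspicious_drivers(irp_tables(entries)),
        "infected_files": sorted(p for p, v in file_verdicts(entries).items() if v != "Clean"),
        "results": summary,
        "reboot_required": reboot_required(summary),
    }


if __name__ == "__main__":
    # Usage: python tdss_triage.py [C:\TDSSKiller.txt]; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage(text), indent=2))
```

On the posted log this reports atapi as the flagged driver, atapi.sys as the infected file, and reboot_required as true because the file object is counted under "cured on reboot" rather than "cured", which is why answering N (or letting the prompt default) leaves the cure pending until the next restart.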
  9. 2010/02/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Try Combofix again, please.
     
  10. 2010/02/16
    MRB1

    Shall I reboot first? Shall I also uninstall Combofix and install a fresh version?
     
  11. 2010/02/16
    broni

    I assume TDSSKiller rebooted computer, correct?
    Don't uninstall Combofix, but simply delete the Combofix file from your desktop and download a fresh copy.
     
  12. 2010/02/16
    MRB1

    TDSSKiller gave me the option to reboot the computer, but I wasn't sure so I pressed enter, which I guess defaulted to "No". Anyway I rebooted manually before running Combofix again. But guess what, it stalled again in the same place. I rebooted again and tried a second time but still no luck.
     
  13. 2010/02/16
    broni

    Delete Combofix.
    Download fresh copy and rename it to broni.exe BEFORE saving it to your desktop.
    Run rkill and broni.exe right after that.
     
  14. 2010/02/16
    MRB1

    OK did that but still same result. The hard drive stops whirring and the cursor just keeps flashing at me. I suppose if I waited longer nothing else would happen? Anyway it's 4:30 in the morning here in the UK and I need some sleep so I'll check for fresh posts again in a few hours. Thanks for all your help so far.
     
  15. 2010/02/16
    broni

    Try to run Combofix in Safe Mode.
     
  16. 2010/02/17
    MRB1

    Hey success! Combofix ran OK in safe mode. I then ran Hijackthis again as you previously requested. Here are the logs:

    Combofix Log:

    ComboFix 10-02-12.01 - stbellamy 17/02/2010 15:52:30.3.1 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.812 [GMT 0:00]
    Running from: c:\documents and settings\stbellamy.DELL14\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Thumbs.db
    c:\windows\EventSystem.log
    c:\windows\repair.exe
    c:\windows\system32\comrepl.exe
    c:\windows\system32\reboot.txt
    c:\windows\system32\twain.dll
    c:\windows\system32\twain_32.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_PASSWORD


    ((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
    .

    2010-02-17 03:41 . 2010-02-17 03:41 -------- d-----r- C:\assembly
    2010-02-15 16:35 . 2010-02-16 23:58 -------- d-----w- c:\program files\Panda Security
    2010-02-15 15:48 . 2010-02-15 15:48 -------- d-----w- c:\program files\Trend Micro
    2010-02-14 21:53 . 2010-02-14 21:53 -------- d-----w- c:\program files\Daniusoft
    2010-02-14 12:09 . 2010-02-14 12:09 -------- d-----w- C:\QUARANTINE
    2010-02-14 02:15 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-14 02:14 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-14 02:14 . 2010-02-14 02:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-13 22:45 . 2010-02-13 22:45 -------- d-----w- c:\program files\Wondershare
    2010-02-13 22:25 . 2010-01-15 12:51 5688 ----a-w- c:\windows\system32\drivers\DrmCVideo.sys
    2010-02-13 22:25 . 2010-01-15 12:51 23096 ----a-w- c:\windows\system32\drivers\DrmCAudio.sys
    2010-02-13 22:25 . 2010-02-14 00:45 -------- d-----w- c:\program files\DRM Converter
    2010-02-13 19:21 . 2010-02-13 19:24 -------- d-----w- c:\documents and settings\stbellamy.DELL14\Application Data\PeaZip
    2010-02-13 19:20 . 2010-02-13 19:21 -------- d-----w- c:\program files\PeaZip
    2010-02-13 14:40 . 2010-02-13 14:40 -------- d-----w- c:\program files\PixiePack Codec Pack
    2010-02-13 14:34 . 2010-02-13 19:34 -------- d-----w- c:\program files\RapidSolution
    2010-02-13 14:34 . 2010-02-13 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\RapidSolution
    2010-02-13 14:33 . 2010-02-13 14:33 -------- d-----w- c:\documents and settings\stbellamy.DELL14\Local Settings\Application Data\RapidSolution
    2010-02-11 23:39 . 2010-02-13 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
    2010-02-11 23:28 . 2009-12-04 12:01 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
    2010-02-11 23:28 . 2009-12-04 12:01 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
    2010-02-11 23:27 . 2009-12-04 12:01 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
    2010-02-11 23:27 . 2009-12-04 12:01 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
    2010-02-11 23:26 . 2009-12-04 12:01 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
    2010-02-11 23:16 . 2010-02-11 23:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-09 19:15 . 2010-02-09 19:15 37920 ----a-w- c:\windows\system32\drivers\tbhsd.sys
    2010-02-09 19:15 . 2010-02-09 19:15 27752 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
    2010-02-07 18:42 . 2010-02-07 18:42 -------- d-----w- c:\windows\system32\XPSViewer
    2010-02-07 18:42 . 2010-02-07 18:42 -------- d-----w- c:\program files\MSBuild
    2010-02-07 18:42 . 2010-02-07 18:42 -------- d-----w- c:\program files\Reference Assemblies
    2010-02-07 18:41 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-02-07 18:40 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-02-07 18:40 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-02-07 18:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-02-07 18:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-02-07 18:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-02-07 18:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-02-07 18:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-02-07 18:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-02-02 09:43 . 2010-02-02 09:43 -------- d-----w- c:\documents and settings\stbellamy\Application Data\Softease
    2010-02-02 09:37 . 2010-02-02 09:38 -------- d-----w- c:\program files\Podium
    2010-02-02 09:34 . 2010-02-02 09:34 -------- d-----w- c:\program files\illiminable
    2010-01-22 22:41 . 2010-01-22 22:41 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-17 03:22 . 2003-04-23 08:29 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-02-17 00:18 . 2009-06-23 18:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-02-17 00:18 . 2009-06-23 18:44 38784 ----a-w- c:\documents and settings\stbellamy.DELL14\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-02-13 19:36 . 2008-09-15 17:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-13 14:40 . 2010-02-13 14:40 476512 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
    2010-02-13 14:40 . 2010-02-13 14:40 169312 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
    2010-02-13 14:40 . 2010-02-13 14:40 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
    2010-02-13 14:40 . 2010-02-13 14:40 128352 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
    2010-02-13 14:40 . 2010-02-13 14:40 99680 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
    2010-02-13 14:40 . 2010-02-13 14:40 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
    2010-02-13 14:40 . 2010-02-13 14:40 230752 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
    2010-02-13 14:40 . 2010-02-13 14:40 120160 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
    2010-02-13 14:40 . 2010-02-13 14:40 91488 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
    2010-02-13 14:40 . 2010-02-13 14:40 140640 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
    2010-02-13 14:40 . 2010-02-13 14:40 495616 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\EncodingBackend\lame_enc.dll
    2010-02-09 09:16 . 2008-06-14 22:34 118064 -c--a-w- c:\documents and settings\stbellamy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-08 18:56 . 2008-06-14 12:18 118064 -c--a-w- c:\documents and settings\stbellamy.DELL14\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-07 20:40 . 2009-05-25 11:34 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-07 20:23 . 2010-01-11 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-02-05 01:37 . 2009-11-19 17:19 -------- d-----w- c:\documents and settings\stbellamy.DELL14\Application Data\Skype
    2010-02-05 00:51 . 2008-12-07 11:08 -------- d-----w- c:\documents and settings\stbellamy.DELL14\Application Data\skypePM
    2010-02-01 22:02 . 2008-12-09 16:10 -------- d-----w- c:\program files\NCH Swift Sound
    2010-01-16 19:08 . 2004-06-21 10:37 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-12 23:29 . 2004-06-09 16:43 -------- d-----w- c:\program files\Microsoft Works
    2010-01-05 10:00 . 2004-02-06 17:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2005-10-31 15:58 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2002-08-29 04:00 17408 ------w- c:\windows\system32\corpol.dll
    2009-12-29 13:20 . 2009-12-29 13:20 -------- d-----w- c:\program files\Veoh Networks
    2009-12-21 16:29 . 2009-12-21 16:29 -------- d-----w- c:\program files\Thomson
    2009-12-21 16:29 . 2004-06-09 16:38 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-11 17:42 . 2009-12-11 17:42 0 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\GUIcommon.dll
    2009-11-21 15:51 . 2002-08-29 04:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
    "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
    "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
    "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-07-17 136512]
    "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-07 198160]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2004-03-04 487424]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-6-9 24576]
    EPSON Status Monitor 3 Environment Check.lnk - c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.EXE [2000-9-18 121856]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4195505588-4177592582-3926765826-1128\Scripts\Logon\0\0]
    "Script"=SiR.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "EPSON Stylus Photo RX420 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "Synchronization Manager"=%SystemRoot%\system32\mobsync.exe /logon
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\SYSTEM32\DRIVERS\mvstdi5x.sys [25/09/2008 09:08 58464]
    R2 eBeam Device Service;eBeam Device Service;c:\program files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe [16/09/2008 11:42 180224]
    R2 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [19/04/2007 05:42 759312]
    R3 RRNetCapMP;RRNetCapMP;c:\windows\SYSTEM32\DRIVERS\rrnetcap.sys [09/02/2010 19:15 27752]
    R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\SYSTEM32\DRIVERS\WsAudio_DeviceS(1).sys [11/02/2010 23:26 25704]
    R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\SYSTEM32\DRIVERS\WsAudio_DeviceS(2).sys [11/02/2010 23:27 25704]
    R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\SYSTEM32\DRIVERS\WsAudio_DeviceS(3).sys [11/02/2010 23:27 25704]
    R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\SYSTEM32\DRIVERS\WsAudio_DeviceS(4).sys [11/02/2010 23:28 25704]
    R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\SYSTEM32\DRIVERS\WsAudio_DeviceS(5).sys [11/02/2010 23:28 25704]
    S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\SYSTEM32\DRIVERS\wa301b.sys [31/12/1979 23:00 33847]
    S3 DrmCAudio;DrmCAudio;c:\windows\SYSTEM32\DRIVERS\DrmCAudio.sys [13/02/2010 22:25 23096]
    S3 DrmCVideo;DrmCVideo;c:\windows\SYSTEM32\DRIVERS\DrmCVideo.sys [13/02/2010 22:25 5688]
    S3 pmxscan;Visioneer USB Kernel;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [15/05/2006 11:05 15104]
    S3 RRNetCap;RRNetCap Service;c:\windows\SYSTEM32\DRIVERS\rrnetcap.sys [09/02/2010 19:15 27752]
    S3 STI2303X;SMART Board cable;c:\windows\SYSTEM32\DRIVERS\STI2303X.sys [26/05/2005 15:20 13440]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ENTDRV51

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
    2009-03-04 16:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {73FC5D3E-33F1-4665-99B2-8E7750AAD9B6} = 93.188.163.158,93.188.166.88
    TCP: {EE65D96B-6AA6-4DFB-92D5-F41510CE969A} = 93.188.163.158,93.188.166.88
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-A_M_P_NET - c:\program files\AntiMalwarePro\AntiMalwarePro.exe
    HKCU-Run-A_M_P_NEScheduler - c:\program files\AntiMalwarePro\AntiMalwarePro.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-17 16:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1424)
    c:\windows\system32\EntApi.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3836)
    c:\windows\system32\WININET.dll
    c:\windows\system32\EntApi.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Network Associates\Common Framework\FrameworkService.exe
    c:\program files\Network Associates\VirusScan\Mcshield.exe
    c:\program files\Network Associates\VirusScan\VsTskMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    c:\program files\Network Associates\Common Framework\naPrdMgr.exe
    c:\program files\Luidia\eBeam Device Service\eBeamDeviceServiceUI.exe
    c:\program files\Apoint\Apntex.exe
    c:\program files\Network Associates\Common Framework\McTray.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-17 16:13:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-17 16:13

    Pre-Run: 15,978,258,432 bytes free
    Post-Run: 14,882,742,272 bytes free

    - - End Of File - - 7D4E41C82851FB5ABBDFF4AA98CA031D


    New Hijackthis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:15:53, on 17/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceUI.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe "
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1265566252186
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1258925630590
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henlowmiddle.beds.sch.uk
    O17 - HKLM\Software\..\Telephony: DomainName = henlowmiddle.beds.sch.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73FC5D3E-33F1-4665-99B2-8E7750AAD9B6}: NameServer = 93.188.163.158,93.188.166.88
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE65D96B-6AA6-4DFB-92D5-F41510CE969A}: NameServer = 93.188.163.158,93.188.166.88
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henlowmiddle.beds.sch.uk
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: eBeam Device Service - Luidia, Inc. - C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\STANDR~1.HEN\LOCALS~1\Temp\hpdj.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9317 bytes
     
  17. 2010/02/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall "
    Click OK (Vista users - press Enter).
    Restart computer.

    ============================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  18. 2010/02/17
    MRB1

    MRB1 Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    19
    Likes Received:
    0
    The Malwarebytes website doesn't seem to exist. Neither can I right click and save target as. Have a go, you'll see what I mean. Anyway, I've already got MBAM on my computer; I downloaded it from CNET last week when I first got this problem. However, because of the problem with Malwarebytes' website, it won't update. I'll do a scan with what I've got, unless you have another suggestion.
     
  19. 2010/02/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  20. 2010/02/18
    MRB1

    MRB1 Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    19
    Likes Received:
    0
    When I click on the links you've given me for Malwarebytes' website I just get the 'Internet Explorer cannot display the webpage' message with the blue 'i' symbol and the standard message about most likely causes etc. The same happens if I type www.malwarebytes.org into the address bar of internet explorer. If I right click your links and choose 'save as', an error message pops up saying 'Cannot download mbam.php from Malwarebytes.org. The site was not found. Make sure the address is correct, and try again'. The same happens with the mbam-rules.exe. However, this seems to be specific to my laptop as I've tried to access the malwarebytes.org website on my sister's computer and it works fine, as you found when you tried it. So why is my laptop preventing me from accessing this particular website? Is it the malware/virus that I have?

    Anyway for the moment I'm going to download the database installer using my sister's computer, save it to a memory stick and transfer it to my computer then do a scan.
     
    Last edited: 2010/02/18
  21. 2010/02/18
    MRB1

    MRB1 Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    19
    Likes Received:
    0
    OK, I installed the update for MBAM downloaded via my sister's computer, then ran a scan. It picked up 2 infected registry entries, which I deleted, and guess what... I can now access the Malwarebytes' website and the MBAM program updates when you click the update button. Here are the new logs:

    MBAM Log:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3740
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    18/02/2010 19:05:17
    mbam-log-2010-02-18 (19-05-17).txt

    Scan type: Quick Scan
    Objects scanned: 133525
    Time elapsed: 11 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73fc5d3e-33f1-4665-99b2-8e7750aad9b6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.158,93.188.166.88 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ee65d96b-6aa6-4dfb-92d5-f41510ce969a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.158,93.188.166.88 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    New Hijackthis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:55:28, on 18/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceUI.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe "
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1265566252186
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1258925630590
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = henlowmiddle.beds.sch.uk
    O17 - HKLM\Software\..\Telephony: DomainName = henlowmiddle.beds.sch.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = henlowmiddle.beds.sch.uk
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: eBeam Device Service - Luidia, Inc. - C:\Program Files\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\STANDR~1.HEN\LOCALS~1\Temp\hpdj.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9070 bytes


    I'm now going to do a full scan using MBAM.
     
    Last edited: 2010/02/18
