Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Redirected Websites Virus


  • Please log in to reply

#1
leeironmonger

leeironmonger

    New Member

  • Member
  • Pip
  • 6 posts
Hi,

It appears that i have a virus that redirects me when i click links on a search engine. I have done the standard virus checking using AVG Free and Spybot Search and Destroy and have removed some issues but there is still a problem that neither of these finds.

after searching online it appears the virus is known as the Google Redirect virus. after finding this out i searched around and found that many people undertake a scan using Hijack This. As everyone seems to get different results i thought it would be best to start a new thread.

These are my results from my Hijack This scan:-

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:29:01, on 31/08/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Users\Lee\AppData\Roaming\SystemProc\lsass.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com?o=14196&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...SARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...SARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {044CC9E9-2C92-4979-8DCF-8DED49570C0e} - C:\Windows\system32\devmgr32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,[email protected]
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5354] command.com /c del "C:\WINDOWS\System32\ddraw32.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5056] cmd.exe /c del "C:\WINDOWS\System32\ddraw32.dll_old"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [FlashGet 3] "C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe" -minimize
O4 - HKCU\..\Run: [PPAP] C:\ProgramData\PPLiveVA\Application\PPAP.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Lee\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\Lee\AppData\Roaming\SystemProc\lsass.exe
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\system32\ddraw32.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\Windows\system32\lxcgcoms.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9838 bytes

If anyone understands this and can direct me in the right direction i would be extremely grateful.

Many thanks in advance

Lee
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#3
leeironmonger

leeironmonger

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Thanks for the reply.

this is my Combofix log (i think). I have also attached the actual file.

ComboFix 10-08-31.01 - Lee 31/08/2010 20:57:36.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1040 [GMT 1:00]
Running from: c:\users\Lee\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\hpe229C.dll
c:\programdata\SysWoW32
c:\programdata\SysWoW32\_u1023033086v0
c:\programdata\SysWoW32\_u1023033086v1
c:\programdata\SysWoW32\_u1023033086v2
c:\programdata\SysWoW32\mu1023033086v4.kwd
c:\programdata\SysWoW32\mu1023033086v5.kwd
c:\programdata\SysWoW32\mu1023033086v6.kwd
c:\programdata\SysWoW32\mu1023033086v7.kwd
c:\programdata\SysWoW32\wu1023033086v0
c:\programdata\SysWoW32\wu1023033086v0.kwd
c:\programdata\SysWoW32\wu1023033086v1
c:\programdata\SysWoW32\wu1023033086v1.kwd
c:\programdata\SysWoW32\wu1023033086v2
c:\programdata\SysWoW32\wu1023033086v2.kwd
c:\programdata\SysWoW32\wu1023033086v3
c:\programdata\SysWoW32\wu1023033086v3.kwd
c:\programdata\unrar.exe
c:\users\Lee\AppData\Roaming\02000000d30b7ae3988C.manifest
c:\users\Lee\AppData\Roaming\02000000d30b7ae3988O.manifest
c:\users\Lee\AppData\Roaming\02000000d30b7ae3988P.manifest
c:\users\Lee\AppData\Roaming\02000000d30b7ae3988S.manifest
c:\users\Lee\AppData\Roaming\66CC.tmp
c:\users\Lee\AppData\Roaming\6765.tmp
c:\users\Lee\AppData\Roaming\B826.tmp
c:\users\Lee\AppData\Roaming\BITS
c:\users\Lee\AppData\Roaming\BITS\BITS.ini
c:\users\Lee\AppData\Roaming\BITS\pl.dat
c:\users\Lee\AppData\Roaming\BITS\UPnP.ini
c:\users\Lee\AppData\Roaming\C1DD.tmp
c:\users\Lee\AppData\Roaming\C2.tmp
c:\users\Lee\AppData\Roaming\C4D7.tmp
c:\users\Lee\AppData\Roaming\FlashGetBHO
c:\users\Lee\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll
c:\users\Lee\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
c:\users\Lee\AppData\Roaming\FlashGetBHO\GetUrl.htm
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\cb.exe
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\cid.drv
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\cid.exe
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.exe
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\eb.dll
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\eb.tmp
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\energy.tmp
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\exec.dll
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\kernel32.exe
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\pal.drv
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\runddl.tmp
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Recent\std.dll
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows System Defender.lnk
c:\users\Lee\AppData\Roaming\Microsoft\Windows\Start Menu\Windows System Defender.lnk
c:\users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\nmggnuvi.default\extensions\{6c81d31a-2882-440e-b7c8-e97023b0c357}
c:\users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\nmggnuvi.default\extensions\{6c81d31a-2882-440e-b7c8-e97023b0c357}\chrome.manifest
c:\users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\nmggnuvi.default\extensions\{6c81d31a-2882-440e-b7c8-e97023b0c357}\chrome\xulcache.jar
c:\users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\nmggnuvi.default\extensions\{6c81d31a-2882-440e-b7c8-e97023b0c357}\defaults\preferences\xulcache.js
c:\users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\nmggnuvi.default\extensions\{6c81d31a-2882-440e-b7c8-e97023b0c357}\install.rdf
c:\users\Lee\AppData\Roaming\SystemProc
c:\users\Lee\AppData\Roaming\SystemProc\lsass.exe
c:\windows\system32\%appdata%
c:\windows\system32\5lD2GSqus6U98j6.vbs
c:\windows\system32\ddraw32.dll
c:\windows\system32\devmgr32.dll
c:\windows\system32\secushr.dat
c:\windows\system32\secustat.dat

.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))
.

2010-08-31 20:10 . 2010-08-31 20:13 -------- d-----w- c:\users\Lee\AppData\Local\temp
2010-08-31 20:10 . 2010-08-31 20:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-30 14:08 . 2010-08-30 14:08 -------- d-----w- c:\program files\Trend Micro
2010-08-29 18:14 . 2010-08-29 18:14 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-08-29 18:14 . 2010-08-29 18:14 225280 ----a-w- c:\windows\system32\CSInstru.DLL
2010-08-27 19:25 . 2010-08-29 20:24 -------- d-----w- c:\programdata\1418855363
2010-08-27 19:24 . 2010-08-31 20:09 220160 ----a-w- c:\windows\system32\ddraw32.dll
2010-08-23 17:11 . 2010-08-23 17:11 -------- d-----w- c:\users\Lee\AppData\Local\AskToolbar
2010-08-23 17:10 . 2010-08-23 17:10 -------- d-----w- c:\users\Lee\Boris
2010-08-19 21:19 . 2010-08-19 21:19 -------- d-----w- c:\program files\Hornby Hobbies
2010-08-19 21:16 . 2010-08-19 21:18 -------- d-----w- c:\users\Lee\Hornby Virtual Railway Folder
2010-08-12 22:17 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 22:17 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 22:17 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 22:17 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 22:17 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 22:17 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 22:17 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 22:17 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-05 18:38 . 2010-08-05 18:38 -------- d-----w- c:\program files\MSECache
2010-08-03 19:26 . 2010-08-03 19:48 -------- d-----w- c:\users\Lee\Scanned Photos
2010-08-03 19:23 . 2010-08-03 19:23 -------- d-----w- c:\programdata\Ezprint
2010-08-03 19:22 . 2010-08-03 19:48 -------- d-----w- c:\program files\Lx_cats
2010-08-03 19:21 . 2007-01-30 06:32 118272 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxcgpp5c.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-31 20:11 . 2009-10-08 17:07 12 ----a-w- c:\windows\bthservsdp.dat
2010-08-31 20:05 . 2010-06-15 18:48 -------- d-----w- c:\program files\Ask.com
2010-08-31 19:52 . 2010-03-28 09:00 0 ----a-w- c:\users\Lee\AppData\Local\prvlcl.dat
2010-08-31 17:06 . 2010-08-31 17:06 0 ----a-w- c:\users\Lee\AppData\Roaming\6545.tmp
2010-08-30 14:08 . 2010-08-30 14:08 388096 ----a-r- c:\users\Lee\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-29 17:18 . 2010-08-29 17:18 320512 ----a-w- c:\programdata\d3dx10_3732.dll
2010-08-29 17:18 . 2010-08-29 17:18 320512 ----a-w- c:\programdata\d3dx10_3732.dll
2010-08-28 20:52 . 2009-11-08 11:58 -------- d-----w- c:\programdata\avg9
2010-08-27 19:33 . 2009-05-26 09:35 -------- d-----w- c:\users\Lee\AppData\Roaming\FrostWire
2010-08-27 19:24 . 2010-08-27 19:24 320512 ----a-w- c:\programdata\dmutil32.dll
2010-08-27 19:24 . 2010-08-27 19:24 320512 ----a-w- c:\programdata\dmutil32.dll
2010-08-23 18:45 . 2010-04-04 10:44 -------- d-----w- c:\users\Lee\AppData\Roaming\PrimoPDF
2010-08-23 17:11 . 2010-05-10 20:07 -------- d-----w- c:\program files\Mozilla Firefox 3.5
2010-08-22 21:19 . 2006-12-08 07:52 -------- d-----w- c:\program files\Common Files\Java
2010-08-22 21:19 . 2006-12-08 07:52 -------- d-----w- c:\program files\Java
2010-08-22 12:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-21 17:27 . 2006-12-08 07:16 -------- d-----w- c:\programdata\Roxio
2010-08-03 19:23 . 2009-11-21 12:40 -------- d-----w- c:\program files\Lexmark 2300 Series
2010-07-26 21:29 . 2010-07-26 20:28 -------- d-----w- c:\program files\JDownloader
2010-07-17 04:00 . 2010-06-03 18:35 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 17:22 . 2009-05-17 00:25 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 17:22 . 2010-07-15 17:22 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 17:21 . 2009-05-17 00:25 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-07 20:48 . 2010-07-07 20:30 -------- d-----w- c:\users\Lee\AppData\Roaming\Sony
2010-07-07 20:44 . 2010-07-07 20:44 -------- d-----w- c:\program files\Common Files\Sony Shared
2010-07-07 20:43 . 2010-07-07 20:38 -------- d-----w- c:\program files\Sony
2010-07-07 20:42 . 2010-07-07 20:42 10134 ----a-r- c:\users\Lee\AppData\Roaming\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2010-07-07 20:38 . 2010-07-07 20:38 -------- d-----w- c:\programdata\Sony Corporation
2010-07-07 20:30 . 2010-07-07 20:30 -------- d-----w- c:\users\Lee\AppData\Roaming\Sony Setup
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-26 06:05 . 2010-08-12 22:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 22:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-12 22:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 22:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-12 18:02 . 2010-06-12 18:02 655360 ----a-w- c:\users\Lee\AppData\Roaming\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-06-12 18:02 . 2010-06-12 18:02 282624 ----a-w- c:\users\Lee\AppData\Roaming\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-06-12 18:02 . 2010-06-12 18:02 208896 ----a-w- c:\users\Lee\AppData\Roaming\Spotify\Gracenote\gnsdk_dsp.dll
2010-06-11 16:16 . 2010-08-12 22:18 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-06-02 22:03 . 2009-05-17 00:24 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 14:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Lee\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-27 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-11-20 434176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1021224]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-29 205744]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-29 103344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):71,fe,8b,42,62,27,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2009-03-25 86824]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2009-03-25 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2009-03-25 114728]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2009-03-25 106208]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2009-03-25 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2009-03-25 104744]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2009-03-25 109864]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-05-19 721904]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-27 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-20 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-08-29 266240]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3133330365-3398836651-270941216-1000Core.job
- c:\users\Lee\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-27 20:46]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3133330365-3398836651-270941216-1000UA.job
- c:\users\Lee\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-27 20:46]

2010-08-31 c:\windows\Tasks\User_Feed_Synchronization-{B2F50987-206C-4FB5-A5AF-86099DE9C626}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.ask.com?o=14196&l=dis
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\nmggnuvi.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npArtistScopeDRM11.dll
FF - plugin: c:\program files\Sony\Media Go\npmediago.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\users\Lee\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -

BHO-{044CC9E9-2C92-4979-8DCF-8DED49570C0e} - c:\windows\system32\devmgr32.dll
HKCU-Run-FlashGet 3 - c:\program files\FlashGet Network\FlashGet 3\FlashGet3.exe
HKCU-Run-PPAP - c:\programdata\PPLiveVA\Application\PPAP.exe
HKCU-Run-RTHDBPL - c:\users\Lee\AppData\Roaming\SystemProc\lsass.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-31 21:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\users\Lee\AppData\Roaming\SystemProc\lsass.exe???????????????????????????????????#???????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3133330365-3398836651-270941216-1000\Software\SecuROM\License information*]
"datasecu"=hex:30,39,65,bc,cc,5d,93,9d,7f,3e,59,20,77,ea,8a,c0,8f,42,e5,0f,e0,
d1,d8,2e,f7,54,57,ce,06,e8,e5,27,bf,a6,69,97,52,ba,83,c9,a2,ce,88,aa,00,a2,\
"rkeysecu"=hex:97,39,43,ff,2d,b0,71,fc,e5,c0,df,1c,82,2a,17,56

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6628)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\lxcgcoms.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\system32\vssvc.exe
.
**************************************************************************
.
Completion time: 2010-08-31 21:22:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-31 20:22

Pre-Run: 10,552,926,208 bytes free
Post-Run: 10,457,362,432 bytes free

- - End Of File - - 61523363D55846C0A529A6ABC4F3BEEA

Thanks again

Lee

Attached Files


  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo.com/forum/topic/285573-redirected-websites-virus/

Collect::
c:\windows\system32\ddraw32.dll
c:\users\Lee\AppData\Roaming\6545.tmp

Folder::
c:\programdata\1418855363

Suspect::

Save this as CFScript.txt


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

  • 0

#5
leeironmonger

leeironmonger

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Finished the ComboFix scan (with CFScript.txt).

I have attached the log generated.

Lee

Attached Files

  • Attached File  log.txt   18.2KB   50 downloads

  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
don't attach the logs

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#7
leeironmonger

leeironmonger

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Could you please confirm what TFC is, as i have no idea.

thanks

Lee

Sorry...worked out that it is a link to download TFC.

Working through the things to do now.

thanks

Edited by leeironmonger, 01 September 2010 - 01:38 PM.

  • 0

#8
leeironmonger

leeironmonger

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

I am unable to undertake the Kasperspy online scan as it keeps showing errors and telling me that I have to run as administrator (which i have done). This is then followed by "File Operation Failure" telling me that I am not connected to the internet even though I am.

I have completed the MBAM scan and these are the results:-

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4525

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

01/09/2010 20:56:29
mbam-log-2010-09-01 (20-56-29).txt

Scan type: Quick scan
Objects scanned: 136181
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.c...q={searchTerms}) Good: (http://www.google.co...age={startPage}) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Lee\AppData\Roaming\Windows System Defender (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\d3dx10_3732.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\ProgramData\dmutil32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Users\Lee\AppData\Roaming\Windows System Defender\cookies.sqlite (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.
C:\Users\Lee\AppData\Roaming\Windows System Defender\Instructions.ini (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.


Thanks

Lee
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
update mbam run a new quick scan post that log

and do this

* Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

  • 0

#10
leeironmonger

leeironmonger

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

here are the results from the MBAM scan:-

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4525

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

01/09/2010 20:56:29
mbam-log-2010-09-01 (20-56-29).txt

Scan type: Quick scan
Objects scanned: 136181
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.c...q={searchTerms}) Good: (http://www.google.co...age={startPage}) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Lee\AppData\Roaming\Windows System Defender (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\d3dx10_3732.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\ProgramData\dmutil32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Users\Lee\AppData\Roaming\Windows System Defender\cookies.sqlite (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.
C:\Users\Lee\AppData\Roaming\Windows System Defender\Instructions.ini (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.


and here are the results from the ESET Online Scanner:-

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=95d1724ea404e14cbe45c02585fa29a0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-01 10:49:35
# local_time=2010-09-01 11:49:35 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 25698934 25698934 0 0
# compatibility_mode=5892 16776574 100 100 25573767 120909545 0 0
# compatibility_mode=8192 67108863 100 0 127 127 0 0
# scanned=147648
# found=17
# cleaned=17
# scan_time=4557
C:\ProgramData\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoadedt4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoadedt7.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Lee\AppData\Roaming\66CC.tmp.vir a variant of Win32/Kryptik.FCE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Lee\AppData\Roaming\6765.tmp.vir a variant of Win32/Kryptik.FCE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Lee\AppData\Roaming\C1DD.tmp.vir a variant of Win32/Kryptik.FCE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Lee\AppData\Roaming\C2.tmp.vir a variant of Win32/Kryptik.FCE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Lee\AppData\Roaming\SystemProc\lsass.exe.vir Win32/Dursg.B trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\System32\devmgr32.dll.vir a variant of Win32/Kryptik.FCE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Lee\AppData\Local\VirtualStore\WINDOWS\System32\net.net a variant of Win32/TrojanClicker.Punad.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Lee\Desktop\Memory Stick - 01 08 10\Music\06 Track 6.wma WMA/TrojanDownloader.Wimad.D trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Lee\Desktop\Memory Stick - 01 08 10\Music\aquarium camille saint saens.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Lee\Desktop\Memory Stick - 01 08 10\Music\beauty beast intro.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Lee\Desktop\Memory Stick - 01 08 10\Music\betterman robbie williams.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Lee\Desktop\Memory Stick - 01 08 10\Music\Top of Charts - 2004.wma WMA/TrojanDownloader.Wimad.L trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Lee\Incomplete\T-5554522-plan b-stay too long.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Lee\Music\jaguar skills.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


thanks

Lee
  • 0

#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    Posted Image
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.


  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP