Help with HijackThis, please.
Gave you the wrong link, I think (keep the ISO file though, as we may yet use it).
http://dl1.pro.antivir.de/down/windows/tool_en.exe
-
That one worked OK. It's not letting me copy the results to post here though. It came back as no infected files or processes, also no malware found in memory or on hard drives.
-
I'm shocked at that.
SUPERANTISPYWARE next.
Then/or
Download DR WEB'S CURE IT.
It will auto QUICK scan. Then change to a FULL scan.
-
When I click on the SUPERANTISPYWARE link it says Internet Explorer cannot display this page.
When I click on "download file" for DR WEB'S CURE IT nothing happens. I click on the blue line below the toolbar to allow the file to be downloaded, but it doesn't download.
Edit: I clicked the link to download it manually and it has now downloaded and is scanning at the moment.
-
I'd get a friend to download and copy ComboFix and Malwarebytes to a CD or USB drive for you, then copy them over and run ComboFix, followed by Malwarebytes.
Due to your infection I suspect that you are going to get nowhere easily on your machine, as it will fight you at every move.
ComboFix should break the back of it if you can get it onto the PC.
Ex forum ambassador
Long term forum member
-
Glad we've got something running.
-
I am now able to open IE in normal mode.
DR WEB'S CURE IT found 3 infections: Backdoor.Tdss.119 and 2 x Trojan.Packed.444. I rebooted in normal mode but IE could still not display the webpage; it let me run MALWAREBYTES this time, though, and this found no malicious items.
I then ran SPYBOT Search and Destroy and it found Adrevolver x 3, Doubleclick and MediaPlex x 2, which all got deleted. It also found Bearshare and Zlob.DNSChanger x 2, which it said that it couldn't delete as I wasn't the administrator, although I am signed in as the administrator.
After this it has let me access IE in normal mode, but I think there is still a problem with googleads.com.
Thanks.
-
COMBOFIX is next to run.
-
Running from: c:\users\**** ******\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\**** ******\AppData\Roaming\inst.exe
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcexjximfvuxctupbuqvxoefdxwwkystin.dll\resycled
d:\resycled\boot.com
.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.
2009-05-05 20:13 . 2009-05-05 20:13 d-----w c:\users\**** ******\DoctorWeb
2009-05-05 18:16 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 18:16 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 17:09 . 2009-05-04 17:09 d-----w c:\users\**** ******\AppData\Roaming\Systweak
2009-05-04 17:09 . 2009-05-04 17:09 d-----w c:\users\All Users\Systweak
2009-05-04 17:09 . 2009-05-04 17:09 d-----w c:\program files\Systweak
2009-05-04 17:09 . 2008-11-10 18:49 17136 ----a-w c:\windows\system32\sasnative32.exe
2009-05-01 12:02 . 2009-05-01 12:02 d-----w c:\users\**** ******\AppData\Roaming\Media Player Classic
2009-05-01 12:02 . 2009-05-02 11:26 d-----w c:\windows\system32\quicktime
2009-05-01 12:02 . 2009-05-02 11:26 d-----w c:\program files\Common Files\Real
2009-05-01 09:37 . 2009-05-01 09:37 d-----w c:\windows\system32\msmq
2009-04-30 22:16 . 2009-04-30 22:16 d-----w c:\users\*****\AppData\Local\Mozilla
2009-04-27 09:00 . 2009-04-27 09:00 d-----w c:\program files\Vuze
2009-04-22 18:28 . 2009-04-22 18:28 d-----w c:\users\**** ******\AppData\Roaming\Malwarebytes
2009-04-22 18:28 . 2009-04-22 18:28 d-----w c:\users\All Users\Malwarebytes
2009-04-22 18:28 . 2009-05-05 18:16 d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 14:09 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-17 14:09 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-17 14:09 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-17 14:09 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-17 14:09 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-15 07:46 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll
2009-04-15 07:46 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll
2009-04-15 07:46 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-04-15 07:45 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll
2009-04-15 07:45 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll
2009-04-14 12:26 . 2009-04-14 12:28 d-----w c:\program files\Motorola Phone Tools
2009-04-14 12:26 . 2009-04-14 12:45 d-----w c:\users\All Users\BVRP Software
2009-04-14 10:31 . 2007-06-18 15:18 23680 ----a-w c:\windows\system32\drivers\motmodem.sys
2009-04-14 10:31 . 2006-11-13 15:45 1419232 ----a-w c:\windows\system32\wdfcoinstaller01005.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 22:11 . 2008-01-17 21:51 8252 ----a-w c:\windows\bthservsdp.dat
2009-05-05 19:34 . 2008-01-22 10:07 6540 ----a-w c:\users\**** ******\AppData\Local\d3d9caps.dat
2009-05-05 16:09 . 2008-06-04 20:19 d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-30 22:13 . 2009-04-30 22:13 68624 ----a-w c:\users\*****\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-27 08:47 . 2008-01-24 21:13 d-----w c:\program files\BitSpirit
2009-04-27 08:46 . 2008-01-17 22:04 d--h--w c:\program files\InstallShield Installation Information
2009-04-25 07:41 . 2008-01-17 22:16 d-----w c:\program files\Google
2009-04-19 17:41 . 2008-03-23 17:31 d-----w c:\program files\NetMeter
2009-04-18 06:49 . 2006-11-02 11:18 d-----w c:\program files\Windows Mail
2009-04-14 12:29 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-14 12:29 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-14 12:29 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-02 12:59 . 2009-04-02 12:58 d-----w c:\program files\Deluxe Menus Trial
2009-04-01 14:39 . 2009-04-01 14:39 266240 ----a-w c:\windows\system32\CSHelper.exe
2009-04-01 14:39 . 2009-04-01 14:39 225280 ----a-w c:\windows\system32\CSInstru.DLL
2009-03-31 17:36 . 2008-01-24 19:28 d-----w c:\program files\Windows Live
2009-03-31 17:34 . 2009-03-31 17:34 d-----w c:\program files\Microsoft
2009-03-31 17:33 . 2009-03-31 17:33 d-----w c:\program files\Windows Live SkyDrive
2009-03-31 17:28 . 2009-03-31 17:28 d-----w c:\program files\Common Files\Windows Live
2009-03-27 11:06 . 2009-03-27 11:01 24192 ----a-w c:\users\**** ******\usbsermptxp.sys
2009-03-27 11:06 . 2009-03-27 11:01 22768 ----a-w c:\users\**** ******\usbsermpt.sys
2009-03-26 15:36 . 2009-03-26 15:36 d-----w c:\program files\LEGO Company
2009-03-16 09:59 . 2009-03-16 09:25 d-----w c:\program files\PeerGuardian2
2009-03-16 08:40 . 2008-11-14 17:37 d-----w c:\program files\NOS
2009-03-15 12:16 . 2009-03-15 12:16 d-----w c:\program files\Common Files\Adobe AIR
2009-03-15 12:14 . 2009-03-15 12:13 d-----w c:\program files\Common Files\Adobe
2009-03-14 11:43 . 2009-03-14 11:42 d-----w c:\program files\Softonic_English_TC
2009-03-14 11:43 . 2009-03-14 11:43 d-----w c:\program files\Conduit
2009-03-14 11:41 . 2009-03-14 11:41 d-----w c:\program files\DsNET Corp
2009-03-03 04:46 . 2009-04-17 18:51 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 18:51 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 18:51 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 18:51 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 18:51 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 18:51 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 18:51 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 18:51 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 18:51 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-17 18:51 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 03:04 . 2009-04-17 18:51 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 18:51 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 18:51 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-09 03:10 . 2009-03-11 14:35 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2008-10-10 02:49 . 2006-11-02 12:48 174 --sha-w c:\program files\desktop.ini
2008-01-18 05:43 . 2008-01-18 05:31 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-12 39408]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Advanced System Protector"="c:\program files\Systweak\Advanced System Protector\ASP.exe" [2009-03-09 15593704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4F7DC963-5792-4C6E-B125-418929E8FCF8}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{06CD0DFA-CC4E-4204-9680-0C9B33D16CFE}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{80219B46-0815-4B5E-AF49-D433C334C8B6}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{72379E0A-E42A-440E-B382-44FFC17000AF}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{B07EF187-692C-4E8B-88AE-39444505BE51}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{FA272447-580C-4853-8D6D-6305231D8B9D}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{448A619C-5C48-4FC5-A888-F119E58BCB95}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A21CD3FE-2D04-4E19-A12C-3826B9C3560D}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{467CA261-9B01-4179-AE6E-D4E9891B3B1A}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D4729501-BCBA-442D-861D-BC63536F83EA}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9AC7C9F4-8D64-4E22-B45C-092DFB763029}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A0CE1E4D-9EEB-400F-9593-4EF06B723CE5}"= UDP:c:\users\**** ******\Music\**** music!!!!\***** music\LimeWire\LimeWire.exe:LimeWire
"{A111EAC2-C54D-4794-8F4E-4AD56182F51E}"= TCP:c:\users\**** ******\Music\**** music!!!!\**** music\LimeWire\LimeWire.exe:LimeWire
"{A07ED9B8-7666-4407-9626-E39803FC667A}"= UDP:c:\users\**** ******\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{BE0DB480-FE01-40F3-8D62-FBAB7C729A8B}"= TCP:c:\users\**** ******\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{DD7AAD06-7959-4A05-9617-67EA7FBD1D34}"= UDP:c:\program files\Thomson\ST330\service\st330service.exe:ST330 service
"{2CD85511-D86A-4B4D-B7CA-1AD43705F79E}"= TCP:c:\program files\Thomson\ST330\service\st330service.exe:ST330 service
"{78FD33A8-3305-40B8-9132-1A52F66048A1}"= UDP:c:\users\**** ******\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{9F3CFBEB-9E9E-4F90-8C49-6D0C13577270}"= TCP:c:\users\**** ******\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{5CAF2890-C391-4D02-AC81-C1FB48CB4CBE}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{EDE45D59-F768-46EC-B2E8-26A5B621F904}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{61D4216A-D031-4EA9-969E-1028726F8960}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{D27334D4-6F06-43A0-A00B-C2B07051C93D}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{CED8695A-0D70-42B1-9093-3B89276E7B44}"= UDP:c:\windows\System32\lxbccoms.exe:Lexmark Communications System
"{F5114780-EE0C-49A9-A440-8DF217B10FED}"= TCP:c:\windows\System32\lxbccoms.exe:Lexmark Communications System
"{931D45ED-4511-4BCB-8C47-61CCF8F19078}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\LXBCPSWX.EXE:Printer Status Window
"{44F647B8-CBD3-401E-954D-D4A7B21A8A2C}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\LXBCPSWX.EXE:Printer Status Window
"{57693182-4DD3-41CC-AD9C-73B4C959ED8F}"= UDP:c:\users\**** ******\Music\**** music!!!!\**** music\LimeWire.exe:LimeWire
"{2B3FBBA5-05F3-44C5-9614-E96BFAD048E7}"= TCP:c:\users\**** ******\Music\**** music!!!!\**** music\LimeWire.exe:LimeWire
"{E59CD474-2713-4106-853F-007D65642C51}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{924EBDFC-BA80-4BD2-8732-788DE2664F6A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{96238F93-A2AB-4111-878F-2114945071B7}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{353A92C6-3CB1-4E92-B99B-F17FC039EBFB}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{BF386223-E9D2-4FAB-A08A-68BAEE39266A}c:\\program files\\bitspirit\\bitspirit.exe"= UDP:c:\program files\bitspirit\bitspirit.exe:The powerful and easy-to-use BitTorrent Client
"UDP Query User{263DE0D7-FB29-46A8-84DC-20CCD691E462}c:\\program files\\bitspirit\\bitspirit.exe"= TCP:c:\program files\bitspirit\bitspirit.exe:The powerful and easy-to-use BitTorrent Client
"{C4C11B51-67F9-4BFD-A593-44A8553E43C0}"= UDP:c:\program files\TalkTalk\agent\bin\bcont.exe:bcont.exe
"{7E96C5BB-C357-497E-8092-918605B9DEFF}"= TCP:c:\program files\TalkTalk\agent\bin\bcont.exe:bcont.exe
"{A526C31B-A87A-48B2-AB66-8CC5A26AC41A}"= UDP:c:\program files\Common Files\supportsoft\bin\tgsrvc.exe:tgsrvc.exe
"{2257AEAC-509A-40DF-81F5-BB2AF61035D4}"= TCP:c:\program files\Common Files\supportsoft\bin\tgsrvc.exe:tgsrvc.exe
"{83D16269-41A5-43AE-9A32-8CA423FEEE49}"= UDP:c:\program files\TalkTalk\agent\bin\bcont_nm.exe:bcont_nm.exe
"{7201ECBC-C5B0-4AB6-BE3A-3CB30710EF30}"= TCP:c:\program files\TalkTalk\agent\bin\bcont_nm.exe:bcont_nm.exe
"{7A82DB2A-544B-4211-98A3-892EDEB9CFFC}"= UDP:c:\program files\TalkTalk\bin\sprtcmd.exe:sprtcmd.exe
"{439FEA8C-C982-4945-9D79-EF3864BB1097}"= TCP:c:\program files\TalkTalk\bin\sprtcmd.exe:sprtcmd.exe
"{C3A5356A-DDD5-43C2-BCE9-FDED2937A4CE}"= UDP:c:\users\**** ******\Music\**** music!!!!\**** music\LimeWire.exe:LimeWire
"{16BDBAE2-E502-4510-A2D6-C80EECA7593A}"= TCP:c:\users\**** ******\Music\**** music!!!!\**** music\LimeWire.exe:LimeWire
"{55B15EEC-B08C-4C80-B702-AB05EC012F8A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{62BFB7ED-8A78-404C-A229-BDC10BF7C2F2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{CE4488DE-7F2B-4B1F-B401-0DD4E8FCA0C2}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{FEDE7DFD-63B9-4D4A-A606-94B641F55861}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{C28C4C04-4004-4B57-B14D-F5CC44314F22}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{CEDA530C-FDFD-4DB6-B846-C41C14FF51E8}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{F517C9E5-999F-43DE-8764-27100F474F9D}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{6222811B-F841-43D1-824C-64E6A6E379F5}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{DC0DD8D8-3977-4C98-89E0-646E2523197F}"= UDP:c:\users\**** ******\Music\**** music!!!!\FrostWire\FrostWire.exe:FrostWire
"{B4ADE4D9-11D4-4752-9409-331621E98C22}"= TCP:c:\users\**** ******\Music\**** music!!!!\FrostWire\FrostWire.exe:FrostWire
"{BD6AB76A-1A15-43E9-8718-1CF1EDD1863B}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{27813199-EDD0-458C-B089-3256FFF1B592}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{008C9731-A6DC-4D5E-BFC3-8E4DD39C457E}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{44C398E2-9B24-4733-AF02-8BD047E448DC}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{CF09B80A-D8D1-4359-ACB9-0D48F0454FAF}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{9AE8269E-9C5C-444B-BA83-ADB622519971}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{99EEF07B-656E-4926-BE8A-54FB723DE0B9}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{0E5BB2C0-01E6-4A9E-B201-369247DB509B}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{A1FBCF5D-BFD4-4B6F-83C9-4ECA027637A6}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{7B19E9F6-5A05-4029-9021-BE43E2E18379}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{D7DDEC93-193E-42D1-86EC-08D63BDC6481}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8D1609A3-1678-4A92-B25D-7E901153C8D2}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{33706E01-7C66-4F60-B0EC-3D6991587ABC}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{E202B4B5-BC74-489D-B082-2EC6DAAD5C19}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\windows\\system32\\drivers\\etc\\install.exe"= c:\windows\system32\drivers\etc\install.exe:*:Enabled:mIRC
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [15/10/2008 19:16 73728]
R2 CSHelper;CopySafe Helper Service;c:\windows\System32\CSHelper.exe [01/04/2009 15:39 266240]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [24/02/2009 17:17 47640]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [30/03/2008 22:11 810320]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\supportsoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]
R3 BCASPROT;Advanced System Protector;c:\program files\Systweak\Advanced System Protector\sasprot32.sys [04/05/2009 18:09 6656]
S2 gupdate1c95d6df24e8b05;Google Update Service (gupdate1c95d6df24e8b05);c:\program files\Google\Update\GoogleUpdate.exe [13/12/2008 22:58 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [05/05/2009 19:16 38496]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\System32\drivers\ndisprot.sys [21/11/2008 16:37 29192]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c271065-8c77-11dd-9f65-95bf4ef80b72}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20c231bf-8d5f-11dd-8df6-afd03efcc873}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20c231c3-8d5f-11dd-8df6-afd03efcc873}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ebcab39-8b9d-11dd-a038-8f5e749d835b}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47278554-8c14-11dd-8a75-806e6f6e6963}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e92b2f93-8bee-11dd-a060-e9cf0b6ab24c}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e92b2fad-8bee-11dd-a060-e9cf0b6ab24c}]
\shell\AutoRun\command - F:\StartVMCLite.exe
.
Contents of the 'Scheduled Tasks' folder
2008-01-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-13 21:58]
2009-05-05 c:\windows\Tasks\User_Feed_Synchronization-{2F85EA71-EF3E-4448-A035-74C3D1C3A9B1}.job
- c:\windows\system32\msfeedssync.exe [2008-10-01 07:33]
.
-
- - - - ORPHANS REMOVED - - - -
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
WebBrowser-{4FF5F6EA-FFAF-43E5-9A01-361C0893C3E8} - (no file)
.
Supplementary Scan
.
uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\**** ******\AppData\Roaming\Mozilla\Firefox\Profiles\tcbnefhv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2040441&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Softonic_English_TC Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\program files\Mozilla Firefox\extensions\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}\components\FFAlert.dll
FF - component: c:\users\**** ******\AppData\Roaming\Mozilla\Firefox\Profiles\tcbnefhv.default\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}\components\rfproxy_27.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 09:10
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-06 9:12
ComboFix-quarantined-files.txt 2009-05-06 08:12
Pre-Run: 41,161,441,280 bytes free
Post-Run: 41,138,061,312 bytes free
368 --- E O F --- 2009-04-19 18:01
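Added example, not code from this thread or from ComboFix: a small Python triage helper that walks log lines like those in the post above and pulls out the autostart and firewall entries a responder checks first. It flags entries appended to BootExecute beyond the stock `autocheck autochk *` (the `sasnative32` above is exactly that pattern), AppInit_DLLs, Security Center override flags set to 1, firewall allow rules for programs living in Temp, AppData, a user profile or `drivers\etc`, and MountPoints2 AutoRun commands. The sample lines are excerpted from the posted log; the "risky directory" list and the verdicts it implies are heuristics assumed by this example, not a ComboFix feature, and a hit only says "look here", not "malicious".

```python
import re

# Constructed sample: a handful of lines excerpted from the ComboFix log
# posted in this thread, so the helper has something to run on offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"{4F7DC963-5792-4C6E-B125-418929E8FCF8}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{A07ED9B8-7666-4407-9626-E39803FC667A}"= UDP:c:\users\**** ******\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"c:\\windows\\system32\\drivers\\etc\\install.exe"= c:\windows\system32\drivers\etc\install.exe:*:Enabled:mIRC
\shell\AutoRun\command - F:\StartVMCLite.exe
"""

# Stock BootExecute value; anything appended runs before the shell and before
# most security products, which is why rootkits like to hide there.
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}

# Directory fragments a legitimately installed network service rarely lives in.
# Heuristic chosen for this example (assumption), checked in this order.
RISKY_DIR_MARKERS = ("\\temp\\", "\\appdata\\", "\\drivers\\etc\\", "\\users\\")

# First drive-letter path ending in a PE extension inside a registry value.
_PATH_RE = re.compile(r'([a-z]:\\[^:"]+?\.(?:exe|dll|sys))', re.IGNORECASE)


def find_bootexecute_extras(lines):
    """Entries in BootExecute beyond the stock 'autocheck autochk *'."""
    extras = []
    for line in lines:
        if line.startswith("BootExecute"):
            value = line.split("REG_MULTI_SZ", 1)[1].strip()
            # ComboFix prints the NUL separators of a REG_MULTI_SZ as literal \0
            for entry in value.split(r"\0"):
                entry = entry.strip()
                if entry and entry not in DEFAULT_BOOTEXECUTE:
                    extras.append(entry)
    return extras


def find_appinit_dlls(lines):
    """DLLs in AppInit_DLLs: loaded into every process that links user32.dll."""
    dlls = []
    for line in lines:
        if line.startswith('"AppInit_DLLs"='):
            value = line.split("=", 1)[1].strip().strip('"')
            dlls.extend(p for p in re.split(r"[ ,]+", value) if p)
    return dlls


def find_security_center_overrides(lines):
    """Security Center *Override values set to 1 (status reporting suppressed)."""
    names = []
    for line in lines:
        m = re.match(r'"(\w+Override)"=dword:0*1$', line)
        if m:
            names.append(m.group(1))
    return names


def find_firewall_rules_in_risky_paths(lines):
    """Allow rules whose program sits in a user-writable or unusual directory."""
    flagged = []
    for line in lines:
        if '"=' not in line:
            continue
        value = line.split('"=', 1)[1]          # skip the rule's own name/GUID
        m = _PATH_RE.search(value)
        if not m:
            continue
        path = m.group(1).replace("\\\\", "\\").lower()
        reason = next((mk for mk in RISKY_DIR_MARKERS if mk in path), None)
        if reason and (path, reason) not in flagged:
            flagged.append((path, reason))
    return flagged


def find_autorun_commands(lines):
    """AutoRun commands recorded under MountPoints2 (removable-media autorun)."""
    cmds = []
    for line in lines:
        m = re.search(r"\\shell\\AutoRun\\command\s*-\s*(\S.*)$", line)
        if m and m.group(1) not in cmds:
            cmds.append(m.group(1))
    return cmds


def triage(log_text):
    """Run every check over a ComboFix-style log and return the findings."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    return {
        "bootexecute_extras": find_bootexecute_extras(lines),
        "appinit_dlls": find_appinit_dlls(lines),
        "security_center_overrides": find_security_center_overrides(lines),
        "firewall_risky": find_firewall_rules_in_risky_paths(lines),
        "autorun_commands": find_autorun_commands(lines),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(f"{key}: {hits}")
```

Run it against a full saved ComboFix.txt by passing the file contents to `triage()`. On the sample it reports `sasnative32` as the BootExecute extra, both Security Center overrides, the rule for `Installer.exe` in Temp and the `install.exe` under `drivers\etc`; the Google and McAfee entries are deliberately present so the reader sees that the checks are about location, not vendor, and that every hit still needs a human to look at the file.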