Help with Hijack this, please.
I don't know how the smilies got in the first part of the log; I didn't put them in!
Thanks for all your help so far. Is there anything else I should now do?

Open notepad and copy/paste the text in RED below
Registry::
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

Try this again ~
Download HostsXpert
http://www.softpedia.com/get/Security/Security-Related/Hoster.shtml
and then follow the below steps.
* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click the Make Writeable? button.
* click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program
Did you run Spybot's IMMUNISE feature? If not, make sure it reads ZERO unprotected.
Please open Malwarebytes, go to LOGS and post the WHOLE of the log (even though it's clean).
Download SUPERANTISPYWARE (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_superantispyware/
UPDATE and PERFORM COMPLETE SCAN
(Then go to console and LOGS and post the log it created, then untick it from STARTING UP WITH WINDOWS)

ComboFix 09-05-05.04 - 06/05/2009 15:05.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.2037.1152 [GMT 1:00]
Running from: c:\users\\Documents\ComboFix.exe
Command switches used :: c:\users\\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.
2009-05-05 20:13 . 2009-05-05 20:13 d-----w c:\users\\DoctorWeb
2009-05-05 18:16 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 18:16 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 17:09 . 2009-05-04 17:09 d-----w c:\users\\AppData\Roaming\Systweak
2009-05-04 17:09 . 2009-05-04 17:09 d-----w c:\users\All Users\Systweak
2009-05-04 17:09 . 2009-05-04 17:09 d-----w c:\program files\Systweak
2009-05-04 17:09 . 2008-11-10 18:49 17136 ----a-w c:\windows\system32\sasnative32.exe
2009-05-01 12:02 . 2009-05-01 12:02 d-----w c:\users\\AppData\Roaming\Media Player Classic
2009-05-01 12:02 . 2009-05-02 11:26 d-----w c:\windows\system32\quicktime
2009-05-01 12:02 . 2009-05-02 11:26 d-----w c:\program files\Common Files\Real
2009-05-01 09:37 . 2009-05-01 09:37 d-----w c:\windows\system32\msmq
2009-04-30 22:16 . 2009-04-30 22:16 d-----w c:\users\\AppData\Local\Mozilla
2009-04-27 09:00 . 2009-04-27 09:00 d-----w c:\program files\Vuze
2009-04-22 18:28 . 2009-04-22 18:28 d-----w c:\users\\AppData\Roaming\Malwarebytes
2009-04-22 18:28 . 2009-04-22 18:28 d-----w c:\users\All Users\Malwarebytes
2009-04-22 18:28 . 2009-05-05 18:16 d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 14:09 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-17 14:09 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-17 14:09 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-17 14:09 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-17 14:09 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-15 07:46 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll
2009-04-15 07:46 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll
2009-04-15 07:46 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-04-15 07:45 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll
2009-04-15 07:45 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll
2009-04-14 12:26 . 2009-04-14 12:28 d-----w c:\program files\Motorola Phone Tools
2009-04-14 12:26 . 2009-04-14 12:45 d-----w c:\users\All Users\BVRP Software
2009-04-14 10:31 . 2007-06-18 15:18 23680 ----a-w c:\windows\system32\drivers\motmodem.sys
2009-04-14 10:31 . 2006-11-13 15:45 1419232 ----a-w c:\windows\system32\wdfcoinstaller01005.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 11:43 . 2008-01-17 21:51 8252 ----a-w c:\windows\bthservsdp.dat
2009-05-05 19:34 . 2008-01-22 10:07 6540 ----a-w c:\users\\AppData\Local\d3d9caps.dat
2009-05-05 16:09 . 2008-06-04 20:19 d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-30 22:13 . 2009-04-30 22:13 68624 ----a-w c:\users\\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-27 08:47 . 2008-01-24 21:13 d-----w c:\program files\BitSpirit
2009-04-27 08:46 . 2008-01-17 22:04 d--h--w c:\program files\InstallShield Installation Information
2009-04-25 07:41 . 2008-01-17 22:16 d-----w c:\program files\Google
2009-04-19 17:41 . 2008-03-23 17:31 d-----w c:\program files\NetMeter
2009-04-18 06:49 . 2006-11-02 11:18 d-----w c:\program files\Windows Mail
2009-04-14 12:29 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-14 12:29 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-14 12:29 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-02 12:59 . 2009-04-02 12:58 d-----w c:\program files\Deluxe Menus Trial
2009-04-01 14:39 . 2009-04-01 14:39 266240 ----a-w c:\windows\system32\CSHelper.exe
2009-04-01 14:39 . 2009-04-01 14:39 225280 ----a-w c:\windows\system32\CSInstru.DLL
2009-03-31 17:36 . 2008-01-24 19:28 d-----w c:\program files\Windows Live
2009-03-31 17:34 . 2009-03-31 17:34 d-----w c:\program files\Microsoft
2009-03-31 17:33 . 2009-03-31 17:33 d-----w c:\program files\Windows Live SkyDrive
2009-03-31 17:28 . 2009-03-31 17:28 d-----w c:\program files\Common Files\Windows Live
2009-03-27 11:06 . 2009-03-27 11:01 24192 ----a-w c:\users\\usbsermptxp.sys
2009-03-27 11:06 . 2009-03-27 11:01 22768 ----a-w c:\users\\usbsermpt.sys
2009-03-26 15:36 . 2009-03-26 15:36 d-----w c:\program files\LEGO Company
2009-03-16 09:59 . 2009-03-16 09:25 d-----w c:\program files\PeerGuardian2
2009-03-16 08:40 . 2008-11-14 17:37 d-----w c:\program files\NOS
2009-03-15 12:16 . 2009-03-15 12:16 d-----w c:\program files\Common Files\Adobe AIR
2009-03-15 12:14 . 2009-03-15 12:13 d-----w c:\program files\Common Files\Adobe
2009-03-14 11:43 . 2009-03-14 11:42 d-----w c:\program files\Softonic_English_TC
2009-03-14 11:43 . 2009-03-14 11:43 d-----w c:\program files\Conduit
2009-03-14 11:41 . 2009-03-14 11:41 d-----w c:\program files\DsNET Corp
2009-03-03 04:46 . 2009-04-17 18:51 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 18:51 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 18:51 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 18:51 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 18:51 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 18:51 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 18:51 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 18:51 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 18:51 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-17 18:51 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 03:04 . 2009-04-17 18:51 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 18:51 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 18:51 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-09 03:10 . 2009-03-11 14:35 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2008-10-10 02:49 . 2006-11-02 12:48 174 --sha-w c:\program files\desktop.ini
2008-01-18 05:43 . 2008-01-18 05:31 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-05-06_08.10.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-17 22:03 . 2009-05-06 11:46 78438 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-05-06 11:46 91086 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-22 10:08 . 2009-05-06 11:46 18454 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-851576316-2899959154-1967201376-1000_UserData.bin
+ 2008-01-22 10:06 . 2009-05-06 11:44 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-22 10:06 . 2009-05-06 06:38 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-22 10:06 . 2009-05-06 11:44 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-22 10:06 . 2009-05-06 06:38 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-22 10:06 . 2009-05-06 11:44 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-22 10:06 . 2009-05-06 06:38 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-05-06 06:38 . 2009-05-06 06:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-06 11:44 . 2009-05-06 11:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-06 11:44 . 2009-05-06 11:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-05-06 06:38 . 2009-05-06 06:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-12 39408]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Advanced System Protector"="c:\program files\Systweak\Advanced System Protector\ASP.exe" [2009-03-09 15593704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4F7DC963-5792-4C6E-B125-418929E8FCF8}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{06CD0DFA-CC4E-4204-9680-0C9B33D16CFE}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{80219B46-0815-4B5E-AF49-D433C334C8B6}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{72379E0A-E42A-440E-B382-44FFC17000AF}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{B07EF187-692C-4E8B-88AE-39444505BE51}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{FA272447-580C-4853-8D6D-6305231D8B9D}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{448A619C-5C48-4FC5-A888-F119E58BCB95}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A21CD3FE-2D04-4E19-A12C-3826B9C3560D}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{467CA261-9B01-4179-AE6E-D4E9891B3B1A}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D4729501-BCBA-442D-861D-BC63536F83EA}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9AC7C9F4-8D64-4E22-B45C-092DFB763029}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A0CE1E4D-9EEB-400F-9593-4EF06B723CE5}"= UDP:c:\users\\Music\ music!!!!\ music\LimeWire\LimeWire.exe:LimeWire
"{A111EAC2-C54D-4794-8F4E-4AD56182F51E}"= TCP:c:\users\\Music\ music!!!!\ music\LimeWire\LimeWire.exe:LimeWire
"{A07ED9B8-7666-4407-9626-E39803FC667A}"= UDP:c:\users\\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{BE0DB480-FE01-40F3-8D62-FBAB7C729A8B}"= TCP:c:\users\\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{DD7AAD06-7959-4A05-9617-67EA7FBD1D34}"= UDP:c:\program files\Thomson\ST330\service\st330service.exe:ST330 service
"{2CD85511-D86A-4B4D-B7CA-1AD43705F79E}"= TCP:c:\program files\Thomson\ST330\service\st330service.exe:ST330 service
"{78FD33A8-3305-40B8-9132-1A52F66048A1}"= UDP:c:\users\\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{9F3CFBEB-9E9E-4F90-8C49-6D0C13577270}"= TCP:c:\users\\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{5CAF2890-C391-4D02-AC81-C1FB48CB4CBE}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{EDE45D59-F768-46EC-B2E8-26A5B621F904}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{61D4216A-D031-4EA9-969E-1028726F8960}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{D27334D4-6F06-43A0-A00B-C2B07051C93D}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{CED8695A-0D70-42B1-9093-3B89276E7B44}"= UDP:c:\windows\System32\lxbccoms.exe:Lexmark Communications System
"{F5114780-EE0C-49A9-A440-8DF217B10FED}"= TCP:c:\windows\System32\lxbccoms.exe:Lexmark Communications System
"{931D45ED-4511-4BCB-8C47-61CCF8F19078}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\LXBCPSWX.EXE:Printer Status Window
"{44F647B8-CBD3-401E-954D-D4A7B21A8A2C}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\LXBCPSWX.EXE:Printer Status Window
"{57693182-4DD3-41CC-AD9C-73B4C959ED8F}"= UDP:c:\users\\Music\ music!!!!\ music\LimeWire.exe:LimeWire
"{2B3FBBA5-05F3-44C5-9614-E96BFAD048E7}"= TCP:c:\users\\Music\ music!!!!\ music\LimeWire.exe:LimeWire
"{E59CD474-2713-4106-853F-007D65642C51}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{924EBDFC-BA80-4BD2-8732-788DE2664F6A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{96238F93-A2AB-4111-878F-2114945071B7}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{353A92C6-3CB1-4E92-B99B-F17FC039EBFB}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{BF386223-E9D2-4FAB-A08A-68BAEE39266A}c:\\program files\\bitspirit\\bitspirit.exe"= UDP:c:\program files\bitspirit\bitspirit.exe:The powerful and easy-to-use BitTorrent Client
"UDP Query User{263DE0D7-FB29-46A8-84DC-20CCD691E462}c:\\program files\\bitspirit\\bitspirit.exe"= TCP:c:\program files\bitspirit\bitspirit.exe:The powerful and easy-to-use BitTorrent Client
"{C4C11B51-67F9-4BFD-A593-44A8553E43C0}"= UDP:c:\program files\TalkTalk\agent\bin\bcont.exe:bcont.exe
"{7E96C5BB-C357-497E-8092-918605B9DEFF}"= TCP:c:\program files\TalkTalk\agent\bin\bcont.exe:bcont.exe
"{A526C31B-A87A-48B2-AB66-8CC5A26AC41A}"= UDP:c:\program files\Common Files\supportsoft\bin\tgsrvc.exe:tgsrvc.exe
"{2257AEAC-509A-40DF-81F5-BB2AF61035D4}"= TCP:c:\program files\Common Files\supportsoft\bin\tgsrvc.exe:tgsrvc.exe
"{83D16269-41A5-43AE-9A32-8CA423FEEE49}"= UDP:c:\program files\TalkTalk\agent\bin\bcont_nm.exe:bcont_nm.exe
"{7201ECBC-C5B0-4AB6-BE3A-3CB30710EF30}"= TCP:c:\program files\TalkTalk\agent\bin\bcont_nm.exe:bcont_nm.exe
"{7A82DB2A-544B-4211-98A3-892EDEB9CFFC}"= UDP:c:\program files\TalkTalk\bin\sprtcmd.exe:sprtcmd.exe
"{439FEA8C-C982-4945-9D79-EF3864BB1097}"= TCP:c:\program files\TalkTalk\bin\sprtcmd.exe:sprtcmd.exe
"{C3A5356A-DDD5-43C2-BCE9-FDED2937A4CE}"= UDP:c:\users\\Music\ music!!!!\ music\LimeWire.exe:LimeWire
"{16BDBAE2-E502-4510-A2D6-C80EECA7593A}"= TCP:c:\users\\Music\ music!!!!\ music\LimeWire.exe:LimeWire
"{55B15EEC-B08C-4C80-B702-AB05EC012F8A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{62BFB7ED-8A78-404C-A229-BDC10BF7C2F2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{CE4488DE-7F2B-4B1F-B401-0DD4E8FCA0C2}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{FEDE7DFD-63B9-4D4A-A606-94B641F55861}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{C28C4C04-4004-4B57-B14D-F5CC44314F22}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{CEDA530C-FDFD-4DB6-B846-C41C14FF51E8}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{F517C9E5-999F-43DE-8764-27100F474F9D}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{6222811B-F841-43D1-824C-64E6A6E379F5}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe:RoxioUpnpService9
"{DC0DD8D8-3977-4C98-89E0-646E2523197F}"= UDP:c:\users\Andy phillips\Music\matthews music!!!!\FrostWire\FrostWire.exe:FrostWire
"{B4ADE4D9-11D4-4752-9409-331621E98C22}"= TCP:c:\users\Andy phillips\Music\matthews music!!!!\FrostWire\FrostWire.exe:FrostWire
"{BD6AB76A-1A15-43E9-8718-1CF1EDD1863B}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{27813199-EDD0-458C-B089-3256FFF1B592}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{008C9731-A6DC-4D5E-BFC3-8E4DD39C457E}"= UDP:c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{44C398E2-9B24-4733-AF02-8BD047E448DC}"= TCP:c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{CF09B80A-D8D1-4359-ACB9-0D48F0454FAF}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{9AE8269E-9C5C-444B-BA83-ADB622519971}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{99EEF07B-656E-4926-BE8A-54FB723DE0B9}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{0E5BB2C0-01E6-4A9E-B201-369247DB509B}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{A1FBCF5D-BFD4-4B6F-83C9-4ECA027637A6}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{7B19E9F6-5A05-4029-9021-BE43E2E18379}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{D7DDEC93-193E-42D1-86EC-08D63BDC6481}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8D1609A3-1678-4A92-B25D-7E901153C8D2}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{33706E01-7C66-4F60-B0EC-3D6991587ABC}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{E202B4B5-BC74-489D-B082-2EC6DAAD5C19}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\windows\\system32\\drivers\\etc\\install.exe"= c:\windows\system32\drivers\etc\install.exe:*:Enabled:mIRC
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [15/10/2008 19:16 73728]
R2 CSHelper;CopySafe Helper Service;c:\windows\System32\CSHelper.exe [01/04/2009 15:39 266240]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [24/02/2009 17:17 47640]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [30/03/2008 22:11 810320]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\supportsoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]
R3 BCASPROT;Advanced System Protector;c:\program files\Systweak\Advanced System Protector\sasprot32.sys [04/05/2009 18:09 6656]
S2 gupdate1c95d6df24e8b05;Google Update Service (gupdate1c95d6df24e8b05);c:\program files\Google\Update\GoogleUpdate.exe [13/12/2008 22:58 133104]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\System32\drivers\ndisprot.sys [21/11/2008 16:37 29192]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c271065-8c77-11dd-9f65-95bf4ef80b72}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20c231bf-8d5f-11dd-8df6-afd03efcc873}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20c231c3-8d5f-11dd-8df6-afd03efcc873}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ebcab39-8b9d-11dd-a038-8f5e749d835b}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47278554-8c14-11dd-8a75-806e6f6e6963}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e92b2f93-8bee-11dd-a060-e9cf0b6ab24c}]
\shell\AutoRun\command - F:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e92b2fad-8bee-11dd-a060-e9cf0b6ab24c}]
\shell\AutoRun\command - F:\StartVMCLite.exe
.
Contents of the 'Scheduled Tasks' folder
2008-01-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-13 21:58]
2009-05-05 c:\windows\Tasks\User_Feed_Synchronization-{2F85EA71-EF3E-4448-A035-74C3D1C3A9B1}.job
- c:\windows\system32\msfeedssync.exe [2008-10-01 07:33]
.
.

Supplementary Scan
.
uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\\AppData\Roaming\Mozilla\Firefox\Profiles\tcbnefhv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2040441&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Softonic_English_TC Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\program files\Mozilla Firefox\extensions\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}\components\FFAlert.dll
FF - component: c:\users\\AppData\Roaming\Mozilla\Firefox\Profiles\tcbnefhv.default\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}\components\rfproxy_27.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 15:08
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
DLLs Loaded Under Running Processes
- - - - - - - > 'Explorer.exe'(948)
c:\windows\system32\btncopy.dll
.
Completion time: 2009-05-06 15:10
ComboFix-quarantined-files.txt 2009-05-06 14:10
ComboFix2.txt 2009-05-06 08:12
Pre-Run: 41,428,807,680 bytes free
Post-Run: 41,377,775,616 bytes free
368 --- E O F --- 2009-04-19 18:01
-
Have to go out now so will do the rest when I get back.
-
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1
06/05/2009 12:41:59
mbam-log-2009-05-06 (12-41-59).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 246712
Time elapsed: 2 hour(s), 41 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.150 85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{54c47cd1-44c2-4248-ab52-6e5f929c94ec}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.150 85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.150 85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{54c47cd1-44c2-4248-ab52-6e5f929c94ec}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.150 85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.150 85.255.112.148 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{54c47cd1-44c2-4248-ab52-6e5f929c94ec}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.150 85.255.112.148 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Try this again ~
Download HostsXpert
http://www.softpedia.com/get/Security/Security-Related/Hoster.shtml
and then follow the below steps.
* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* Click the Make Writeable? button.
* Click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program
Did you run Spybot's IMMUNISE feature? If not, make sure it reads ZERO unprotected.
Please open Malwarebytes, go to LOGS and post the WHOLE of the log (even though it's clean).
Download SUPERANTISPYWARE (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_superantispyware/
UPDATE and PERFORM COMPLETE SCAN
(Then go to console and LOGS and post the log it created, then untick it from STARTING UP WITH WINDOWS)
I am having trouble with downloading HostsXpert; what exactly do I click on after clicking on your link? Whatever I click on, it opens a Word document that I can't read.
The Malwarebytes log is now posted.
SUPERANTISPYWARE wouldn't let me update it but it is now running a complete scan.
I don't know if I ran Spybot's IMMUNISE feature; I will check this once the SUPERANTISPYWARE scan is finished.
-
I think you might be downloading the wrong file.
Here's a direct link ~
http://download.softpedia.com/dl/ba21b51853a49d6baa68e5c6f553981e/4a01ede2/100027041/software/system/HostsXpert.zip
-
Please update MALWAREBYTES as you're using old definition files (currently 2085, yours is Database version: 1945) and run another full scan.
This discussion has been closed.