XP won't shut down properly
Please UPDATE malwarebytes and run a FULL scan as originally requested.

Here is the log from the full scan after I updated Malwarebytes:
Malwarebytes' Anti-Malware 1.46
https://www.malwarebytes.org
Database version: 4236
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
25/06/2010 09:00:32
mbam-log-2010-06-25 (09-00-32).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 224103
Time elapsed: 42 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
(If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)

Hi Alienrik,
Hope this means something to you:
ComboFix 10-06-26.02 - Steven 27/06/2010 11:22:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.438 [GMT 1:00]
Running from: c:\documents and settings\Steven\My Documents\Downloads\ComboFix.exe
AV: AVG 7.5.488 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Steven\LOCALS~1\Temp\swtlib-32\swt-gdip-win32-3550.dll
c:\docume~1\Steven\LOCALS~1\Temp\swtlib-32\swt-win32-3550.dll
c:\documents and settings\Steven\Local Settings\Temp\swtlib-32\swt-gdip-win32-3550.dll
c:\documents and settings\Steven\Local Settings\Temp\swtlib-32\swt-win32-3550.dll
C:\ipconfig.txt
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\fse
c:\temp\fse\tmpZTF.log
c:\windows\recover.reg
c:\windows\system32\configs
c:\windows\system32\f10WtR
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_FOPN
((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.
2010-06-24 08:55 . 2010-06-24 08:55 d-----w- c:\program files\Trend Micro
2010-06-24 07:39 . 2010-06-24 07:39 d-----w- c:\documents and settings\Steven\Application Data\Malwarebytes
2010-06-24 07:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 07:38 . 2010-06-24 07:51 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 07:38 . 2010-06-24 07:38 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 07:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\program files\McAfee Security Scan
2010-06-23 09:24 . 2010-06-23 09:24 37084 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-23 08:22 . 2010-06-23 08:22 d-----w- c:\program files\iPod
2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\program files\iTunes
2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-23 08:16 . 2010-06-23 08:16 d-----w- c:\program files\Bonjour
2010-06-23 07:36 . 2010-06-23 07:36 d-----w- c:\program files\ERUNT
2010-06-23 07:22 . 2010-06-23 07:22 d-----w- c:\program files\CCleaner
2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\documents and settings\Steven\Application Data\Mp3tag
2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\program files\Mp3tag
2010-06-21 10:30 . 2010-06-21 10:35 d-----w- c:\program files\UPHClean
2010-06-16 09:05 . 2010-06-16 09:05 d-----w- c:\program files\Windows Installer Clean Up
2010-06-16 09:04 . 2010-06-16 09:04 d-----w- c:\program files\MSECACHE
2010-06-11 11:36 . 2010-06-11 11:36 d-----w- c:\documents and settings\Steven\Application Data\Scrabble Plus
2010-06-11 11:35 . 2010-06-11 11:35 d-----w- c:\program files\Games
2010-06-08 13:25 . 2010-06-08 13:25 d-----w- c:\program files\NCH Software
2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\documents and settings\Steven\Application Data\Trusteer
2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\program files\Trusteer
2010-06-03 07:54 . 2010-06-03 07:54 d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-06-02 15:45 . 2010-06-02 15:45 d--h--w- c:\windows\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 10:28 . 2007-01-28 14:59 d-----w- c:\documents and settings\Steven\Application Data\Azureus
2010-06-24 08:55 . 2010-06-24 08:55 388096 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-24 07:33 . 2006-04-13 09:28 d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-23 09:03 . 2006-07-03 09:52 d-----w- c:\documents and settings\Steven\Application Data\Apple Computer
2010-06-23 08:22 . 2008-01-27 15:47 d-----w- c:\program files\Common Files\Apple
2010-06-23 08:20 . 2006-07-03 09:51 d-----w- c:\program files\QuickTime
2010-06-23 08:13 . 2010-06-23 08:13 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-16 09:05 . 2010-06-16 09:05 3584 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-09 10:02 . 2006-05-06 15:11 d-----w- c:\program files\Dl_cats
2010-06-08 09:43 . 2006-04-13 09:22 d--h--w- c:\program files\InstallShield Installation Information
2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\documents and settings\Steven\Application Data\Jasc Software Inc
2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\program files\Jasc Software Inc
2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Common Files\Sonic Shared
2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Dell
2010-06-08 09:37 . 2006-04-13 09:24 d-----w- c:\program files\Corel
2010-06-07 09:37 . 2006-04-29 18:13 5904 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-07 09:37 . 2006-04-29 18:13 104 --sh--r- c:\windows\system32\D8B1BDD4AC.sys
2010-05-27 12:53 . 2010-05-27 12:53 d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\program files\NCH Swift Sound
2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\documents and settings\Steven\Application Data\NCH Swift Sound
2010-05-27 11:56 . 2010-05-27 11:56 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-05-26 09:26 . 2010-05-26 09:26 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcp71.dll
2010-05-26 09:26 . 2010-05-26 09:26 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\jmc.dll
2010-05-26 09:26 . 2010-05-26 09:26 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcr71.dll
2010-05-26 09:26 . 2010-05-26 09:26 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-sse.dll
2010-05-26 09:26 . 2010-05-26 09:26 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-d3d.dll
2010-05-22 11:57 . 2007-01-28 14:58 d-----w- c:\program files\Azureus
2010-05-21 13:34 . 2010-05-21 13:34 d-----w- c:\documents and settings\Steven\Application Data\vlc
2010-05-21 13:32 . 2010-05-21 13:32 d-----w- c:\program files\VideoLAN
2010-05-21 13:27 . 2006-04-13 09:21 d-----w- c:\program files\InterActual
2010-05-21 10:45 . 2006-04-29 18:13 44376 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\MSBuild
2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\Reference Assemblies
2010-05-14 16:49 . 2006-07-30 12:51 d-----w- c:\program files\Google
2010-05-14 16:49 . 2010-05-14 16:49 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcp71.dll
2010-05-14 16:49 . 2010-05-14 16:49 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\jmc.dll
2010-05-14 16:49 . 2010-05-14 16:49 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcr71.dll
2010-05-14 16:49 . 2010-05-14 16:49 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-sse.dll
2010-05-14 16:49 . 2010-05-14 16:49 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-d3d.dll
2010-05-14 16:49 . 2010-05-14 16:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 16:49 . 2006-04-13 09:16 d-----w- c:\program files\Java
2010-05-14 16:25 . 2010-05-14 16:25 d-----w- c:\program files\MSXML 4.0
2010-05-04 17:20 . 2005-08-16 03:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 03:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 03:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 03:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 03:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-30 23:16 . 2010-03-30 23:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-30 23:10 . 2010-03-30 23:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-02-12 11:24 . 2010-02-12 11:24 251 ----a-w- c:\program files\wt3d.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-15 192512]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-18 185896]
"WireLessMouse"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
"WireLessKeyboard"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Steven\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-13 24576]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-9-5 1531904]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-7-9 1134592]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\RALINK\\Common\\ApUI.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [27/05/2010 12:56 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [27/05/2010 12:56 166632]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [27/05/2010 12:56 840936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/05/2010 17:49 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2008-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]
2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]
2010-06-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]
2008-09-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]
2010-06-22 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-27 12:52]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.tiscali.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/support/itunes/hottips/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: {10F514B7-457B-4322-A456-9721E884AAEE} = 62.24.128.191 62.24.128.190
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&client_id=787eac05f848940898a426a4&camp_id=-3&install_time=2010-05-22T11:36Z&tb_version=2.4.2000%28F%29&pr=auto&q=
FF - component: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 11:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-4118611697-1528870311-3673466176-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(5680)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
.
Other Running Processes
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\program files\Google\Web Accelerator\googlewebaccclient.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-27 11:37:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-27 10:36
Pre-Run: 50,221,674,496 bytes free
Post-Run: 50,315,341,824 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - 7EE3DDDB9B4668930F1B9D44F84A395F
Thanks again!

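Reading a ComboFix log by hand means going line by line through the Reg Loading Points, the Run keys and the Firefox prefs looking for entries that do not belong. As an added example (not from this thread, and not a ComboFix feature), the Python below pulls the Run-style autostart values and the Firefox search preferences out of a log in the format posted above and flags the entries a reader would check first: bare file names that get resolved through the loader's search path, entries under Temp or Application Data, DLLs registered as autostarts, and search prefs whose target is not the expected engine. The regexes, the flagging heuristics and the expected-engine lists are this example's own assumptions; the sample excerpt is constructed from lines of the posted log plus one synthetic Temp entry that was not in it.

```python
"""Triage the autostart and browser-search lines of a ComboFix log.
Added example; regexes and heuristics are assumptions, not ComboFix's own."""
import re
from urllib.parse import urlparse

# Registry key header as ComboFix prints it, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Autostart value line: "name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# Firefox preference line: FF - prefs.js: <pref> - <value>
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$")

# Heuristics (assumptions for this example, not ComboFix's verdicts).
USER_WRITABLE_HINTS = ("\\temp\\", "\\application data\\", "\\local settings\\")
SEARCH_PREFS = ("keyword.URL", "browser.search.defaulturl", "browser.search.selectedEngine")
EXPECTED_SEARCH_HOSTS = ("www.google.com", "search.yahoo.com", "www.bing.com")
EXPECTED_ENGINES = ("Google", "Yahoo", "Bing")


def parse_autostarts(log_text):
    """Return every Run-style entry together with the registry key it sits under."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        rm = RUN_RE.match(line)
        if rm and key:
            entries.append({"key": key, "name": rm["name"], "path": rm["path"],
                            "date": rm["date"], "size": int(rm["size"])})
    return entries


def triage_autostart(entry):
    """Reasons an autostart entry deserves a second look (empty list if none)."""
    path = entry["path"].lower()
    reasons = []
    if "\\" not in path:
        # Bare file name: located through the search order at logon, so it is
        # worth confirming which file on disk actually answers to that name.
        reasons.append("relative path (resolved via search order)")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        reasons.append("lives in a user-writable location")
    if path.endswith(".dll"):
        reasons.append("DLL autostart (loaded through rundll32)")
    return reasons


def triage_firefox_prefs(log_text):
    """Search-related prefs whose target is not one of the expected engines."""
    findings = []
    for raw in log_text.splitlines():
        m = FF_PREF_RE.match(raw.strip())
        if not m or m["pref"] not in SEARCH_PREFS:
            continue
        pref, value = m["pref"], m["value"]
        if value.startswith("hxxp"):  # ComboFix defangs URLs as hxxp://
            host = urlparse(value.replace("hxxp", "http", 1)).hostname
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append((pref, host))
        elif value not in EXPECTED_ENGINES:
            findings.append((pref, value))
    return findings


def triage(log_text):
    """Both checks in one report: flagged autostarts by name, plus Firefox hits."""
    flagged = {}
    for entry in parse_autostarts(log_text):
        reasons = triage_autostart(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return {"autostarts": flagged, "firefox": triage_firefox_prefs(log_text)}


# Constructed excerpt: lines copied from the log posted above, plus the
# "TempLauncher" line, which is synthetic (NOT in the posted log) and exists
# only to exercise the user-writable-location heuristic.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"TempLauncher"="c:\documents and settings\Steven\Local Settings\Temp\launch.exe" [2010-06-20 12288]
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&q=
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, reasons in report["autostarts"].items():
        print(f"{name}: {'; '.join(reasons)}")
    for pref, target in report["firefox"]:
        print(f"{pref} -> {target}")
```

To run it over a real log, replace SAMPLE_LOG with the contents of ComboFix.txt. A hit is a prompt to look at that file or preference, not a verdict: stsystra.exe, for instance, is flagged only because the Run value names it without a directory, and the Other Running Processes section above shows which copy was actually loaded.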
Open notepad and copy/paste the text in RED below
File::
c:\program files\wt3d.ini
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
Combofix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
............................................
I'd also recommend you remove 'google web accelerator'.

Here is the new log from ComboFix:
ComboFix 10-06-26.02 - Steven 27/06/2010 13:08:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.294 [GMT 1:00]
Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt
AV: AVG 7.5.488 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
FILE ::
"c:\program files\wt3d.ini"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Steven\LOCALS~1\Temp\swtlib-32\swt-gdip-win32-3550.dll
c:\docume~1\Steven\LOCALS~1\Temp\swtlib-32\swt-win32-3550.dll
c:\documents and settings\Steven\Local Settings\Temp\swtlib-32\swt-gdip-win32-3550.dll
c:\documents and settings\Steven\Local Settings\Temp\swtlib-32\swt-win32-3550.dll
c:\program files\wt3d.ini
.
((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.
2010-06-24 08:55 . 2010-06-24 08:55 d-----w- c:\program files\Trend Micro
2010-06-24 07:39 . 2010-06-24 07:39 d-----w- c:\documents and settings\Steven\Application Data\Malwarebytes
2010-06-24 07:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 07:38 . 2010-06-24 07:51 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 07:38 . 2010-06-24 07:38 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 07:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\program files\McAfee Security Scan
2010-06-23 09:24 . 2010-06-23 09:24 37084 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-23 08:22 . 2010-06-23 08:22 d-----w- c:\program files\iPod
2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\program files\iTunes
2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-23 08:16 . 2010-06-23 08:16 d-----w- c:\program files\Bonjour
2010-06-23 07:36 . 2010-06-23 07:36 d-----w- c:\program files\ERUNT
2010-06-23 07:22 . 2010-06-23 07:22 d-----w- c:\program files\CCleaner
2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\documents and settings\Steven\Application Data\Mp3tag
2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\program files\Mp3tag
2010-06-21 10:30 . 2010-06-21 10:35 d-----w- c:\program files\UPHClean
2010-06-16 09:05 . 2010-06-16 09:05 d-----w- c:\program files\Windows Installer Clean Up
2010-06-16 09:04 . 2010-06-16 09:04 d-----w- c:\program files\MSECACHE
2010-06-11 11:36 . 2010-06-11 11:36 d-----w- c:\documents and settings\Steven\Application Data\Scrabble Plus
2010-06-11 11:35 . 2010-06-11 11:35 d-----w- c:\program files\Games
2010-06-08 13:25 . 2010-06-08 13:25 d-----w- c:\program files\NCH Software
2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\documents and settings\Steven\Application Data\Trusteer
2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\program files\Trusteer
2010-06-03 07:54 . 2010-06-03 07:54 d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-06-02 15:45 . 2010-06-02 15:45 d--h--w- c:\windows\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 12:16 . 2007-01-28 14:59 d-----w- c:\documents and settings\Steven\Application Data\Azureus
2010-06-27 11:08 . 2006-07-30 12:51 d-----w- c:\program files\Google
2010-06-24 08:55 . 2010-06-24 08:55 388096 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-24 07:33 . 2006-04-13 09:28 d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-23 09:03 . 2006-07-03 09:52 d-----w- c:\documents and settings\Steven\Application Data\Apple Computer
2010-06-23 08:22 . 2008-01-27 15:47 d-----w- c:\program files\Common Files\Apple
2010-06-23 08:20 . 2006-07-03 09:51 d-----w- c:\program files\QuickTime
2010-06-23 08:13 . 2010-06-23 08:13 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-16 09:05 . 2010-06-16 09:05 3584 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-09 10:02 . 2006-05-06 15:11 d-----w- c:\program files\Dl_cats
2010-06-08 09:43 . 2006-04-13 09:22 d--h--w- c:\program files\InstallShield Installation Information
2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\documents and settings\Steven\Application Data\Jasc Software Inc
2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\program files\Jasc Software Inc
2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Common Files\Sonic Shared
2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Dell
2010-06-08 09:37 . 2006-04-13 09:24 d-----w- c:\program files\Corel
2010-06-07 09:37 . 2006-04-29 18:13 5904 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-07 09:37 . 2006-04-29 18:13 104 --sh--r- c:\windows\system32\D8B1BDD4AC.sys
2010-05-27 12:53 . 2010-05-27 12:53 d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\program files\NCH Swift Sound
2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\documents and settings\Steven\Application Data\NCH Swift Sound
2010-05-27 11:56 . 2010-05-27 11:56 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-05-26 09:26 . 2010-05-26 09:26 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcp71.dll
2010-05-26 09:26 . 2010-05-26 09:26 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\jmc.dll
2010-05-26 09:26 . 2010-05-26 09:26 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcr71.dll
2010-05-26 09:26 . 2010-05-26 09:26 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-sse.dll
2010-05-26 09:26 . 2010-05-26 09:26 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-d3d.dll
2010-05-22 11:57 . 2007-01-28 14:58 d-----w- c:\program files\Azureus
2010-05-21 13:34 . 2010-05-21 13:34 d-----w- c:\documents and settings\Steven\Application Data\vlc
2010-05-21 13:32 . 2010-05-21 13:32 d-----w- c:\program files\VideoLAN
2010-05-21 13:27 . 2006-04-13 09:21 d-----w- c:\program files\InterActual
2010-05-21 10:45 . 2006-04-29 18:13 44376 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\MSBuild
2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\Reference Assemblies
2010-05-14 16:49 . 2010-05-14 16:49 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcp71.dll
2010-05-14 16:49 . 2010-05-14 16:49 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\jmc.dll
2010-05-14 16:49 . 2010-05-14 16:49 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcr71.dll
2010-05-14 16:49 . 2010-05-14 16:49 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-sse.dll
2010-05-14 16:49 . 2010-05-14 16:49 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-d3d.dll
2010-05-14 16:49 . 2010-05-14 16:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 16:49 . 2006-04-13 09:16 d-----w- c:\program files\Java
2010-05-14 16:25 . 2010-05-14 16:25 d-----w- c:\program files\MSXML 4.0
2010-05-04 17:20 . 2005-08-16 03:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 03:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 03:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 03:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 03:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-30 23:16 . 2010-03-30 23:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-30 23:10 . 2010-03-30 23:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-15 192512]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-18 185896]
"WireLessMouse"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
"WireLessKeyboard"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Steven\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-13 24576]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-9-5 1531904]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\RALINK\\Common\\ApUI.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [27/05/2010 12:56 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [27/05/2010 12:56 166632]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [27/05/2010 12:56 840936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/05/2010 17:49 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2008-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]
2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]
2010-06-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]
2008-09-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]
2010-06-22 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-27 12:52]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.tiscali.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/support/itunes/hottips/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: {10F514B7-457B-4322-A456-9721E884AAEE} = 62.24.243.1 62.24.243.2
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&client_id=787eac05f848940898a426a4&camp_id=-3&install_time=2010-05-22T11:36Z&tb_version=2.4.2000%28F%29&pr=auto&q=
FF - component: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 13:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-4118611697-1528870311-3673466176-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(5364)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
.
Other Running Processes
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-27 13:24:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-27 12:24
ComboFix2.txt 2010-06-27 10:37
Pre-Run: 49,452,199,936 bytes free
Post-Run: 49,448,718,336 bytes free
- - End Of File - - C96B4F984BDC9A75A8DD0B90513E657E
I also removed Google web accelerator as you requested.0 -
I'd also recommend uninstalling 'REGCURE'
Give the system a clean ~
Download CCLEANER
http://www.piriform.com/ccleaner/download/slim
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
.................................................................................................................
The rerun of ComboFix removed even more items, so I've rechecked the logs
Open notepad and copy/paste the text in RED below
File::
c:\windows\system32\dnssd.dll
c:\windows\system32\dnssdX.dll
c:\windows\system32\dns-sd.exe
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\D8B1BDD4AC.sys
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
ComboFix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.:idea:0
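Rechecking a ComboFix log by eye, as the helper above describes doing, is slow when the log runs to several hundred lines. The Python script below is an added illustration for this thread, not part of the forum posts and not ComboFix's own tooling. It parses the sections that matter most for a first triage (the Run keys, the Windows Firewall allow-list, the scheduled tasks and the Firefox prefs) out of a constructed excerpt laid out the same way as the logs posted here, reports Run entries that carry no drive path (those resolve through the search path at logon), lists every firewall exception and scheduled task, and refangs the hxxp URLs only far enough to extract the host so that search and homepage prefs pointing outside an expected set can be reported. The allow-list of expected search hosts is an assumption made for the demo, and the sample log lines are constructed rather than copied from the full log.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the same layout as the ComboFix logs in this thread
# (representative lines only, not a copy of the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
Contents of the 'Scheduled Tasks' folder
2010-06-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]
.
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&q=
"""

# Line shapes ComboFix uses in the sections parsed here.
RUN_ENTRY = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
FW_ENTRY = re.compile(r'^"(.+)"=$')
TASK_JOB = re.compile(r'^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\.+\.job)$', re.I)
TASK_TARGET = re.compile(r'^- (.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$')
FF_PREF = re.compile(r'^FF - prefs\.js: (\S+) - (.*)$')

# Assumed allow-list of hosts a search/homepage pref is expected to point at
# (hostnames compare lower-case); anything else is reported for review.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "en-us.start3.mozilla.com"}


def refang(url):
    """Undo ComboFix's hxxp defanging and return (url, lower-case host)."""
    fixed = re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.I)
    return fixed, (urlsplit(fixed).hostname or "")


def parse_combofix(text):
    """Pull Run-key entries, firewall exceptions, scheduled tasks and
    Firefox prefs out of a ComboFix log. Sections are recognised by their
    header lines, so everything else in the log is skipped."""
    report = {"run": [], "firewall": [], "tasks": [], "ff_prefs": []}
    section, current_key, pending_job = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[HK"):                    # registry key header
            current_key = line[1:-1]
            section = "firewall" if "AuthorizedApplications" in current_key else "run"
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):
            section = "tasks"
            continue
        if line.startswith("FF - "):
            section = "ff"
        if section == "run" and (m := RUN_ENTRY.match(line)):
            name, path, date, size = m.groups()
            report["run"].append({"key": current_key, "name": name, "path": path,
                                  "date": date, "size": int(size),
                                  # no drive prefix: resolved via the search path
                                  "bare_name": ":\\" not in path})
        elif section == "firewall" and (m := FW_ENTRY.match(line)):
            # the list is regedit-escaped, so \\ means a single backslash
            report["firewall"].append(m.group(1).replace("\\\\", "\\"))
        elif section == "tasks":
            if m := TASK_JOB.match(line):
                pending_job = m.group(1)
            elif pending_job and (m := TASK_TARGET.match(line)):
                report["tasks"].append({"job": pending_job, "target": m.group(1)})
                pending_job = None
        elif section == "ff" and (m := FF_PREF.match(line)):
            pref, value = m.groups()
            entry = {"pref": pref, "value": value}
            if value.lower().startswith("hxxp"):
                entry["url"], entry["host"] = refang(value)
                entry["unexpected_host"] = entry["host"] not in EXPECTED_SEARCH_HOSTS
            report["ff_prefs"].append(entry)
    return report


def findings(report):
    """Plain-text lines a reviewer would want to recheck by hand."""
    out = []
    for e in report["run"]:
        if e["bare_name"]:
            out.append(f"run entry '{e['name']}' has no absolute path: {e['path']}")
    out += [f"firewall allow-list: {app}" for app in report["firewall"]]
    out += [f"scheduled task {t['job']} -> {t['target']}" for t in report["tasks"]]
    for p in report["ff_prefs"]:
        if p.get("unexpected_host"):
            out.append(f"firefox {p['pref']} points at {p['host']}")
    return out


if __name__ == "__main__":
    for line in findings(parse_combofix(SAMPLE_LOG)):
        print(line)
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the output is a checklist, not a verdict, since a firewall exception or a scheduled task is only suspicious once the binary behind it has been identified.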
Hi alienrik,
Here is the new log from ComboFix:
ComboFix 10-06-27.03 - Steven 28/06/2010 8:58.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.319 [GMT 1:00]
Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt
AV: AVG 7.5.488 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
FILE ::
"c:\windows\system32\D8B1BDD4AC.sys"
"c:\windows\system32\dns-sd.exe"
"c:\windows\system32\dnssd.dll"
"c:\windows\system32\dnssdX.dll"
"c:\windows\system32\KGyGaAvL.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\D8B1BDD4AC.sys
c:\windows\system32\dns-sd.exe
c:\windows\system32\dnssd.dll
c:\windows\system32\dnssdX.dll
c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.
2010-06-28 07:48 . 2010-06-28 07:48 d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-24 08:55 . 2010-06-24 08:55 388096 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-24 08:55 . 2010-06-24 08:55 d-----w- c:\program files\Trend Micro
2010-06-24 07:39 . 2010-06-24 07:39 d-----w- c:\documents and settings\Steven\Application Data\Malwarebytes
2010-06-24 07:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 07:38 . 2010-06-24 07:51 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 07:38 . 2010-06-24 07:38 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 07:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-06-24 07:33 . 2010-06-28 07:48 d-----w- c:\program files\McAfee Security Scan
2010-06-23 09:24 . 2010-06-23 09:24 37084 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-23 08:22 . 2010-06-23 08:22 d-----w- c:\program files\iPod
2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\program files\iTunes
2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-23 08:16 . 2010-06-23 08:16 d-----w- c:\program files\Bonjour
2010-06-23 08:13 . 2010-06-23 08:13 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-23 07:36 . 2010-06-23 07:36 d-----w- c:\program files\ERUNT
2010-06-23 07:22 . 2010-06-23 07:22 d-----w- c:\program files\CCleaner
2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\documents and settings\Steven\Application Data\Mp3tag
2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\program files\Mp3tag
2010-06-21 10:30 . 2010-06-21 10:35 d-----w- c:\program files\UPHClean
2010-06-16 09:05 . 2010-06-16 09:05 3584 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-16 09:05 . 2010-06-16 09:05 d-----w- c:\program files\Windows Installer Clean Up
2010-06-16 09:04 . 2010-06-16 09:04 d-----w- c:\program files\MSECACHE
2010-06-11 11:36 . 2010-06-11 11:36 d-----w- c:\documents and settings\Steven\Application Data\Scrabble Plus
2010-06-11 11:35 . 2010-06-11 11:35 d-----w- c:\program files\Games
2010-06-08 13:25 . 2010-06-08 13:25 d-----w- c:\program files\NCH Software
2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\documents and settings\Steven\Application Data\Trusteer
2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\program files\Trusteer
2010-06-03 07:54 . 2010-06-03 07:54 d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-06-02 15:45 . 2010-06-02 15:45 d--h--w- c:\windows\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 07:44 . 2007-01-28 14:59 d-----w- c:\documents and settings\Steven\Application Data\Azureus
2010-06-27 11:08 . 2006-07-30 12:51 d-----w- c:\program files\Google
2010-06-24 07:33 . 2006-04-13 09:28 d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-23 09:03 . 2006-07-03 09:52 d-----w- c:\documents and settings\Steven\Application Data\Apple Computer
2010-06-23 08:22 . 2008-01-27 15:47 d-----w- c:\program files\Common Files\Apple
2010-06-23 08:20 . 2006-07-03 09:51 d-----w- c:\program files\QuickTime
2010-06-09 10:02 . 2006-05-06 15:11 d-----w- c:\program files\Dl_cats
2010-06-08 09:43 . 2006-04-13 09:22 d--h--w- c:\program files\InstallShield Installation Information
2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\documents and settings\Steven\Application Data\Jasc Software Inc
2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\program files\Jasc Software Inc
2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Common Files\Sonic Shared
2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Dell
2010-06-08 09:37 . 2006-04-13 09:24 d-----w- c:\program files\Corel
2010-05-27 12:53 . 2010-05-27 12:53 d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\program files\NCH Swift Sound
2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\documents and settings\Steven\Application Data\NCH Swift Sound
2010-05-27 11:56 . 2010-05-27 11:56 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-05-26 09:26 . 2010-05-26 09:26 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcp71.dll
2010-05-26 09:26 . 2010-05-26 09:26 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\jmc.dll
2010-05-26 09:26 . 2010-05-26 09:26 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcr71.dll
2010-05-26 09:26 . 2010-05-26 09:26 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-sse.dll
2010-05-26 09:26 . 2010-05-26 09:26 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-d3d.dll
2010-05-22 11:57 . 2007-01-28 14:58 d-----w- c:\program files\Azureus
2010-05-21 13:34 . 2010-05-21 13:34 d-----w- c:\documents and settings\Steven\Application Data\vlc
2010-05-21 13:32 . 2010-05-21 13:32 d-----w- c:\program files\VideoLAN
2010-05-21 13:27 . 2006-04-13 09:21 d-----w- c:\program files\InterActual
2010-05-21 10:45 . 2006-04-29 18:13 44376 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\MSBuild
2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\Reference Assemblies
2010-05-14 16:49 . 2010-05-14 16:49 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcp71.dll
2010-05-14 16:49 . 2010-05-14 16:49 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\jmc.dll
2010-05-14 16:49 . 2010-05-14 16:49 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcr71.dll
2010-05-14 16:49 . 2010-05-14 16:49 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-sse.dll
2010-05-14 16:49 . 2010-05-14 16:49 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-d3d.dll
2010-05-14 16:49 . 2010-05-14 16:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 16:49 . 2006-04-13 09:16 d-----w- c:\program files\Java
2010-05-14 16:25 . 2010-05-14 16:25 d-----w- c:\program files\MSXML 4.0
2010-05-04 17:20 . 2005-08-16 03:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 03:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 03:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 03:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 03:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-30 23:16 . 2010-03-30 23:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-30 23:10 . 2010-03-30 23:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-15 192512]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-18 185896]
"WireLessMouse"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
"WireLessKeyboard"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Steven\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-13 24576]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-9-5 1531904]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\RALINK\\Common\\ApUI.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [27/05/2010 12:56 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [27/05/2010 12:56 166632]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [27/05/2010 12:56 840936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/05/2010 17:49 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MCCOMPONENTHOSTSERVICE
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2008-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]
2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]
2010-06-22 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-27 12:52]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.tiscali.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/support/itunes/hottips/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: {10F514B7-457B-4322-A456-9721E884AAEE} = 62.24.243.1 62.24.243.2
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&client_id=787eac05f848940898a426a4&camp_id=-3&install_time=2010-05-22T11:36Z&tb_version=2.4.2000%28F%29&pr=auto&q=
FF - component: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 09:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-4118611697-1528870311-3673466176-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-06-28 09:13:48
ComboFix-quarantined-files.txt 2010-06-28 08:13
ComboFix2.txt 2010-06-27 12:24
ComboFix3.txt 2010-06-27 10:37
Pre-Run: 49,455,644,672 bytes free
Post-Run: 49,439,322,112 bytes free
- - End Of File - - CDD143047B675A4FAB8B84B00CF7552E
I also uninstalled RegCure as you suggested and performed all the tasks you recommended with CCleaner.
Thanks again!0 -
How's it running now?:idea:0
-
Seems to be much better (fingers crossed!).
Thanks again for your time and assistance.0
This discussion has been closed.