
XP won't shut down properly


Comments

  • aliEnRIK (Posts: 17,741 Forumite)
    Please UPDATE malwarebytes and run a FULL scan as originally requested
    :idea:
  • thorpette (Posts: 44 Forumite)
    Here is the log from the full scan after I updated Malwarebytes:


    Malwarebytes' Anti-Malware 1.46
    https://www.malwarebytes.org

    Database version: 4236

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    25/06/2010 09:00:32
    mbam-log-2010-06-25 (09-00-32).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 224103
    Time elapsed: 42 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  • aliEnRIK (Posts: 17,741 Forumite)
    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti-virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE it as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
    :idea:
  • thorpette (Posts: 44 Forumite)
    Hi Alienrik,

    Hope this means something to you:


    ComboFix 10-06-26.02 - Steven 27/06/2010 11:22:12.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.438 [GMT 1:00]
    Running from: c:\documents and settings\Steven\My Documents\Downloads\ComboFix.exe
    AV: AVG 7.5.488 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Steven\LOCALS~1\Temp\swtlib-32\swt-gdip-win32-3550.dll
    c:\docume~1\Steven\LOCALS~1\Temp\swtlib-32\swt-win32-3550.dll
    c:\documents and settings\Steven\Local Settings\Temp\swtlib-32\swt-gdip-win32-3550.dll
    c:\documents and settings\Steven\Local Settings\Temp\swtlib-32\swt-win32-3550.dll
    C:\ipconfig.txt
    c:\temp\1cb
    c:\temp\1cb\syscheck.log
    c:\temp\fse
    c:\temp\fse\tmpZTF.log
    c:\windows\recover.reg
    c:\windows\system32\configs
    c:\windows\system32\f10WtR

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_FOPN


    ((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
    .

    2010-06-24 08:55 . 2010-06-24 08:55 d-----w- c:\program files\Trend Micro
    2010-06-24 07:39 . 2010-06-24 07:39 d-----w- c:\documents and settings\Steven\Application Data\Malwarebytes
    2010-06-24 07:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-24 07:38 . 2010-06-24 07:51 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-24 07:38 . 2010-06-24 07:38 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-24 07:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\program files\McAfee Security Scan
    2010-06-23 09:24 . 2010-06-23 09:24 37084 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-06-23 08:22 . 2010-06-23 08:22 d-----w- c:\program files\iPod
    2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\program files\iTunes
    2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-06-23 08:16 . 2010-06-23 08:16 d-----w- c:\program files\Bonjour
    2010-06-23 07:36 . 2010-06-23 07:36 d-----w- c:\program files\ERUNT
    2010-06-23 07:22 . 2010-06-23 07:22 d-----w- c:\program files\CCleaner
    2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\documents and settings\Steven\Application Data\Mp3tag
    2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\program files\Mp3tag
    2010-06-21 10:30 . 2010-06-21 10:35 d-----w- c:\program files\UPHClean
    2010-06-16 09:05 . 2010-06-16 09:05 d-----w- c:\program files\Windows Installer Clean Up
    2010-06-16 09:04 . 2010-06-16 09:04 d-----w- c:\program files\MSECACHE
    2010-06-11 11:36 . 2010-06-11 11:36 d-----w- c:\documents and settings\Steven\Application Data\Scrabble Plus
    2010-06-11 11:35 . 2010-06-11 11:35 d-----w- c:\program files\Games
    2010-06-08 13:25 . 2010-06-08 13:25 d-----w- c:\program files\NCH Software
    2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\documents and settings\Steven\Application Data\Trusteer
    2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\program files\Trusteer
    2010-06-03 07:54 . 2010-06-03 07:54 d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2010-06-02 15:45 . 2010-06-02 15:45
    d--h--w- c:\windows\PIF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-27 10:28 . 2007-01-28 14:59 d-----w- c:\documents and settings\Steven\Application Data\Azureus
    2010-06-24 08:55 . 2010-06-24 08:55 388096 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-06-24 07:33 . 2006-04-13 09:28 d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-06-23 09:03 . 2006-07-03 09:52 d-----w- c:\documents and settings\Steven\Application Data\Apple Computer
    2010-06-23 08:22 . 2008-01-27 15:47 d-----w- c:\program files\Common Files\Apple
    2010-06-23 08:20 . 2006-07-03 09:51 d-----w- c:\program files\QuickTime
    2010-06-23 08:13 . 2010-06-23 08:13 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-16 09:05 . 2010-06-16 09:05 3584 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-06-09 10:02 . 2006-05-06 15:11 d-----w- c:\program files\Dl_cats
    2010-06-08 09:43 . 2006-04-13 09:22 d--h--w- c:\program files\InstallShield Installation Information
    2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\documents and settings\Steven\Application Data\Jasc Software Inc
    2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\program files\Jasc Software Inc
    2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Common Files\Sonic Shared
    2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Dell
    2010-06-08 09:37 . 2006-04-13 09:24 d-----w- c:\program files\Corel
    2010-06-07 09:37 . 2006-04-29 18:13 5904 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-06-07 09:37 . 2006-04-29 18:13 104 --sh--r- c:\windows\system32\D8B1BDD4AC.sys
    2010-05-27 12:53 . 2010-05-27 12:53 d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\program files\NCH Swift Sound
    2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\documents and settings\Steven\Application Data\NCH Swift Sound
    2010-05-27 11:56 . 2010-05-27 11:56 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
    2010-05-26 09:26 . 2010-05-26 09:26 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcp71.dll
    2010-05-26 09:26 . 2010-05-26 09:26 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\jmc.dll
    2010-05-26 09:26 . 2010-05-26 09:26 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcr71.dll
    2010-05-26 09:26 . 2010-05-26 09:26 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-sse.dll
    2010-05-26 09:26 . 2010-05-26 09:26 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-d3d.dll
    2010-05-22 11:57 . 2007-01-28 14:58 d-----w- c:\program files\Azureus
    2010-05-21 13:34 . 2010-05-21 13:34 d-----w- c:\documents and settings\Steven\Application Data\vlc
    2010-05-21 13:32 . 2010-05-21 13:32 d-----w- c:\program files\VideoLAN
    2010-05-21 13:27 . 2006-04-13 09:21 d-----w- c:\program files\InterActual
    2010-05-21 10:45 . 2006-04-29 18:13 44376 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\MSBuild
    2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\Reference Assemblies
    2010-05-14 16:49 . 2006-07-30 12:51 d-----w- c:\program files\Google
    2010-05-14 16:49 . 2010-05-14 16:49 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcp71.dll
    2010-05-14 16:49 . 2010-05-14 16:49 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\jmc.dll
    2010-05-14 16:49 . 2010-05-14 16:49 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcr71.dll
    2010-05-14 16:49 . 2010-05-14 16:49 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-sse.dll
    2010-05-14 16:49 . 2010-05-14 16:49 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-d3d.dll
    2010-05-14 16:49 . 2010-05-14 16:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-14 16:49 . 2006-04-13 09:16 d-----w- c:\program files\Java
    2010-05-14 16:25 . 2010-05-14 16:25 d-----w- c:\program files\MSXML 4.0
    2010-05-04 17:20 . 2005-08-16 03:18 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 17:20 . 2005-08-16 03:18 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-05-04 17:20 . 2005-08-16 03:18 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-05-02 05:22 . 2005-08-16 03:18 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2005-08-16 03:18 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-03-30 23:16 . 2010-03-30 23:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-03-30 23:10 . 2010-03-30 23:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-02-12 11:24 . 2010-02-12 11:24 251 ----a-w- c:\program files\wt3d.ini
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
    "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
    "TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-15 192512]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-18 185896]
    "WireLessMouse"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
    "WireLessKeyboard"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Steven\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-13 24576]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-9-5 1531904]
    Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-7-9 1134592]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\RALINK\\Common\\ApUI.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [27/05/2010 12:56 59240]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [27/05/2010 12:56 166632]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [27/05/2010 12:56 840936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/05/2010 17:49 135664]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]

    2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]

    2010-06-27 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]

    2008-09-17 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]

    2010-06-22 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-27 12:52]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.tiscali.co.uk
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/support/itunes/hottips/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: {10F514B7-457B-4322-A456-9721E884AAEE} = 62.24.128.191 62.24.128.190
    FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&client_id=787eac05f848940898a426a4&camp_id=-3&install_time=2010-05-22T11:36Z&tb_version=2.4.2000%28F%29&pr=auto&q=
    FF - component: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-27 11:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_USERS\S-1-5-21-4118611697-1528870311-3673466176-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(5680)
    c:\windows\system32\WININET.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\system32\ieframe.dll
    .
    Other Running Processes
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\UPHClean\uphclean.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\stsystra.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Google\Web Accelerator\googlewebaccclient.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-06-27 11:37:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-06-27 10:36

    Pre-Run: 50,221,674,496 bytes free
    Post-Run: 50,315,341,824 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 7EE3DDDB9B4668930F1B9D44F84A395F



    Thanks again!
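    The "Reg Loading Points" section of the log above lists every autostart value in the form `"name"="path" [date size]`, and the catchme section shows that the DLCFCATS value is really a rundll32 command line. As an added example, not part of this thread or of ComboFix, here is a small Python parser that turns that section into records and picks out the entries a reviewer would look at first (bare file names, targets outside Program Files / Windows, targets in user-writable directories, DLL targets); the sample lines are copied from the log, except the `Example (constructed)` value, which is invented so the checks have something to flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input in the shape of ComboFix's "Reg Loading Points"
# section. Most lines are copied from the log posted in this thread; the
# "Example (constructed)" entry is invented so the checks below have
# something to flag.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Example (constructed)"="c:\documents and settings\Steven\Local Settings\Temp\upd.exe" [2010-06-26 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"""

# A registry key header line: [HKEY_...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
# One value line: "name"="target" [yyyy-mm-dd size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s+'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$'
)

# Locations an autostart entry on an XP machine is normally launched from.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")
# Directory names that mark a user-writable location.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\")


@dataclass
class AutostartEntry:
    key: str    # registry key the value lives under
    name: str   # value name
    value: str  # file ComboFix resolved the value to
    date: str   # file timestamp reported by ComboFix
    size: int   # file size in bytes reported by ComboFix


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Turn the Reg Loading Points section into structured records."""
    entries: List[AutostartEntry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            entries.append(AutostartEntry(
                key=current_key,
                name=entry_match.group("name"),
                value=entry_match.group("value"),
                date=entry_match.group("date"),
                size=int(entry_match.group("size")),
            ))
    return entries


def review_entry(entry: AutostartEntry) -> List[str]:
    """Return the reasons a reviewer would check this entry first (empty if none)."""
    reasons: List[str] = []
    path = entry.value.lower()
    if "\\" not in path:
        reasons.append("no directory given; resolved through the process search path")
    elif not path.startswith(TRUSTED_PREFIXES):
        reasons.append("launched from outside Program Files / Windows")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("file sits in a user-writable profile or Temp directory")
    if path.endswith(".dll"):
        reasons.append("target is a DLL, so a host such as rundll32 loads it; check that command line")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map every flagged value name to its list of reasons."""
    return {e.name: review_entry(e) for e in parse_loading_points(text) if review_entry(e)}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

    A flag here is a reason to look, not a verdict: the Dell printer DLL and the Sigmatel tray applet are both legitimate, which is exactly why the reviewer in the thread cross-checks names against the catchme and process lists before scripting a removal.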
  • aliEnRIK (Posts: 17,741 Forumite)
    Open notepad and copy/paste the text in RED below

    File::
    c:\program files\wt3d.ini


    Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]


    This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply

    Combofix should never take more than 30 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.


    ............................................

    I'd also recommend you remove 'google web accelerator'
    :idea:
  • thorpette (Posts: 44 Forumite)
    Here is the new log from ComboFix:


    ComboFix 10-06-26.02 - Steven 27/06/2010 13:08:58.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.294 [GMT 1:00]
    Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt
    AV: AVG 7.5.488 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

    FILE ::
    "c:\program files\wt3d.ini"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Steven\LOCALS~1\Temp\swtlib-32\swt-gdip-win32-3550.dll
    c:\docume~1\Steven\LOCALS~1\Temp\swtlib-32\swt-win32-3550.dll
    c:\documents and settings\Steven\Local Settings\Temp\swtlib-32\swt-gdip-win32-3550.dll
    c:\documents and settings\Steven\Local Settings\Temp\swtlib-32\swt-win32-3550.dll
    c:\program files\wt3d.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
    .

    2010-06-24 08:55 . 2010-06-24 08:55 d-----w- c:\program files\Trend Micro
    2010-06-24 07:39 . 2010-06-24 07:39 d-----w- c:\documents and settings\Steven\Application Data\Malwarebytes
    2010-06-24 07:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-24 07:38 . 2010-06-24 07:51 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-24 07:38 . 2010-06-24 07:38 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-24 07:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\program files\McAfee Security Scan
    2010-06-23 09:24 . 2010-06-23 09:24 37084 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-06-23 08:22 . 2010-06-23 08:22 d-----w- c:\program files\iPod
    2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\program files\iTunes
    2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-06-23 08:16 . 2010-06-23 08:16 d-----w- c:\program files\Bonjour
    2010-06-23 07:36 . 2010-06-23 07:36 d-----w- c:\program files\ERUNT
    2010-06-23 07:22 . 2010-06-23 07:22 d-----w- c:\program files\CCleaner
    2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\documents and settings\Steven\Application Data\Mp3tag
    2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\program files\Mp3tag
    2010-06-21 10:30 . 2010-06-21 10:35 d-----w- c:\program files\UPHClean
    2010-06-16 09:05 . 2010-06-16 09:05 d-----w- c:\program files\Windows Installer Clean Up
    2010-06-16 09:04 . 2010-06-16 09:04 d-----w- c:\program files\MSECACHE
    2010-06-11 11:36 . 2010-06-11 11:36 d-----w- c:\documents and settings\Steven\Application Data\Scrabble Plus
    2010-06-11 11:35 . 2010-06-11 11:35 d-----w- c:\program files\Games
    2010-06-08 13:25 . 2010-06-08 13:25 d-----w- c:\program files\NCH Software
    2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\documents and settings\Steven\Application Data\Trusteer
    2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\program files\Trusteer
    2010-06-03 07:54 . 2010-06-03 07:54 d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2010-06-02 15:45 . 2010-06-02 15:45
    d--h--w- c:\windows\PIF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-27 12:16 . 2007-01-28 14:59 d-----w- c:\documents and settings\Steven\Application Data\Azureus
    2010-06-27 11:08 . 2006-07-30 12:51 d-----w- c:\program files\Google
    2010-06-24 08:55 . 2010-06-24 08:55 388096 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-06-24 07:33 . 2006-04-13 09:28 d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-06-23 09:03 . 2006-07-03 09:52 d-----w- c:\documents and settings\Steven\Application Data\Apple Computer
    2010-06-23 08:22 . 2008-01-27 15:47 d-----w- c:\program files\Common Files\Apple
    2010-06-23 08:20 . 2006-07-03 09:51 d-----w- c:\program files\QuickTime
    2010-06-23 08:13 . 2010-06-23 08:13 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-16 09:05 . 2010-06-16 09:05 3584 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-06-09 10:02 . 2006-05-06 15:11 d-----w- c:\program files\Dl_cats
    2010-06-08 09:43 . 2006-04-13 09:22 d--h--w- c:\program files\InstallShield Installation Information
    2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\documents and settings\Steven\Application Data\Jasc Software Inc
    2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\program files\Jasc Software Inc
    2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Common Files\Sonic Shared
    2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Dell
    2010-06-08 09:37 . 2006-04-13 09:24 d-----w- c:\program files\Corel
    2010-06-07 09:37 . 2006-04-29 18:13 5904 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-06-07 09:37 . 2006-04-29 18:13 104 --sh--r- c:\windows\system32\D8B1BDD4AC.sys
    2010-05-27 12:53 . 2010-05-27 12:53 d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\program files\NCH Swift Sound
    2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\documents and settings\Steven\Application Data\NCH Swift Sound
    2010-05-27 11:56 . 2010-05-27 11:56 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
    2010-05-26 09:26 . 2010-05-26 09:26 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcp71.dll
    2010-05-26 09:26 . 2010-05-26 09:26 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\jmc.dll
    2010-05-26 09:26 . 2010-05-26 09:26 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcr71.dll
    2010-05-26 09:26 . 2010-05-26 09:26 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-sse.dll
    2010-05-26 09:26 . 2010-05-26 09:26 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-d3d.dll
    2010-05-22 11:57 . 2007-01-28 14:58 d-----w- c:\program files\Azureus
    2010-05-21 13:34 . 2010-05-21 13:34 d-----w- c:\documents and settings\Steven\Application Data\vlc
    2010-05-21 13:32 . 2010-05-21 13:32 d-----w- c:\program files\VideoLAN
    2010-05-21 13:27 . 2006-04-13 09:21 d-----w- c:\program files\InterActual
    2010-05-21 10:45 . 2006-04-29 18:13 44376 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\MSBuild
    2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\Reference Assemblies
    2010-05-14 16:49 . 2010-05-14 16:49 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcp71.dll
    2010-05-14 16:49 . 2010-05-14 16:49 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\jmc.dll
    2010-05-14 16:49 . 2010-05-14 16:49 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcr71.dll
    2010-05-14 16:49 . 2010-05-14 16:49 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-sse.dll
    2010-05-14 16:49 . 2010-05-14 16:49 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-d3d.dll
    2010-05-14 16:49 . 2010-05-14 16:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-14 16:49 . 2006-04-13 09:16 d-----w- c:\program files\Java
    2010-05-14 16:25 . 2010-05-14 16:25 d-----w- c:\program files\MSXML 4.0
    2010-05-04 17:20 . 2005-08-16 03:18 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 17:20 . 2005-08-16 03:18 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-05-04 17:20 . 2005-08-16 03:18 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-05-02 05:22 . 2005-08-16 03:18 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2005-08-16 03:18 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-03-30 23:16 . 2010-03-30 23:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-03-30 23:10 . 2010-03-30 23:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
    "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
    "TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-15 192512]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-18 185896]
    "WireLessMouse"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
    "WireLessKeyboard"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Steven\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-13 24576]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-9-5 1531904]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\RALINK\\Common\\ApUI.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [27/05/2010 12:56 59240]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [27/05/2010 12:56 166632]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [27/05/2010 12:56 840936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/05/2010 17:49 135664]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]

    2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]

    2010-06-27 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]

    2008-09-17 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]

    2010-06-22 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-27 12:52]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.tiscali.co.uk
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/support/itunes/hottips/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: {10F514B7-457B-4322-A456-9721E884AAEE} = 62.24.243.1 62.24.243.2
    FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&client_id=787eac05f848940898a426a4&camp_id=-3&install_time=2010-05-22T11:36Z&tb_version=2.4.2000%28F%29&pr=auto&q=
    FF - component: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-27 13:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_USERS\S-1-5-21-4118611697-1528870311-3673466176-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(5364)
    c:\windows\system32\WININET.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\system32\ieframe.dll
    .
    Other Running Processes
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\UPHClean\uphclean.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\stsystra.exe
    c:\windows\system32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-06-27 13:24:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-06-27 12:24
    ComboFix2.txt 2010-06-27 10:37

    Pre-Run: 49,452,199,936 bytes free
    Post-Run: 49,448,718,336 bytes free

    - - End Of File - - C96B4F984BDC9A75A8DD0B90513E657E



    I also removed Google web accelerator as you requested.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I'd also recommend uninstalling 'REGCURE'

    Give the system a clean ~
    Download CCLEANER
    http://www.piriform.com/ccleaner/download/slim
    Run the CLEANER scan (UNTICK 'cookies')
    Then run the REGISTRY scan (Backup the registry when it asks)

    .................................................................................................................

    The rerun of ComboFix removed even more items, so I've rechecked the logs.

    Open notepad and copy/paste the text in RED below

    File::
    c:\windows\system32\dnssd.dll
    c:\windows\system32\dnssdX.dll
    c:\windows\system32\dns-sd.exe
    c:\windows\system32\KGyGaAvL.sys
    c:\windows\system32\D8B1BDD4AC.sys



    Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif


    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

    ComboFix should never take more than 30 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
  • thorpette
    thorpette Posts: 44 Forumite
    Hi alienrik,

    Here is the new log from ComboFix:


    ComboFix 10-06-27.03 - Steven 28/06/2010 8:58.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.319 [GMT 1:00]
    Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt
    AV: AVG 7.5.488 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

    FILE ::
    "c:\windows\system32\D8B1BDD4AC.sys"
    "c:\windows\system32\dns-sd.exe"
    "c:\windows\system32\dnssd.dll"
    "c:\windows\system32\dnssdX.dll"
    "c:\windows\system32\KGyGaAvL.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\D8B1BDD4AC.sys
    c:\windows\system32\dns-sd.exe
    c:\windows\system32\dnssd.dll
    c:\windows\system32\dnssdX.dll
    c:\windows\system32\KGyGaAvL.sys

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
    .

    2010-06-28 07:48 . 2010-06-28 07:48 d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2010-06-24 08:55 . 2010-06-24 08:55 388096 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-06-24 08:55 . 2010-06-24 08:55 d-----w- c:\program files\Trend Micro
    2010-06-24 07:39 . 2010-06-24 07:39 d-----w- c:\documents and settings\Steven\Application Data\Malwarebytes
    2010-06-24 07:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-24 07:38 . 2010-06-24 07:51 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-24 07:38 . 2010-06-24 07:38 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-24 07:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-24 07:33 . 2010-06-24 07:33 d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2010-06-24 07:33 . 2010-06-28 07:48 d-----w- c:\program files\McAfee Security Scan
    2010-06-23 09:24 . 2010-06-23 09:24 37084 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-06-23 08:22 . 2010-06-23 08:22 d-----w- c:\program files\iPod
    2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\program files\iTunes
    2010-06-23 08:22 . 2010-06-23 08:23 d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-06-23 08:16 . 2010-06-23 08:16 d-----w- c:\program files\Bonjour
    2010-06-23 08:13 . 2010-06-23 08:13 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-23 07:36 . 2010-06-23 07:36 d-----w- c:\program files\ERUNT
    2010-06-23 07:22 . 2010-06-23 07:22 d-----w- c:\program files\CCleaner
    2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\documents and settings\Steven\Application Data\Mp3tag
    2010-06-22 15:01 . 2010-06-22 15:01 d-----w- c:\program files\Mp3tag
    2010-06-21 10:30 . 2010-06-21 10:35 d-----w- c:\program files\UPHClean
    2010-06-16 09:05 . 2010-06-16 09:05 3584 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-06-16 09:05 . 2010-06-16 09:05 d-----w- c:\program files\Windows Installer Clean Up
    2010-06-16 09:04 . 2010-06-16 09:04 d-----w- c:\program files\MSECACHE
    2010-06-11 11:36 . 2010-06-11 11:36 d-----w- c:\documents and settings\Steven\Application Data\Scrabble Plus
    2010-06-11 11:35 . 2010-06-11 11:35 d-----w- c:\program files\Games
    2010-06-08 13:25 . 2010-06-08 13:25 d-----w- c:\program files\NCH Software
    2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\documents and settings\Steven\Application Data\Trusteer
    2010-06-03 07:55 . 2010-06-03 07:55 d-----w- c:\program files\Trusteer
    2010-06-03 07:54 . 2010-06-03 07:54 d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2010-06-02 15:45 . 2010-06-02 15:45
    d--h--w- c:\windows\PIF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-28 07:44 . 2007-01-28 14:59 d-----w- c:\documents and settings\Steven\Application Data\Azureus
    2010-06-27 11:08 . 2006-07-30 12:51 d-----w- c:\program files\Google
    2010-06-24 07:33 . 2006-04-13 09:28 d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-06-23 09:03 . 2006-07-03 09:52 d-----w- c:\documents and settings\Steven\Application Data\Apple Computer
    2010-06-23 08:22 . 2008-01-27 15:47 d-----w- c:\program files\Common Files\Apple
    2010-06-23 08:20 . 2006-07-03 09:51 d-----w- c:\program files\QuickTime
    2010-06-09 10:02 . 2006-05-06 15:11 d-----w- c:\program files\Dl_cats
    2010-06-08 09:43 . 2006-04-13 09:22
    d--h--w- c:\program files\InstallShield Installation Information
    2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\documents and settings\Steven\Application Data\Jasc Software Inc
    2010-06-08 09:42 . 2006-05-06 15:17 d-----w- c:\program files\Jasc Software Inc
    2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Common Files\Sonic Shared
    2010-06-08 09:39 . 2006-04-13 09:21 d-----w- c:\program files\Dell
    2010-06-08 09:37 . 2006-04-13 09:24 d-----w- c:\program files\Corel
    2010-05-27 12:53 . 2010-05-27 12:53 d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\program files\NCH Swift Sound
    2010-05-27 12:52 . 2010-05-27 12:52 d-----w- c:\documents and settings\Steven\Application Data\NCH Swift Sound
    2010-05-27 11:56 . 2010-05-27 11:56 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
    2010-05-26 09:26 . 2010-05-26 09:26 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcp71.dll
    2010-05-26 09:26 . 2010-05-26 09:26 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\jmc.dll
    2010-05-26 09:26 . 2010-05-26 09:26 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3c742cfc-n\msvcr71.dll
    2010-05-26 09:26 . 2010-05-26 09:26 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-sse.dll
    2010-05-26 09:26 . 2010-05-26 09:26 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-297c4f75-n\decora-d3d.dll
    2010-05-22 11:57 . 2007-01-28 14:58 d-----w- c:\program files\Azureus
    2010-05-21 13:34 . 2010-05-21 13:34 d-----w- c:\documents and settings\Steven\Application Data\vlc
    2010-05-21 13:32 . 2010-05-21 13:32 d-----w- c:\program files\VideoLAN
    2010-05-21 13:27 . 2006-04-13 09:21 d-----w- c:\program files\InterActual
    2010-05-21 10:45 . 2006-04-29 18:13 44376 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\MSBuild
    2010-05-14 17:54 . 2010-05-14 17:54 d-----w- c:\program files\Reference Assemblies
    2010-05-14 16:49 . 2010-05-14 16:49 503808 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcp71.dll
    2010-05-14 16:49 . 2010-05-14 16:49 499712 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\jmc.dll
    2010-05-14 16:49 . 2010-05-14 16:49 348160 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f90acc7-n\msvcr71.dll
    2010-05-14 16:49 . 2010-05-14 16:49 61440 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-sse.dll
    2010-05-14 16:49 . 2010-05-14 16:49 12800 ----a-w- c:\documents and settings\Steven\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-27ac5086-n\decora-d3d.dll
    2010-05-14 16:49 . 2010-05-14 16:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-14 16:49 . 2006-04-13 09:16 d-----w- c:\program files\Java
    2010-05-14 16:25 . 2010-05-14 16:25 d-----w- c:\program files\MSXML 4.0
    2010-05-04 17:20 . 2005-08-16 03:18 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 17:20 . 2005-08-16 03:18 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-05-04 17:20 . 2005-08-16 03:18 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-05-02 05:22 . 2005-08-16 03:18 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2005-08-16 03:18 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-03-30 23:16 . 2010-03-30 23:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-03-30 23:10 . 2010-03-30 23:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
    "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
    "TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-15 192512]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-18 185896]
    "WireLessMouse"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 303104]
    "WireLessKeyboard"="c:\program files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 319488]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Steven\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-13 24576]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-9-5 1531904]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\RALINK\\Common\\ApUI.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [27/05/2010 12:56 59240]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [27/05/2010 12:56 166632]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [27/05/2010 12:56 840936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/05/2010 17:49 135664]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MCCOMPONENTHOSTSERVICE
    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]

    2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:49]

    2010-06-22 c:\windows\Tasks\switchShakeIcon.job
    - c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-27 12:52]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.tiscali.co.uk
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/support/itunes/hottips/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: {10F514B7-457B-4322-A456-9721E884AAEE} = 62.24.243.1 62.24.243.2
    FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&client_id=787eac05f848940898a426a4&camp_id=-3&install_time=2010-05-22T11:36Z&tb_version=2.4.2000%28F%29&pr=auto&q=
    FF - component: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\5ts2hkqw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-28 09:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_USERS\S-1-5-21-4118611697-1528870311-3673466176-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2010-06-28 09:13:48
    ComboFix-quarantined-files.txt 2010-06-28 08:13
    ComboFix2.txt 2010-06-27 12:24
    ComboFix3.txt 2010-06-27 10:37

    Pre-Run: 49,455,644,672 bytes free
    Post-Run: 49,439,322,112 bytes free

    - - End Of File - - CDD143047B675A4FAB8B84B00CF7552E


    I also uninstalled RegCure as you suggested and performed all the tasks you recommended with CCleaner.

    Thanks again!
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    How's it running now?
    :idea:
  • thorpette
    thorpette Posts: 44 Forumite
    Seems to be much better (fingers crossed!).

    Thanks again for your time and assistance.
This discussion has been closed.