
Firefox redirecting


Comments

  • dogmaryxx
    dogmaryxx Posts: 2,446 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    So Hitman Pro detected a rootkit but failed to remove it. Is that correct?

    Have you rebooted to see if rootkit reappears?
  • Lotus-eater
    Lotus-eater Posts: 10,789 Forumite
    10,000 Posts Combo Breaker
    aliEnRIK wrote: »
    HITMAN will cease working after 30 days, if I recall.
    Yes I think you're right
    dogmaryxx wrote: »
    So Hitman Pro detected a rootkit but failed to remove it. Is that correct?

    Have you rebooted to see if rootkit reappears?
    Well, it found the rootkit, and I searched on the net for it and found the Kaspersky program and used that instead. That was before I had got the 30-day free licence for Hitman, so it didn't sort anything out, just scanned.
    I did get the licence after that, but didn't need to use it, as after rebooting it didn't find anything on the scan.
    And yes, it all appears to be gone, thank goodness.
    Freedom is not worth having if it does not include the freedom to make mistakes.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Yes I think you're right

    It's why I only suggest using it as a LAST resort


    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
    :idea:
  • Lotus-eater
    Lotus-eater Posts: 10,789 Forumite
    10,000 Posts Combo Breaker
    ComboFix 10-11-11.01 - matt 12/11/2010 10:06:15.1.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1391 [GMT 0:00]
    Running from: c:\documents and settings\*\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\matt\Application Data\26B7269E928CC7B444705621E683FCB3
    c:\documents and settings\matt\Application Data\26B7269E928CC7B444705621E683FCB3\enemies-names.txt
    c:\documents and settings\matt\Application Data\26B7269E928CC7B444705621E683FCB3\local.ini
    c:\documents and settings\matt\Application Data\install
    c:\documents and settings\matt\Application Data\Intote
    c:\documents and settings\matt\Application Data\Intote\dusi.tiu
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At48.job
    c:\windows\Tasks\At49.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At50.job
    c:\windows\Tasks\At51.job
    c:\windows\Tasks\At52.job
    c:\windows\Tasks\At53.job
    c:\windows\Tasks\At54.job
    c:\windows\Tasks\At55.job
    c:\windows\Tasks\At56.job
    c:\windows\Tasks\At57.job
    c:\windows\Tasks\At58.job
    c:\windows\Tasks\At59.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At60.job
    c:\windows\Tasks\At61.job
    c:\windows\Tasks\At62.job
    c:\windows\Tasks\At63.job
    c:\windows\Tasks\At64.job
    c:\windows\Tasks\At65.job
    c:\windows\Tasks\At66.job
    c:\windows\Tasks\At67.job
    c:\windows\Tasks\At68.job
    c:\windows\Tasks\At69.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At70.job
    c:\windows\Tasks\At71.job
    c:\windows\Tasks\At72.job
    c:\windows\Tasks\At73.job
    c:\windows\Tasks\At74.job
    c:\windows\Tasks\At75.job
    c:\windows\Tasks\At76.job
    c:\windows\Tasks\At77.job
    c:\windows\Tasks\At78.job
    c:\windows\Tasks\At79.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At80.job
    c:\windows\Tasks\At81.job
    c:\windows\Tasks\At82.job
    c:\windows\Tasks\At83.job
    c:\windows\Tasks\At84.job
    c:\windows\Tasks\At85.job
    c:\windows\Tasks\At86.job
    c:\windows\Tasks\At87.job
    c:\windows\Tasks\At88.job
    c:\windows\Tasks\At89.job
    c:\windows\Tasks\At9.job
    c:\windows\Tasks\At90.job
    c:\windows\Tasks\At91.job
    c:\windows\Tasks\At92.job
    c:\windows\Tasks\At93.job
    c:\windows\Tasks\At94.job
    c:\windows\Tasks\At95.job
    c:\windows\Tasks\At96.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
    .

    2010-11-11 19:06 . 2010-10-08 00:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{8B1B7243-ED91-423B-B8BD-AFBABF435E45}\mpengine.dll
    2010-11-11 16:36 . 2010-11-11 17:05 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-11-11 16:36 . 2010-11-11 16:36 d-----w- c:\program files\Hitman Pro 3.5
    2010-11-11 16:34 . 2010-11-11 16:35 d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-11-11 11:11 . 2010-11-11 11:11 388096 ----a-r- c:\documents and settings\*\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-11 11:11 . 2010-11-11 11:11 d-----w- c:\program files\Trend Micro
    2010-11-08 16:40 . 2010-11-08 16:40 d--h--w- c:\windows\system32\GroupPolicy
    2010-10-31 18:51 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-10-31 14:00 . 2010-11-03 15:52 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-10-31 13:37 . 2010-10-31 13:37 d-----w- c:\documents and settings\matt\Local Settings\Application Data\Sunbelt Software
    2010-10-31 10:31 . 2010-10-31 10:31 d--h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
    2010-10-31 10:29 . 2010-10-31 10:29 d-----w- c:\program files\Lavasoft
    2010-10-31 10:29 . 2010-10-31 10:29 d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-10-29 16:00 . 2010-10-29 16:00 d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Thunderbird
    2010-10-29 16:00 . 2010-10-29 16:00 d-----w- c:\documents and settings\LocalService\Application Data\Thunderbird
    2010-10-26 20:16 . 2010-10-26 20:16 d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
    2010-10-26 20:16 . 2010-10-26 20:16 d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
    2010-10-26 19:00 . 2010-10-26 19:00 d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
    2010-10-26 17:07 . 2010-10-26 17:07 d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
    2010-10-26 12:15 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-10-26 12:15 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-10-26 12:15 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-10-26 12:15 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-10-26 12:15 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-10-26 12:15 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-10-26 12:15 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-10-26 12:14 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-10-26 12:14 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-10-26 12:13 . 2010-10-26 12:13 d-----w- c:\program files\Alwil Software
    2010-10-26 12:13 . 2010-10-26 12:13 d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-10-26 11:55 . 2010-10-26 11:55 d-----w- c:\documents and settings\*\Application Data\ImgBurn
    2010-10-26 11:44 . 2010-10-26 11:44 d-----w- c:\program files\ImgBurn
    2010-10-24 13:16 . 2010-10-24 13:16 d-----w- c:\program files\Emsisoft Anti-Malware
    2010-10-24 10:39 . 2010-10-24 10:39 d-----w- c:\documents and settings\*\Application Data\Malwarebytes
    2010-10-24 10:39 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-24 10:39 . 2010-10-24 10:39 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-24 10:39 . 2010-10-24 10:39 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-24 10:39 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-24 09:25 . 2010-10-24 09:25 d-----w- C:\FOUND.001
    2010-10-24 09:04 . 2010-10-24 09:04 d-----w- C:\FOUND.000

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 11:41 . 2009-10-03 07:43 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-08 00:21 . 2007-05-16 17:22 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-18 12:23 . 2004-08-10 04:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 07:53 . 2004-08-10 04:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 07:53 . 2004-08-10 04:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 07:53 . 2004-08-10 04:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 14:38 . 2006-01-09 11:02 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 14:38 . 2004-08-10 04:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-09 14:38 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 14:38 . 2004-08-10 04:00 17408 ------w- c:\windows\system32\corpol.dll
    2010-09-08 16:57 . 2004-08-10 04:00 389120 ----a-w- c:\windows\system32\html.iec
    2010-09-01 12:51 . 2004-08-10 04:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 14:42 . 2004-08-10 04:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 09:02 . 2004-08-10 04:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:57 . 2004-08-10 04:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 14:39 . 2004-08-10 04:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 13:52 . 2009-04-16 09:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 17:12 . 2004-08-10 04:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 14:17 . 2010-08-17 14:17 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 09:45 . 2004-08-10 04:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Family Toolbar\tbhelper.dll" [2009-05-07 355840]

    [HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
    [HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
    [HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
    2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]

    [HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]

    [HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 421888]
    "HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-11-11 6387008]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
    backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
    backup=c:\windows\pss\Status Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^*^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
    path=c:\documents and settings\*\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
    backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^*^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
    path=c:\documents and settings\*\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
    backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
    2006-03-31 16:39 204800 ----a-w- c:\acer\Empowering Technology\ePresentation\ePresentation.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonBar]
    2006-09-08 11:49 245760 ----a-w- c:\windows\BUtilityBar\BisonBar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    2008-04-14 01:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boot]
    2006-03-15 22:12 579584 ----a-w- c:\acer\Empowering Technology\ePower\Boot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2005-05-17 17:42 933888 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtrlVol]
    2003-09-16 14:28 20480 ----a-w- c:\program files\Launch Manager\CtrlVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
    2006-03-30 18:47 421888 ----a-w- c:\acer\Empowering Technology\ePower\ePower_DMC.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
    2006-06-01 14:40 413696 ----a-w- c:\acer\Empowering Technology\eRecovery\eRAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Family Tree Builder Update]
    2009-11-02 08:58 222736 ----a-w- c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2005-03-17 14:45 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
    2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
    2005-07-25 13:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
    2006-04-19 15:08 69632 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
    2005-07-25 10:45 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 01:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
    2005-05-11 17:15 45056 ----a-w- c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2005-03-17 14:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-10 05:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
    2005-01-26 18:02 49152 ------w- c:\program files\Brother\Brmfl05a\BrStDvPt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-03-11 12:00 24095528 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 19:04 2879488 ----a-w- c:\windows\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 10:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-12 00:40 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
    2006-04-20 09:23 86016 ----a-w- c:\program files\Launch Manager\WButton.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2006-11-03 18:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26/10/2010 12:15 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/10/2010 12:15 17744]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [23/09/2010 07:46 1375992]
    S1 mailKmd;mailKmd; [x]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/09/2010 10:33 136176]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [11/11/2010 16:36 16968]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [23/09/2010 07:46 15264]
    S3 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-11 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

    2010-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2010-11-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3682170528-3259484559-1157366810-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

    2010-11-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3682170528-3259484559-1157366810-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

    2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 10:33]

    2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 10:33]

    2010-11-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 15:51]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://search.myheritage.com
    uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    FF - ProfilePath - c:\documents and settings\*\Application Data\Mozilla\Firefox\Profiles\499m3u5q.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc68491&v=6.010.006.004&i=23&tp=ab&iy=b&ychte=uk&lng=en-GB&q=
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\*\Application Data\Mozilla\Firefox\Profiles\499m3u5q.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}\components\mhxpcom2.dll
    FF - plugin: c:\documents and settings\*\Application Data\Mozilla\Firefox\Profiles\499m3u5q.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    Freedom is not worth having if it does not include the freedom to make mistakes.
  • Lotus-eater
    Lotus-eater Posts: 10,789 Forumite
    10,000 Posts Combo Breaker
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-AVG Anti-Spyware Guard
    MSConfigStartUp-eLockMonitor - c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-12 10:10
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-11-12 10:11:35
    ComboFix-quarantined-files.txt 2010-11-12 10:11

    Pre-Run: 18,325,143,552 bytes free
    Post-Run: 18,482,626,560 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 5B027B18C03776F0E2086E934BFD7029
    Freedom is not worth having if it does not include the freedom to make mistakes.
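Reading the log above the way a responder would (this is an added example for the thread, not part of any post and not a ComboFix feature): for a "Firefox redirecting" complaint the entries worth a second look are the 96 numbered At*.job tasks that ComboFix removed under Other Deletions (the shape at.exe leaves behind when something schedules itself dozens of times), the service line `S1 mailKmd;mailKmd; [x]` whose binary could not be found, `"AntiVirusOverride"=dword:00000001` under the Security Center key, and in the Firefox profile `network.proxy.type - 4` (auto-detect proxy via WPAD, which lets whatever proxy configuration the local network hands out decide where requests go) together with the keyword.URL and selectedEngine search overrides. The script below pulls exactly those out of ComboFix-style text. The sample it runs on is constructed from lines of the same shape as the posted log, not copied from it; the At-job threshold and the list of search prefs treated as "steering" are assumptions made here.

```python
r"""Triage helper for ComboFix-style logs.

Added example for this thread; not part of the original posts and not a
ComboFix tool. It scans log text of the shape posted above and reports the
entries a responder would look at first when a browser is being redirected:

  * bulk numbered At<N>.job files under c:\windows\Tasks;
  * Firefox prefs.js settings that steer traffic: network.proxy.type other
    than 0 (no proxy) or 5 (system), and keyword.URL / selectedEngine
    overrides;
  * service entries whose binary ComboFix could not find ("[x]");
  * Security Center AntiVirusOverride=1 (AV status warnings suppressed).

AT_JOB_THRESHOLD and STEERING_PREFS are assumptions, not ComboFix output.
"""
import re
from collections import defaultdict

AT_JOB_RE = re.compile(r"c:\\windows\\Tasks\\At(\d+)\.job$", re.IGNORECASE)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
AV_OVERRIDE_RE = re.compile(r'"AntiVirusOverride"=dword:0*1$')

# Mozilla's documented meanings for network.proxy.type
PROXY_TYPES = {0: "none", 1: "manual", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system"}
STEERING_PREFS = ("keyword.URL", "browser.search.selectedEngine")
AT_JOB_THRESHOLD = 10  # assumption: more numbered jobs than this is abnormal


def triage(log_text):
    """Return {finding_kind: [detail, ...]} for the suspicious entries found."""
    findings = defaultdict(list)
    at_jobs = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AT_JOB_RE.search(line)
        if m:
            at_jobs.append(int(m.group(1)))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            name, value = m.groups()
            if name == "network.proxy.type":
                ptype = int(value) if value.isdigit() else None
                if ptype not in (0, 5):
                    label = PROXY_TYPES.get(ptype, "unknown")
                    findings["firefox_proxy"].append(f"network.proxy.type={value} ({label})")
            elif name in STEERING_PREFS:
                findings["firefox_search"].append(f"{name}={value}")
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image = m.groups()
            if image.strip() in ("", "[x]"):  # ComboFix marks a missing image path with [x]
                findings["service_missing_binary"].append(name)
            continue
        if AV_OVERRIDE_RE.search(line):
            findings["av_override"].append(line)
    if len(at_jobs) > AT_JOB_THRESHOLD:
        findings["bulk_at_jobs"].append(
            f"{len(at_jobs)} At*.job tasks (At{min(at_jobs)}..At{max(at_jobs)})")
    return dict(findings)


# Constructed sample: lines of the same shape as the posted log, not a copy of it.
SAMPLE_LOG = "\n".join(
    [rf"c:\windows\Tasks\At{i}.job" for i in range(1, 97)]
    + [
        r"c:\windows\Tasks\MP Scheduled Scan.job",
        r"R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26/10/2010 12:15 165584]",
        r"S1 mailKmd;mailKmd; [x]",
        r'"AntiVirusOverride"=dword:00000001',
        r"FF - prefs.js: browser.search.selectedEngine - AVG Secure Search",
        r"FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/",
        r"FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?q=",
        r"FF - prefs.js: network.proxy.type - 4",
    ]
)


def triage_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, details in sorted(triage_sample().items()):
        print(kind)
        for d in details:
            print("   ", d)
```

Run it against a saved ComboFix.txt by passing the file contents to `triage()`. None of the four findings is proof of infection on its own: a WPAD setting can be a corporate default and a missing service image can be a leftover from an uninstall, so each one is a prompt to check the corresponding key or file, not a verdict.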
  • Lotus-eater
    Lotus-eater Posts: 10,789 Forumite
    10,000 Posts Combo Breaker
    aliEnRIK wrote: »
    Its why I only suggest using it as a LAST resort


    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
    Done, hope you can read something in it. :D
    Freedom is not worth having if it does not include the freedom to make mistakes.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Log seems ok now

    I'd suggest one final (very long) scan

    Download and run the FREE version of DR WEB
    http://www.freedrweb.com/download+cureit/gr/
    Turn your anti virus OFF
    Click CANCEL to its first question (Unless you're happy to lock windows until it's run)
    Click NO to opening the purchase page
    Click START
    click YES
    It will auto QUICK scan
    Press the STOP button on the right (Unless you're happy to quick scan first)
    After that set to COMPLETE SCAN the computer and press the 'play' icon
    This will more than likely take hours (12 is average!), so leave running overnight or whatever

    ***DO NOT UPGRADE TO FULL VERSION***

    reset the HOSTS file if it asks you
    :idea:
This discussion has been closed.