
system repair virus


Comments

  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    Hmm, holy **** this isn't looking good... log coming soon


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    5126 errors :O I dunno how to give you the specifics...
    1077 ActiveX and COM
    8 application paths
    392 file types
    3 fonts
    4 help files
    35 history lists
    3 shared files
    332 software
    1 startup
    2996 deep scan
    275 current user
    4 registry tweaks

    junk
    5 memory dump
    93 recent documents
    33 recycle bin
    14 shortcuts
    53 taskbar jumplist
    94 temporary files
    210 temporary internet files


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    There should be a log here:

    C:\combofix.txt

    Can you post that?


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    Nope, no log there.


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    I'm such a computard... hold on.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Looks like you downloaded the wrong thing.

    Go to this link, download combofix.exe and run it:

    http://www.bleepingcomputer.com/download/anti-virus/combofix


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    Yep, I had. I got the one from the support.com ad; ComboFix running at the minute though.


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    Been creating the log longer now than it's been running, don't think that's normal??


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    ComboFix 11-08-24.04 - Ruairí 24/08/2011 19:54:31.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.353.1033.18.3835.1525 [GMT 1:00]
    Running from: C:\Users\Ruairí\Downloads\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


    ((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))


    2011-08-24 19:27:45 . 2011-08-24 19:27:45 d-----w- C:\Users\Default\AppData\Local\temp
    2011-08-24 18:15:48 . 2011-08-24 18:40:24 d-----w- C:\Users\Ruairí\AppData\Roaming\Sammsoft
    2011-08-24 18:15:46 . 2011-08-24 18:16:03 d-----w- C:\Program Files (x86)\Ask.com
    2011-08-23 11:09:37 . 2011-08-12 04:10:01 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F279D32D-41D4-4B55-B032-DA3B0FC1D382}\mpengine.dll
    2011-08-14 17:01:32 . 2011-08-14 17:01:32 512 ----a-w- C:\PhysicalMBR.bin
    2011-08-13 19:13:38 . 2011-08-13 19:13:38 d-----w- C:\_OTL
    2011-08-12 15:15:09 . 2011-08-12 15:15:09
    d--h--w- C:\Users\Ruairí\AppData\Local\Conduit
    2011-08-12 15:15:09 . 2011-08-12 15:15:09 d-----w- C:\Program Files (x86)\NCH_EN
    2011-08-12 15:13:40 . 2011-08-16 13:10:30 d-----w- C:\Program Files (x86)\NCH Software
    2011-08-11 10:58:27 . 2011-06-15 09:58:31 212992 ----a-w- C:\Windows\system32\odbctrac.dll
    2011-08-11 10:58:27 . 2011-06-15 09:58:31 163840 ----a-w- C:\Windows\system32\odbccp32.dll
    2011-08-11 10:58:27 . 2011-06-15 09:58:31 106496 ----a-w- C:\Windows\system32\odbccu32.dll
    2011-08-11 10:58:27 . 2011-06-15 09:58:31 106496 ----a-w- C:\Windows\system32\odbccr32.dll
    2011-08-11 10:58:27 . 2011-06-15 09:58:29 126976 ----a-w- C:\Program Files\Common Files\System\Ole DB\msdaosp.dll
    2011-08-11 10:58:27 . 2011-06-15 09:04:46 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
    2011-08-11 10:58:26 . 2011-06-15 09:04:46 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
    2011-08-11 10:58:26 . 2011-06-15 09:04:46 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
    2011-08-11 10:58:26 . 2011-06-15 09:04:46 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
    2011-08-11 10:58:26 . 2011-06-15 09:04:46 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
    2011-08-11 10:58:26 . 2011-06-15 09:04:41 94208 ----a-w- C:\Program Files (x86)\Common Files\System\Ole DB\msdaosp.dll
    2011-08-11 10:56:59 . 2011-07-16 05:04:54 6144 ---ha-w- C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
    2011-08-11 10:55:27 . 2011-06-23 05:29:39 5507968 ----a-w- C:\Windows\system32\ntoskrnl.exe
    2011-08-11 10:55:25 . 2011-06-23 04:38:05 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-08-11 10:55:24 . 2011-06-23 04:38:04 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2011-08-10 10:35:56 . 2011-08-11 20:21:48 d-----w- C:\Users\Ruairí\AppData\Local\ElevatedDiagnostics
    2011-08-09 19:58:12 . 2011-08-09 19:58:12
    d--h--w- C:\Users\Ruairí\AppData\Local\Real
    2011-08-09 19:57:28 . 2011-08-10 21:40:15 d-----w- C:\Program Files (x86)\Real
    2011-08-09 19:57:27 . 2011-08-10 21:40:21
    d--h--w- C:\Users\Ruairí\AppData\Roaming\Real
    2011-08-01 14:58:05 . 2011-08-01 14:58:05
    d--h--w- C:\Users\Ruairí\AppData\Roaming\Adobe Mini Bridge CS5
    2011-08-01 14:58:04 . 2011-08-01 14:58:04
    d--h--w- C:\Users\Ruairí\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-08-09 19:19:23 . 2011-07-07 10:33:28 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-07-16 04:32:14 . 2011-08-11 10:57:02 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2011-07-06 18:52:42 . 2011-02-28 17:02:35 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-06-11 02:56:44 . 2011-07-13 10:36:24 3134464 ----a-w- C:\Windows\system32\win32k.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{37483b40-c254-4a72-bda4-22ee90182c1e}"= "C:\Program Files (x86)\NCH_EN\prxtbNCH_.dll" [2011-01-17 15:54:02 175912]

    [HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-09-12 14:02:22 3863136 ----a-w- C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
    2011-01-17 15:54:02 175912 ----a-w- C:\Program Files (x86)\NCH_EN\prxtbNCH_.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    2010-06-03 17:24:50 2736736 ----a-w- C:\Program Files (x86)\Softonic-Eng7\tbSoft.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2010-09-12 14:02:22 3863136 ----a-w- C:\Program Files (x86)\Vuze_Remote\tbVuze.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-07-29 21:05:36 1515688 ----a-w- C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "C:\Program Files (x86)\Vuze_Remote\tbVuze.dll" [2010-09-12 14:02:22 3863136]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll" [2010-09-12 14:02:22 3863136]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "C:\Program Files (x86)\Softonic-Eng7\tbSoft.dll" [2010-06-03 17:24:50 2736736]
    "{37483b40-c254-4a72-bda4-22ee90182c1e}"= "C:\Program Files (x86)\NCH_EN\prxtbNCH_.dll" [2011-01-17 15:54:02 175912]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll" [2011-07-29 21:05:36 1515688]

    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

    [HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 09:42:42 98304]
    "ToshibaServiceStation"="C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 08:23:12 1294136]
    "TWebCamera"="C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 00:54:48 2454840]
    "BCSSync"="C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 17:22:24 91520]
    "SwitchBoard"="C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 12:37:14 517096]
    "ApnUpdater"="C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [2011-07-29 21:05:42 887976]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "TOSHIBA Online Product Information"="C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe" [2010-03-03 11:47:38 4581280]

    C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - C:\Program Files (x86)\Toshiba\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 13:16:28 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 14:27:14 138576]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [x]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\system32\DRIVERS\ewusbnet.sys [x]
    R3 ExpressAccountsService;Express Accounts;C:\Program Files (x86)\NCH Software\ExpressAccounts\expressaccounts.exe [2011-08-16 13:10:21 2640900]
    R3 ExpressInvoiceService;Express Invoice;C:\Program Files (x86)\NCH Software\ExpressInvoice\expressinvoice.exe [2011-08-16 13:10:11 1796612]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-10-19 17:05:45 1436424]
    R3 hwusbfake;Huawei DataCard USB Fake;C:\Windows\system32\DRIVERS\ewusbfake.sys [x]
    R3 InventoriaService;Inventoria Stock Manager;C:\Program Files (x86)\NCH Software\Inventoria\inventoria.exe [2011-08-16 13:10:30 1363460]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 17:51:12 30963576]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 20:34:24 4925184]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys [x]
    R3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 12:37:14 517096]
    R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 08:21:50 51512]
    R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);C:\Windows\system32\drivers\WPRO_40_1340.sys [x]
    S0 sptd;sptd;C:\Windows\System32\Drivers\sptd.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [x]
    S2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe [2009-07-14 01:39:46 27136]
    S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [x]
    S2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 15:44:40 249200]
    S2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 17:51:20 46448]
    S2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2010-02-11 01:40:12 124368]
    S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys [x]
    S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys [x]
    S3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys [x]
    S3 PGEffect;Pangu effect driver;C:\Windows\system32\DRIVERS\pgeffect.sys [x]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-05 16:44:48 137560]


    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai

    Contents of the 'Scheduled Tasks' folder


    x86-64


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SmartAudio"="C:\Program Files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 12:45:12 307768]
    "TosSENotify"="C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-05 16:45:06 709976]
    "TosVolRegulator"="C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 13:31:34 24376]
    "AdobeAAMUpdater-1.0"="C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-07-07 16:41:53 500208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0

    Supplementary Scan

    uLocal Page = C:\Windows\system32\blank.htm
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2801948
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = 144.162.120.230:80
    uInternet Settings,ProxyOverride = <local>
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - C:\Users\Ruairí\AppData\Roaming\Mozilla\Firefox\Profiles\3chm9ftp.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2801948&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
    FF - prefs.js: keyword.URL - hxxp://www.wicso.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=RqfNzEEm&q=
    FF - user.js: keyword.URL - hxxp://www.wicso.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=RqfNzEEm&q=

    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3} - (no file)
    WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    WebBrowser-{37483B40-C254-4A72-BDA4-22EE90182C1E} - (no file)
    HKLM-Run-TPwrMain - C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-SmoothView - C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    HKLM-Run-SynTPEnh - C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-SmartFaceVWatcher - C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
    AddRemove-Adobe Shockwave Player - C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - C:\Program Files (x86)\DivX\DivXCodecUninstall.exe
    AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - C:\Program Files (x86)\DivX\DivXPlayerUninstall.exe


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Can you update MBAM, run a quick scan and post that log here?

    Also, do you use a router?


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    ASJ112 wrote: »
    Can you update MBAM, run a quick scan and post that log here?

    Also, do you use a router?
    Wireless from a Netopia Eircom router.


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5363

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    28/02/2011 17:52:01
    mbam-log-2011-02-28 (17-52-01).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)
    Objects scanned: 354848
    Time elapsed: 48 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Ruairí\documents\vuze downloads\photoshop cs2 v9.0 + working keygen\photoshop.cs2.keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    In my idiocy I linked to an old log, really not with it today.

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7557

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    24/08/2011 21:22:24
    mbam-log-2011-08-24 (21-22-24).txt

    Scan type: Quick scan
    Objects scanned: 179455
    Time elapsed: 2 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Can you reset the router and let me know if you get any redirects after that?


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    Seems OK since before resetting the router, I'll keep you posted. And again, thanks.


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    Just got another redirect to gomeo.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Best run a deeper scan.


    Download GMER Rootkit Scanner from:

    http://www.gmer.net/gmer.zip

    Extract the contents of the zipped file to desktop.
    Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.



    In the right panel, you will see several boxes that have been checked. Uncheck the following:
    IAT/EAT
    Drives/Partition other than Systemdrive (typically C:\)
    Show All (don't miss this one)

    Then click the Scan button & wait for it to finish.
    Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

    Save it where you can easily find it, such as your desktop, and attach it in your reply.


    Notes:
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    -- If you encounter any problems, try running GMER in safe mode.
    -- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



    Also run ESET Online Scanner:


    http://www.eset.com/us/online-scanner/run

    Post the log from it.


  • Registered Users, Registered Users 2 Posts: 142 ✭✭Dubstar07


    Hi,

    I think we may have picked up something too.
    I've run the OTL scan but got no infected files listed.
    Also ran a Windows Defender full scan, which picked up just Hotbar. I've removed this anyway.

    The reason I think there is something is because my Gmail has been sending mails automatically to everyone in my address book.
    Other than that the PC seems to be running OK.

    AVG is installed but I'm not 100% confident it's working right. Does it sound like there is something infected?

    Apologies for tagging on to the original post.

    Thanks, Dub


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    You need to post an OTL log.


  • Registered Users, Registered Users 2 Posts: 142 ✭✭Dubstar07


    Ran this last night:

    OTL logfile created on: 26/08/2011 21:16:07 - Run 1
    OTL by OldTimer - Version 3.2.26.5 Folder = C:\Users\J\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.07 Gb Available Physical Memory | 53.79% Memory free
    4.23 Gb Paging File | 3.21 Gb Available in Paging File | 75.80% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 298.03 Gb Total Space | 158.89 Gb Free Space | 53.32% Space Free | Partition Type: NTFS

    Computer Name: PC1 | User Name: J | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/08/26 21:14:49 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\J\Desktop\OTL.exe
    PRC - [2011/08/20 13:52:47 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2011/05/25 21:07:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Users\J\AppData\Roaming\Dropbox\bin\Dropbox.exe
    PRC - [2010/10/29 16:00:00 | 000,612,168 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
    PRC - [2010/10/22 17:47:26 | 000,524,288 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
    PRC - [2010/10/22 17:38:46 | 000,386,560 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe
    PRC - [2010/06/10 13:22:44 | 000,554,328 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
    PRC - [2010/06/09 19:14:30 | 001,156,440 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    PRC - [2010/01/15 13:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    PRC - [2009/12/02 14:41:54 | 000,184,320 | ---- | M] () -- C:\Users\J\AppData\Roaming\Transcend\SJelite3\SJelite3Launch.exe
    PRC - [2009/09/22 18:00:00 | 000,028,672 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\V0640Mon.exe
    PRC - [2009/08/05 11:12:43 | 001,370,488 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgfws8.exe
    PRC - [2009/08/05 11:12:41 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
    PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2007/12/05 07:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/08/20 13:52:47 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
    MOD - [2010/01/31 23:52:12 | 008,347,648 | ---- | M] () -- C:\Program Files\LeapFrog\LeapFrog Connect\QtGui4.dll
    MOD - [2010/01/31 23:52:12 | 002,244,608 | ---- | M] () -- C:\Program Files\LeapFrog\LeapFrog Connect\QtCore4.dll
    MOD - [2009/12/02 14:41:54 | 000,184,320 | ---- | M] () -- C:\Users\J\AppData\Roaming\Transcend\SJelite3\SJelite3Launch.exe
    MOD - [2009/07/18 04:21:00 | 003,883,424 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
    MOD - [2008/06/03 04:35:18 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/11/14 23:25:31 | 000,077,944 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
    SRV - [2010/10/26 15:00:33 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010/10/22 17:38:46 | 000,386,560 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
    SRV - [2010/06/09 19:14:30 | 001,156,440 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
    SRV - [2010/01/15 13:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
    SRV - [2009/08/05 11:12:52 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
    SRV - [2009/08/05 11:12:43 | 001,370,488 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgfws8.exe -- (avgfws8)
    SRV - [2009/08/05 11:12:41 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
    SRV - [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/12/05 07:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)


    ========== Driver Services (SafeList) ==========

    DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVNET)
    DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2010/03/01 09:50:22 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\seehcri.sys -- (seehcri)
    DRV - [2010/02/24 07:13:40 | 000,494,368 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)
    DRV - [2009/12/03 18:00:00 | 000,273,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\V0640Vid.sys -- (V0640Vid) Creative Live! Cam Socialize (VF0640)
    DRV - [2009/08/05 11:12:59 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
    DRV - [2009/08/05 11:12:59 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
    DRV - [2009/05/05 13:47:45 | 000,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
    DRV - [2009/05/05 13:47:21 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX)
    DRV - [2009/01/22 23:47:04 | 000,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\avgfwdx.sys -- (Avgfwfd)
    DRV - [2009/01/22 23:47:04 | 000,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgfwdx.sys -- (Avgfwdx)
    DRV - [2008/06/03 07:22:56 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
    DRV - [2008/06/03 07:22:56 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
    DRV - [2008/05/16 12:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016unic.sys -- (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM)
    DRV - [2008/05/16 12:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016nd5.sys -- (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS)
    DRV - [2008/05/16 12:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mdfl.sys -- (s0016mdfl)
    DRV - [2008/05/16 12:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mdm.sys -- (s0016mdm)
    DRV - [2008/05/16 12:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016mgmt.sys -- (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM)
    DRV - [2008/05/16 12:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016obex.sys -- (s0016obex)
    DRV - [2008/05/16 12:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0016bus.sys -- (s0016bus) Sony Ericsson Device 0016 driver (WDM)
    DRV - [2007/08/09 19:12:30 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
    DRV - [2007/06/18 19:21:46 | 000,019,456 | ---- | M] (LeapFrog) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\FlyUsb.sys -- (FlyUsb)
    DRV - [2007/04/23 13:54:50 | 000,100,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s115mgmt.sys -- (s115mgmt) Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
    DRV - [2007/04/23 13:54:50 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s115obex.sys -- (s115obex)
    DRV - [2007/04/23 13:54:48 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s115mdm.sys -- (s115mdm)
    DRV - [2007/04/23 13:54:48 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s115mdfl.sys -- (s115mdfl)
    DRV - [2007/04/23 13:54:46 | 000,083,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s115bus.sys -- (s115bus) Sony Ericsson Device 115 driver (WDM)
    DRV - [2006/01/12 12:46:28 | 000,252,928 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rt73.sys -- (RT73)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://vshare.toolbarhome.com/?hp=df
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ie.msn.com/?ocid=iehp
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EF 75 BB 99 48 AF CB 01 [binary data]
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\..\URLSearchHook: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll (Spigot, Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.448: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/20 13:52:47 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/07 08:02:22 | 000,000,000 | ---D | M]

    [2009/09/22 20:07:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\J\AppData\Roaming\Mozilla\Extensions
    [2011/05/07 07:32:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\njlp074h.default\extensions
    [2010/09/22 20:52:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\njlp074h.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2009/11/30 08:05:50 | 000,002,171 | ---- | M] () -- C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\njlp074h.default\searchplugins\bing.xml
    [2011/02/02 21:51:16 | 000,001,592 | ---- | M] () -- C:\Users\J\AppData\Roaming\Mozilla\Firefox\Profiles\njlp074h.default\searchplugins\web-search.xml
    [2011/06/25 20:40:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/07/09 14:35:32 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    File not found (No name found) --
    [2011/08/20 13:52:47 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2009/08/03 16:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npOGAPlugin.dll
    [2011/05/07 08:02:11 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2011/05/07 08:02:11 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/05/07 08:02:11 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2011/05/07 08:02:11 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2011/05/07 08:02:11 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll (Spigot, Inc.)
    O3 - HKLM\..\Toolbar: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll (Spigot, Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
    O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
    O4 - HKLM..\Run: [V0640Mon.exe] C:\Windows\V0640Mon.exe (Creative Technology Ltd.)
    O4 - HKCU..\Run: [SJelite3Launch] C:\Users\J\AppData\Roaming\Transcend\SJelite3\SJelite3Launch.exe ()
    O4 - Startup: C:\Users\J\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\J\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_04)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 89.101.160.4 89.101.160.5
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\J\Pictures\christmas\xmax 2010\L&T couch.JPG
    O24 - Desktop BackupWallPaper: C:\Users\J\Pictures\christmas\xmax 2010\L&T couch.JPG
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O33 - MountPoints2\{0afa0ae4-1f00-11df-81ac-001aa050aa8a}\Shell\Auto\command - "" = E:\asp.net
    O33 - MountPoints2\{0afa0ae4-1f00-11df-81ac-001aa050aa8a}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\asp.net
    O33 - MountPoints2\{30e9b3af-3130-11e0-9ed0-001aa050aa8a}\Shell\AutoRun\command - "" = J:\Setup.exe
    O34 - HKLM BootExecute: (autocheck autochk /r \??\K:) - File not found
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/08/26 21:14:43 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\J\Desktop\OTL.exe
    [2011/02/27 21:43:13 | 014,755,424 | ---- | C] (Dropbox, Inc.) -- C:\Program Files\Dropbox 1.0.20.exe
    [2010/11/24 22:50:10 | 003,385,600 | ---- | C] (BizEE Software Ltd ) -- C:\Program Files\EnergyLens-setup-1.6.1.exe
    [2010/11/13 16:52:30 | 000,674,664 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\SetupUi.dll
    [2010/11/13 16:52:30 | 000,672,616 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\SetupAcadUi.dll
    [2010/11/13 16:52:30 | 000,319,248 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\UPI32.dll
    [2010/11/13 16:52:28 | 001,049,240 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\PatchMgr.dll
    [2010/11/13 16:52:27 | 000,655,872 | ---- | C] (Microsoft Corporation) -- C:\Program Files\msvcr90.dll
    [2010/11/13 16:52:27 | 000,568,832 | ---- | C] (Microsoft Corporation) -- C:\Program Files\msvcp90.dll
    [2010/11/13 16:52:27 | 000,224,768 | ---- | C] (Microsoft Corporation) -- C:\Program Files\msvcm90.dll
    [2010/11/13 16:52:25 | 000,106,344 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\LiteHtml.dll
    [2010/11/13 16:52:24 | 001,645,320 | ---- | C] (Microsoft Corporation) -- C:\Program Files\gdiplus.dll
    [2010/11/13 16:52:23 | 000,550,248 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\DeployUi.dll
    [2010/11/13 16:52:16 | 001,245,032 | ---- | C] (Autodesk) -- C:\Program Files\adlmPIT.dll
    [2010/11/13 16:52:16 | 000,182,632 | ---- | C] (Autodesk) -- C:\Program Files\adlmutil.dll
    [2010/11/13 16:52:13 | 000,087,704 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\AcSetup.dll
    [2010/11/13 16:52:04 | 000,451,944 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\setup.exe
    [2010/11/13 16:51:35 | 000,161,640 | ---- | C] (Autodesk, Inc.) -- C:\Program Files\AcDelTree.exe
    [4 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [4 C:\Users\J\AppData\Local\*.tmp files -> C:\Users\J\AppData\Local\*.tmp -> ]
    [1 C:\Users\J\Desktop\*.tmp files -> C:\Users\J\Desktop\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/08/26 21:14:49 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\J\Desktop\OTL.exe
    [2011/08/26 21:04:31 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/08/26 21:04:30 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/08/26 21:04:11 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2011/08/26 21:03:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/08/26 21:02:27 | 000,000,000 | ---- | M] () -- C:\Users\J\AppData\Local\{749462DC-5432-44F7-A57B-AD86113A2AD3}
    [2011/08/26 10:47:14 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/08/15 19:23:23 | 000,222,208 | ---- | M] () -- C:\Users\J\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/08/08 23:00:00 | 014,957,056 | ---- | M] () -- C:\Users\J\Documents\photo wall.pub
    [2011/08/07 10:13:12 | 000,000,000 | ---- | M] () -- C:\Users\J\AppData\Local\{5E0ACD61-08FA-452B-9836-DBBCF3560F98}
    [4 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [4 C:\Users\J\AppData\Local\*.tmp files -> C:\Users\J\AppData\Local\*.tmp -> ]
    [1 C:\Users\J\Desktop\*.tmp files -> C:\Users\J\Desktop\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/08/26 21:02:27 | 000,000,000 | ---- | C] () -- C:\Users\J\AppData\Local\{749462DC-5432-44F7-A57B-AD86113A2AD3}
    [2011/08/08 22:21:01 | 014,957,056 | ---- | C] () -- C:\Users\J\Documents\photo wall.pub
    [2011/08/07 10:13:12 | 000,000,000 | ---- | C] () -- C:\Users\J\AppData\Local\{5E0ACD61-08FA-452B-9836-DBBCF3560F98}
    [2011/04/21 19:44:10 | 000,040,960 | ---- | C] () -- C:\Windows\System32\DPW939.dll
    [2010/12/21 12:00:15 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
    [2010/11/14 22:58:22 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2010/11/13 16:54:15 | 000,005,560 | ---- | C] () -- C:\Program Files\AutoCADConfig.pit
    [2010/11/13 16:51:35 | 000,000,043 | ---- | C] () -- C:\Program Files\autorun.inf
    [2010/11/13 16:51:31 | 000,015,315 | ---- | C] () -- C:\Program Files\Setup.ini
    [2010/07/07 14:40:48 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2010/02/25 16:53:45 | 000,000,680 | ---- | C] () -- C:\Users\J\AppData\Local\d3d9caps.dat
    [2009/10/26 17:31:52 | 000,000,488 | ---- | C] () -- C:\Windows\{687EAE16-F2E7-4B96-B58C-AC09F9119B8C}_WiseFW.ini
    [2009/09/26 11:16:21 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/09/26 11:16:21 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
    [2009/02/05 12:03:14 | 000,130,926 | ---- | C] () -- C:\Windows\hpoins18.dat
    [2009/01/23 09:43:53 | 000,222,208 | ---- | C] () -- C:\Users\J\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/01/23 00:08:15 | 000,011,164 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
    [2009/01/23 00:00:36 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2009/01/22 23:59:08 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2009/01/22 23:05:28 | 000,000,162 | ---- | C] () -- C:\Windows\ODBC.INI
    [2008/06/03 04:02:02 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
    [2008/04/28 22:09:10 | 000,172,033 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
    [2008/03/06 01:38:44 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe
    [2008/01/21 03:24:21 | 000,002,048 | ---- | C] () -- C:\Windows\System32\dmdskres2.dll
    [2007/03/01 00:41:30 | 000,006,600 | ---- | C] () -- C:\Windows\hpomdl18.dat
    [2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 13:47:37 | 000,445,776 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 11:33:01 | 013,211,202 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 11:33:01 | 000,009,436 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 11:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
    [2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 09:37:54 | 000,008,704 | ---- | C] () -- C:\Windows\System32\KBDHEPT.DLL
    [2006/11/02 09:37:53 | 000,005,632 | ---- | C] () -- C:\Windows\System32\KBDHE.DLL
    [2006/11/02 09:33:13 | 000,003,072 | ---- | C] () -- C:\Windows\System32\lz32.dll
    [2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2010/11/14 23:21:13 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Autodesk
    [2010/02/15 16:28:41 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2011/08/26 21:05:07 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Dropbox
    [2010/11/24 23:00:18 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Energy Lens
    [2011/01/24 19:43:31 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Image Zone Express
    [2011/08/07 00:07:47 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Microgaming
    [2010/04/24 17:31:01 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Printer Info Cache
    [2010/08/08 19:46:05 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Transcend
    [2010/03/22 22:16:30 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Uniblue
    [2009/06/23 09:12:58 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\WebEx
    [2010/11/23 16:38:58 | 000,000,000 | ---D | M] -- C:\Users\J\AppData\Roaming\Win
    [2011/08/26 21:02:37 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Files - Unicode (All) ==========
    [2011/06/24 13:52:56 | 000,014,297 | ---- | M] ()(C:\Users\J\Documents\?.docx) -- C:\Users\J\Documents\幸.docx
    [2011/06/24 13:52:56 | 000,014,297 | ---- | C] ()(C:\Users\J\Documents\?.docx) -- C:\Users\J\Documents\幸.docx

    < End of report >


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    not much there

    if you have MBAM can you update and run a quick scan with it, post that log here


    you can download it here if you need to

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html


  • Registered Users, Registered Users 2 Posts: 142 ✭✭Dubstar07


    Right this is where the fun starts!

    I ran the malware program and got 2mins 12 secs into it before it froze everything. Waited a couple of mins and then shut power off.

    Re-started and went to safe mode, ran malware again in safemode.
    Got to 2 mins 48 secs this time and pc froze again.

    Again, shut power off, re-started in safe mode and then re-started to normal mode.

    Ran malware scan again with the intention of stopping after 2 mins so I could get a partial log to post up. The malware gave nine infected files (which were indicated on the other two scans). Proceeded to delete these via the malware program. Available log is as below.

    Other point to note is that each time the pc froze it began making a repetitive clicking noise. It also happened at each of the times when it re-started.

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7587

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    27/08/2011 15:46:28
    mbam-log-2011-08-27 (15-46-28).txt

    Scan type: Quick scan
    Objects scanned: 60102
    Time elapsed: 2 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Value: {B922D405-6D13-4A2B-AE89-08A030DA4402} -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Value: {B922D405-6D13-4A2B-AE89-08A030DA4402} -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\pdfforge toolbar\IE\4.1\pdfforgetoolbarie.dll (PUP.Dealio.TB) -> Quarantined and deleted successfully.

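    The MBAM detections above hit the same CLSID that the earlier OTL log listed three times (URLSearchHook, O2 BHO and O3 Toolbar). The Python below is an added example, not code from either tool or from the thread: it parses a handful of OTL browser-hook lines and MBAM detection lines (constructed here from the logs posted above), cross-references them by CLSID and file path, and lists what MBAM did not touch, such as the IE start page setting.

```python
import re

# Constructed sample input: a few lines copied from the OTL log posted in this thread.
OTL_LINES = r"""
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://vshare.toolbarhome.com/?hp=df
IE - HKCU\..\URLSearchHook: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll (Spigot, Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll (Spigot, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
""".strip().splitlines()

# Constructed sample input: detection lines copied from the MBAM log posted in this thread.
MBAM_LINES = r"""
HKEY_CLASSES_ROOT\CLSID\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{B922D405-6D13-4A2B-AE89-08A030DA4402} (PUP.Dealio.TB) -> Value: {B922D405-6D13-4A2B-AE89-08A030DA4402} -> Quarantined and deleted successfully.
c:\program files\pdfforge toolbar\IE\4.1\pdfforgetoolbarie.dll (PUP.Dealio.TB) -> Quarantined and deleted successfully.
""".strip().splitlines()

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"([A-Za-z]:\\[^()]+?\.(?:dll|exe))", re.IGNORECASE)
MBAM_RE = re.compile(r"^(.*?) \(([^()]+)\) -> (.*)$")


def parse_otl_browser_entries(lines):
    """Extract IE start page, URLSearchHook, O2 (BHO) and O3 (Toolbar) entries from OTL lines."""
    entries = []
    for line in lines:
        line = line.strip()
        if line.startswith("O2 - BHO:"):
            kind = "BHO"
        elif line.startswith("O3 - "):
            kind = "Toolbar"
        elif line.startswith("IE - ") and "URLSearchHook:" in line:
            kind = "URLSearchHook"
        elif line.startswith("IE - ") and "Main,Start Page =" in line:
            entries.append({"kind": "StartPage", "name": line.split("= ", 1)[1],
                            "clsid": None, "path": None})
            continue
        else:
            continue  # O4 autoruns and everything else are out of scope here
        clsid = CLSID_RE.search(line)
        path = PATH_RE.search(line)
        name = re.search(r"\(([^)]*)\) - \{", line)
        entries.append({"kind": kind,
                        "name": name.group(1) if name else None,
                        "clsid": clsid.group(0).upper() if clsid else None,
                        "path": path.group(1).lower() if path else None})
    return entries


def parse_mbam_detections(lines):
    """Return (clsid -> verdict, lowercased path -> verdict) from MBAM 'Infected' lines."""
    by_clsid, by_path = {}, {}
    for line in lines:
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        item, verdict, _action = m.groups()
        clsid = CLSID_RE.search(item)
        if clsid:
            by_clsid[clsid.group(0).upper()] = verdict
        elif PATH_RE.match(item):
            by_path[item.lower()] = verdict
    return by_clsid, by_path


def correlate(entries, by_clsid, by_path):
    """Pair each OTL browser entry with the MBAM verdict for its CLSID or file, if any."""
    hits, unmatched = [], []
    for e in entries:
        verdict = by_clsid.get(e["clsid"]) or by_path.get(e["path"])
        if verdict:
            hits.append((e["kind"], e["clsid"], verdict))
        else:
            unmatched.append((e["kind"], e["name"]))
    return hits, unmatched


if __name__ == "__main__":
    hits, unmatched = correlate(parse_otl_browser_entries(OTL_LINES), *parse_mbam_detections(MBAM_LINES))
    for kind, clsid, verdict in hits:
        print(f"removed by MBAM: {kind:14} {clsid} -> {verdict}")
    for kind, name in unmatched:
        print(f"still present:   {kind:14} {name}")
```

    The start page entry comes out as "still present", which is why a log reader checks the OTL hooks again after the MBAM run rather than trusting the detection count alone.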

  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    well those things are all harmless, sounds like your password got phished rather than your PC got infected


    I'd change ALL your passwords, use one that is a mix of numbers and letters


    Open OTL, paste this in the custom scan/fixes box


    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c


    click Run Fix. And that is about it really.


  • Registered Users, Registered Users 2 Posts: 142 ✭✭Dubstar07


    Great, thanks for all your help.

    I'll give that a bash and see how it goes


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    sorry for the delay I had no access to this computer since then until today, I got GMER, I opened it and in a tab it says rootkit/malware and the window is empty. the only things on the right hand side that are selected are; services, registry and files. the rest are grey (you know when you can't click them).


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    eset report:
    C:\Users\Ruairí\Downloads\fear-loathing-in-las-vegas.exe multiple threats deleted - quarantined

    please tell me what to do with the above post


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    that file got deleted, I wouldn't worry much about it

    can you run this

    download aswMBR.exe

    http://public.avast.com/~gmerek/aswMBR.htm

    Double click the aswMBR.exe to run it

    Click the [Scan] button to start scan

    On completion of the scan click [Save log], save it to your desktop and post in your next reply


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    I ran it and saved the log, in hindsight I'm unsure if the scan was complete, here's the log anyway


  • Registered Users Posts: 1,666 ✭✭✭blahfckingblah


    No it wasn't, just stopped moving for a while.
    here's the finished log


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Re-Run aswMBR

    Click Scan

    On completion of the scan
    Click the FIXMBR Button

    Save the log as before and post in your next reply

