Google Hijack - MBAM logs

Question

Lewis_UnderGrad 0 Light Poster

14 Years Ago

Hi guys,

It appears my IE has been hijacked. I've ran a number of MBAM scans, updating before each scan, a number of issues have been found and removed however, google still redirects. Here are the logs:

28th Jan 2010 - Scan 1
alwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

28/01/2010 12:29:58
mbam-log-2010-01-28 (12-29-58).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 227907
Time elapsed: 1 hour(s), 12 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Avnish Jani\Local Settings\Temp\21.tmp (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sorrd (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\saifx (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\sorrd.sys (Trojan.Goldun) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe ecrm.goo srjds) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Avnish Jani\Local Settings\Temp\21.tmp (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Avnish Jani\Local Settings\Temp\27.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ecrm.goo (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000060ed.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00006e64.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sorrd.sys (Trojan.Goldun) -> Quarantined and deleted successfully.

28th Jan 2010 - Scan 2
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

28/01/2010 15:27:55
mbam-log-2010-01-28 (15-27-55).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 228534
Time elapsed: 1 hour(s), 18 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

29th Jan 2010
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

29/01/2010 18:09:19
mbam-log-2010-01-29 (18-09-19).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 230709
Time elapsed: 1 hour(s), 22 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Any suggestions welcome.

Thanks :icon_smile:

windows-virus

2 Contributors
9 Replies
1K Views
1 Week Discussion Span
Latest Post 14 Years Ago Latest Post by crunchie

crunchie 990 Most Valuable Poster

14 Years Ago

Hi. Sorry to inform you, but MBA-M has not been updated. The database looks to be between 1 and 2 weeks old.
Current database is 3662. Yours is 3510. That's 152 updates old.

crunchie 990 Most Valuable Poster

14 Years Ago

In IE's Internet Options under connections > Lan Settings, is it set to automatically detect settings?
It would appear there is no internet connection being made by MBA-M.

Download MBA-M rules from http://malwarebytes.gt500.org/

Do a full scan and remove what is found. Post the log after rebooting the pc.

==

Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

crunchie 990 Most Valuable Poster

14 Years Ago

Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

=====

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Lewis_UnderGrad 0 Light Poster · Answer 1 · 2010-01-30T20:00:35+00:00

Hi Crunchie,

I have just tried to run an update and am presented with the following error:

[IMG]http://i256.photobucket.com/albums/hh179/v1raj/Misc/MBAMUpdateError.jpg[/IMG]

Lewis_UnderGrad 0 Light Poster · Answer 2 · 2010-01-31T21:19:06+00:00

Was unable to download MBAM-Rules on the machine infected so a friend downloaded it and sent my the file. Results:

Malwarebytes' Anti-Malware 1.44
Database version: 3628
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

30/01/2010 18:57:59
mbam-log-2010-01-30 (18-57-59).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 232486
Time elapsed: 1 hour(s), 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Downloaded HiJack This. Results:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33:02, on 30/01/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ftusbsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: 82.146.46.170 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 82.146.46.170 www.myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 82.146.46.170 online.lloydstsb.co.uk
O1 - Hosts: 82.146.46.170 www.online.lloydstsb.co.uk
O1 - Hosts: 82.146.46.170 online-business.lloydstsb.co.uk
O1 - Hosts: 82.146.46.170 www.online-business.lloydstsb.co.uk
O1 - Hosts: 82.146.46.170 online-offshore.lloydstsb.com
O1 - Hosts: 82.146.46.170 www.online-offshore.lloydstsb.com
O1 - Hosts: 82.146.46.170 abbeyinternational.com
O1 - Hosts: 82.146.46.170 www.abbeyinternational.com
O1 - Hosts: 82.146.46.170 ibank.cahoot.com
O1 - Hosts: 82.146.46.170 www.ibank.cahoot.com
O1 - Hosts: 82.146.46.170 home.ybonline.co.uk
O1 - Hosts: 82.146.46.170 www.home.ybonline.co.uk
O1 - Hosts: 82.146.46.170 home.cbonline.co.uk
O1 - Hosts: 82.146.46.170 www.home.cbonline.co.uk
O1 - Hosts: 82.146.46.170 mybank.alliance-leicester.co.uk
O1 - Hosts: 82.146.46.170 www.mybank.alliance-leicester.co.uk
O1 - Hosts: 82.146.46.170 mybusinessbank.co.uk
O1 - Hosts: 82.146.46.170 www.mybusinessbank.co.uk
O1 - Hosts: 82.146.46.170 mybankoffshore.alil.co.im
O1 - Hosts: 82.146.46.170 www.mybankoffshore.alil.co.im
O1 - Hosts: 82.146.46.170 ibank.internationalbanking.barclays.com
O1 - Hosts: 82.146.46.170 www.ibank.internationalbanking.barclays.com
O1 - Hosts: 82.146.46.170 welcome27.co-operativebank.co.uk
O1 - Hosts: 82.146.46.170 www.welcome27.co-operativebank.co.uk
O1 - Hosts: 82.146.46.170 welcome23.smile.co.uk
O1 - Hosts: 82.146.46.170 www.welcome23.smile.co.uk
O1 - Hosts: 82.146.46.170 egg.com
O1 - Hosts: 82.146.46.170 www.egg.com
O1 - Hosts: 82.146.46.170 new.egg.com
O1 - Hosts: 82.146.46.170 www.new.egg.com
O1 - Hosts: 82.146.46.170 moneybookers.com
O1 - Hosts: 82.146.46.170 www.moneybookers.com
O1 - Hosts: 82.146.46.170 inscape.com
O1 - Hosts: 82.146.46.170 www.inscape.com
O1 - Hosts: 82.146.46.170 bankcardservices.co.uk
O1 - Hosts: 82.146.46.170 www.bankcardservices.co.uk
O1 - Hosts: 82.146.46.170 alliance-leicester.co.uk
O1 - Hosts: 82.146.46.170 www.alliance-leicester.co.uk
O1 - Hosts: 82.146.46.170 cahoot.com
O1 - Hosts: 82.146.46.170 www.cahoot.com
O1 - Hosts: 82.146.46.170 icicibank.co.uk
O1 - Hosts: 82.146.46.170 www.icicibank.co.uk
O1 - Hosts: 82.146.46.170 natwest.com
O1 - Hosts: 82.146.46.170 www.natwest.com
O1 - Hosts: 82.146.46.170 nwolb.com
O1 - Hosts: 82.146.46.170 www.nwolb.com
O1 - Hosts: 82.146.46.170 mbna.co.uk
O1 - Hosts: 82.146.46.170 www.mbna.co.uk
O1 - Hosts: 82.146.46.170 businesscreditcardsonline.co.uk
O1 - Hosts: 82.146.46.170 www.businesscreditcardsonline.co.uk
O1 - Hosts: 82.146.46.170 capitaloneonline.co.uk
O1 - Hosts: 82.146.46.170 www.capitaloneonline.co.uk
O1 - Hosts: 82.146.46.170 welcome26.co-operativebank.co.uk
O1 - Hosts: 82.146.46.170 www.welcome26.co-operativebank.co.uk
O1 - Hosts: 82.146.46.170 welcome22.smile.co.uk
O1 - Hosts: 82.146.46.170 www.welcome22.smile.co.uk
O1 - Hosts: 82.146.46.170 service.citicards.co.uk
O1 - Hosts: 82.146.46.170 www.service.citicards.co.uk
O1 - Hosts: 82.146.46.170 citibank.co.uk
O1 - Hosts: 82.146.46.170 www.citibank.co.uk
O1 - Hosts: 82.146.46.170 scotwest.co.uk
O1 - Hosts: 82.146.46.170 www.scotwest.co.uk
O1 - Hosts: 82.146.46.170 secure.scotwest.co.uk
O1 - Hosts: 82.146.46.170 www.secure.scotwest.co.uk
O1 - Hosts: 82.146.46.170 partnerandaffinitycards.co.uk
O1 - Hosts: 82.146.46.170 www.partnerandaffinitycards.co.uk
O1 - Hosts: 82.146.46.170 esavingsaccount.co.uk
O1 - Hosts: 82.146.46.170 www.esavingsaccount.co.uk
O1 - Hosts: 82.146.46.170 firstdirect.com
O1 - Hosts: 82.146.46.170 www.firstdirect.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2330B0C8-2AE5-433D-8A7A-F971BF993667}: NameServer = 93.188.165.108,93.188.166.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{F46D8AD5-0AC2-44A9-A59B-F5DAF722CC8D}: NameServer = 93.188.165.108,93.188.166.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.108,93.188.166.30
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.108,93.188.166.30
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.108,93.188.166.30
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: USB over Network (Server) service (ftusbsrv) - FabulaTech - C:\WINDOWS\system32\ftusbsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe (file missing)
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

--
End of file - 11771 bytes

Lewis_UnderGrad 0 Light Poster · Answer 3 · 2010-02-03T22:17:39+00:00

Hi Crunchie,

I am unable to download the file from the HostXpert link you provided:

http://www.funkytoad.com/content/view/13/31/

Is there anywhere else i can download it from?

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 4 · 2010-02-04T02:22:59+00:00

Looks like they moved it.

http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=

Lewis_UnderGrad 0 Light Poster · Answer 5 · 2010-02-08T16:25:04+00:00

Thanks. ComboFix:

ComboFix 10-02-03.08 - Avnish Jani 04/02/2010 18:50:00.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.510.328 [GMT 0:00]
Running from: c:\documents and settings\Avnish Jani\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2203416353-1657562295-645918495-500
c:\recycler\S-1-5-21-978585148-2060435377-995363448-500
c:\windows\system32\al.txt
c:\windows\system32\dz1.txt
c:\windows\system32\kjs
c:\windows\system32\p1.txt
c:\windows\system32\r24.txt

c:\windows\system32\grpconv.exe . . . is missing!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-01-13 16:50 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 17:23 . 2009-01-11 12:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 19:18 . 2005-09-22 12:38 -------- d-----w- c:\documents and settings\Avnish Jani\Application Data\Azureus
2010-01-23 12:43 . 2009-03-12 21:33 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-20 09:15 . 2005-11-22 21:42 -------- d-----w- c:\program files\Lx_cats
2010-01-07 16:07 . 2009-01-11 12:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-01-11 12:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 21:15 . 2006-10-07 20:43 -------- d-----w- c:\program files\Blubster
2009-12-21 19:14 . 2005-03-03 09:11 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 16:36 . 2005-03-03 09:10 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Simp"="c:\program files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe" [2009-05-15 2108928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-17 5406720]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-18 12:48 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-02-21 04:49 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2003-11-07 08:21 114688 ----a-w- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blubster]
2006-09-11 12:20 5570560 ----a-w- c:\program files\Blubster\Blubster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2004-02-20 14:12 32768 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 15:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2002-03-14 16:46 45056 ----a-w- c:\windows\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 15:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reminder]
2004-10-12 07:49 315392 ----a-w- c:\windows\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-02-21 15:09 13783040 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
2005-01-14 16:18 184320 ----a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2005-01-14 13:43 151552 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftusbsrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

R2 ftusbsrv;USB over Network (Server) service;c:\windows\system32\ftusbsrv.exe [15/04/2009 13:19 585728]
R3 ftusbload;ftusbload;c:\windows\system32\drivers\ftusbload.sys [15/04/2009 13:18 37368]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 04:47 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 03:40 118784]
S3 ftusb;ftusb;c:\windows\system32\drivers\ftusb.sys [15/04/2009 13:18 17400]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [22/08/2008 18:56 7680]
.
Contents of the 'Scheduled Tasks' folder

2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
TCP: {2330B0C8-2AE5-433D-8A7A-F971BF993667} = 93.188.165.108,93.188.166.30
TCP: {F46D8AD5-0AC2-44A9-A59B-F5DAF722CC8D} = 93.188.165.108,93.188.166.30
FF - ProfilePath - c:\documents and settings\Avnish Jani\Application Data\Mozilla\Firefox\Profiles\4ux2jb1e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp3\winampa.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
ActiveSetup-{2E1A9DE4-ADA0-4501-A46E-6633CDB01654} - xagkf32.dll
ActiveSetup-{AC018590-FBBD-4789-A15B-FFBBBE6C8965} - bekbn.dll
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0200 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0200\HXFSETUP.EXE -U -IHDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_104D0200

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 18:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x82D368C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf860afc3
\Driver\ACPI -> ACPI.sys @ 0xf847dcb8
\Driver\atapi -> atapi.sys @ 0xf83f49f2
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf82eaba0
PacketIndicateHandler -> NDIS.sys @ 0xf82d9a0b
SendHandler -> NDIS.sys @ 0xf82edb31
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2010-02-04 19:01:45
ComboFix-quarantined-files.txt 2010-02-04 19:01

Pre-Run: 5,860,532,224 bytes free
Post-Run: 14,688,555,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A7EE84AED85C9992E009DD2C55618960

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08:26, on 04/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ftusbsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2330B0C8-2AE5-433D-8A7A-F971BF993667}: NameServer = 93.188.165.108,93.188.166.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{F46D8AD5-0AC2-44A9-A59B-F5DAF722CC8D}: NameServer = 93.188.165.108,93.188.166.30
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: USB over Network (Server) service (ftusbsrv) - FabulaTech - C:\WINDOWS\system32\ftusbsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe (file missing)
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

--
End of file - 7635 bytes

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 6 · 2010-02-08T17:17:19+00:00

Are you still being re-directed?
Looks like you have a couple of files missing that should be there.

Please download FileFind from Atribune:
http://www.atribune.org/downloads/FileFind.zip

Unzip the file and save it to your desktop.

To run FileFind, please do the following:

Click on FileFind.exe
In the box labeled "Enter the directory to search"
Enter Drive eg.. C:\
In the box labeled "Enter the file to search"
Enter the file grpconv.exe
Now click on the "Find" button
Once the utility has found the files click on "Export"
This will save a text file to your C:\ drive as "Export.txt"
Repeat for proquota.exe
Double click on Export.txt, copy and paste this information in your next post.