Google survey then persistent popup(s)

andyq

Member
Here's a screenshot of the popup I'm getting (bottom RH corner, "You have one new message"). Clicking on this unleashes a load of malware crap.

 

johnb35

Administrator
Staff member
Do not click on that message alert box. I need a screenshot of when the Browser Safeguard window pops up when you try to run OTL. Do me a favor. Do a file/folder search in your system for "Browser Safeguard" and let me know if there are any files or folders found and their locations.
 

andyq

Member
hi john
I'm perplexed why you keep mentioning Browser Safeguard. It isn't on my PC and it has never appeared when trying to run OTL. I've tried to run OTL in safe mode but get the same result. (I've done a search for Browser Safeguard and found nothing, by the by.) Below is what I get when trying to run OTL. I've expanded the boxes in case it helps.

 

johnb35

Administrator
Staff member
Managed to download OTL.exe eventually. Following your link it downloads automatically. Clicking on the green box queues up "Browser Safeguard". OTL won't run though, throws up "OTL has encountered a problem & needs to close".

What green box are you talking about? All you do is click on that link I gave you and the file should automatically pop up for download. Do not click anywhere else on that page. I'm thinking I need to remotely access your system so I can see exactly what's going on.

The question that can't seem to get answered is: what are you doing to get that Browser Safeguard page to come up in your browser?
 

andyq

Member
Ok. Lets do this.

Download OTL to your Desktop

Click on the green download box on that page to download OTL.

This was your instruction re downloading OTL, which I think has led to me getting Browser Safeguard. Sorry for any confusion. What's the next step? How do I get rid of it if it's not in Add/Remove Programs? I've searched the registry and found this.

 

johnb35

Administrator
Staff member
Downloading OTL didn't cause you to get this. You must have clicked on something you shouldn't have.

Please start out by running Malwarebytes again, making sure it's updated. Then run AdwCleaner again as well and post all logs.
 

andyq

Member
Hi John

Malwarebytes log:-

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.30.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
andrew quarmby :: HOME-DBA9F381EB [administrator]

30/09/2013 19:34:35
mbam-log-2013-09-30 (19-34-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222083
Time elapsed: 25 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\RECYCLER\S-1-5-21-2000478354-261903793-682003330-1003\Dc7.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-2000478354-261903793-682003330-1003\Dc8.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.

(end)

AdwCleaner log:-

# AdwCleaner v3.005 - Report created 30/09/2013 at 20:40:42
# Updated 22/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : andrew quarmby - HOME-DBA9F381EB
# Running from : C:\Documents and Settings\andrew quarmby\Desktop\adwcleaner2.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Google Chrome v29.0.1547.76

[ File : C:\Documents and Settings\andrew quarmby\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [3766 octets] - [10/09/2013 19:48:58]
AdwCleaner[R1].txt - [1073 octets] - [30/09/2013 20:35:45]
AdwCleaner[S0].txt - [3834 octets] - [10/09/2013 19:54:27]
AdwCleaner[S1].txt - [998 octets] - [30/09/2013 20:40:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1057 octets] ##########
 

johnb35

Administrator
Staff member
OK, rerun combofix.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here:

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.

If for some reason you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your PC and you'll be fine.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

andyq

Member
Hi John
Latest ComboFix log:

ComboFix 13-10-01.03 - andrew quarmby 01/10/2013 19:27:50.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.991.452 [GMT 1:00]
Running from: c:\documents and settings\andrew quarmby\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\offitems.log
.
.
((((((((((((((((((((((((( Files Created from 2013-09-01 to 2013-10-01 )))))))))))))))))))))))))))))))
.
.
2013-09-22 12:10 . 2013-09-22 12:10 -------- d-----w- c:\windows\ERUNT
2013-09-22 12:10 . 2013-09-22 12:26 -------- d-----w- c:\documents and settings\Administrator
2013-09-11 22:14 . 2013-09-11 22:14 -------- d-sh--w- c:\documents and settings\andrew quarmby\IECompatCache
2013-09-10 18:48 . 2013-09-30 19:41 -------- d-----w- C:\AdwCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-09 01:56 . 2004-08-04 12:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2004-08-04 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2004-08-04 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2013-02-24 11:09 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-08-07 12:02 . 2012-11-09 06:56 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-08-07 11:59 . 2013-01-03 20:02 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-08-07 11:58 . 2012-11-09 06:53 91736 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2013-08-07 11:56 . 2012-11-09 06:51 568632 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-08-07 11:55 . 2013-08-13 19:29 85064 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2013-08-07 11:55 . 2012-11-09 06:50 365224 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-08-07 11:55 . 2012-11-09 06:50 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-08-07 11:54 . 2012-11-09 06:49 235520 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-08-07 11:53 . 2012-11-09 06:49 133992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-08-05 13:30 . 2004-08-04 12:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 13:18 . 2006-10-18 21:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-10 10:37 . 2004-08-04 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-09 06:34 . 2012-11-02 01:46 10152 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys
2013-07-09 06:34 . 2012-11-02 01:46 80656 ----a-w- c:\windows\system32\drivers\mfencrk.sys
2013-07-09 06:34 . 2012-11-02 01:46 288056 ----a-w- c:\windows\system32\drivers\mfencbdc.sys
2013-07-04 02:59 . 2004-08-04 12:00 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-03 22:59 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SiSPower"="SiSPower.dll" [2004-09-02 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-08-06 516912]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-08-06 516912]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Labtec Mouse Software 2.0.lnk - c:\program files\Labtec\Wireless Mouse\MulMouse.exe [2006-1-7 253952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^andrew quarmby^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\andrew quarmby\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^andrew quarmby^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\andrew quarmby\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-07-25 12:01 1397760 ------w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 15:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2011-11-18 12:37 1492264 ----a-w- c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2010-10-20 15:32 2192752 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-16 19:45 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McAfee SiteAdvisor Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\Platform\\McSvcHost\\McSvHost.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [10/01/2012 22:05 56496]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [10/01/2012 22:06 12464]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [09/11/2012 07:53 91736]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [22/08/2011 20:02 54776]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [07/01/2006 11:49 6144]
R2 HomeNetSvc;McAfee Home Network;"c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [03/01/2013 21:02 281560]
R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [28/08/2010 11:59 147456]
R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [28/08/2010 11:59 241664]
R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [28/08/2010 11:59 217088]
R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [28/08/2010 11:59 368640]
R2 LcSvrSaz;ELSA APOSpro Server;c:\elsawin\bin\LcSvrSaz.exe [05/09/2010 12:07 249856]
R2 McAPExe;McAfee AP Service;c:\program files\McAfee\MSC\McAPExe.exe [03/01/2013 21:02 145600]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [03/01/2013 21:02 281560]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [03/01/2013 21:02 281560]
R2 mcpltsvc;McAfee Platform Services;"c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [03/01/2013 21:02 281560]
R2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\Mcafee\AMCore\mcshield.exe [03/01/2013 21:03 638976]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [03/01/2013 21:02 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [03/01/2013 21:02 172416]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 20:11 229688]
R2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [25/11/2011 17:32 687400]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/08/2010 10:38 92008]
R2 VSGate;ELSA Vaudis Service;c:\elsawin\bin\VSGate.exe [28/08/2010 11:59 81920]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [07/12/2006 22:02 12288]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [09/11/2012 07:56 60920]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [28/08/2010 11:59 1306624]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [09/11/2012 07:50 365224]
R3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\drivers\mfencbdc.sys [02/11/2012 02:46 288056]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [13/08/2013 20:29 85064]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [07/12/2006 22:02 7040]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [11/11/2012 12:56 147472]
S3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\drivers\mfencrk.sys [02/11/2012 02:46 80656]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [13/08/2013 20:29 85064]
S3 TFBULK;Topfield USB client driver;c:\windows\system32\drivers\TfBulk.sys [26/08/2003 06:11 41996]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [22/08/2011 20:00 167784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-20 19:01 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:11]
.
2013-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2013-09-22 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 11:43]
.
2013-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:13]
.
2013-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:13]
.
2013-10-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?complete=0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {DB28CF23-0083-40B5-BF63-69925D672385} - hxxp://www.nero.com/doc/NeroVersionChecker.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre7\bin\jusched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-01 19:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2000478354-261903793-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2000478354-261903793-682003330-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2000478354-261903793-682003330-1003)
@Allowed: (Read) (S-1-5-21-2000478354-261903793-682003330-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-10-01 19:45:08
ComboFix-quarantined-files.txt 2013-10-01 18:45
ComboFix2.txt 2013-09-11 20:56
ComboFix3.txt 2013-09-10 19:42
ComboFix4.txt 2011-11-03 19:59
.
Pre-Run: 35,870,732,288 bytes free
Post-Run: 36,073,025,536 bytes free
.
- - End Of File - - A53063A7A8A9DCF3201E2EE8F7D102FB
8F558EB6672622401DA993E1E865C861
 

johnb35

Administrator
Staff member
OK, I do not see any new files/folders created in regards to Browser Safeguard. If you are still having problems we may be forced to have me remotely connect to your PC to find out what's going on. From the logs you have posted, you shouldn't be experiencing any issues at this time.
 

andyq

Member
Still won't run. Done some searching; would I be OK to try what's suggested in this link?

http://www.geekstogo.com/forum/topic/289425-otl-wont-run/

I've seen Rkill being mentioned elsewhere; is it worth running this beforehand? I've downloaded OTL from the above link and it's a script file. Should I run this instead of the exe from your link?
Getting a connection to my PC will be difficult due to the time difference. I'm 6 hours ahead of you and in bed when you come online. It would have to be on Saturday.
 

andyq

Member
Ran Rkill, log below, still no joy (popups were still flying up after running Rkill). Booted in safe mode and ran Rkill, same result.
1) Should I try the geekstogo way of running OTL (see link in my previous post)?
2) Is it Chrome that is infected? Should I uninstall and re-install? IE8 gets no popups.
3) If you want to get a connection, I'm up late on Friday & Saturday nights. At 1am my time it will be 7pm your time. So if you want to make a date for Friday or Saturday evening at 7pm your time, please let me know.

Rkill log

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/03/2013 08:18:40 PM in x86 mode. (Safe Mode)
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

* Reparse Point/Junctions Found (Most likely legitimate)!

* C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]

Checking Windows Service Integrity:

* AFD (AFD) is not Running.
Startup Type set to: System

* DHCP Client (Dhcp) is not Running.
Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.
Startup Type set to: Automatic

* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Manual

* Network Connections (Netman) is not Running.
Startup Type set to: Manual

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic

* Automatic Updates (wuauserv) is not Running.
Startup Type set to: Automatic

* AFD (AFD) is not Running.
Startup Type set to: System

* IPSEC driver (IPSec) is not Running.
Startup Type set to: System

* NetBios over Tcpip (NetBT) is not Running.
Startup Type set to: System

* TCP/IP Protocol Driver (Tcpip) is not Running.
Startup Type set to: System

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 10/03/2013 08:20:49 PM
Execution time: 0 hours(s), 2 minute(s), and 9 seconds(s)
 

johnb35

Administrator
Staff member
My guess is that you have a bad add-on installed in Chrome. Check your add-ons and get rid of any that you don't recognize. If need be, I should be home Saturday around 7pm CST and I can remote in to see what's going on.
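Added here as an example of the add-on check johnb35 suggests, not code from this thread or from any tool it mentions: a script that inventories the extensions in a Chrome profile and flags those holding the permissions a page-injecting popup extension needs. The profile path layout, the permission lists and the two sample manifests are assumptions constructed for the example.

```python
"""Inventory Chrome extensions in a profile folder and flag the risky ones.

Added example for this thread, not code from the forum or the tools discussed.
Assumes the Chrome-on-Windows layout of the era:
    <profile>/Extensions/<id>/<version>/manifest.json
"""
import json
import os
import tempfile

# Host patterns that let an extension inject into every page the user visits;
# an extension that throws popups on arbitrary sites needs one of these.
BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
# APIs that let an extension watch or alter browsing in every tab.
RISKY_API = {"webRequest", "webRequestBlocking", "tabs", "webNavigation"}


def default_profile_dir():
    """Typical Chrome profile path on Windows XP (matches the thread's AdwCleaner log)."""
    return os.path.join(os.environ.get("USERPROFILE", ""),
                        "Local Settings", "Application Data", "Google",
                        "Chrome", "User Data", "Default")


def load_manifests(profile_dir):
    """Yield (extension_id, version_dir, manifest_dict) for every installed extension."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            path = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, "r", encoding="utf-8-sig") as fh:  # manifests may carry a BOM
                try:
                    manifest = json.load(fh)
                except ValueError:
                    manifest = {"name": "<unparseable manifest>"}
            yield ext_id, version, manifest


def assess(manifest):
    """Return the reasons an extension deserves a closer look (empty list = nothing notable)."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    hosts = perms & BROAD_HOSTS
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", [])) & BROAD_HOSTS
    if hosts:
        reasons.append("injects into all sites: " + ", ".join(sorted(hosts)))
    apis = perms & RISKY_API
    if apis:
        reasons.append("can watch/alter browsing: " + ", ".join(sorted(apis)))
    if not manifest.get("update_url"):
        reasons.append("no update_url (likely sideloaded rather than from the Web Store)")
    return reasons


def audit(profile_dir):
    """Map extension id -> (name, version_dir, reasons) for the whole profile."""
    report = {}
    for ext_id, version, manifest in load_manifests(profile_dir):
        report[ext_id] = (manifest.get("name", "<unnamed>"), version, assess(manifest))
    return report


# Constructed sample profile: one adware-style extension and one benign one.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Constructed Arcade Popups", "version": "1.0",
        "permissions": ["tabs", "<all_urls>"],
        "content_scripts": [{"matches": ["http://*/*"], "js": ["inject.js"]}],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Constructed Benign Notes", "version": "2.3",
        "permissions": ["storage"],
        "update_url": "https://clients2.google.com/service/update2/crx",
    },
}


def build_sample_profile():
    """Write the constructed manifests into a temporary profile and return its path."""
    profile = tempfile.mkdtemp(prefix="chrome-profile-")
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        ext_dir = os.path.join(profile, "Extensions", ext_id, manifest["version"] + "_0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return profile


if __name__ == "__main__":
    target = build_sample_profile()  # use default_profile_dir() on a real machine
    for ext_id, (name, version, reasons) in audit(target).items():
        print(("CHECK" if reasons else "ok   "), ext_id, name, version)
        for reason in reasons:
            print("      -", reason)
```

On a live profile, anything flagged CHECK that you do not recognise is the candidate to remove from Chrome's extensions page; the script only reads manifests and changes nothing.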
 

andyq

Member
Hi John
Success! It was an add-on (extension) called Toparcade. Deleted that and everything seems OK now. Even the red strike-through on the http address bar has disappeared. Big big thanks for your help and above all patience.

Andrew

PS: OTL still won't run; suppose it doesn't matter, well, for now.
 