WiredWX Christian Hobby Weather Tools

Unknown virus- search redirecting

I've downloaded and run HijackThis; it opened fine and started scanning but then just closed, so I'm unable to post a log file. This has happened with McAfee (I didn't have this installed before the computer was infected), SUPERAntiSpyware, and Malwarebytes Anti-Malware, where in the middle of scanning the programs just close!

The only noticeable thing happening is google results being redirected to affiliate links.

Any help would be much appreciated!

Re: Unknown virus- search redirecting

I've downloaded multiple other programs (Spybot, Ad-Aware...) and every time I begin to scan it works fine, but then stops abruptly, as if when it comes across the infected file it makes it close...

The only scanning that revealed something for me was an online one at http://www.pandasecurity.com/activescan

It said it found:

Generic Trojan Virus
Active
Not disinfectable
1. globalroot\Device\__max++>\E58321D6.x86.dll

Re: Unknown virus- search redirecting

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Unknown virus- search redirecting

Thanks for that.

Same as with the previous version of HijackThis, though: it goes through and does the scan but then midway just closes automatically, so I'm unable to save a logfile.

Edit: Also, with all of these scanning programs that close automatically, the second time I try to open the specific program it doesn't work; a dialog box comes up saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." So it seems to have even somehow disabled the program! I'm doing this under an Administrator account.

Re: Unknown virus- search redirecting

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Re: Unknown virus- search redirecting

This one worked...

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:31 on 03/09/2009 by Ammy (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\Windows\System32\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61

Searching for "netlogon.dll"
C:\Windows\System32\netlogon.dll --a--- 559616 bytes [08:45 02/11/2006] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B
C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll --a--- 559616 bytes [08:45 02/11/2006] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B

Searching for "eventlog.dll"
No files found.

-=End Of File=-

Re: Unknown virus- search redirecting

Please check the file size of Cngaudit.dll.

You can find that file in

c:\windows\system32\cngaudit.dll

Re: Unknown virus- search redirecting

Hi,

The file is 60.5 KB (last modified 2/11/2006).

Re: Unknown virus- search redirecting

I've read through other people's posts and found a few experiencing the same thing. Would it be OK to run the program scans advised to them (and then post the log here, not actually follow the advice given to them after that)?

Re: Unknown virus- search redirecting

Hello.
Don't run anything without us asking you to.

Do another SystemLook scan using this script.

Code:

:filefind
Cngaudit.dll


Re: Unknown virus- search redirecting

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 08:13 on 04/09/2009 by Ammy (Administrator - Elevation successful)

========== filefind ==========

Searching for "Cngaudit.dll"
C:\Windows\System32\cngaudit.dll --a--- 61952 bytes [08:43 02/11/2006] [09:46 02/11/2006] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

-=End Of File=-
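
The two SystemLook results above (the first, where scecli.dll and netlogon.dll matched, and this one, where cngaudit.dll did not) are read the same way: the live copy under System32 is compared with the copy Windows keeps in the WinSxS component store. An added example, not code from the thread or from SystemLook, that parses the ":filefind" output and flags a live copy whose size or MD5 differs from the store copy, or whose hash SystemLook could not read at all (a locked or hidden file is the usual reason). The sample log is constructed from the values posted in the thread; the function names are mine. A match does not prove a file clean, and a "No files found" result is only a prompt to confirm against a known-good machine of the same build, since the absence may be normal for that Windows version.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: SystemLook ":filefind" output assembled from the values
# quoted in this thread (paths, sizes, timestamps and hashes as posted).
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "scecli.dll"
C:\Windows\System32\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61

Searching for "eventlog.dll"
No files found.

Searching for "Cngaudit.dll"
C:\Windows\System32\cngaudit.dll --a--- 61952 bytes [08:43 02/11/2006] [09:46 02/11/2006] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

-=End Of File=-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
# path, six-character attribute field, size, two bracketed timestamps, then the
# MD5 column (a hex digest or SystemLook's "(Unable to calculate MD5)" marker).
ENTRY_RE = re.compile(
    r"^(?P<path>\S.*?) (?P<attrs>[-a-zA-Z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]*)\] \[(?P<modified>[^\]]*)\] (?P<md5>.+)$"
)


@dataclass
class FileEntry:
    path: str
    size: int
    md5: Optional[str]  # None when SystemLook could not hash the file


def parse_filefind(text: str) -> Dict[str, List[FileEntry]]:
    """Group the hits under each 'Searching for "..."' header, keyed by lower-cased name."""
    results: Dict[str, List[FileEntry]] = {}
    current = None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results[current] = []
            continue
        e = ENTRY_RE.match(line) if current else None
        if e:
            md5 = e.group("md5").strip()
            results[current].append(FileEntry(
                path=e.group("path"),
                size=int(e.group("size")),
                md5=None if md5.startswith("(") else md5.upper(),
            ))
    return results


def assess(entries: Dict[str, List[FileEntry]]) -> Dict[str, List[str]]:
    """Compare each live System32 copy with the WinSxS component-store copies of the same DLL."""
    findings: Dict[str, List[str]] = {}
    for name, files in entries.items():
        notes: List[str] = []
        live = [f for f in files if f.path.lower().startswith("c:\\windows\\system32\\")]
        store = [f for f in files if "\\winsxs\\" in f.path.lower()]
        if not files:
            notes.append("no copies found; confirm against a clean machine of the same build")
        for f in live:
            if f.md5 is None:
                notes.append(f"{f.path}: hash unreadable (file locked or hidden from the scanner)")
            if store and f.size not in {s.size for s in store}:
                notes.append(f"{f.path}: size {f.size} differs from WinSxS copy "
                             f"({sorted(s.size for s in store)})")
            if f.md5 and store and f.md5 not in {s.md5 for s in store}:
                notes.append(f"{f.path}: MD5 {f.md5} not present in WinSxS")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in assess(parse_filefind(SAMPLE_LOG)).items():
        print(name, "->", notes or ["consistent with WinSxS copy"])
```

Run stand-alone it reports scecli.dll as consistent and cngaudit.dll with two notes: the live copy could not be hashed and it is 61952 bytes against the 11776-byte store copy, which is exactly the discrepancy the helper acted on.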

Re: Unknown virus- search redirecting

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\cngaudit.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Unknown virus- search redirecting

Thanks for the help.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\cngaudit.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Unknown virus- search redirecting

See if you can download and run HijackThis from here:

http://www.sendspace.com/pro/dl/932rpd

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Unknown virus- search redirecting

It worked!...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:42 PM, on 4/9/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Users\Ammy\firefox.exe
C:\Users\Ammy\Downloads\winlogon(2).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;192.168.1.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: superiorads - {79F562E5-768C-4494-8E6C-824ADA4A9C2C} - C:\Windows\system32\sprt_ads.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7643 bytes

Re: Unknown virus- search redirecting

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: superiorads - {79F562E5-768C-4494-8E6C-824ADA4A9C2C} - C:\Windows\system32\sprt_ads.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

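
The lines the helper picked out of the HijackThis log are the two O2 entries whose backing file is gone: a BHO registered under a CLSID but pointing at a missing DLL, and a nameless BHO with no file at all. Orphaned registrations are worth fixing because a later dropper can re-create the file and be loaded into Internet Explorer again without touching the registry. An added example, not code from the thread or from HijackThis, that walks an HJT log, reports every entry marked "(file missing)" or "(no file)" with its section and CLSID, and separately flags any running process that carries the name of a core Windows binary but runs from outside the Windows directory. The log excerpt is constructed from lines in the thread; the function names and the list of core binary names are mine. A process hit is a prompt to verify the file's signature and hash, not a verdict: in this thread it fires on a download in the user's profile folder.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the HijackThis log posted in this thread (a handful of
# lines copied as posted, not the complete log).
SAMPLE_HJT = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Ammy\Downloads\winlogon(2).exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: superiorads - {79F562E5-768C-4494-8E6C-824ADA4A9C2C} - C:\Windows\system32\sprt_ads.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Image names of core Windows binaries that should only run from the Windows
# directory (constructed list for this example).
SYSTEM_BINARY_NAMES = {"winlogon", "csrss", "lsass", "services", "svchost", "smss", "explorer"}


def find_orphaned_entries(text: str) -> List[Dict[str, Optional[str]]]:
    """Return O2/O3/O23-style entries whose backing file no longer exists."""
    orphans: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        # HijackThis separates fields with " - "; the last field is the file path.
        # A product name containing " - " (Spybot - Search & Destroy, say) only
        # shifts the earlier fields, so the path is still the final one.
        fields = body.split(" - ")
        name, path = fields[0], fields[-1]
        if path.endswith("(file missing)"):
            reason = "file missing"
        elif path == "(no file)":
            reason = "no file"
        else:
            continue
        clsid = CLSID_RE.search(body)
        orphans.append({
            "section": m.group("section"),
            "name": name,
            "clsid": clsid.group(0) if clsid else None,
            "path": path,
            "reason": reason,
        })
    return orphans


def suspicious_process_paths(text: str) -> List[str]:
    """Flag processes named like core Windows binaries but running outside C:\\Windows."""
    hits: List[str] = []
    in_procs = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if not line.strip():
            in_procs = False  # the process list ends at the first blank line
        if not in_procs:
            continue
        base = line.rsplit("\\", 1)[-1].lower()                    # "winlogon(2).exe"
        stem = re.sub(r"\(\d+\)$", "", base.rsplit(".", 1)[0])     # -> "winlogon"
        if stem in SYSTEM_BINARY_NAMES and not line.lower().startswith("c:\\windows\\"):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for o in find_orphaned_entries(SAMPLE_HJT):
        print(o["section"], o["clsid"], o["reason"], "-", o["name"])
    for p in suspicious_process_paths(SAMPLE_HJT):
        print("verify:", p)
```

The MBAM run later in the thread ties the first CLSID, {79F562E5-768C-4494-8E6C-824ADA4A9C2C}, to Trojan.Vundo.H, which is the corroboration a helper looks for before asking the user to fix an entry.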

Re: Unknown virus- search redirecting

Thanks Belahzur.

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{79f562e5-768c-4494-8e6c-824ada4a9c2c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adpanel.panel1 (Adware.SuperiorAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adpanel.panel1.1 (Adware.SuperiorAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\monamia2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\plodaq.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
C:\Windows\System32\WhoisCL.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Windows\k.txt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Re: Unknown virus- search redirecting

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.


Re: Unknown virus- search redirecting

Thanks.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Ammy at 10:44:33.13 on Sun 06/09/2009
Internet Explorer: 7.0.6000.16609 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.65.1033.18.2037.906 [GMT 10:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Kaspersky Internet Security *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Users\Ammy\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Ammy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = local;192.168.1.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\siteadvisor\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\siteadvisor\mcieplg.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\$recycle.bin\s-bdc6~1\$r2tkwpk.sh! c:\$recycle.bin\s-bdc6~1\$r2tkwpk\mymusi~1.sh! c:\$recycle.bin\s-bdc6~1\$r2tkwpk\mypict~1.sh! c:\$recycle.bin\s-bdc6~1\$r2tkwpk\MYVIDE~1.SH!
mPolicies-system: EnableLUA = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager
IE: Download video with Free Download Manager
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 7.0\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office11\REFIEBAR.DLL
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\siteadvisor\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kaspersky lab\kaspersky internet security 2010\kloehk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ammy\appdata\roaming\mozilla\firefox\profiles\5piqf0py.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\users\ammy\appdata\roaming\mozilla\firefox\profiles\5piqf0py.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\users\ammy\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

---- FIREFOX POLICIES ----
c:\users\ammy\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\users\ammy\greprefs\all.js - pref("media.cache_size", 51200);
c:\users\ammy\greprefs\all.js - pref("media.ogg.enabled", true);
c:\users\ammy\greprefs\all.js - pref("media.wave.enabled", true);
c:\users\ammy\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\users\ammy\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\users\ammy\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\users\ammy\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\users\ammy\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\users\ammy\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\users\ammy\greprefs\all.js - pref("layout.css.dpi", -1);
c:\users\ammy\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\users\ammy\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\users\ammy\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\users\ammy\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\users\ammy\greprefs\all.js - pref("geo.enabled", true);
c:\users\ammy\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\users\ammy\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\users\ammy\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\users\ammy\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\users\ammy\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\users\ammy\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\users\ammy\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\users\ammy\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\users\ammy\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\users\ammy\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\users\ammy\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\users\ammy\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 pfmfs_27B;pfmfs_27B;c:\windows\system32\drivers\pfmfs_27B.sys [2009-4-26 179896]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-3 210216]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-2-1 31704]
S2 0003991252157886mcinstcleanup;McAfee Application Installer Cleanup (0003991252157886);c:\windows\temp\0003991252157886mcinst.exe c:\progra~1\common~1\mcafee\installer\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\0003991252157886mcinst.exe c:\progra~1\common~1\mcafee\installer\cleanup.ini -cleanup -nolog -service [?]
S4 HssSrv;Hotspot Shield Helper Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-2-6 117208]

Re: Unknown virus- search redirecting
=============== Created Last 30 ================

2009-09-05 16:42 --d----- c:\program files\SmartFTP Client 3.0 Setup Files
2009-09-04 17:02 1,205,818 a------- c:\windows\system32\WinRAR 3.71 Corporate Edition.exe
2009-09-04 17:02 464,018 a------- c:\windows\system32\Kool_nfo_reader.exe
2009-09-04 17:02 176 a------- c:\windows\system32\Latest Downloads.html
2009-09-03 12:31 --d----- c:\program files\SmartFTP Client
2009-09-03 11:08 --d----- c:\users\ammy\.realobjects
2009-09-03 09:37 --d----- c:\program files\Trend Micro
2009-09-02 19:30 --d----- c:\programdata\Spybot - Search & Destroy
2009-09-02 19:30 --d----- c:\program files\Spybot - Search & Destroy
2009-09-02 19:30 --d----- c:\progra~2\Spybot - Search & Destroy
2009-09-02 18:25 --d----- c:\program files\Panda Security
2009-09-02 17:41 --d----- c:\programdata\SUPERAntiSpyware.com
2009-09-02 17:41 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-09-02 17:41 --d----- c:\users\ammy\appdata\roaming\SUPERAntiSpyware.com
2009-09-02 17:41 --d----- c:\program files\SUPERAntiSpyware
2009-09-02 17:38 --d----- c:\users\ammy\appdata\roaming\Malwarebytes
2009-09-02 17:38 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 17:38 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-02 17:38 --d----- c:\programdata\Malwarebytes
2009-09-02 17:38 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 17:38 --d----- c:\progra~2\Malwarebytes
2009-09-02 15:58 10,839 a------- c:\windows\system32\Config.MPF
2009-09-02 15:57 --d----- c:\programdata\SiteAdvisor
2009-09-02 15:57 --d----- c:\program files\SiteAdvisor
2009-09-02 15:53 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-02 15:53 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-02 15:53 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-02 15:53 130,424 a------- c:\windows\system32\drivers\Mpfp.sys
2009-09-02 15:53 --d----- c:\program files\common files\McAfee
2009-09-02 15:53 --d----- c:\program files\McAfee.com
2009-09-02 15:53 --d----- c:\program files\McAfee
2009-09-02 15:52 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-02 15:17 --d----- c:\programdata\McAfee
2009-09-02 12:15 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-09-02 11:57 --d----- c:\programdata\Kaspersky Lab Setup Files
2009-09-02 11:57 --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-08-31 21:15 84 a------- c:\windows\forminfo.ini
2009-08-31 19:03 13 a------- c:\windows\system32\WinSys32.crc
2009-08-31 18:58 913,560 a------- c:\windows\system32\wodFtpDLX.ocx
2009-08-31 18:55 233,472 a------- c:\windows\system32\Ilda32.dll
2009-08-31 18:55 18,944 a------- c:\windows\system32\BORLNDMM.DLL
2009-08-31 18:55 --d----- c:\users\ammy\CoffeeCup Software
2009-08-27 08:30 --d----- c:\users\ammy\AIM Lite
2009-08-12 17:18 --d----- C:\Removable Disk
2009-08-10 16:11 --d----- c:\program files\InstantEyedropper

==================== Find3M ====================

2009-09-02 17:38 86,016 a------- c:\windows\inf\infstrng.dat
2009-09-02 17:38 86,016 a------- c:\windows\inf\infstor.dat
2009-09-02 17:38 51,200 a------- c:\windows\inf\infpub.dat
2009-09-02 08:32 66,578,208 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-08-26 09:13 855,524 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-08 13:44 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-04-11 02:09 856,064 a------- c:\users\ammy\qfrcore.dll
2009-04-11 01:22 1,905,664 a------- c:\users\ammy\InstantRename.dll
2008-02-20 05:43 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-14 06:01 174 a--sh--- c:\program files\desktop.ini
2007-04-20 03:12 364,544 a------- c:\users\ammy\taglib.dll
2007-04-19 15:09 73,728 a------- c:\users\ammy\zlib1.dll
2005-03-12 09:40 4,004,352 a------- c:\users\ammy\Filerecovery.exe
2005-02-24 23:55 130,556 a------- c:\users\ammy\PCIFR4_1000.dat
2005-02-24 23:55 130,556 a------- c:\users\ammy\PCIFR4_7000.dat
2005-02-24 23:55 130,556 a------- c:\users\ammy\PCIFR4_5000.dat
2005-02-24 23:55 130,556 a------- c:\users\ammy\PCIFR4_13000.dat
2005-02-24 23:55 130,556 a------- c:\users\ammy\PCIFR4_3000.dat
2004-05-25 15:16 1,047,552 a------- c:\users\ammy\mfc71u.dll
2003-08-30 16:50 199,168 a------- c:\users\ammy\Uninstall.exe
2003-02-21 22:42 348,160 a------- c:\users\ammy\msvcr71.dll

============= FINISH: 10:45:22.86 ===============

Re: Unknown virus- search redirecting
Hello.
Nearly done now.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Unknown virus- search redirecting

Thanks. A few programs that used to be installed and working before the virus hit (like Internet Explorer) just don't work anymore; they don't show up on the list of programs and when clicked say you don't have permission, etc. Should I re-download these programs, or is the virus still there and will it destroy them again?

Thanks again for the help!

ABC Amber ICL Converter
ActiveCheck component for HP Active Support Library
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
AIM Lite 0.33
Alien Skin Xenofex 2.0
Apple Mobile Device Support
Apple Software Update
Artistic Effects by Lokas Software
CoffeeCup HTML Editor 2008
Compatibility Pack for the 2007 Office system
Conexant HD Audio
DHTML Editing Component
Documalis Free Scanner 1.0
DVD Flick 1.3.0.6
ESU for Microsoft Vista
Font Creator 5.0
Free Download Manager 3.0
Google Toolbar for Internet Explorer
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
HP Active Support Library
HP Active Support Library 32 bit components
HP Color LaserJet CM1015/CM1017 MFP 2.0
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.2
HP Easy Setup - Frontend
HP Help and Support
HP Imaging Device Functions 8.0
HP Photosmart Essential 2.0
HP Quick Launch Buttons 6.20 G2
HP Update
HP User Guides 0078
HP Wireless Assistant
HPAsset component for HP Active Support Library
HTML-Kit
Instant Eyedropper 1.75
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
iTunes
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6
Kaspersky Internet Security 7.0
Kaspersky Internet Security 7.0
Lernout & Hauspie TruVoice American English TTS Engine
Logitech Harmony Remote Software
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
MSCU for Microsoft Vista
NetWaiting
Pismo File Mount Audit Package
QuickTime
RealPlayer
Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
Roxio Activation Module
SmartFTP Client
SmartFTP Client 3.0 Setup Files (remove only)
SPSS 16.0
Touch Pad Driver
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Player Firefox Plugin
WinRAR archiver
Xvid 1.1.3 final uninstall

Re: Unknown virus- search redirecting
Press Start > Run.
Type in cmd, then press enter.

At the DOS prompt execute the following commands, one by one.
Press the enter key after each entry.

regsvr32 urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 Browseui.dll
regsvr32 Shell32.dll

Type Exit and press enter to return to the operating mode.

Reboot normally.

Is Internet Explorer available now?

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Unknown virus- search redirecting
Thanks Origin.

This is what happened when I did each line:

1. succeeded
2. was loaded but entry point not found
3. failed to load could not be found
4. succeeded
5. succeeded
6. was loaded but entry point not found
7. was loaded but entry point not found
8. succeeded

The message that comes up when I try to open Internet Explorer is still "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item".

Re: Unknown virus- search redirecting

Ok, let's try this:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

[screenshots of the ComboFix download dialog in Firefox]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Unknown virus- search redirecting

I disabled McAfee security centre, and it said Kaspersky and SUPERAntiSpyware were running and to shut them, but I had uninstalled them yesterday.. although they still have folders in my program file folder and when trying to delete them they wouldn't delete, and when trying to start the programs through their folders it wouldn't open, so I couldn't figure out how to disable them both.. I just renamed their folders and did the scan even though it said they were still running..

I looked at the log and c:\windows\system32\filerenamerred.sys according to google is a trojan.. should I delete it?


ComboFix 09-09-06.03 - Ammy 07/09/2009 16:21.5.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.65.1033.18.2037.1242 [GMT 10:00]
Running from: c:\users\Ammy\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: Kaspersky Internet Security *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2880441570-389058512-4063806805-500
c:\$recycle.bin\S-1-5-21-3777358621-2682700068-859322637-1002
c:\$recycle.bin\S-1-5-21-3777358621-2682700068-859322637-1003
c:\$recycle.bin\S-1-5-21-3777358621-2682700068-859322637-500
c:\users\Ammy\Uninstall.exe
c:\windows\Installer\30962.msi
c:\windows\Installer\5c4a5.msi
c:\windows\Installer\a0625d.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 06:29 . 2009-09-07 06:30 -------- d-----w- c:\users\Ammy\AppData\Local\temp
2009-09-07 06:29 . 2009-09-07 06:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-07 06:29 . 2009-09-07 06:29 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-09-07 06:29 . 2009-09-07 06:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-05 06:42 . 2009-09-05 06:42 -------- d-----w- c:\program files\SmartFTP Client 3.0 Setup Files
2009-09-03 02:31 . 2009-09-05 06:43 -------- d-----w- c:\program files\SmartFTP Client
2009-09-03 01:08 . 2009-09-03 01:08 -------- d-----w- c:\users\Ammy\.realobjects
2009-09-02 23:37 . 2009-09-02 23:37 -------- d-----w- c:\program files\Trend Micro
2009-09-02 09:30 . 2009-09-04 07:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-02 08:25 . 2009-09-04 07:13 -------- d-----w- c:\program files\Panda Security
2009-09-02 07:41 . 2009-09-02 07:41 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-02 07:41 . 2009-09-02 07:41 -------- d-----w- c:\users\Ammy\AppData\Roaming\SUPERAntiSpyware.com
2009-09-02 07:38 . 2009-09-02 07:38 -------- d-----w- c:\users\Ammy\AppData\Roaming\Malwarebytes
2009-09-02 07:38 . 2009-08-03 03:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 07:38 . 2009-09-04 00:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 07:38 . 2009-09-02 07:38 -------- d-----w- c:\programdata\Malwarebytes
2009-09-02 07:38 . 2009-08-03 03:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 05:57 . 2009-09-02 05:57 -------- d-----w- c:\programdata\SiteAdvisor
2009-09-02 05:57 . 2009-09-05 06:56 -------- d-----w- c:\program files\SiteAdvisor
2009-09-02 05:53 . 2009-07-08 03:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-02 05:53 . 2009-07-08 03:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-02 05:53 . 2009-07-08 03:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-02 05:53 . 2009-07-16 02:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-09-02 05:53 . 2009-09-02 05:53 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-02 05:53 . 2009-09-02 05:53 -------- d-----w- c:\program files\McAfee.com
2009-09-02 05:53 . 2009-09-07 02:06 -------- d-----w- c:\program files\McAfee
2009-09-02 05:52 . 2009-07-08 03:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-02 05:17 . 2009-09-02 08:54 -------- d-----w- c:\programdata\McAfee
2009-09-02 02:15 . 2009-09-02 02:15 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-09-02 01:57 . 2009-09-02 01:57 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-08-31 08:55 . 1999-03-22 02:29 233472 ----a-w- c:\windows\system32\Ilda32.dll
2009-08-31 08:55 . 1998-06-16 18:00 18944 ----a-w- c:\windows\system32\BORLNDMM.DLL
2009-08-31 08:55 . 2009-09-02 07:28 -------- d-----w- c:\users\Ammy\CoffeeCup Software
2009-08-26 22:30 . 2009-08-26 22:30 -------- d-----w- c:\users\Ammy\AIM Lite
2009-08-12 07:18 . 2009-09-03 00:30 -------- d-----w- C:\Removable Disk
2009-08-11 01:44 . 2009-08-11 01:44 -------- d-----w- c:\users\Officeworks\AppData\Roaming\InstallShield
2009-08-10 06:11 . 2009-08-10 06:12 -------- d-----w- c:\program files\InstantEyedropper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 05:52 . 2008-01-09 10:39 -------- d-----w- c:\program files\Kaspedrsky Lab
2009-09-07 05:11 . 2008-01-09 10:39 -------- d-----w- c:\programdata\Kaspersky Lab
2009-09-05 01:11 . 2007-07-06 06:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 23:19 . 2009-03-14 23:39 -------- d-----w- c:\users\Officeworks\AppData\Roaming\Free Download Manager
2009-09-03 23:18 . 2007-08-28 12:46 8224 ----a-w- c:\users\Officeworks\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-03 01:11 . 2006-12-06 06:53 163856 ----a-w- c:\users\Ammy\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-02 07:37 . 2009-03-14 01:29 -------- d-----w- c:\users\Ammy\AppData\Roaming\Free Download Manager
2009-09-01 22:32 . 2008-01-09 10:39 66578208 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-25 23:13 . 2008-01-09 10:39 855524 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-17 09:06 . 2007-07-06 07:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-06 22:35 . 2009-08-06 22:35 -------- d-----w- c:\program files\MSECache
2009-07-31 06:16 . 2009-07-31 06:16 224 ----a-w- c:\windows\system32\filerenamerred.sys
2009-07-31 06:13 . 2009-07-31 06:11 2 ----a-w- c:\windows\system32\krx260.dat
2009-07-19 07:47 . 2009-06-10 01:02 -------- d-----w- c:\users\Ammy\AppData\Roaming\Apple Computer
2009-07-08 03:44 . 2009-07-08 03:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-06 10:51 . 2008-10-23 03:18 680 ----a-w- c:\users\Ammy\AppData\Local\d3d9caps.dat
.

Re: Unknown virus- search redirecting
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}]
@="{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}"
[HKEY_CLASSES_ROOT\CLSID\{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}]
2009-03-06 03:17 143160 ----a-w- c:\windows\System32\pfmshx_27B.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Ammy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Ammy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient"= c:\program files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"= c:\program files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B0D13AF7-D7B8-401E-98C2-E0C7C39D8387}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{7CC58E7F-73D3-4739-A60A-3A1E2AFA4E18}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{B623973A-0921-43A2-8083-ABB4E368E71B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{BEE065E0-ABB0-45BC-B40A-CBA74C5EFFAB}"= Disabled:UDP:c:\program files\SPSSInc\SPSS16EV\SPSSWinWrapIDE.exe:SPSS Basic Script Editor (1033)
"{39D658C6-7556-4F8E-B78B-8145E537E6A6}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{69F6352A-20C3-4FF6-B77C-279563C17807}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{45BD984B-3968-46C1-9B7A-85EA9056D6EB}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient"= c:\program files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"= c:\program files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper

R1 pfmfs_27B;pfmfs_27B;c:\windows\System32\drivers\pfmfs_27B.sys [26/4/2009 7:56 PM 179896]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/9/2009 4:51 PM 210216]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\System32\drivers\hssdrv.sys [1/2/2009 6:57 PM 31704]
S2 0032191252289196mcinstcleanup;McAfee Application Installer Cleanup (0032191252289196);c:\windows\TEMP\0032191252289196mcinst.exe c:\progra~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\0032191252289196mcinst.exe c:\progra~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog -service [?]
S4 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [6/2/2009 7:56 AM 117208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-02 11:26]

2009-09-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-02 11:26]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local;192.168.1.1
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager
IE: Download video with Free Download Manager
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ammy\AppData\Roaming\Mozilla\Firefox\Profiles\5piqf0py.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\users\Ammy\AppData\Roaming\Mozilla\Firefox\Profiles\5piqf0py.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\users\Ammy\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\users\Ammy\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 16:30
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1968)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\windows\System32\rundll32.exe
c:\progra~1\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\program files\McAfee\VirusScan\mcsysmon.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
.
**************************************************************************
.
Completion time: 2009-09-07 16:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 06:32

Pre-Run: 11,003,375,616 bytes free
Post-Run: 11,123,302,400 bytes free

260 --- E O F --- 2008-02-26 09:09
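The "Reg Loading Points" section of the ComboFix log above lists several settings that weaken the machine's own defences (EnableLUA set to 0, Security Center monitoring disabled, the firewall profiles set to EnableFirewall 0). The following is an added example written for this thread, not ComboFix code and not something any poster supplied: a small parser that reads a REGEDIT4-style excerpt in the layout ComboFix prints and flags those values. The sample excerpt is constructed from values that appear in the log above, and the rule table (RULES) and the function names are this example's own design.

```python
"""Flag defence-weakening settings in a ComboFix 'Reg Loading Points' dump.

Added example for this thread, not part of ComboFix or the original posts.
The sample input below is constructed from values that appear in the log
pasted above; the RULES table and triage_registry_dump() are this
example's own design, not a ComboFix feature.
"""
import re

# Constructed sample: an excerpt in the REGEDIT4-style layout ComboFix prints.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{45BD984B-3968-46C1-9B7A-85EA9056D6EB}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"""

# (lower-cased key-path fragment, value name, value that weakens a defence, explanation)
RULES = [
    ("policies\\system", "EnableLUA", 0, "User Account Control is turned off"),
    ("security center\\monitoring", "DisableMonitoring", 1, "Security Center monitoring is disabled"),
    ("security center\\svc", "AntiVirusOverride", 1, "Security Center told to ignore the AV state"),
    ("security center\\svc", "AntiSpywareOverride", 1, "Security Center told to ignore the antispyware state"),
    ("firewallpolicy", "EnableFirewall", 0, "Windows Firewall profile is off"),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches both value styles ComboFix prints: "Name"= 0 (0x0)  and  "Name"=dword:00000001
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))'
)


def parse_dump(text):
    """Yield (key, value_name, int_value) for every numeric value in the dump.

    String values (such as firewall rule entries) carry no numeric payload
    and are skipped; the current [key] line is remembered for each value.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            if m.group("hex") is not None:
                val = int(m.group("hex"), 16)
            else:
                val = int(m.group("dec"))
            yield key, m.group("name"), val


def triage_registry_dump(text):
    """Return a list of (key, value_name, explanation) for values matching RULES."""
    findings = []
    for key, name, val in parse_dump(text):
        key_lc = key.lower()
        for fragment, rule_name, bad_value, why in RULES:
            if fragment in key_lc and name == rule_name and val == bad_value:
                findings.append((key, name, why))
    return findings


if __name__ == "__main__":
    for key, name, why in triage_registry_dump(SAMPLE_DUMP):
        print(f"{why}: {name} under {key}")
```

Treat the output as leads for the person reading the log, not as verdicts: security products legitimately write DisableMonitoring and the Override values under their own Security Center subkeys, and a user may have switched UAC or a firewall profile off deliberately, so each finding still has to be compared against what is known to be installed on the machine.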

Re: Unknown virus- search redirecting
It says in the log "Running from: c:\users\Ammy\Desktop\ComboFix.exe" but I was sure I renamed combofix to what I was supposed to.. please let me know if I should try it again. Thanks for the help.

Re: Unknown virus- search redirecting
Submit a file for analysis.

  1. Please visit this website: Jotti's Malware Scanner
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\pfmshx_27B.dll
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Unknown virus- search redirecting
Thanks Belahzur.

All of the scanners found nothing.
Additional info
File size: 143160 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 9e715ae9868acc8f6bbd2afc28e6e342
SHA1: 527137c27d2194d85072efe6af8f2c43699abdb2

Re: Unknown virus- search redirecting
Hello.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6

  • Click on the Uninstall/Change button at the top.

You are running two antiviruses: I see from the uninstall list you have McAfee installed, along with Kaspersky. This is a bad idea as they can conflict and cause more problems. I recommend that one of them is removed.

Which one do you use the most?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Unknown virus- search redirecting
Thanks Belahzur,

I've uninstalled both of the Javas.

I'm planning on using McAfee. I uninstalled Kaspersky and SUPERAntiSpyware a few days ago but their folders are still in my program folders and won't delete, saying I need permission to perform that action.. I guess there are some processes of them still running but I can't identify them in my processes list so I don't know how to get rid of it or disable it.

Re: Unknown virus- search redirecting
Are you sure you uninstalled it? The uninstall log from page 2 still shows it, so it's still there under the Uninstall key in the registry, which means it should be on the uninstall list too.

Kaspersky Internet Security 7.0

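
The check behind the point made above (an entry under the registry Uninstall key is exactly what Programs and Features lists), together with the earlier warning about two antivirus products being registered at once, as an added PowerShell example that is not from the thread. It assumes Vista or Windows 7, where Security Center registrations live in the root\SecurityCenter2 WMI namespace (XP uses root\SecurityCenter); the leftover folder names under Program Files are guesses used for illustration, and the product name pattern is just the products mentioned in this thread.

```powershell
# Added example, not from the thread: show what Windows thinks is installed.
$Pattern = 'Kaspersky|McAfee|SUPERAntiSpyware|Malwarebytes|Spybot|Ad-Aware'

# 1. Registry Uninstall keys. Programs and Features is built from these, so anything
#    matching here will still show on the uninstall list. Both the native and the
#    WOW6432Node view are checked because 32-bit products register in the latter on x64.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
$entries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -and $p.DisplayName -match $Pattern) {
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                Version         = $p.DisplayVersion
                InstallLocation = $p.InstallLocation
                UninstallString = $p.UninstallString
                Key             = $_.PSChildName
            }
        }
    }
}
if ($entries) { $entries | Format-Table -AutoSize } else { 'No matching Uninstall entries.' }

# 2. Security Center registrations. More than one AntiVirusProduct row means two
#    antivirus engines are registered and may conflict, as warned earlier in the thread.
$av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if ($av) {
    $av | Select-Object displayName, pathToSignedProductExe, productState | Format-Table -AutoSize
    if (@($av).Count -gt 1) { Write-Warning ('{0} antivirus products are registered at once.' -f @($av).Count) }
} else {
    'No AntiVirusProduct registrations found (or the namespace is unavailable on this OS).'
}

# 3. Leftover folders. If a product is gone from the Uninstall key but its folder
#    remains, the owner and the first ACL entries explain the "need permission" error.
#    Folder names are guesses for illustration; adjust to what is on the machine.
foreach ($dir in @("$env:ProgramFiles\Kaspersky Lab", "$env:ProgramFiles\SUPERAntiSpyware")) {
    if (Test-Path -LiteralPath $dir) {
        $acl = Get-Acl -LiteralPath $dir
        '{0}: owner {1}' -f $dir, $acl.Owner
        $acl.Access | Select-Object -First 5 IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and the folder ACLs are readable. If section 1 still lists the product after a "successful" uninstall, the uninstaller did not finish cleaning up and the vendor's removal tool or a reinstall-then-uninstall, as suggested later in the thread, is the usual way out.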

Re: Unknown virus- search redirecting
I'm not sure why it didn't work. I uninstalled them both through Control Panel -> Programs and Features, then right-clicked each and uninstalled it. It went through successfully and is no longer listed in the Uninstall or Change a Program list, so I can't think of how else to get rid of it. If it matters, both Kaspersky and SUPERAntiSpyware stopped working after the virus stopped them midway through a scan; the programs themselves wouldn't open properly after that and just came up with the message saying I need permission to open them, like it's saying now with Internet Explorer. I don't have a system restore point I can go back to from when they all worked, so I can't think of anything I can do about it. I might try downloading them again and then uninstalling them while they're still working.

Re: Unknown virus- search redirecting
Ammy, the malware you have is a new one. It has succeeded against most of the antivirus engines; McAfee is one on its hit list.

I personally recommend Kaspersky over McAfee. Still, it's your choice.

And the programs for which you get an error message like "permission denied" won't work again. Reinstalling those programs is the only way to fix it.

Re: Unknown virus- search redirecting
I've uninstalled McAfee and freshly installed Kaspersky and IE, and the search redirect isn't happening anymore. Thanks again for your help, it's much appreciated.
