Can't run Spybot and mozilla is infected [Archive]

View Full Version : Can't run Spybot and mozilla is infected

kevboy67

2009-02-23, 11:20

I am unable to run Spybot in Safe Mode or Unsafe, Combofix and Malwarebytes, I can click the .exe shortcuts but nothing happens. Spybot was the only previous program I had installed and running. I then downloaded the combofix and malwarebytes etc.. but can't get them to run.

I realised I had a problem when my google started redirecting to other sites then just crashing or going to blank screens. See my scan below, and attached unfortunatley unable to run any other screeners etc as I cant get them to startup.

Not sure how complex this problem is but it wouldn't allow me to login or register to your site on the problem pc, when I clicked date of birth it just hungup. Then when I registered on the other comp I still could'nt and can't login on the problem pc....

Log files below for the dss checker as couldn't get any combofix etc to install/run after downloading.

Thanks in advance for any support
Kevin

DDS (Ver_09-02-01.01) - NTFSx86
Run by kev at 16:52:41.02 on 22/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.536 [GMT 0:00]
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kev\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp:///
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\kev\applic~1\mozilla\firefox\profiles\h2r5ca2b.default\
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll
============= SERVICES / DRIVERS ===============
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-27 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-27 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-27 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-27 10760]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2007-12-27 2295]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-12-27 15360]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-27 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-27 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-27 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-12-27 4960]
S3 {FBE1D620-5418-4aae-A0F0-316D590663A1};{FBE1D620-5418-4aae-A0F0-316D590663A1};\??\c:\windows\system32\{fbe1d620-5418-4aae-a0f0-316d590663a1} --> c:\windows\system32\{FBE1D620-5418-4aae-A0F0-316D590663A1} [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-3-16 13352]
=============== Created Last 30 ================
2009-02-09 00:05 36,864 a------- c:\windows\system32\SDDEVMGR.dll
2009-02-06 22:41 1,197,294 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-02-06 22:41 764,868 -------- c:\windows\system32\dllcache\apph_sp.sdb
2009-02-06 22:41 217,118 -------- c:\windows\system32\dllcache\apphelp.sdb
2009-02-06 22:40 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-02-06 22:34 <DIR> --d----- c:\program files\VideoLAN
==================== Find3M ====================
2009-02-05 22:01 7,304 a------- c:\windows\TMP0001.TMP
2008-12-12 17:33 3,060,224 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 a------- c:\windows\system32\dllcache\srv.sys
2008-10-15 08:57 83,544 a------- c:\docume~1\kev\applic~1\GDIPFONTCACHEV1.DAT
============= FINISH: 16:53:37.87 ===============

kevboy67

2009-02-24, 01:46

Hi, Managed to get combofix ran here is the file...

ComboFix 09-02-21.01 - kev 2009-02-23 22:15:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.701 [GMT 0:00]
Running from: c:\documents and settings\kev\Desktop\ComboFix1.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_006126_.tmp.dll
c:\windows\system32\_006127_.tmp.dll
c:\windows\system32\_006128_.tmp.dll
c:\windows\system32\_006129_.tmp.dll
c:\windows\system32\_006135_.tmp.dll
c:\windows\system32\_006136_.tmp.dll
c:\windows\system32\_006137_.tmp.dll
c:\windows\system32\_006138_.tmp.dll
c:\windows\system32\_006139_.tmp.dll
c:\windows\system32\_006141_.tmp.dll
c:\windows\system32\_006142_.tmp.dll
c:\windows\system32\_006145_.tmp.dll
c:\windows\system32\_006146_.tmp.dll
c:\windows\system32\_006148_.tmp.dll
c:\windows\system32\_006149_.tmp.dll
c:\windows\system32\_006150_.tmp.dll
c:\windows\system32\_006152_.tmp.dll
c:\windows\system32\_006155_.tmp.dll
c:\windows\system32\_006156_.tmp.dll
c:\windows\system32\_006160_.tmp.dll
c:\windows\system32\_006161_.tmp.dll
c:\windows\system32\_006163_.tmp.dll
c:\windows\system32\_006166_.tmp.dll
c:\windows\system32\_006168_.tmp.dll
c:\windows\system32\_006169_.tmp.dll
c:\windows\system32\_006170_.tmp.dll
c:\windows\system32\_006171_.tmp.dll
c:\windows\system32\_006172_.tmp.dll
c:\windows\system32\_006175_.tmp.dll
c:\windows\system32\_006176_.tmp.dll
c:\windows\system32\_006177_.tmp.dll
c:\windows\system32\_006178_.tmp.dll
c:\windows\system32\_006179_.tmp.dll
c:\windows\system32\_006184_.tmp.dll
c:\windows\system32\_006186_.tmp.dll
c:\windows\system32\drivers\UACnqqoedbw.sys
c:\windows\system32\UACcmalexvk.log
c:\windows\system32\UACebafmxfb.db
c:\windows\system32\UACixrohntt.log
c:\windows\system32\UAClwxidmir.dll
c:\windows\system32\UACpatneaon.dll
c:\windows\system32\UACqeexdore.dll
c:\windows\system32\UACulqpppmn.dll
c:\windows\system32\UACvpevxews.dat
c:\windows\system32\UACwwkvdjyq.dll
c:\windows\system32\UACxvbuyfbo.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_{FBE1D620-5418-4AAE-A0F0-316D590663A1}
-------\Service_{FBE1D620-5418-4aae-A0F0-316D590663A1}

((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-23 21:58 . 2009-02-23 21:59 <DIR> d-------- C:\ComboFixx
2009-02-23 21:33 . 2009-02-23 21:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 21:33 . 2009-02-23 21:33 <DIR> d-------- c:\documents and settings\kev\Application Data\Malwarebytes
2009-02-23 21:33 . 2009-02-23 21:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-23 21:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 21:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-23 21:25 . 2009-02-23 21:25 <DIR> d-------- c:\program files\Trend Micro
2009-02-22 19:16 . 2009-02-22 20:05 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-21 19:02 . 2009-02-23 17:23 5,187 --a------ c:\windows\system32\uacinit.dll
2009-02-09 00:05 . 2009-02-09 00:05 <DIR> d-------- c:\program files\Panasonic
2009-02-09 00:05 . 2006-02-27 11:45 36,864 --a------ c:\windows\system32\SDDEVMGR.dll
2009-02-06 22:41 . 2006-10-04 14:06 1,197,294 --------- c:\windows\system32\dllcache\sysmain.sdb
2009-02-06 22:41 . 2006-10-04 14:06 764,868 --------- c:\windows\system32\dllcache\apph_sp.sdb
2009-02-06 22:41 . 2006-10-04 14:06 217,118 --------- c:\windows\system32\dllcache\apphelp.sdb
2009-02-06 22:40 . 2009-02-06 22:40 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-06 22:37 . 2009-02-06 22:38 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-06 22:36 . 2009-02-06 22:38 <DIR> d-------- c:\documents and settings\kev\Application Data\vlc
2009-02-06 22:34 . 2009-02-06 22:34 <DIR> d-------- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 17:20 --------- d-----w c:\documents and settings\kev\Application Data\AVG7
2009-02-22 20:28 --------- d--h--r c:\documents and settings\kev\Application Data\yahoo!
2009-02-22 20:28 --------- d-----w c:\program files\Yahoo!
2009-02-22 20:28 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-22 15:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 15:18 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-09 00:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-05 22:01 7,304 ----a-w c:\windows\TMP0001.TMP
2008-10-15 08:57 83,544 ------w c:\documents and settings\kev\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-27 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-04-30 05:00 315392 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-16 16:13 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMGAG]
--a------ 2003-01-17 09:32 64000 c:\progra~1\ThinkPad\UTILIT~1\PWRMONIT.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
--a------ 2003-01-17 09:32 20480 c:\program files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-01-10 11:50 106551 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--a------ 2002-12-24 10:01 204800 c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
--a------ 2003-01-07 22:52 495616 c:\program files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2007-12-27 22:30 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
--a------ 2003-03-27 10:06 53248 c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-06-18 08:01 155648 c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-05-02 04:15 75520 c:\program files\Java\jre1.5.0_12\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2003-06-24 13:33 561152 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2003-06-24 13:34 126976 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
--a------ 2003-01-25 01:37 94208 c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPMN]
--a------ 2003-02-17 08:30 32835 c:\program files\ThinkPad\Utilities\TpKmapMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2002-10-18 19:07 87751 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2005-03-22 18:56 25088 c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 07:56 380416 c:\windows\system32\irprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXSHOW95.EXE]
--a------ 2001-09-07 16:18 45056 c:\windows\system32\exshow95.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
--a------ 2001-10-12 06:32 69632 c:\windows\system32\S3Tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
--a------ 2002-09-04 09:05 53248 c:\windows\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\William Hill Poker\\UA.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=

R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2007-12-27 2295]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-12-27 15360]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-03-16 13352]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0fb395e0-b4ff-11dd-9b17-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0fb395e2-b4ff-11dd-9b17-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{837f8450-b7e1-11dd-9b1e-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{837f8451-b7e1-11dd-9b1e-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{837f8452-b7e1-11dd-9b1e-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83ff6fc0-b751-11dd-9b1c-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83ff6fc1-b751-11dd-9b1c-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83ff6fc2-b751-11dd-9b1c-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b8e3dc0-b419-11dd-9b0f-00054e41e1f6}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-PostSetupCheck - c:\windows\System32\atgban.dll
MSConfigStartUp-SpywareBot - c:\program files\SpywareBot\SpywareBot.exe
MSConfigStartUp-tgcmd - c:\program files\Support.com\bin\tgcmd.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp:///
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\kev\Application Data\Mozilla\Firefox\Profiles\h2r5ca2b.default\
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 22:35:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-627446036-2653871946-2631661031-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*`%T%,%]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-627446036-2653871946-2631661031-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*`%T%,%\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-23 22:39:04 - machine was rebooted [kev]
ComboFix-quarantined-files.txt 2009-02-23 22:38:20

Pre-Run: 28,845,436,928 bytes free
Post-Run: 29,725,700,096 bytes free

234 --- E O F --- 2009-02-22 14:45:03

kevboy67

2009-02-24, 01:48

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22:24, on 23/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http:///
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 4029 bytes