Google redirecting & malware prevents spybot from loading..(Resolved)

**Mussy** · 2009-08-23, 20:54

ComboFix 09-08-22.06 - Owner 23/08/2009 17:30.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.287 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\info.exe
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACkmtnsbavto.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\UACimrdlyouxb.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjkjbowmalt.dat
c:\windows\system32\UAClijxvmdxmv.dll
c:\windows\system32\UACmfuwulrqjd.dll
c:\windows\system32\UACnvogomykhe.dll
c:\windows\system32\UACrkcqkqoygl.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
D:\AUTORUN.INF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 13:08 . 2009-08-23 13:09 -------- d-----w- c:\program files\trend micro
2009-08-23 13:08 . 2009-08-23 13:09 -------- d-----w- C:\rsit
2009-08-22 13:52 . 2009-08-22 14:03 -------- d-----w- c:\program files\Enigma Software Group
2009-08-20 22:26 . 2009-08-20 22:26 194064 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-20 22:02 . 2009-08-20 22:02 -------- d-----w- c:\program files\Uniblue
2009-08-20 21:52 . 2009-08-20 21:52 -------- d-----w- c:\program files\Virgin Broadband
2009-08-20 21:06 . 2009-08-20 21:06 -------- d-----w- C:\VundoFix Backups
2009-08-20 17:23 . 2009-08-20 17:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-13 12:41 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-27 12:43 . 2009-08-23 17:43 -------- d-----w- c:\documents and settings\Owner\Application Data\WTablet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 15:03 . 2007-07-04 22:34 -------- d-----w- c:\program files\mIRC
2009-08-23 14:56 . 2009-04-14 00:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-23 13:25 . 2007-12-22 16:52 -------- d-----w- c:\program files\BitLord
2009-08-20 22:03 . 2008-04-15 12:30 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-08-20 21:58 . 2009-04-14 00:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-17 22:40 . 2009-07-16 18:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-08-17 22:17 . 2009-07-16 18:23 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-08-05 18:24 . 2009-04-03 10:14 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2002-06-27 20:29 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 12:43 . 2009-07-27 12:42 -------- d-----w- c:\program files\Tablet
2009-07-17 19:01 . 2002-06-27 20:27 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 18:24 . 2009-07-16 18:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-16 18:17 . 2009-07-16 18:17 -------- d-----w- c:\program files\Common Files\Skype
2009-07-16 18:16 . 2009-07-16 18:16 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Skype
2009-07-13 22:43 . 2007-07-03 23:22 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2002-05-08 22:43 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-07-10 23:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-06-27 20:28 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2002-06-27 20:30 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2002-06-27 20:30 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2002-06-27 20:30 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2002-06-27 20:29 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2002-06-27 20:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2002-05-08 22:43 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-24 11:18 . 2002-05-08 22:43 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2002-06-27 20:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-06-27 20:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2002-05-08 22:43 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2002-06-27 20:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2002-06-27 20:29 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2002-06-27 20:30 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2002-06-27 20:29 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-02 01:23 . 2009-05-02 01:23 113504 ----a-w- c:\program files\mozilla firefox\components\FFConnectorLauncher.dll
2009-05-02 01:23 . 2009-05-02 01:23 232288 ----a-w- c:\program files\mozilla firefox\components\FFSource.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-08-22 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-01-29 696422]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Suite"="regedit -s" [X]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2002-5-21 16384]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\IObit\\Advanced SystemCare 3\\AWC.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=
"c:\\Program Files\\XP TCPIP Repair\\netrepair.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Haroon & Musawir\\Musawir\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [03/04/2009 11:14 108289]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [27/07/2009 13:42 3032360]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [27/07/2009 13:42 15144]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local;localhost
uInternet Settings,ProxyServer = 127.0.0.1:81
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\0qr0oo5m.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0qr0oo5m.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\FFConnectorLauncher.dll
FF - component: c:\program files\Mozilla Firefox\components\FFSource.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0qr0oo5m.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 18:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2128)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\docume~1\Owner\LOCALS~1\Temp\IadHide3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-23 18:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-23 17:53

Pre-Run: 42,056,515,584 bytes free
Post-Run: 42,085,871,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

216 --- E O F --- 2009-08-22 13:10

**katana** · 2009-08-24, 00:39

Do you have the MalwareBytes log ?

How are things running now ?

**Mussy** · 2009-08-24, 01:02

i am running a full scan now, will post logs when i get. I think everything is ok now, because malwarebytes loaded, also i got Windows security alerts because the anti virus + spybot etc.. are disabled. I left them disabled and havent surfed the web just incase. When should i put the anti's on again?

**katana** · 2009-08-24, 01:11

You can put your Antivirus back on as soon as MBAM has finished.
Leave Spybot until we are finished.

**Mussy** · 2009-08-24, 01:11

alrighty, once mbam has finished scanning ill post logs..

**Mussy** · 2009-08-24, 02:15

Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 5.1.2600 Service Pack 3

24/08/2009 00:14:51
mbam-log-2009-08-24 (00-14-43).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 191944
Time elapsed: 1 hour(s), 11 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClijxvmdxmv.dll.vir (Rogue.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmfuwulrqjd.dll.vir (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{92A8331C-E9E0-4E8A-AA2B-5D1491B9B74A}\RP0\A0000002.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{92A8331C-E9E0-4E8A-AA2B-5D1491B9B74A}\RP0\A0000003.dll (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\form.txt (Malware.Trace) -> No action taken.

**Mussy** · 2009-08-24, 02:18

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClijxvmdxmv.dll.vir (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmfuwulrqjd.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{92A8331C-E9E0-4E8A-AA2B-5D1491B9B74A}\RP0\A0000002.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{92A8331C-E9E0-4E8A-AA2B-5D1491B9B74A}\RP0\A0000003.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\form.txt (Malware.Trace) -> Quarantined and deleted successfully.

Sorry about double posting, didnt realise i had to remove them too, had to go back to the earlier post and check.

**katana** · 2009-08-24, 10:49

That's looking fine now, please post a fresh RSIT log for a final check.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download Java SE Runtime Environment (JRE) . ( don't install it yet )

Scroll down to where it says "Java SE Runtime Environment (JRE)".
Click the "Download" button to the right.
- Platform = Windows
- Language = Multi Language
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Now download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Now install the Java SE Runtime Environment (JRE) package you downloaded
(it comes with a toolbar pre-selected, so make sure you uncheck the box)

You can delete JavaRa (zip and exe)

**Mussy** · 2009-08-24, 15:43

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-08-24 13:43:17
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 40 GB (74%) free of 54 GB
Total RAM: 511 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:34, on 24/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Suite] regedit -s c:\windows\temp\adj_hp.reg (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Suite] regedit -s c:\windows\temp\adj_hp.reg (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: iMacros Web Automation - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/...aderMediaX.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/appl...orLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1183564976156
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbde...ivePreQual.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8148 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Schedule Task Weekly.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 143420]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-08-22 155648]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"wltray.exe"=C:\WINDOWS\system32\wltray.exe [2005-01-29 696422]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"Wireless Manager"=C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe [2008-05-26 585728]
"Broadbandadvisor.exe"=C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe [2009-05-27 2303216]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"=C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe [2007-08-22 936960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
C:\Program Files\btbb_wcm\McciTrayApp.exe [2006-12-07 935936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe [2002-05-09 102455]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe [2002-03-27 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe [1998-05-07 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe [2002-03-27 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2005-09-16 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE [2001-07-06 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe [2001-07-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2007-08-22 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2001-12-18 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow! Deluxe]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
C:\WINDOWS\system32\wltray.exe [2005-01-29 696422]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
C:\PROGRA~1\BTBROA~1\bin\matcli.exe [2006-05-24 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-03-27 294912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoResolveSearch"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\hp center\137903\Program\BackWeb-137903.exe"="C:\Program Files\hp center\137903\Program\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera"
"C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe"="C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe:*:Enabled:Advanced SystemCare"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\Avira\AntiVir Desktop\avcenter.exe"="C:\Program Files\Avira\AntiVir Desktop\avcenter.exe:*:Enabled:Start AntiVir"
"C:\Program Files\XP TCPIP Repair\netrepair.exe"="C:\Program Files\XP TCPIP Repair\netrepair.exe:*:Enabled:XP TCPIP Repair"
"C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe"="C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe:LocalSubNet:Enabled:Wireless Manager"
"C:\Documents and Settings\Owner\My Documents\Haroon & Musawir\Musawir\Phone\Skype.exe"="C:\Documents and Settings\Owner\My Documents\Haroon & Musawir\Musawir\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe"="C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe:LocalSubNet:Enabled:Wireless Manager"

======File associations======

.txt - open -

======List of files/folders created in the last 1 months======

2009-08-23 23:05:43 ----SHD---- C:\RECYCLER
2009-08-23 22:58:29 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-08-23 22:58:17 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-23 22:58:17 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-23 18:53:59 ----A---- C:\ComboFix.txt
2009-08-23 17:22:47 ----A---- C:\Boot.bak
2009-08-23 17:22:25 ----RASHD---- C:\cmdcons
2009-08-23 17:19:20 ----A---- C:\WINDOWS\zip.exe
2009-08-23 17:19:20 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-23 17:19:20 ----A---- C:\WINDOWS\SWSC.exe
2009-08-23 17:19:20 ----A---- C:\WINDOWS\SWREG.exe
2009-08-23 17:19:20 ----A---- C:\WINDOWS\sed.exe
2009-08-23 17:19:20 ----A---- C:\WINDOWS\PEV.exe
2009-08-23 17:19:20 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-23 17:19:20 ----A---- C:\WINDOWS\grep.exe
2009-08-23 16:10:18 ----D---- C:\WINDOWS\ERDNT
2009-08-23 16:07:51 ----D---- C:\Qoobox
2009-08-23 14:08:11 ----D---- C:\Program Files\trend micro
2009-08-23 14:08:10 ----D---- C:\rsit
2009-08-22 14:52:52 ----D---- C:\Program Files\Enigma Software Group
2009-08-21 12:44:24 ----SHD---- C:\Config.Msi
2009-08-20 23:02:32 ----D---- C:\Program Files\Uniblue
2009-08-20 22:52:31 ----D---- C:\Program Files\Virgin Broadband
2009-08-20 22:06:46 ----D---- C:\VundoFix Backups
2009-08-20 22:06:46 ----A---- C:\VundoFix.txt
2009-08-17 03:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-14 02:26:24 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-14 02:26:14 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-14 02:26:00 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-14 02:25:50 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-14 02:25:38 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-14 02:25:27 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-14 02:25:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-14 02:24:54 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-14 02:22:25 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-07-27 13:43:51 ----D---- C:\Documents and Settings\Owner\Application Data\WTablet
2009-07-27 13:43:20 ----A---- C:\WINDOWS\system32\hidserv.dll
2009-07-27 13:42:26 ----D---- C:\WINDOWS\system32\WTablet
2009-07-27 13:42:22 ----N---- C:\WINDOWS\system32\Wintab32.dll
2009-07-27 13:42:22 ----N---- C:\WINDOWS\system32\Pen_Tablet.dll
2009-07-27 13:42:20 ----N---- C:\WINDOWS\system32\Pen_Tablet.exe
2009-07-27 13:42:16 ----D---- C:\Program Files\Tablet

======List of files/folders modified in the last 1 months======

2009-08-24 13:32:41 ----D---- C:\WINDOWS\Temp
2009-08-24 13:32:15 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-24 13:32:09 ----D---- C:\WINDOWS
2009-08-24 13:32:03 ----A---- C:\WINDOWS\ModemLog_HSP56 World MicroModem.txt
2009-08-24 01:14:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-24 00:20:41 ----D---- C:\WINDOWS\system32\drivers
2009-08-24 00:17:51 ----D---- C:\WINDOWS\system32
2009-08-23 23:00:57 ----D---- C:\WINDOWS\system32\FxsTmp
2009-08-23 22:58:17 ----RD---- C:\Program Files
2009-08-23 19:44:48 ----D---- C:\Program Files\Mozilla Firefox
2009-08-23 18:51:50 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-23 18:44:41 ----D---- C:\WINDOWS\Prefetch
2009-08-23 18:43:37 ----A---- C:\WINDOWS\system.ini
2009-08-23 17:42:05 ----D---- C:\WINDOWS\system32\config
2009-08-23 17:36:37 ----D---- C:\WINDOWS\AppPatch
2009-08-23 17:36:21 ----D---- C:\Program Files\Common Files
2009-08-23 17:22:48 ----RASH---- C:\BOOT.INI
2009-08-23 17:19:17 ----D---- C:\WINDOWS\system32\Restore
2009-08-23 16:03:12 ----D---- C:\Program Files\mIRC
2009-08-23 15:56:23 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 15:36:55 ----D---- C:\Program Files\HijackThis
2009-08-23 14:25:28 ----D---- C:\Program Files\BitLord
2009-08-23 14:00:28 ----D---- C:\WINDOWS\Minidump
2009-08-21 23:21:46 ----D---- C:\WINDOWS\inf
2009-08-21 23:21:26 ----D---- C:\WINDOWS\system32\en-US
2009-08-21 23:21:26 ----D---- C:\Program Files\Internet Explorer
2009-08-21 13:19:34 ----SHD---- C:\WINDOWS\Installer
2009-08-21 12:46:04 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-21 12:44:30 ----SD---- C:\WINDOWS\Tasks
2009-08-21 12:44:30 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-21 01:15:13 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-20 23:32:21 ----D---- C:\WINDOWS\Media
2009-08-20 23:32:20 ----D---- C:\WINDOWS\Help
2009-08-20 23:31:22 ----D---- C:\WINDOWS\ie8updates
2009-08-20 23:03:21 ----D---- C:\Documents and Settings\Owner\Application Data\Uniblue
2009-08-20 22:58:16 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-20 22:19:30 ----A---- C:\WINDOWS\imsins.BAK
2009-08-20 21:45:56 ----SHD---- C:\System Volume Information
2009-08-17 23:40:40 ----D---- C:\Documents and Settings\Owner\Application Data\Skype
2009-08-17 23:17:02 ----D---- C:\Documents and Settings\Owner\Application Data\skypePM
2009-08-14 02:25:20 ----D---- C:\Program Files\Outlook Express
2009-08-05 10:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-07-30 03:00:38 ----D---- C:\WINDOWS\WinSxS
2009-07-30 01:49:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-27 13:43:17 ----D---- C:\WINDOWS\system32\ReinstallBackups

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-04-27 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-01-29 5589]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-06-10 28520]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-01-29 22963]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-03-20 17801]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-08-05 55656]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-02-12 40096]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-05-09 23607]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-05-09 34743]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-05-09 4119]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-05-09 2203]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-05-09 52790]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-05-09 13847]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-05-09 6327]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-05-09 88758]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-05-09 94679]
R3 ALCXWDM;Service for Avance AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2002-04-09 305100]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2005-02-02 14408]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-26 13780]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 Ptserial;W2K Pctel Serial Device Driver; C:\WINDOWS\System32\DRIVERS\ptserial.sys [2002-01-09 120705]
R3 USB_RNDIS;BT Voyager 1055 Laptop Adapter Driver; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2005-01-19 11136]
R3 usbhub;USB Root Hub (usbport); C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 wacommousefilter;Wacom Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver; C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2008-01-15 13480]
R3 WacomVKHid;Virtual Keyboard Driver; C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-16 11440]
S1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-04-05 88320]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
S2 RPSKT;Security Services Driver (x86); C:\WINDOWS\system32\DRIVERS\rp_skt32.sys []
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-04-05 69472]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\AFGMp50.sys []
S3 AFGSp50;AFGSp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\AFGSp50.sys [2008-05-26 27072]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2002-04-05 77277]
S3 k750bus;Sony Ericsson 750 driver (WDM); C:\WINDOWS\system32\DRIVERS\k750bus.sys [2005-02-11 55216]
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\k750mdfl.sys [2005-02-11 6576]
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers; C:\WINDOWS\system32\DRIVERS\k750mdm.sys [2005-02-11 89872]
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers; C:\WINDOWS\system32\DRIVERS\k750obex.sys [2005-02-11 79488]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wacmoumonitor;Wacom Mode Helper; C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys [2008-03-17 15144]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WUDFRd;WUDFRd; C:\WINDOWS\system32\DRIVERS\WUDFRd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AffinegyService;AffinegyService; C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe [2008-05-26 143360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-14 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 TabletServicePen;TabletServicePen; C:\WINDOWS\system32\Pen_Tablet.exe [2008-05-01 3032360]
R2 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINDOWS\System32\wltrysvc.exe [2005-01-19 65536]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S2 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe -d -f C:\Program Files\WinPcap\rpcapd.ini []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-07-05 72704]
S3 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-05 185089]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPodService;iPodService; C:\Program Files\iPod\bin\iPodService.exe [2005-09-21 323584]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

**katana** · 2009-08-24, 19:51

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

Uninstall Combofix

This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

OTCleanup
Please download OTCleanup from HERE
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt

You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/par...avwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

Thread: Google redirecting & malware prevents spybot from loading..(Resolved)

Thread Tools

Display

Posting Permissions