Google redirect problem

J

JamesB1983

New member
Having a problem whereby when I use google, approximately 80% of the links I click on I am redirected to a wide variety of sites.
segsy.com, honeycuttconsulting.com etc.

Here is my HJT log,
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:56:40, on 31/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
f:\apps\Avast4\aswUpdSv.exe
f:\apps\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
F:\apps\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\oodtray.exe
F:\apps\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe
F:\apps\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
F:\apps\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\James.X-WING\Desktop\Utilities\utorrent.exe
F:\apps\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
F:\apps\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
f:\apps\Avast4\ashMaiSv.exe
f:\apps\Avast4\ashWebSv.exe
F:\apps\HP\Digital Imaging\bin\hpqSTE08.exe
F:\apps\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\svchost.exe
F:\apps\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/divx6/new/en?rcv=1&dist=divxdotcom
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\apps\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] F:\apps\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] F:\apps\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [CTAPR2] "f:\apps\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" /r
O4 - HKLM\..\Run: [VolPanel] "f:\apps\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] f:\apps\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\James.X-WING\Desktop\Utilities\utorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\James.X-WING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\apps\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\apps\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\apps\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\apps\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\apps\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\apps\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\apps\Avast4\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - F:\apps\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 6463 bytes
 
Hello JamesB1983

Welcome to Safer Networking.

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.



Read this please as this may be how you got infected


We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.

  • If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
  • If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.

We do not ask you to do this without reason.


P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
Click to expand...


uTorrent. <-- Just want to give you a heads up on P2P programs, your downloading a file from an unknown source, you never know whats attached to that file, its like playing Russian roulette malwarewise. I would strongly urge you to uninstall it.



Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean




Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    post_a4255_MBAM.PNG
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
 
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:58:32, on 03/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
f:\apps\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
f:\apps\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
F:\apps\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\oodtray.exe
F:\apps\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe
F:\apps\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
F:\apps\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
F:\apps\FreeCall\FreeCall.exe
F:\apps\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
F:\apps\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
f:\apps\Avast4\ashMaiSv.exe
f:\apps\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
F:\apps\HP\Digital Imaging\bin\hpqSTE08.exe
F:\apps\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\apps\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/divx6/new/en?rcv=1&dist=divxdotcom
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\apps\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] F:\apps\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] F:\apps\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [CTAPR2] "f:\apps\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" /r
O4 - HKLM\..\Run: [VolPanel] "f:\apps\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] f:\apps\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "F:\apps\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeCall] "F:\apps\FreeCall\FreeCall.exe" -nosplash -minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\apps\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\apps\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\apps\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\apps\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\apps\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\apps\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\apps\Avast4\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - F:\apps\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 6702 bytes

MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 3090
Windows 5.1.2600 Service Pack 3

03/11/2009 06:54:04
mbam-log-2009-11-03 (06-54-04).txt

Scan type: Quick Scan
Objects scanned: 139878
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pqrs.tmo (Backdoor.Bredavi) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe pqrs.tmo printer) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pqrs.tmo (Backdoor.Bredavi) -> Delete on reboot.

After these fixes I am still experiencing problems. Avast is finding the following file, but it appears to reinstall on reboot. tdlwsp.dll

Thanks for your help!
 
Good Morning,

One of what Malwarebytes removed was a backdoor, what I would do to be on the safeside is to go to a known clean computer and change all the passwords for sites that you frequent, especially for sites like eBay, your mail, and any online banking sites, sites that you would use a credit card.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

CF_download_FF.gif



CF_download_rename.gif


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
combo fix log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59:17, on 03/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
f:\apps\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
f:\apps\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
f:\apps\Avast4\ashMaiSv.exe
f:\apps\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
F:\apps\Mozilla Firefox\firefox.exe
F:\apps\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/divx6/new/en?rcv=1&dist=divxdotcom
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\apps\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] F:\apps\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] F:\apps\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [CTAPR2] "f:\apps\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" /r
O4 - HKLM\..\Run: [VolPanel] "f:\apps\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] f:\apps\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "F:\apps\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [FreeCall] "F:\apps\FreeCall\FreeCall.exe" -nosplash -minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')u
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\apps\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\apps\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\apps\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\apps\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\apps\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\apps\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\apps\Avast4\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - F:\apps\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 6123 bytes


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59:17, on 03/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
f:\apps\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
f:\apps\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
f:\apps\Avast4\ashMaiSv.exe
f:\apps\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
F:\apps\Mozilla Firefox\firefox.exe
F:\apps\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/divx6/new/en?rcv=1&dist=divxdotcom
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\apps\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] F:\apps\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] F:\apps\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [CTAPR2] "f:\apps\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" /r
O4 - HKLM\..\Run: [VolPanel] "f:\apps\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] f:\apps\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "F:\apps\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [FreeCall] "F:\apps\FreeCall\FreeCall.exe" -nosplash -minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')u
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\apps\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\apps\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\apps\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\apps\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\apps\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\apps\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\apps\Avast4\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - f:\apps\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - F:\apps\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 6123 bytes

The problem does appear to have gone away now, thank you very much for your help with this problem. A few days of checking and being 100% sure are likely necessary.

Once again many thanks!
 
Sorry I posted the same log twice above. Here is the combo fix log.

ComboFix 09-11-03.01 - James 03/11/2009 21:45.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1563 [GMT 0:00]
Running from: c:\documents and settings\James.X-WING\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1356 [VPS 091103-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1344558027-4278620720-11692346-1000
c:\$recycle.bin\S-1-5-21-3520112810-3141085873-887644257-1000
c:\documents and settings\James.X-WING\My Documents\backup.reg
c:\recycler\S-1-5-21-527237240-1592454029-1801674531-1003
c:\recycler\S-1-5-21-527237240-1592454029-1801674531-500
c:\recycler\S-1-5-21-57989841-1450960922-725345543-1003
c:\windows\system32\Data

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 21:41 . 2006-09-21 14:39 105344 ----a-w- c:\windows\system32\drivers\nvata.sys
2009-10-31 18:26 . 2009-06-30 10:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-31 18:25 . 2009-10-31 18:25 -------- d-----w- c:\program files\Panda Security
2009-10-31 17:58 . 2009-10-31 16:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 16:36 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-31 16:36 . 2009-10-31 16:36 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 16:33 . 2009-10-31 16:33 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 16:33 . 2009-10-31 16:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-10-31 16:33 . 2009-10-31 16:33 -------- d-----w- c:\program files\Lavasoft
2009-10-30 08:04 . 2009-10-30 08:04 -------- d-----w- c:\documents and settings\James.X-WING\Application Data\Malwarebytes
2009-10-30 08:04 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 08:04 . 2009-10-30 08:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-10-30 08:04 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 07:55 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-30 07:55 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-30 07:55 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-30 07:55 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-30 07:55 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-30 07:55 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-30 07:55 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-30 07:55 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-30 07:55 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-10-30 07:55 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-29 12:57 . 2009-10-30 13:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-10-28 16:21 . 2009-10-28 16:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-25 18:13 . 2009-10-25 18:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2009-10-25 18:05 . 2008-01-09 11:28 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2009-10-25 18:03 . 2008-05-16 12:33 25512 ----a-w- c:\windows\system32\drivers\s0016nd5.sys
2009-10-25 18:03 . 2008-05-16 12:33 115752 ----a-w- c:\windows\system32\drivers\s0016unic.sys
2009-10-25 18:03 . 2008-05-16 12:33 114216 ----a-w- c:\windows\system32\drivers\s0016mgmt.sys
2009-10-25 18:03 . 2008-05-16 12:33 110632 ----a-w- c:\windows\system32\drivers\s0016obex.sys
2009-10-25 18:03 . 2008-05-16 12:33 10792 ----a-w- c:\windows\system32\drivers\s0016cr.sys
2009-10-25 18:03 . 2008-05-16 12:33 15016 ----a-w- c:\windows\system32\drivers\s0016mdfl.sys
2009-10-25 18:03 . 2008-05-16 12:33 89256 ----a-w- c:\windows\system32\drivers\s0016bus.sys
2009-10-25 18:03 . 2008-05-16 12:33 12200 ----a-w- c:\windows\system32\drivers\s0016whnt.sys
2009-10-25 18:03 . 2008-05-16 12:33 12200 ----a-w- c:\windows\system32\drivers\s0016wh.sys
2009-10-25 18:03 . 2008-05-16 12:33 12200 ----a-w- c:\windows\system32\drivers\s0016cmnt.sys
2009-10-25 18:03 . 2008-05-16 12:33 12200 ----a-w- c:\windows\system32\drivers\s0016cm.sys
2009-10-25 18:03 . 2008-05-16 12:33 120744 ----a-w- c:\windows\system32\drivers\s0016mdm.sys
2009-10-25 17:49 . 2009-10-25 17:49 -------- d-----w- c:\documents and settings\James.X-WING\Local Settings\Application Data\Sony Ericsson
2009-10-25 17:49 . 2009-10-25 17:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Sony Ericsson
2009-10-23 22:01 . 2009-10-23 22:01 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-10-22 19:42 . 2008-07-11 00:28 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-10-22 19:42 . 2008-07-11 00:28 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-10-22 19:41 . 2009-10-22 19:41 -------- d-----w- c:\windows\system32\RsFx
2009-10-22 19:40 . 2009-10-22 19:40 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-10-22 19:31 . 2009-10-22 19:41 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 19:31 . 2009-10-22 19:31 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-10-22 19:31 . 2009-10-22 19:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-22 19:30 . 2009-10-22 19:30 -------- d-----w- c:\documents and settings\James.X-WING\Local Settings\Application Data\Microsoft Help
2009-10-22 19:29 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-10-22 19:28 . 2009-10-22 19:28 -------- d-----w- c:\program files\Microsoft SDKs
2009-10-22 17:00 . 2009-10-22 17:00 -------- d-----w- c:\documents and settings\James.X-WING\Local Settings\Application Data\Apple Computer
2009-10-21 19:41 . 2008-07-12 07:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-10-21 06:37 . 2009-10-23 18:43 -------- d-----w- c:\documents and settings\James.X-WING\Application Data\FreeCall
2009-10-18 09:44 . 2006-08-18 09:30 446464 ----a-w- c:\windows\system32\CapabilityTable.exe
2009-10-18 09:43 . 2006-09-11 16:27 356352 ------w- c:\windows\system32\nvuide.exe
2009-10-18 09:43 . 2006-08-07 15:39 110080 ----a-w- c:\windows\system32\drivers\nvtcp.sys
2009-10-18 09:43 . 2006-08-03 22:48 208896 ----a-w- c:\windows\system32\nvunrm.exe
2009-10-18 09:43 . 2006-06-07 18:49 208896 ----a-w- c:\windows\system32\nvusmb.exe
2009-10-18 09:43 . 2006-08-18 09:28 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-10-18 09:42 . 2006-09-21 14:39 363008 ----a-w- c:\windows\system32\idecoiins.dll
2009-10-18 09:42 . 2006-09-21 14:39 363008 ----a-w- c:\windows\system32\idecoi.dll
2009-10-18 09:42 . 2006-09-11 16:27 35840 ----a-w- c:\windows\system32\NVCOI.DLL
2009-10-18 09:42 . 2006-08-07 15:39 18944 ----a-w- c:\windows\system32\drivers\nvnetbus.sys
2009-10-18 09:42 . 2006-08-07 15:39 52736 ----a-w- c:\windows\system32\drivers\NVENETFD.sys
2009-10-18 09:42 . 2006-08-07 15:39 1104896 ----a-w- c:\windows\system32\drivers\nvnrm.sys
2009-10-18 09:42 . 2006-08-07 15:38 261120 ----a-w- c:\windows\system32\drivers\nvsnpu.sys
2009-10-18 09:42 . 2006-08-03 22:48 35840 ----a-w- c:\windows\system32\nvconrm.dll
2009-10-18 09:42 . 2006-08-07 15:37 202240 ----a-w- c:\windows\system32\fdco1.dll
2009-10-18 09:42 . 2006-08-07 15:37 10240 ----a-w- c:\windows\system32\bdco1ins.dll
2009-10-18 09:42 . 2006-08-07 15:37 10240 ----a-w- c:\windows\system32\bdco1.dll
2009-10-16 06:16 . 2009-10-16 06:16 -------- d--h--r- c:\documents and settings\James.X-WING\Application Data\SecuROM
2009-10-16 06:13 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-10-16 06:13 . 2009-03-16 13:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-10-16 06:13 . 2009-03-09 14:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-10-16 06:13 . 2009-03-16 13:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-10-16 06:13 . 2007-04-04 18:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-10-14 16:12 . 2009-11-02 16:12 -------- d-----w- c:\documents and settings\James.X-WING\Application Data\skypePM
2009-10-14 16:12 . 2009-10-14 16:12 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-14 16:12 . 2009-11-02 20:27 -------- d-----w- c:\documents and settings\James.X-WING\Application Data\Skype
2009-10-14 16:08 . 2009-10-14 16:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-10-14 05:22 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-10-12 20:05 . 2009-10-12 20:05 -------- d-----w- c:\windows\system32\scripting
2009-10-12 20:05 . 2009-10-12 20:05 -------- d-----w- c:\windows\system32\en
2009-10-12 20:05 . 2009-10-12 20:05 -------- d-----w- c:\windows\l2schemas
2009-10-12 20:05 . 2009-10-12 20:05 -------- d-----w- c:\windows\system32\bits
2009-10-12 18:24 . 2009-10-12 18:24 -------- d-----w- c:\windows\system32\MpEngineStore
2009-10-11 19:05 . 2004-08-03 21:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-10-11 18:53 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-11 18:53 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-10-11 18:52 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-11 18:52 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-11 18:52 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-11 18:52 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-11 18:52 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-11 18:52 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-11 18:52 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-11 18:52 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-11 18:52 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-11 18:52 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-11 18:52 . 2009-08-04 19:44 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-11 18:52 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-11 18:51 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-11 18:51 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-11 18:40 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-11 18:38 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-11 18:37 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-11 18:37 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-11 18:35 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-11 18:35 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-11 17:21 . 2009-10-11 20:10 -------- d-----w- c:\documents and settings\James.X-WING\Local Settings\Application Data\Adobe
2009-10-11 17:10 . 2009-10-11 17:10 -------- d-----w- C:\Hodder Education
2009-10-11 15:36 . 2009-10-11 15:36 -------- d-----w- c:\documents and settings\James.X-WING\Application Data\DivX
2009-10-11 14:20 . 1999-09-04 20:23 91136 ----a-r- c:\windows\system32\msls2.dll
2009-10-11 14:12 . 2009-10-31 12:17 -------- d-----w- c:\documents and settings\James.X-WING\Local Settings\Application Data\Temp
2009-10-11 13:16 . 2006-10-06 06:17 53248 ------w- c:\windows\Ctregrun.exe
2009-10-11 13:13 . 2005-06-15 03:07 11264 ----a-r- c:\windows\InRes.DLL
2009-10-11 13:11 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-10-11 13:11 . 2008-04-13 19:17 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2009-10-11 13:11 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2009-10-11 13:11 . 2008-04-13 18:45 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2009-10-11 13:11 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2009-10-11 13:11 . 2008-04-13 18:45 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2009-10-11 13:11 . 2008-04-13 18:45 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 07:32 . 2007-11-01 07:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-28 16:21 . 2007-10-30 16:39 -------- d-----w- c:\program files\Java
2009-10-27 21:39 . 2007-10-01 13:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-27 10:32 . 2007-10-01 13:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-25 18:03 . 2009-10-25 18:03 148736 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\hpe82D.dll
2009-10-22 19:40 . 2008-09-02 10:24 -------- d-----w- c:\program files\Microsoft.NET
2009-10-11 11:29 . 2009-07-24 06:09 -------- d-----w- c:\program files\NVIDIA Corporation
2009-10-11 08:26 . 2009-09-20 06:12 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\HpUpdate
2009-10-10 11:42 . 2008-04-29 17:11 77000 ----a-w- c:\documents and settings\James.X-WING.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 20:15 . 2008-12-16 21:52 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\dvdcss
2009-10-08 16:00 . 2009-08-02 10:11 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\Skype
2009-10-08 15:09 . 2009-08-02 10:12 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\skypePM
2009-10-01 06:08 . 2009-10-01 06:08 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2009-10-01 05:49 . 2009-10-01 05:49 -------- d-----w- c:\program files\SystemRequirementsLab
2009-10-01 05:48 . 2009-10-01 05:48 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\SystemRequirementsLab
2009-09-27 17:19 . 2009-09-27 17:19 3674112 ----a-w- c:\windows\system32\nvwssr.dll
2009-09-27 15:12 . 2009-09-27 15:12 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 15:12 . 2009-09-27 15:12 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 15:12 . 2009-09-27 15:12 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-27 15:12 . 2009-09-27 15:12 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 15:12 . 2009-09-27 15:12 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 15:12 . 2009-09-27 15:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 15:12 . 2009-09-27 15:12 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-27 15:12 . 2009-09-27 15:12 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 15:12 . 2009-09-27 15:12 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-27 15:12 . 2009-09-27 15:12 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-26 17:49 . 2009-09-26 17:49 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\ImgBurn
2009-09-26 17:24 . 2009-09-26 17:22 -------- d-----w- c:\program files\AVS4YOU
2009-09-26 17:24 . 2008-10-14 17:53 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-09-26 17:22 . 2008-10-14 17:53 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\AVS4YOU
2009-09-26 10:27 . 2008-04-29 18:36 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\Apple Computer
2009-09-25 19:48 . 2009-09-14 18:46 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\Tropico 3 Demo
2009-09-25 05:37 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 18:27 . 2008-05-01 17:45 -------- d-----w- c:\program files\Microsoft Works
2009-09-20 09:08 . 2008-03-07 08:45 -------- d-----w- c:\program files\iPod
2009-09-20 09:08 . 2007-10-02 09:45 -------- d-----w- c:\program files\Common Files\Apple
2009-09-20 06:12 . 2007-10-01 14:54 -------- d-----w- c:\program files\HP
2009-09-18 18:07 . 2009-09-18 18:05 -------- d-----w- c:\documents and settings\James.X-WING.000\Application Data\HP
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 16:44 . 2009-10-21 19:42 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 16:44 . 2009-10-21 19:42 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 16:29 . 2009-10-21 19:42 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 16:29 . 2009-10-21 19:42 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 16:29 . 2009-10-21 19:42 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 16:29 . 2009-10-21 19:42 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 16:29 . 2009-10-21 19:42 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-14 12:36 . 2009-08-14 12:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-06 19:24 . 2009-10-11 11:17 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 19:24 . 2009-10-11 11:17 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 19:24 . 2009-10-11 11:17 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 19:24 . 2008-10-16 13:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 19:24 . 2009-10-11 11:17 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 19:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 19:23 . 2009-10-11 11:17 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 19:23 . 2009-10-11 11:17 1929952 ----a-w- c:\windows\system32\wuaueng.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeCall"="f:\apps\FreeCall\FreeCall.exe" [2009-07-30 9156912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-09-23 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"HP Software Update"="f:\apps\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="f:\apps\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"CTAPR2"="f:\apps\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" [2007-02-15 57344]
"VolPanel"="f:\apps\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 180224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avast!"="f:\apps\Avast4\ashDisp.exe" [2009-09-15 81000]
"Malwarebytes Anti-Malware (reboot)"="f:\apps\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - f:\apps\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"CachemanService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"f:\\apps\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"f:\\apps\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"f:\\apps\\Sony Ericsson\\Update Service\\Update Service.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"f:\\apps\\FreeCall\\FreeCall.exe"=
"f:\\Games\\Warhammer_Dawn_of_War_2-WiCKED\\DOW2.exe"=
"f:\\Games\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=
"f:\\Games\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [31/10/2009 16:36 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [31/10/2009 18:26 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [30/10/2009 07:55 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/10/2009 07:55 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1179232]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [25/10/2009 18:05 27632]
R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [11/10/2009 13:09 733184]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [11/10/2009 13:09 1656576]
S2 OMSI download service;Sony Ericsson OMSI download service;f:\apps\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [25/10/2009 18:03 90112]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [25/10/2009 18:03 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [25/10/2009 18:03 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [25/10/2009 18:03 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [25/10/2009 18:03 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [25/10/2009 18:03 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [25/10/2009 18:03 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [25/10/2009 18:03 115752]
S4 CachemanService;Cacheman Service;f:\apps\Cacheman\CachemanServ.exe [10/09/2009 23:13 221240]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 00:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 01:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 00:28 369688]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:36]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-179605362-725345543-1003Core.job
- c:\documents and settings\James.X-WING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-11 14:12]

2009-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-179605362-725345543-1003UA.job
- c:\documents and settings\James.X-WING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-11 14:12]

2009-10-31 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- f:\apps\Spybot - Search & Destroy\SpybotSD.exe [2008-05-01 15:31]

2009-10-31 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- f:\apps\Spybot - Search & Destroy\SDUpdate.exe [2008-05-01 15:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://go.divx.com/divx/divx6/new/en?rcv=1&dist=divxdotcom
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\James.X-WING\Application Data\Mozilla\Firefox\Profiles\vzp3oe7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\documents and settings\James.X-WING\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: f:\apps\codecs\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: f:\apps\codecs\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: f:\apps\Opera\program\plugins\npdsplay.dll
FF - plugin: f:\apps\Opera\program\plugins\NPOFFICE.DLL
FF - plugin: f:\apps\Opera\program\plugins\nppl3260.dll
FF - plugin: f:\apps\Opera\program\plugins\npqtplugin.dll
FF - plugin: f:\apps\Opera\program\plugins\npqtplugin2.dll
FF - plugin: f:\apps\Opera\program\plugins\npqtplugin3.dll
FF - plugin: f:\apps\Opera\program\plugins\npqtplugin4.dll
FF - plugin: f:\apps\Opera\program\plugins\npqtplugin5.dll
FF - plugin: f:\apps\Opera\program\plugins\nprpjplug.dll
FF - plugin: f:\apps\Opera\program\plugins\NPSWF32.dll
FF - plugin: f:\apps\Opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
f:\apps\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 21:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-179605362-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d9,12,1f,d5,d3,3f,38,78,8f,f4,e2,e2,8f,38,fe,9a,88,53,ca,a1,12,
4b,97,ea,5e,dd,97,2d,5e,00,a8,95,0d,5b,ab,cd,de,e8,16,b9,1a,f9,5b,d9,fa,e1,\
"rkeysecu"=hex:8b,75,25,fe,27,3c,3f,a4,9c,ed,3a,c1,52,e1,5f,92

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="7E04CD018D3A30BDE6C5D99CF944736172FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB34528EDD5E5BE2F6E667A2D97226D213B55588EF44A3BD22FD9E8033E8A7278E97BB5F85D867584E88E6B2BEA9619D97D2BBB1F92A30FD4BFC19E72F2E373FD5864A29CEA7D04913234450F9091B4C504FF95C42854CC1D0ACB6CEFB9598B8EA388D5FA3CF28EE32C35607C9112142B2CCBF4E9EF53868B89BEB73FA235EFD2EAD9B610CDC71628401F4EF007105652E99467C47EEB8C2AB69F1CBECAE20ED2000D1BFF42CB32E04863A594FAC608F59150A14DA381718F74FC57FF866F3DBE95AC9BFACEF79D2D19605475198CE0C6BB549735AEF9EA11017296C28CA7B8E54FB69DA65AC5045B104796F02626E9C4304092F2B82A10E8A9DA12269B0544250375540B83ECA6C8C39FEBB408663F65F9E128E9734F2FE9F56F6E58FC0A7A5EFF4F651A05001A4EB3040CB53D8D643E635F08C4B1F6C0BAE47B62ED0F79D5AE8AE7D21FCE50D3E82792BF06200F19E220EF35958AC6ABA388A332A48A5E2F818F45A7B11538DFCA2B975B3F8F6E61AFC823158359D4D0E634F00B97270AA0B7B6945DC04C42598C22A944C888B67BB897F00A03906FAF5F9D5F76F34502A12364636F76136793E0295C2AA65E1ABFAFB85FBFE24CD5A5868F5B516D1929A7E8ED4EC3119FA378C9EDC027047EFEFC6AD2B857115305910C21A1D2AF656BA3870746BA1FD370B18FBF492F5CA80F37E9A1AC1AB933CE7E9BDBF525A3293CA1A69987797C7E3A86922657DC2F0B27AF6E40E189608D6FAA8B3F93D8CF48F11F3AE481B9591D147FABD4A0D181E78CAF9D0D7344C40B78A02A1ED0D5915695888941F244FDBA1A0BF9ED4D1E7991AB245485F879C6B6A9421AAD6320D4F116C8E96CCA5AE08C77318B9489CD69131FE88569BC40C22CE98A29304E02840CA9EB05593F5D25F8E82DEA47D06C194AC8669AD1B65CFDC191C99C65493DEEAB0C78E91CBAD8B8B15945F9BE0E83798CF9E81217E24D6F7CFA78A53418619B5AEBDBB34DFACDE1ECBF3580071E4777430A2DC2C7B82BDB64FC672E854BB756A8561BDC550938688F76F0055C5DBFAE5BAF3FCE8DBC459BBC70CBB5E2BF743394A1290772EC9EFA3B4D97C4204F66C0D2CF5D61BFA71B0923D0ACAAEF7C30732E536231AA3783C2A700AEA94691F286D180F53264C567FA706DAF4F5026C784C143759A6690F423B6BDADA3A46854370652CCF125382B5CDCF1A83F7230506E3670388B650BE09DABAA9D049FE1B03624FBB1D8DAA4B76B819E93699495F4FB4438C7C0A3BFDD1EF4ADAC3F68A996273E3B27FE8FD471903B5EDBC637618A7E2E0C6F482A0850AC55653A1A1F77A8F388588B19811"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1176)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-11-03 21:52
ComboFix-quarantined-files.txt 2009-11-03 21:52

Pre-Run: 25,116,704,768 bytes free
Post-Run: 25,112,219,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
 
Hi,

Logs look fine. :bigthumb:


Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2851b48ab931394698d3a930e7bced10
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-05 06:03:57
# local_time=2009-11-05 06:03:57 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775125 100 98 5278 193724706 1712 0
# compatibility_mode=8192 67108863 100 0 3751 3751 0 0
# scanned=322967
# found=1
# cleaned=1
# scan_time=4284
F:\Games\Warblade\pztrain.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Thanks again for your help, i've had no problems since.:bigthumb:
 
Great :bigthumb:

TFC <--Yours to keep, run it about once aweek to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • CF_Cleanup.png

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Click to expand...


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.


Safe Surfn
Ken
 
You must log in or register to reply here.
Back
Top