Inactive [InActive] Malware removal, sites blocked and google redirection

Discussion in 'Malware and Virus Removal Archive' started by deevee, 2009/04/22.

  1. 2009/04/22
    deevee

    deevee Inactive Thread Starter

    Joined:
    2009/04/22
    Messages:
    3
    Likes Received:
    0
    Firstly please excuse the absence of the DDS log files. The programme would not work. I downloaded all the files and ran them but all that happened was a flicker of an MS DOS window and then nothing. No output files were created. I will gladly attach if advised how.

    Symptoms -
    First noticed no AVG updates last week, it will update from local directory.
    Then noticed google was redirecting on some clicks for sites to advert sites.
    Then tried regedit and cmd and these will not work - the desktop shows blankly for a moment (without icons and start/task bar).
    Followed advice on removal - could not go to malware removal web sites, but could get files from download.com (but not update them).
    Have run various scanners (MalwarebytesAM, SpyBot, AVG and all come back clean) in standard and safe mode.
    Running HijackThis caused error messages and it to fail due to a registry key; on running later it did work, so could provide that file if needed.

    ***Update*** Reading posts by Geri on a similar issue I ran combofix which was successful and it deleted a couple of files (log available if needed). I then tried the dds utilities and these have now run; I will post in a reply in a moment. I have just checked and AVG now updating and regedit functional. Could you look at the logs and let me know if I'm all clear now?
     
    Last edited: 2009/04/22
  2. 2009/04/22
    deevee

    Successful run of DDS below.

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by David Vincent at 22:19:06.10 on 22/04/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.520 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Saitek\DirectOutput\DirectOutputService.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Cherry\KeyMan\KeyMan.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Cherry\CDI\cdi.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\David Vincent\Desktop\virus stuff\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://news.bbc.co.uk/
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot\SDHelper.dll
    BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\notebook software\NotebookPlugin.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon printer\easy-webprint\Toolband.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    uRun: [TClockEx] c:\program files\tclockex\TCLOCKEX.EXE
    uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe "
    mRun: [CherryKeyMan] "c:\program files\cherry\keyman\KeyMan.exe "
    mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
    mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
    IE: Download web site with Free Download Manager - file://c:\program files\free download manager\dlpage.htm
    IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\mi69df~1\office12\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon printer\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon printer\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon printer\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon printer\easy-webprint\Resource.dll/RC_Print.html
    IE: Send to Keyman - c:\program files\cherry\keyman\IEMenuExtKeyman.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi69df~1\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\SDHelper.dll
    Trusted Zone: londonprayer.net\www
    Trusted Zone: microsoft.com\*.download
    Trusted Zone: microsoft.com\*.update
    Trusted Zone: t-mobile.co.uk\www
    DPF: FirstViewer - hxxp://barnet.documentretrieval.co.uk/alchemyweb/Components/FirstVwr.CAB
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.truprint.co.uk/TruprintActivia.cab
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121038112281
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142533988515
    DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37960.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC}
    DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} - hxxp://viewers.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://download.five.tv/Download/Entriq_3_4_0_10_Silent.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
    Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
    Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: RegCompact - RegCompact.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\davidv~1\applic~1\mozilla\firefox\profiles\apr9vdf3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-21 325640]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-21 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-21 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-21 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-21 298264]
    R2 SaiDOutput;Saitek DirectOutput;c:\program files\saitek\directoutput\DirectOutputService.exe [2008-4-4 147456]
    R3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [2002-9-23 134446]
    R3 Cherry Device Interface;Cherry Device Interface;c:\program files\cherry\cdi\cdi.exe [2005-11-14 569390]
    S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [2004-3-2 37120]
    S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2007-9-16 91841]
    S3 SaiH0762;SaiH0762;c:\windows\system32\drivers\SaiH0762.sys [2007-5-1 136832]
    S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\drivers\SaiHFF0C.sys [2007-5-1 132232]
    S3 SaitekPad;deviceX634 driver;c:\windows\system32\drivers\hidsaitek.sys [2004-3-12 9472]
    S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\drivers\SaiUFF0C.sys [2007-5-1 28416]
    S4 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys --> c:\windows\system32\drivers\CDAWDM.sys [?]

    =============== Created Last 30 ================

    2009-04-22 22:19 <DIR> --d----- c:\temp\RarSFX0
    2009-04-22 22:13 <DIR> --d----- c:\temp\WPDNSE
    2009-04-22 22:08 60,416 a------- c:\temp\Perflib_Perfdata__755.dat
    2009-04-22 22:02 161,792 a------- c:\windows\SWREG.exe
    2009-04-22 22:02 98,816 a------- c:\windows\sed.exe
    2009-04-22 21:28 <DIR> --d----- c:\program files\Trend Micro
    2009-04-22 18:44 <DIR> --d----- c:\docume~1\davidv~1\applic~1\Safer Networking
    2009-04-22 18:34 <DIR> --d----- c:\program files\Safer Networking
    2009-04-22 18:32 <DIR> --d----- c:\program files\Spybot
    2009-04-22 18:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-04-22 16:09 <DIR> --d----- c:\docume~1\davidv~1\applic~1\Malwarebytes
    2009-04-22 16:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-04-22 16:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-22 16:08 <DIR> --d----- c:\program files\Malwarebytes Anti-Malware
    2009-04-22 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-04-21 23:02 <DIR> --dsh--- c:\documents and settings\david vincent\IECompatCache
    2009-04-21 23:00 <DIR> --dsh--- c:\documents and settings\david vincent\PrivacIE
    2009-04-21 22:57 <DIR> --dsh--- c:\documents and settings\david vincent\IETldCache
    2009-04-21 22:53 <DIR> -cd-h--- c:\windows\ie8
    2009-04-21 18:20 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-04-21 18:20 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-04-21 18:20 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-04-21 18:20 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-04-21 18:19 <DIR> --d----- c:\program files\AVG
    2009-04-21 16:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
    2009-04-19 00:38 <DIR> --d-h--- C:\$AVG8.VAULT$
    2009-04-19 00:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-04-15 16:24 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
    2009-04-15 16:24 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
    2009-04-15 16:24 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
    2009-04-15 16:24 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
    2009-04-15 16:24 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
    2009-04-15 16:24 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-15 16:24 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-15 16:24 110,592 -c------ c:\windows\system32\dllcache\services.exe
    2009-04-15 16:24 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
    2009-04-15 16:22 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
    2009-04-15 16:22 2,560 -------- c:\windows\system32\xpsp4res.dll
    2009-04-15 16:22 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
    2009-04-04 19:10 <DIR> --d----- c:\program files\common files\xing shared

    ==================== Find3M ====================

    2009-04-09 16:21 133,250 a------- c:\docume~1\davidv~1\applic~1\mdbu.bin
    2009-03-11 21:43 156,672 a------- c:\windows\system32\rmc_fixasf.exe
    2009-03-11 21:43 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
    2009-03-11 21:43 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
    2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
    2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
    2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
    2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
    2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
    2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
    2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
    2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
    2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
    2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
    2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
    2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
    2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
    2009-02-06 12:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
    2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
    2009-02-06 11:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
    2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll
    2008-05-11 08:53 45,536 a------- c:\docume~1\davidv~1\applic~1\GDIPFONTCACHEV1.DAT
    2008-05-06 20:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050620080507\index.dat

    ============= FINISH: 22:19:25.03 ===============
     

  4. 2009/04/22
    deevee

    ComboFix log file which seemed to sort the update issue below: Am I in the clear now?

    ComboFix 09-04-23.02 - David Vincent 22/04/2009 22:05.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.537 [GMT 1:00]
    Running from: c:\documents and settings\David Vincent\Desktop\virus stuff\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\David Vincent\Application Data\Microsoft\SystemCertificates\Request
    c:\windows\aci.bqk
    c:\windows\Downloaded Program Files\setup.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
    .

    2009-04-22 21:10 . 2009-04-22 21:10 -------- d-----w c:\temp\WPDNSE
    2009-04-22 20:28 . 2009-04-22 20:28 -------- d-----w c:\program files\Trend Micro
    2009-04-22 18:18 . 2009-04-22 18:18 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-22 17:44 . 2009-04-22 17:44 -------- d-----w c:\documents and settings\David Vincent\Application Data\Safer Networking
    2009-04-22 17:34 . 2009-04-22 17:34 -------- d-----w c:\program files\Safer Networking
    2009-04-22 17:32 . 2009-04-22 17:33 -------- d-----w c:\program files\Spybot
    2009-04-22 17:32 . 2009-04-22 17:33 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-04-22 15:09 . 2009-04-22 15:09 -------- d-----w c:\documents and settings\David Vincent\Application Data\Malwarebytes
    2009-04-22 15:09 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-22 15:08 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-22 15:08 . 2009-04-22 17:05 -------- d-----w c:\program files\Malwarebytes Anti-Malware
    2009-04-22 15:08 . 2009-04-22 15:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-21 22:02 . 2009-04-21 22:02 -------- d-sh--w c:\documents and settings\David Vincent\IECompatCache
    2009-04-21 22:00 . 2009-04-21 22:00 -------- d-sh--w c:\documents and settings\David Vincent\PrivacIE
    2009-04-21 21:57 . 2009-04-21 21:57 -------- d-sh--w c:\documents and settings\David Vincent\IETldCache
    2009-04-21 21:53 . 2009-04-21 21:54 -------- dc-h--w c:\windows\ie8
    2009-04-21 17:20 . 2009-04-21 17:20 10520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-04-21 17:20 . 2009-04-22 15:07 -------- d-----w c:\windows\system32\drivers\Avg
    2009-04-21 17:20 . 2009-04-21 17:20 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-04-21 17:20 . 2009-04-21 17:20 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-21 17:19 . 2009-04-21 17:19 -------- d-----w c:\program files\AVG
    2009-04-21 15:49 . 2009-04-21 15:49 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-04-18 23:38 . 2009-04-21 11:35 -------- d--h--w C:\$AVG8.VAULT$
    2009-04-18 23:17 . 2009-04-21 17:19 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-04-15 15:24 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
    2009-04-15 15:24 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
    2009-04-15 15:24 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-15 15:24 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
    2009-04-15 15:24 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
    2009-04-15 15:24 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-15 15:24 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
    2009-04-15 15:24 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-15 15:24 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
    2009-04-15 15:22 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
    2009-04-15 15:22 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-15 15:22 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
    2009-04-04 18:10 . 2009-04-04 18:10 -------- d-----w c:\program files\Common Files\xing shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-22 16:32 . 2007-09-16 19:57 -------- d-----w c:\program files\Creative
    2009-04-21 15:51 . 2004-02-10 17:13 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2009-04-18 22:22 . 2005-12-21 13:13 -------- d-----w c:\program files\Free Download Manager
    2009-04-16 19:45 . 2008-06-10 19:01 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-04-13 18:34 . 2007-09-11 18:27 -------- d-----w c:\documents and settings\David Vincent\Application Data\Skype
    2009-04-13 17:21 . 2007-09-11 18:25 -------- d-----r c:\program files\Skype
    2009-04-13 17:21 . 2007-09-11 18:24 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
    2009-04-09 15:21 . 2008-10-09 20:44 133250 ----a-w c:\documents and settings\David Vincent\Application Data\mdbu.bin
    2009-04-04 18:10 . 2004-02-11 00:40 -------- d-----w c:\program files\Common Files\Real
    2009-04-04 18:10 . 2004-02-11 00:40 -------- d-----w c:\program files\Real
    2009-03-19 19:28 . 2007-05-09 19:33 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
    2009-03-11 20:43 . 2009-01-16 19:34 156672 ----a-w c:\windows\system32\rmc_fixasf.exe
    2009-03-11 20:43 . 2009-01-16 19:34 237568 ----a-w c:\windows\system32\rmc_rtspdl.dll
    2009-03-11 20:43 . 2009-01-16 19:33 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
    2009-03-10 10:13 . 2004-02-20 13:29 -------- d-----w c:\program files\MSI
    2009-03-09 14:07 . 2009-03-09 14:07 -------- d-----w c:\program files\Microsoft ActiveSync
    2009-03-08 03:34 . 2004-08-23 19:32 914944 ----a-w c:\windows\system32\wininet.dll
    2009-03-08 03:34 . 2003-03-31 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
    2009-03-08 03:33 . 2003-03-31 12:00 18944 ----a-w c:\windows\system32\corpol.dll
    2009-03-08 03:33 . 2003-03-31 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
    2009-03-08 03:32 . 2003-03-31 12:00 72704 ----a-w c:\windows\system32\admparse.dll
    2009-03-08 03:32 . 2003-03-31 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
    2009-03-08 03:31 . 2003-03-31 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
    2009-03-08 03:31 . 2003-03-31 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
    2009-03-08 03:31 . 2003-03-31 12:00 45568 ----a-w c:\windows\system32\mshta.exe
    2009-03-08 03:22 . 2003-03-31 12:00 156160 ----a-w c:\windows\system32\msls31.dll
    2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-05 20:08 . 2006-04-11 21:54 -------- d-----w c:\documents and settings\David Vincent\Application Data\Canon
    2009-03-03 10:15 . 2009-03-03 10:02 -------- d-----w c:\program files\CCleaner
    2009-03-02 20:59 . 2005-12-21 13:13 -------- d-----w c:\documents and settings\David Vincent\Application Data\Free Download Manager
    2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-05-10 09:01 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:06 . 2003-03-31 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2002-08-29 01:04 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\system32\secur32.dll
    2009-01-28 19:16 . 2004-02-28 19:21 120016 ----a-w c:\documents and settings\David Vincent\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-11 07:53 . 2004-04-08 17:01 45536 ----a-w c:\documents and settings\David Vincent\Application Data\GDIPFONTCACHEV1.DAT
    2006-04-20 14:33 . 2006-04-20 14:33 136 ----a-w c:\documents and settings\David Vincent\Local Settings\Application Data\fusioncache.dat
    2007-08-25 03:2007-12-22 17:13 52:00 . c:\program files\mozilla firefox\components\coFFPlgn.dll
    2008-05-06 19:52 . 2008-05-06 19:52 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx "= "c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
    "StartCCC "= "c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CherryKeyMan "= "c:\program files\Cherry\KeyMan\KeyMan.exe" [2005-12-22 254004]
    "ProfilerU "= "c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2008-04-04 233472]
    "SaiMfd "= "c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2008-04-04 131072]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-21 1932568]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-04-21 17:20 10520 ----a-w c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
    2006-04-10 17:42 138552 ----a-w c:\windows\system32\RegCompact.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Kontiki\\KService.exe "=
    "c:\\WINDOWS\\system32\\mmc.exe "=
    "c:\\Program Files\\Parsons\\QuickVerse 7\\QuickVerse\\qvwin.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgiproxy.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgui.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgtray.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2308:UDP "= 2308:UDP:Windows Media Format SDK (iexplore.exe)
    "2309:UDP "= 2309:UDP:Windows Media Format SDK (iexplore.exe)
    "2318:UDP "= 2318:UDP:Windows Media Format SDK (iexplore.exe)
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\ES1370MP.sys [2001-08-17 37120]
    R3 P0630VID;Creative WebCam Live!;c:\windows\system32\DRIVERS\P0630Vid.sys [2005-06-06 91841]
    R3 SaiH0762;SaiH0762;c:\windows\system32\DRIVERS\SaiH0762.sys [2008-04-04 136832]
    R3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2007-05-01 132232]
    R3 SaitekPad;deviceX634 driver;c:\windows\system32\drivers\hidsaitek.sys [2002-05-23 9472]
    R3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2007-05-01 28416]
    R4 cdawdm;cdawdm; [x]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-21 325640]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-21 108552]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-21 908056]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-21 298264]
    S2 SaiDOutput;Saitek DirectOutput;c:\program files\Saitek\DirectOutput\DirectOutputService.exe [2008-04-04 147456]
    S3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\DRIVERS\Ch2kPS2.sys [2005-10-26 134446]
    S3 Cherry Device Interface;Cherry Device Interface;c:\program files\Cherry\CDI\cdi.exe [2005-11-14 569390]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9609e6a-706d-11dd-8bd1-000c7655f6af}]
    \Shell\AutoRun\command - g:\wd_windows_tools\Setup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-21 c:\windows\Tasks\User_Feed_Synchronization-{78A20E46-E1DC-42AB-A2D3-583DC683257C}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://news.bbc.co.uk/
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download web site with Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon Printer\Easy-WebPrint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon Printer\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon Printer\Easy-WebPrint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon Printer\Easy-WebPrint\Resource.dll/RC_Print.html
    IE: Send to Keyman - c:\program files\Cherry\KeyMan\IEMenuExtKeyman.html
    Trusted Zone: londonprayer.net\www
    Trusted Zone: microsoft.com\*.download
    Trusted Zone: microsoft.com\*.update
    Trusted Zone: t-mobile.co.uk\www
    DPF: FirstViewer - hxxp://barnet.documentretrieval.co.uk/alchemyweb/Components/FirstVwr.CAB
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37960.cab
    DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC}
    DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
    FF - ProfilePath - c:\documents and settings\David Vincent\Application Data\Mozilla\Firefox\Profiles\apr9vdf3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-22 22:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(528)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\RegCompact.dll

    - - - - - - - > 'explorer.exe'(5848)
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\progra~1\MICROS~3\rapimgr.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-22 22:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-22 21:14

    Pre-Run: 53,732,995,072 bytes free
    Post-Run: 53,808,779,264 bytes free

    241 --- E O F --- 2009-03-15 18:18
     
  5. 2009/04/22
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    As a new member with less than 10 posts any post you make which contains a URL requires approval (moderation) before it is visible. I have deleted the duplicate post.
     
  6. 2009/05/13
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome, sorry for the delay.


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.



    Your version of Java is outdated.

    Please download JavaRa to your desktop and unzip it to its own folder

    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.
    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.




    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.


    How's your computer now?
     
