I had a virus + trojan a few days ago which I managed to remove with Spybot S&D, AVG and Malwarebytes, but I'm still in doubt whether my computer is clean. I'm getting some link forwarding in Google, especially with anti-virus results. For example, if I search for AVAST and want to click the first result, it takes me to (I believe) a malicious site: Avast Anti-Virus Software and Internet Security - Free download.
Here is a HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:58, on 08/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\Program Files\Webroot\Client\commagent.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dvdpaly.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Client\SpySweeperUI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sofatnet.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\fonts\services.exe
C:\WINDOWS\system32\wiawow32.sys
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Home | Glasgow Caledonian University | Scotland, UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\msotcvzf.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msugfqur.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [MSxmlHpr] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\nme2\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msgutuyw.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.caledonian.ac.uk
O15 - Trusted Zone: *.campuskelpie.co.uk
O15 - Trusted Zone: *.campuskelpie.com
O15 - Trusted Zone: *.enterprise.gcal.ac.uk
O15 - Trusted Zone: *.gcal.ac.uk
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (DNL Reader) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=26688
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = enterprise.gcal.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = enterprise.gcal.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = enterprise.gcal.ac.uk
O20 - AppInit_DLLs: KATRACK.DLL ejtiqw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9023 bytes
____________________________
Thanks for your time.
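The log above is read by hand in this thread, but the launch points that end up mattering (the F3 win.ini hooks, the O20 AppInit_DLLs entry, the Policies\Explorer\Run value, the Temp-directory executable, the random-looking ms*.exe names) are mechanical enough to triage with a script. The following is an added example, not part of the thread, of HijackThis or of ComboFix; it parses HijackThis-format lines and reports why an entry deserves a look. The sample lines are copied from the log above plus one ordinary vendor entry, and the heuristics (vowel-ratio "random name" test, temp-path check, launch-point rules) are this example's own assumptions, not HijackThis rules.

```python
"""Triage HijackThis-style autostart entries for common persistence indicators.

Added example; not part of the forum thread, HijackThis or ComboFix.
Every heuristic here is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis log posted above plus
# one ordinary vendor entry (Apoint) that must not be flagged.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\msotcvzf.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MSxmlHpr] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\nme2\LOCALS~1\Temp\b.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msgutuyw.exe
O20 - AppInit_DLLs: KATRACK.DLL ejtiqw.dll
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe
"""

# A Windows path ending in a binary extension; spaces inside the path are allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
# Temp directories, including the 8.3 short form seen in the log.
TEMP_RE = re.compile(r"\\(?:temp|tmp|locals~1)\\", re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    entry: str
    reasons: List[str]


def vowel_ratio(stem: str) -> float:
    """Fraction of alphabetic characters that are vowels (0.0 if no letters)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def looks_random(filename: str) -> bool:
    """Heuristic: stems of 5+ characters with very few vowels read as generated
    names (msotcvzf, msxm192z) rather than vendor names (Apoint, sofatnet)."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= 5 and vowel_ratio(stem) <= 0.25


def triage_entry(entry: str) -> Optional[Finding]:
    """Return a Finding listing every reason the entry deserves review, or None."""
    reasons: List[str] = []
    section = entry.split(" - ", 1)[0]  # "F3", "O4", "O20", ...

    if section == "F3":
        reasons.append("win.ini load=/run= hook: an obsolete launch point that "
                       "current legitimate software does not use")
    if section == "O20" and "AppInit_DLLs" in entry:
        reasons.append("AppInit_DLLs: listed DLLs are loaded into every process "
                       "that maps user32.dll")
        for name in re.findall(r"[\w~-]+\.dll", entry, re.IGNORECASE):
            if looks_random(name):
                reasons.append(f"random-looking DLL name: {name}")
    if "\\Policies\\Explorer\\Run" in entry:
        reasons.append("Policies\\Explorer\\Run: policy autostart, rarely used "
                       "by ordinary software")

    for path in PATH_RE.findall(entry):
        name = path.rsplit("\\", 1)[-1]
        if TEMP_RE.search(path):
            reasons.append(f"executes from a temp directory: {path}")
        if looks_random(name):
            reasons.append(f"random-looking filename: {name}")

    return Finding(entry, reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """Run triage_entry over every non-blank line of a HijackThis log."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            finding = triage_entry(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.entry)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, five entries are flagged (the F3 hook, the MSxmlHpr rundll32 entry, the Temp-directory Monopod entry, the Policies\Explorer\Run entry and the AppInit_DLLs line) while Apoint and sofatnet pass. Note that the NordBull entry (C:\WINDOWS\msa.exe) also passes every rule here even though ComboFix later removes it as an orphan: a short, plausible name in a normal directory defeats name-based heuristics, which is why this kind of script narrows the list for a human reviewer rather than replacing one.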
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
Combofix log:
ComboFix 09-08-08.04 - nme2 09/08/2009 9:59.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.502.174 [GMT 1:00]
Running from: c:\documents and settings\nme2\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\-1795547835
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\nme2\Local Settings\Temporary Internet Files\fbk.sts
C:\install.exe
c:\program files\sFX
c:\program files\sFX\sfX.sYs
c:\recycler\S-1-5-21-1448488827-3963006239-106543105-500
c:\recycler\S-1-5-21-1881867250-3900311715-1981324906-500
c:\recycler\S-1-5-21-746137067-1957994488-839522115-1003
c:\recycler\S-1-5-21-746137067-1957994488-839522115-500
c:\windows\FONTS\cooecp.tlb
c:\windows\FONTS\logcde.dll
c:\windows\Fonts\mlog
c:\windows\FONTS\windef.dll
c:\windows\FONTS\windef.Log
c:\windows\FONTS\winpaged.ocx
c:\windows\Install.txt
c:\windows\Installer\15405.msp
c:\windows\Installer\1540b.msp
c:\windows\Installer\40f0c3.msp
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\DMLEng.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\lsprst7.dll
c:\windows\system32\msavx.exe
c:\windows\system32\mscgukjs.exe
c:\windows\system32\mschw.exe
c:\windows\system32\mscjrbty.exe
c:\windows\system32\msclccqb.exe
c:\windows\system32\msclvyr.exe
c:\windows\system32\mscndyb.exe
c:\windows\system32\mscpgrdp.exe
c:\windows\system32\mscsraa.exe
c:\windows\system32\mscyc.exe
c:\windows\system32\mscyczht.exe
c:\windows\system32\msczo.exe
c:\windows\system32\msdcbm.exe
c:\windows\system32\msdhcjb.exe
c:\windows\system32\msdhj.exe
c:\windows\system32\msdihnm.exe
c:\windows\system32\msdkd.exe
c:\windows\system32\msdmwo.exe
c:\windows\system32\msdxs.exe
c:\windows\system32\msdzuo.exe
c:\windows\system32\mseaf.exe
c:\windows\system32\msebmuzf.exe
c:\windows\system32\mseiyo.exe
c:\windows\system32\msemheex.exe
c:\windows\system32\msenaq.exe
c:\windows\system32\mseopn.exe
c:\windows\system32\mservghw.exe
c:\windows\system32\msfish.exe
c:\windows\system32\msfja.exe
c:\windows\system32\msfnn.exe
c:\windows\system32\msfqztr.exe
c:\windows\system32\msftkvz.exe
c:\windows\system32\msfvltl.exe
c:\windows\system32\msfvqdx.exe
c:\windows\system32\msgam.exe
c:\windows\system32\msged.exe
c:\windows\system32\msgem.exe
c:\windows\system32\msglgvp.exe
c:\windows\system32\msgnzln.exe
c:\windows\system32\msgqesjq.exe
c:\windows\system32\msgqpyf.exe
c:\windows\system32\msgrghpk.exe
c:\windows\system32\msgsdyc.exe
c:\windows\system32\msgutuyw.exe
c:\windows\system32\msgviqel.exe
c:\windows\system32\msgxgcg.exe
c:\windows\system32\mshbiu.exe
c:\windows\system32\mshcytu.exe
c:\windows\system32\mshfqmtn.exe
c:\windows\system32\mshgrh.exe
c:\windows\system32\mshihx.exe
c:\windows\system32\mshiya.exe
c:\windows\system32\mshmha.exe
c:\windows\system32\mshxiu.exe
c:\windows\system32\mshzvpxr.exe
c:\windows\system32\msibi.exe
c:\windows\system32\msidtv.exe
c:\windows\system32\msigcqr.exe
c:\windows\system32\msihxhgf.exe
c:\windows\system32\msiik.exe
c:\windows\system32\msijrgid.exe
c:\windows\system32\msiqxooa.exe
c:\windows\system32\msjca.exe
c:\windows\system32\msjfwyra.exe
c:\windows\system32\msjjrg.exe
c:\windows\system32\msjnj.exe
c:\windows\system32\msjnlwpy.exe
c:\windows\system32\msjnupqt.exe
c:\windows\system32\msjsawu.exe
c:\windows\system32\msjsvis.exe
c:\windows\system32\msjsy.exe
c:\windows\system32\msjvq.exe
c:\windows\system32\mskmnx.exe
c:\windows\system32\mskmwr.exe
c:\windows\system32\mskqfij.exe
c:\windows\system32\mskqxcng.exe
c:\windows\system32\mskrso.exe
c:\windows\system32\mskstyy.exe
c:\windows\system32\mskxmo.exe
c:\windows\system32\mskynsbo.exe
c:\windows\system32\mslasbn.exe
c:\windows\system32\msldeic.exe
c:\windows\system32\msleztd.exe
c:\windows\system32\mslfsksq.exe
c:\windows\system32\mslgdc.exe
c:\windows\system32\mslgs.exe
c:\windows\system32\mslkfcb.exe
c:\windows\system32\mslkiywv.exe
c:\windows\system32\msltjopp.exe
c:\windows\system32\mslvoh.exe
c:\windows\system32\mslwcl.exe
c:\windows\system32\msmbhyb.exe
c:\windows\system32\msmcndqc.exe
c:\windows\system32\msmcsxw.exe
c:\windows\system32\msmcy.exe
c:\windows\system32\msmeimuk.exe
c:\windows\system32\msmimjlw.exe
c:\windows\system32\msmtdwx.exe
c:\windows\system32\msmyycp.exe
c:\windows\system32\msnfrs.exe
c:\windows\system32\msnmgcl.exe
c:\windows\system32\msnnab.exe
c:\windows\system32\msnngu.exe
c:\windows\system32\msnqg.exe
c:\windows\system32\msnrvafr.exe
c:\windows\system32\msnrvc.exe
c:\windows\system32\msnwzfii.exe
c:\windows\system32\msnzwki.exe
c:\windows\system32\msoimcu.exe
c:\windows\system32\msomfabs.exe
c:\windows\system32\msompo.exe
c:\windows\system32\msotcvzf.exe
c:\windows\system32\msoxtrzn.exe
c:\windows\system32\mspahur.exe
c:\windows\system32\mspajn.exe
c:\windows\system32\msphjou.exe
c:\windows\system32\mspmne.exe
c:\windows\system32\mspnuu.exe
c:\windows\system32\mspozkb.exe
c:\windows\system32\mspvaf.exe
c:\windows\system32\mspwd.exe
c:\windows\system32\mspwgev.exe
c:\windows\system32\mspzd.exe
c:\windows\system32\mspzpx.exe
c:\windows\system32\msqkjhz.exe
c:\windows\system32\msqwn.exe
c:\windows\system32\msqwxzo.exe
c:\windows\system32\msrcwszk.exe
c:\windows\system32\msrdiy.exe
c:\windows\system32\msrinfkb.exe
c:\windows\system32\msrjsi.exe
c:\windows\system32\msrkqtph.exe
c:\windows\system32\msrlehv.exe
c:\windows\system32\msrpzk.exe
c:\windows\system32\msrqre.exe
c:\windows\system32\msrsgnd.exe
c:\windows\system32\msrvqa.exe
c:\windows\system32\msrybtyw.exe
c:\windows\system32\mssbpoj.exe
c:\windows\system32\mssck.exe
c:\windows\system32\msshjv.exe
c:\windows\system32\mssnbgf.exe
c:\windows\system32\mssnyq.exe
c:\windows\system32\mssoktf.exe
c:\windows\system32\mssqe.exe
c:\windows\system32\mssqi.exe
c:\windows\system32\mssxtprx.exe
c:\windows\system32\mssznif.exe
c:\windows\system32\mstauow.exe
c:\windows\system32\mstbyl.exe
c:\windows\system32\mstdufvj.exe
c:\windows\system32\mstew.exe
c:\windows\system32\mstjux.exe
c:\windows\system32\mstmay.exe
c:\windows\system32\mstqg.exe
c:\windows\system32\mstrtv.exe
c:\windows\system32\mstutqi.exe
c:\windows\system32\msugfqur.exe
c:\windows\system32\msult.exe
c:\windows\system32\msusclm.exe
c:\windows\system32\msusd.exe
c:\windows\system32\msutecun.exe
c:\windows\system32\msuxam.exe
c:\windows\system32\msuyvq.exe
c:\windows\system32\msvks.exe
c:\windows\system32\msvkskl.exe
c:\windows\system32\msvmibu.exe
c:\windows\system32\msvncdut.exe
c:\windows\system32\msvpq.exe
c:\windows\system32\msvsiux.exe
c:\windows\system32\msvsx.exe
c:\windows\system32\msvwhxbp.exe
c:\windows\system32\msvyqkx.exe
c:\windows\system32\mswbiv.exe
c:\windows\system32\mswdlcnp.exe
c:\windows\system32\mswetj.exe
c:\windows\system32\mswfs.exe
c:\windows\system32\mswgmgn.exe
c:\windows\system32\mswoil.exe
c:\windows\system32\mswpkpfy.exe
c:\windows\system32\mswssjcz.exe
c:\windows\system32\msxafc.exe
c:\windows\system32\msxdf.exe
c:\windows\system32\msxfdqd.exe
c:\windows\system32\msxgug.exe
c:\windows\system32\msxkje.exe
c:\windows\system32\msxmhqww.exe
c:\windows\system32\msxmqxof.exe
c:\windows\system32\msxmza.exe
c:\windows\system32\msxngffd.exe
c:\windows\system32\msxpb.exe
c:\windows\system32\msxqg.exe
c:\windows\system32\msxqtk.exe
c:\windows\system32\msxrc.exe
c:\windows\system32\msxrz.exe
c:\windows\system32\msxsggm.exe
c:\windows\system32\msxsrqiw.exe
c:\windows\system32\msyaxu.exe
c:\windows\system32\msyctrsy.exe
c:\windows\system32\msydbtl.exe
c:\windows\system32\msydg.exe
c:\windows\system32\msyfv.exe
c:\windows\system32\msyibw.exe
c:\windows\system32\mszapp.exe
c:\windows\system32\mszasipe.exe
c:\windows\system32\mszegm.exe
c:\windows\system32\mszet.exe
c:\windows\system32\mszfmn.exe
c:\windows\system32\mszgny.exe
c:\windows\system32\mszidt.exe
c:\windows\system32\mszrhhbs.exe
c:\windows\system32\mszvc.exe
c:\windows\system32\mszvvmb.exe
c:\windows\system32\nsprs.dll
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mta53701.dll
----- BITS: Possible infected sites -----
hxxp://citsms-mp.enterprise.gcal.ac.uk:80
hxxp://CITSMS-MP.enterprise.gcal.ac.uk:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_NETCARD
-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Service_6to4
-------\Service_netcard
-------\Service_sfx
-------\Service_sFxdrv
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.
2009-08-06 15:52 . 2009-08-06 15:52 -------- d-----w- c:\program files\Trend Micro
2009-08-05 23:41 . 2009-08-05 23:41 -------- d-sh--w- c:\documents and settings\nme2\IECompatCache
2009-08-05 18:36 . 2009-08-05 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-05 18:15 . 2009-08-05 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 18:15 . 2009-08-05 23:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 17:56 . 2009-08-05 13:02 145408 ----a-w- c:\windows\msb.exe
2009-07-30 09:04 . 2009-07-30 09:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-30 09:04 . 2009-07-30 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2009-07-30 09:02 . 2009-07-30 09:09 -------- d-----w- c:\program files\O2
2009-07-30 08:53 . 2009-07-30 08:53 -------- d-----w- c:\documents and settings\nme2\Local Settings\Application Data\SupportSoft
2009-07-30 08:53 . 2009-07-30 08:53 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-07-26 13:34 . 2002-01-05 13:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-07-26 13:33 . 2009-07-26 13:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-07-21 19:54 . 2009-07-21 19:54 -------- d-sh--w- c:\documents and settings\nme2\PrivacIE
2009-07-21 19:53 . 2009-07-21 19:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-21 19:52 . 2009-07-21 19:52 -------- d-sh--w- c:\documents and settings\nme2\IETldCache
2009-07-21 19:41 . 2009-07-21 19:44 -------- dc-h--w- c:\windows\ie8
2009-07-21 09:11 . 2009-07-22 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-21 09:11 . 2009-07-22 06:31 -------- d-----w- c:\program files\NOS
2009-07-19 23:12 . 2004-08-03 23:56 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 18:13 . 2005-06-30 13:09 -------- d-----w- c:\program files\Apoint
2009-08-05 13:03 . 2008-12-17 23:49 -------- d-----w- c:\documents and settings\nme2\Application Data\AdobeUM
2009-07-29 22:24 . 2009-06-27 13:54 -------- d-----w- c:\documents and settings\nme2\Application Data\uTorrent
2009-07-27 15:39 . 2009-03-11 19:02 -------- d-----w- c:\documents and settings\nme2\Application Data\Audacity
2009-07-22 00:08 . 2009-05-02 15:09 34 ----a-w- c:\documents and settings\nme2\jagex_runescape_preferences.dat
2009-07-03 01:36 . 2009-07-03 01:36 1022432 ----a-w- c:\windows\dbplugin.exe
2009-06-27 14:16 . 2009-06-25 08:46 -------- d-----w- c:\documents and settings\nme2\Application Data\Orbit
2009-06-27 13:46 . 2009-06-27 13:46 -------- d-----w- c:\program files\DivX
2009-06-27 13:46 . 2009-06-27 13:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-25 08:47 . 2009-06-25 08:46 -------- d-----w- c:\documents and settings\nme2\Application Data\GrabPro
2009-05-14 22:18 . 2008-12-16 14:26 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"KeyAccess"="c:\windows\keyacc32.exe" [2004-03-20 311296]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-01 98304]
"WebrootClientUI"="c:\program files\Webroot\Client\SpySweeperUI.EXE" [2008-07-16 435616]
"MSxmlHpr"="c:\windows\system32\msxm192z.dll" [2004-08-17 28672]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-12-22 88358]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-152049171-682003330-50548\Scripts\Logon\0\0]
"Script"=b-ie7.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-152049171-682003330-50548\Scripts\Logon\0\1]
"Script"=refworks.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-152049171-682003330-50548\Scripts\Logon\0\2]
"Script"=totalinfo.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Client.lnk
backup=c:\windows\pss\Client.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:sfx
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 00:56 14336]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [29/08/2002 13:00 93696]
S3 dump_wmimmc;dump_wmimmc;\??\e:\flyff\GameGuard\dump_wmimmc.sys --> e:\flyff\GameGuard\dump_wmimmc.sys [?]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [03/05/2004 16:26 80384]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-NordBull - c:\windows\msa.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.gcal.ac.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: caledonian.ac.uk
Trusted Zone: campuskelpie.co.uk
Trusted Zone: campuskelpie.com
Trusted Zone: gcal.ac.uk
Trusted Zone: gcal.ac.uk\*.enterprise
Trusted Zone: o2.co.uk\*.broadband
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-08-09 10:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (3) (LocalSystem)
@Allowed: (3) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"="Student Edition"
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"ProductBase"=dword:00000000
"ProductCode"="{4EAE8F8E-0C2E-4814-9A04-635AFB9050AA}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="3.0.684.0"
"UniqueId"="0015E9004953C6F4"
"ScannerBuild"=dword:00000ed0
"ScannerVersionId"=dword:00000de1
"ScannerVersion"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNtf.DLL
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(932)
c:\windows\system32\ieframe.dll
c:\windows\system32\msxm192z.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Webroot\Client\CommAgent.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Webroot\Client\SPYSWEEPER.EXE
c:\windows\system32\msiexec.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\WLTRAY.EXE
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-09 10:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-09 09:15
Pre-Run: 29,668,442,112 bytes free
Post-Run: 31,922,225,152 bytes free
455 --- E O F --- 2009-05-13 11:57
New HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:11, on 09/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Client\SpySweeperUI.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dvdpaly.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wiawow32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Home | Glasgow Caledonian University | Scotland, UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [MSxmlHpr] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.caledonian.ac.uk
O15 - Trusted Zone: *.campuskelpie.co.uk
O15 - Trusted Zone: *.campuskelpie.com
O15 - Trusted Zone: *.enterprise.gcal.ac.uk
O15 - Trusted Zone: *.gcal.ac.uk
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (DNL Reader) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=26688
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = enterprise.gcal.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = enterprise.gcal.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = enterprise.gcal.ac.uk
O20 - AppInit_DLLs: C:\WINDOWS\katrack.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 8461 bytes
NOTE: The browser problem has been fixed. Any last precautions would be helpful. Thanks for your time.
How is the redirection issue now?
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
c:\windows\msb.exe
Folder::
Driver::
Registry::
RegLockDel::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.