--------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 08, 2008 7:56:49 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/04/2008
Kaspersky Anti-Virus database records: 691113
--------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 171297
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 30
Duration of the scan process: 02:04:23

Infected Object Name / Virus Name / Last Action
C:\Program Files\PC-Doctor 5 for Windows\Configuration\config.xml Object is locked skipped
C:\ProgramData\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\ProgramData\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\168fe1e8af1c1dfdddb3b03e91b2080a_c2fbe3d4-d678-4bf5-98f1-ad1cd5570497 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\34de200bab6320e3f71c9591d83c7374_c2fbe3d4-d678-4bf5-98f1-ad1cd5570497 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b90343f8f8433fd3a29d7b13a24bce9e_c2fbe3d4-d678-4bf5-98f1-ad1cd5570497 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_c2fbe3d4-d678-4bf5-98f1-ad1cd5570497 Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped
C:\ProgramData\muvee Technologies\030625\0103\0399\values Object is locked skipped
C:\Users\Penny\AppData\Local\Temp\igwrwtvm.dll Infected: Packed.Win32.Monder.gen skipped
C:\Users\Penny\AppData\Local\Temp\JET537C.tmp Object is locked skipped
C:\Users\Penny\AppData\Local\Temp\MainFrame.Log.txt Object is locked skipped
C:\Users\Penny\AppData\Local\Temp\~DF2C77.tmp Object is locked skipped
C:\Users\Penny\AppData\Local\Temp\~DF2C81.tmp Object is locked skipped
C:\Users\Penny\AppData\Local\Ahead\Nero Home\bl.db Object is locked skipped
C:\Users\Penny\AppData\Local\Ahead\Nero Home\is2.db Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Messenger\pennenny@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Messenger\pennenny@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Messenger\pennenny@hotmail.com\SharingMetadata\Working\database_AEF0_CD5_F00C_A5A5\dfsr.db Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Messenger\pennenny@hotmail.com\SharingMetadata\Working\database_AEF0_CD5_F00C_A5A5\fsr.log Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Messenger\pennenny@hotmail.com\SharingMetadata\Working\database_AEF0_CD5_F00C_A5A5\fsrtmp.log Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Messenger\pennenny@hotmail.com\SharingMetadata\Working\database_AEF0_CD5_F00C_A5A5\tmp.edb Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GJ9QY9AM\iddqd[1] Infected: Packed.Win32.Monder.gen skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\UsrClass.dat{ef5ec0b0-5b55-11dc-b1b5-001bfc405e06}.TM.blf Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\UsrClass.dat{ef5ec0b0-5b55-11dc-b1b5-001bfc405e06}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows\UsrClass.dat{ef5ec0b0-5b55-11dc-b1b5-001bfc405e06}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows Defender\FileTracker\{CD4EC1BB-91EE-402E-81D3-400154D22CCB} Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows Live Contacts\pennenny@hotmail.com\real\members.stg Object is locked skipped
C:\Users\Penny\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Penny\AppData\Roaming\microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Penny\AppData\Roaming\microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Penny\AppData\Roaming\Hewlett-Packard\HPAdvisor\HPAdvisorToDo.ldb Object is locked skipped
C:\Users\Penny\AppData\Roaming\Hewlett-Packard\HPAdvisor\HPAdvisorToDo.mdb Object is locked skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html/[From benedict thom <kee ... /[From "aw-confirm@eBay.com" <aw-confirm@eBay.com>][Date Tue, 16 Aug 2005 18:01:07 +0900 (JST)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html/[From benedict thom <kee ... /[From ... /[From Wesley Shirley <FGKIWKG@prodigy.net>][Date Sat, 13 Aug 2005 18:34:01 -0300]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html/[From benedict thom <kee ... /[From ... /[F ... /[From Sheree Comer <zcdfv@telus.net>][Date Thu, 11 Aug 2005 05:18:50 +0600]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html/[From benedict thom <kee ... /[From ... /[From marcelo wicker <jaynagie@mc-laren.com>][Date Thu, 04 Aug 2005 11:35:13 -1000]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html/[From benedict thom <kee ... /[From erin tsunoda < ... /[From Ora <leehk21@bol.com.br>][Date Sat, 30 Jul 2005 07:54:05 +0000]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html/[From benedict thom <kee ... /[From erin tsunoda <kamryne@onlineforsuccess.every1.net>][Date Wed, 27 Jul 2005 21:03:17 +0200]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html/[From benedict thom <keesha@akss.net> ... /[From Doreen Dailey <tskialw@arealcity.com>][Date Tue, 26 Jul 2005 17:58:10 -0100]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html/[From benedict thom <keesha@akss.net>][Date Sun, 24 Jul 2005 18:12:24 -0200]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text/[From rufina marshall <kellen@spankthedonkey.com>][Date Sat, 23 Jul 2005 17:54:44 +0400]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text/[From Amado Buchanan <ixtmikh@covad.net>][Date Fri, 22 Jul 2005 20:29:56 -0100]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Patrick Brooks <oudhuxh@level3.net>][Date Mon, 18 Jul 2005 00:42:08 -0700]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From lilla howard <dorathy@pww.every1.net>][Date Thu, 08 Sep 2005 14:05:24 +0500]/text/[From lin thompson <lynell@hong-kong-1.com>][Date Sun, 18 Sep 2005 08:08:27 +0900]/text/[From shad sneathen <ragnai@lebinfo.org>][Date Thu, 22 Sep 2005 02:48:12 -1100]/text/[From "aw-confirm@eBay.com" <aw-confirm@eBay.com>][Date Mon, 14 Nov 2005 09:50:28 +0100 (CET)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From lilla howard <dorathy@pww.every1.net>][Date Thu, 08 Sep 2005 14:05:24 +0500]/text/[From lin thompson <lynell@hong-kong-1.com>][Date Sun, 18 Sep 2005 08:08:27 +0900]/text/[From shad sneathen <ragnai@lebinfo.org>][Date Thu, 22 Sep 2005 02:48:12 -1100]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From lilla howard <dorathy@pww.every1.net>][Date Thu, 08 Sep 2005 14:05:24 +0500]/text/[From lin thompson <lynell@hong-kong-1.com>][Date Sun, 18 Sep 2005 08:08:27 +0900]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From lilla howard <dorathy@pww.every1.net>][Date Thu, 08 Sep 2005 14:05:24 +0500]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From MBNA Bank <support@mbna.ca>][Date Sun, 06 Aug 2006 21:02:16 +0400]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Walker <talbal2@shaw.ca>][Date Fri, 29 Sep 2006 12:33:44 +0200]/UNNAMED/[From "service@intl.paypal.com" <service@intl.paypal.com>][Date Fri, 23 Feb 2007 01:34:10 -0800]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Walker <talbal2@shaw.ca>][Date Fri, 29 Sep 2006 12:33:44 +0200]/UNNAMED/[From Branch Banking and Trust <clients-28639770432653ib@bbt.com>][Date Date header was inserted by l-daemon]/html Infected: Trojan-Spy.HTML.Bankfraud.ra skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Walker <talbal2@shaw.ca>][Date Fri, 29 Sep 2006 12:33:44 +0200]/UNNAMED/[From "paypal_notify@3343.com" <paypal_notify@3343.com>][Date Wed, 23 May 2007 11:01:55 -0800]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>][Date Wed, 06 Jul 2005 05:00:00 -0400]/UNNAMED/[From Walker <talbal2@shaw.ca>][Date Fri, 29 Sep 2006 12:33:44 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Inbox/[From "The Diet.com Challenge" <DietCare@Diet.com>] [Date Thu, 18 May 2006 12:30:16 -0700]/UNNAMED/[From Penny Daflos <penny@ultimateshootout.ca>][Date Mon, 12 Jun 2006 13:28:58 -0700]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Sent/[From "panagiota@shaw.ca" <panagiota@shaw.ca>][Date Mon, 19 Dec 2005 12:27:40 -0800]/UNNAMED/[From Penny Daflos <penny@ikmedia.net>][Date Wed, 22 Mar 2006 10:32:21 -0800]/UNNAMED/[From Penny Daflos <penny@ultimateshootout.ca>][Date Thu, 18 May 2006 12:30:16 -0700]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Sent/[From "panagiota@shaw.ca" <panagiota@shaw.ca>][Date Mon, 19 Dec 2005 12:27:40 -0800]/UNNAMED/[From Penny Daflos <penny@ikmedia.net>][Date Wed, 22 Mar 2006 10:32:21 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Sent/[From "panagiota@shaw.ca" <panagiota@shaw.ca>][Date Mon, 19 Dec 2005 12:27:40 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.shaw.ca\Sent Mail Berkeley mbox: suspicious - 11 skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.telus-1.net\Personal.sbd\whistler/[From Ann Spence (auto reply) <goldendreams@whistlerweb.net>][Date Mon, 22 Jan 2001 10:16:47 -0800]/text Infected: Email-Worm.VBS.KakWorm skipped
C:\Users\Penny\AppData\Roaming\Thunderbird\Profiles\z8sfh25d.default\Mail\mail.telus-1.net\Personal.sbd\whistler Mail Berkeley mbox: infected - 1 skipped
C:\Users\Penny\NTUSER.DAT Object is locked skipped
C:\Users\Penny\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Penny\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Penny\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Penny\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Penny\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Installer\MSIE066.tmp Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\MEMORY.DMP Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped

C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8A94AF24F162D580E3D9889344A3A317.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\Temp\fwtsqmfile00.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile01.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile02.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile03.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile04.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile05.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile06.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile07.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile08.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile09.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile10.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile11.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile12.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile13.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile14.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile15.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile16.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile17.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile18.sqm Object is locked skipped
C:\Windows\Temp\fwtsqmfile19.sqm Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:20 PM, on 08/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe
C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Netscape Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Penny\AppData\Local\Temp\tuvtr.dll,#1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Penny\AppData\Local\Temp\opnnk.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BMf33f9696] Rundll32.exe "C:\Users\Penny\AppData\Local\Temp\igwrwtvm.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\Windows\System32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10204 bytes

Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Hey Blade, thanks for the response.

I'm having some trouble getting ComboFix to work. I've double checked the download from all three sources to make suire it's working and it's not the file. Every time I try to start it, when the blue screen comes up all it says is:

"The system cannot find message text for message number 0x8 in the message file f[screencuts off]
or System."

I've checked out the instructions link you posted as well, and that doesn't seem to be helping.

Mike

Hi Mike

Do you have User account control (UAC) enabled? Please try disabling it according to #4 method instructed here (http://www.petri.co.il/disable_uac_in_windows_vista.htm). Then try running ComboFix again.

If it still doesn't work. Try rebooting into safe mode (http://www.computerhope.com/issues/chsafe.htm#03) and running ComboFix there.

Blade,

I had been running as administrator, but I disabled UAC as well and ran as administrator. Seemed to work, but the screen did hang up on the "preparing Log" screen and didn't actually pop up the log like it did on my last computer.

Here is what was generated, found at c:\ComboFix\ComboFix.txt, I don't know if this is complete or not:

ComboFix 08-04-13.1 - Penny 2008-04-14 12:09:19.2 - NTFSx86
Running from: C:\Users\Penny\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PortProxy


((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 19:07 --------- d-----w C:\Users\Penny\AppData\Roaming\WTablet
2008-04-14 18:57 --------- d-----w C:\Users\Penny\AppData\Roaming\AVG7
2008-04-14 07:40 --------- d-----w C:\Program Files\LogMeIn
2008-04-10 16:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-09 10:14 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 10:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-09 03:21 --------- d-----w C:\Program Files\Trend Micro
2008-03-27 16:52 --------- d-----w C:\ProgramData\Minnetonka Audio Software
2008-03-22 18:31 --------- d-----w C:\ProgramData\Lavasoft
2008-03-22 18:19 --------- d-----w C:\Program Files\Lavasoft
2008-03-22 18:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 15:38 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-03-20 15:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-20 15:30 691,545 ----a-w C:\Windows\unins000.exe
2008-03-18 10:02 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-17 21:01 --------- d-----w C:\Program Files\Windows Live
2008-03-17 20:58 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-17 20:43 --------- d-----w C:\ProgramData\WLInstaller
2008-03-14 20:31 --------- d-----w C:\Program Files\Roxio
2008-03-14 20:29 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-14 20:28 --------- d-----w C:\ProgramData\Roxio
2008-03-11 01:09 --------- d-----w C:\Users\Penny\AppData\Roaming\Ahead
2008-03-11 01:08 --------- d-----w C:\ProgramData\LightScribe
2008-03-11 00:53 --------- d-----w C:\ProgramData\Ahead
2008-03-11 00:51 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-11 00:45 --------- d-----w C:\ProgramData\Nero
2008-03-11 00:45 --------- d-----w C:\Program Files\Nero
2008-03-10 23:37 --------- d-----w C:\Program Files\Ahead
2008-03-02 22:45 --------- d-----w C:\Program Files\iTunes
2008-03-02 22:45 --------- d-----w C:\Program Files\iPod
2008-03-02 22:44 --------- d-----w C:\Program Files\QuickTime
2008-02-29 09:17 --------- d-----w C:\Users\Penny\AppData\Roaming\muvee Technologies
2008-02-29 09:16 --------- d-----w C:\Users\Penny\AppData\Roaming\Roxio
2008-02-29 09:15 --------- d---a-w C:\ProgramData\TEMP
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-28 15:23 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-13 11:11 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 11:05 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 11:05 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 11:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 11:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 11:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 11:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 11:04 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 11:04 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 11:04 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 11:04 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 11:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 11:04 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-06 07:37 9,216 ----a-w C:\Windows\System32\avgwlntf.dll
2007-09-05 05:18 174 --sha-w C:\Program Files\desktop.ini
2006-11-02 12:55 1,630 ----a-w C:\Program Files\Windows Media Center.lnk
2007-08-09 21:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 21:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
2007-09-05 03:23 22 --sha-w C:\Windows\SMINST\HPCD.sys
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31, on 2008-04-14
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\conime.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\Explorer.exe
C:\Windows\system32\CF9443.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Netscape Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\Windows\System32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9374 bytes

Oh, btw, I think ComboFix may have run twice, because of the way it looked like it was hung up, so this is the second log...when it restarted the first time, TeaTimer showed me that a number of deletions were made.

Yes, looks like it was run twice since hjt log looks much better than before combo :) Let's run a scan with Malwarebytes' Anti-Malware to see if it still notices something.


Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log in your next reply.

At long last, the scan is complete!

Also, I noticed while the Malwarebytes scan was running, sometime during or after the COmboFix, my desktop wallpaper disappeared, and now when I go to try and load it back on, I can't see any of the thumbnails, and I can't get any image to load...all I can do is switch the flat colour of the background...!




Malwarebytes' Anti-Malware 1.11
Database version: 629

Scan type: Full Scan (C:\|)
Objects scanned: 472153
Time elapsed: 5 hour(s), 15 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMf33f9696 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31, on 2008-04-14
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\conime.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\Explorer.exe
C:\Windows\system32\CF9443.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Netscape Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\Windows\System32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9374 bytes

Also, I noticed while the Malwarebytes scan was running, sometime during or after the COmboFix, my desktop wallpaper disappeared, and now when I go to try and load it back on, I can't see any of the thumbnails, and I can't get any image to load...all I can do is switch the flat colour of the background...!
Hi

Have you rebooted after that? Please do so if you haven't.

Yeah, both warm and cold, a couple of times each. And I'm noticing now that if I open any folder, the icon/thumbnail is blank as well, and will only appear if I start switching around the views. But if I close the folder and then open it again, it's back to being blank icons. I'm assuming something in the registry got mucked up by the malware as it was being stripped...?

Hi

Could you post your ComboFix.txt files in root of c: drive as attachments here? There should be at least ComboFix.txt and ComboFix2.txt.. That way I can track down what ComboFix has removed (especially on the first run).

There are no logs in the root drive. The only log I could find (and that I posted) was located at c:\ComboFix\ComboFix.txt

Hi

I would like for you to download & run this file :> http://download.bleepingcomputer.com/sUBs/grab.exe

Grab.exe is an exploratory tool for troubleshooting ComboFix issues. What it'll do is search your machine for the C:\ComboFix folder & when found, will create a zip file compressing of files from the C:\ComboFix folder. This zipped file shall be named _sUBs-.zip & should be located on your Desktop.

I shall need for you to upload this file to > http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please let me know when you have uploaded the above file. Thanks.

Hey, I've uploaded the file as requested.

Grab.exe threw me an error message when it was done, along the lines of "Nothing to do! a.zip", but it did still create the zip file, so hopefully that'll help.

Thanks!

Mike

Hi Mike

Please uninstall your current ComboFix release by doing following:

Click START then RUN
Now type Combofix /u in the runbox and click OK.


Then download latest release from one of these links to your desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Double click combofix.exe & follow the prompts. When finished, it shall produce a log for you as it did before (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Hey Blade,

OK, I uninstalled ComboFix and then installed a fresh version, UAC is still disabled, I ran ComboFix.exe as Administrator. It went through the whole process, and then hangs up at:

"Preparing Log Report.
Do not run any programs until ComboFix has finished"

There's no log at C:\ComboFix.txt, but there is a C:\ComboFix\COmbofix.txt which I've pasted below.

So far, I still can't set a background, see icons in my folders, or set the clock out of 24hr mode.

ComboFix 08-04-20.2 - Penny 2008-04-20 13:54:08.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1028 [GMT -7:00]
Running from: C:\Users\Penny\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 20:51 --------- d-----w C:\Users\Penny\AppData\Roaming\AVG7
2008-04-20 20:50 --------- d-----w C:\Users\Penny\AppData\Roaming\WTablet
2008-04-20 09:54 --------- d-----w C:\Program Files\LogMeIn
2008-04-14 21:08 --------- d-----w C:\Users\Penny\AppData\Roaming\Malwarebytes
2008-04-14 21:07 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-14 21:07 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-10 16:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-09 10:14 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 10:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-09 03:21 --------- d-----w C:\Program Files\Trend Micro
2008-03-27 16:52 --------- d-----w C:\ProgramData\Minnetonka Audio Software
2008-03-22 18:31 --------- d-----w C:\ProgramData\Lavasoft
2008-03-22 18:19 --------- d-----w C:\Program Files\Lavasoft
2008-03-22 18:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 15:38 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-03-20 15:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-20 15:30 691,545 ----a-w C:\Windows\unins000.exe
2008-03-18 10:02 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-17 21:01 --------- d-----w C:\Program Files\Windows Live
2008-03-17 20:58 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-17 20:43 --------- d-----w C:\ProgramData\WLInstaller
2008-03-14 20:31 --------- d-----w C:\Program Files\Roxio
2008-03-14 20:29 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-14 20:28 --------- d-----w C:\ProgramData\Roxio
2008-03-11 01:09 --------- d-----w C:\Users\Penny\AppData\Roaming\Ahead
2008-03-11 01:08 --------- d-----w C:\ProgramData\LightScribe
2008-03-11 00:53 --------- d-----w C:\ProgramData\Ahead
2008-03-11 00:51 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-11 00:45 --------- d-----w C:\ProgramData\Nero
2008-03-11 00:45 --------- d-----w C:\Program Files\Nero
2008-03-10 23:37 --------- d-----w C:\Program Files\Ahead
2008-03-02 22:45 --------- d-----w C:\Program Files\iTunes
2008-03-02 22:45 --------- d-----w C:\Program Files\iPod
2008-03-02 22:44 --------- d-----w C:\Program Files\QuickTime
2008-02-29 09:17 --------- d-----w C:\Users\Penny\AppData\Roaming\muvee Technologies
2008-02-29 09:16 --------- d-----w C:\Users\Penny\AppData\Roaming\Roxio
2008-02-29 09:15 --------- d---a-w C:\ProgramData\TEMP
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-28 15:23 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-13 11:11 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 11:05 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 11:05 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 11:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 11:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 11:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 11:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 11:04 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 11:04 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 11:04 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 11:04 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 11:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 11:04 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-06 07:37 9,216 ----a-w C:\Windows\System32\avgwlntf.dll
2007-09-05 05:18 174 --sha-w C:\Program Files\desktop.ini
2006-11-02 12:55 1,630 ----a-w C:\Program Files\Windows Media Center.lnk
2007-08-09 21:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 21:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
2007-09-05 03:23 22 --sha-w C:\Windows\SMINST\HPCD.sys
.


Thanks!

Hi

Looks like we have no other options left than do a system restore.

Please see "Perform a system restore" part here (http://articles.techrepublic.com.com/5100-10877_11-6159394.html) and restore the system back to date before the very first ComboFix run.

Post a fresh hjt log after doing that and let me know if it helped.

Hey Blade, sorry I've been in exams and offline for a few days here. I actually just removed a few references to the wallpaper from the registry and did a couple of cold boots and everything seems to be working fine (I'm on another computer, so can't post the HJT log, but right now everything seems to be coming along fine)..

Thanks for your help, I think we're good!

That's really great to hear :laugh: Guess we'll close the topic now?

Might as well, thanks once again for the help!

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.