zlob dns changer rtk

It's come back iv'e just got rid of this now its back i tried to be carefull of my browsing is there no way to keep this out of my system.
I ran spybot in safe mode an it said it was dealt with so i ran Malwarebytes anti malware in safe mode just to check and it hadn't gone after


Please help........


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:32:12, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205734530171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9890 bytes
all

hi wolfblitz,

update and run malwarebytes and post that log please:

select Perform FULL SCAN, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt


shelf life

Hi shelf life thanks for your reply and help


Malwarebytes' Anti-Malware 1.11
Database version: 669

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 90269
Time elapsed: 1 hour(s), 13 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdmzj.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

hi,

looks like malwarebytes took care of it. hows it all looking on that end now?

Hi shelf life thanks for your reply
I ran spybot in safe mode and it's still there
Maybe this will help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:37, on 23/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205734530171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9829 bytes

hi wolfblitz,

you saw what malwarebytes removed?

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdmzj.exe -> Quarantined and deleted successfully.
------------------
there is a way in spybot to get the last scan result. not the entire scan but only what was found after the scan. iam in linux right now and cant check how to do that in spybot. see if you can manage, spybot will have to be in advanced mode. mode>advanced then tools or something. next time iam in windows i will check and post back if you havent already figured it out.
just curious to see what spybot is flagging.

also you might re-run malwarebytes after checking for updates.

shelf life

Hi shelf life thanks for your reply
I ran malwarebytes and Zlob was detected fixed problem
Then I ran spybot and Zlob was still there
Hope these logs help

Malwarebytes' Anti-Malware 1.11
Database version: 679

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 91726
Time elapsed: 1 hour(s), 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdmzj.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


(spybot log)

--- Report generated: 2008-04-25 08:09 ---

Zlob.DNSChanger.Rtk: [SBI $FE3023DF] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System=...KDMZJ.EXE...


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-03-27 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-03-26 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-26 Includes\DialerC.sbi (*)
2008-03-26 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-03-26 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-26 Includes\Malware.sbi (*)
2008-03-26 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-03-26 Includes\PUPSC.sbi (*)
2008-03-26 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-26 Includes\SecurityC.sbi (*)
2008-03-19 Includes\Spybots.sbi (*)
2008-03-26 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-03-19 Includes\Trojans.sbi (*)
2008-03-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-04-01 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

hi wolfblitz,

lets try Fixwareout:

You may want to print out these instructions for reference, since you
will have to restart your computer during the fix.

Please download FixWareout from one of these sites:


http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make
sure Run fixit box is checked and click Finish. The fix will
begin; follow the prompts. You will be asked to reboot your computer;
please do so. Your system may take longer than usual to load; this is
normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a new HijackThis log, along with the contents of
the logfile C:\fixwareout\report.txt

Hi Shelf life thanks for your reply
I did as you asked I also ran spy bot again and guess what ? it's still there.....
here are the logs

Username "Geoff" - 26/04/2008 16:55:39 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdmzj.exe"

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"="kdmzj.exe"
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe"
"SoundMan"="SOUNDMAN.EXE"
"TalkTalk"="\"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe\" /P TalkTalk"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"F-Secure Manager"="\"C:\\Program Files\\F-Secure Internet Security\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\F-Secure Internet Security\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"F-Secure Startup Wizard"="\"C:\\Program Files\\F-Secure Internet Security\\FSGUI\\FSSW.EXE\" /reboot"
"News Service"="\"C:\\Program Files\\F-Secure Internet Security\\FSGUI\\ispnews.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"COMODO Firewall Pro"="\"C:\\Program Files\\COMODO\\Firewall\\cfp.exe\" -h"
"4oD"="\"C:\\Program Files\\Kontiki\\KHost.exe\" -all"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"kdx"="C:\\Program Files\\Kontiki\\KHost.exe -all"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Start WingMan Profiler"=""
"PC Suite Tray"="\"C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PCSuite.exe\" -onlytray"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:13:05, on 26/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205734530171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9866 bytes


SPYBOT LOG


--- Report generated: 2008-04-26 17:42 ---

Zlob.DNSChanger.Rtk: [SBI $FE3023DF] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System=...KDMZJ.EXE...


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-03-27 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-03-26 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-26 Includes\DialerC.sbi (*)
2008-03-26 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-03-26 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-26 Includes\Malware.sbi (*)
2008-03-26 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-03-26 Includes\PUPSC.sbi (*)
2008-03-26 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-26 Includes\SecurityC.sbi (*)
2008-03-19 Includes\Spybots.sbi (*)
2008-03-26 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-03-19 Includes\Trojans.sbi (*)
2008-03-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-04-01 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

hi wolfblitz,

ok yet another download to get:


Download Deckard's System Scanner to your Desktop.:

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.

Hi shelf life many thanks again for your reply and help


Deckard's System Scanner v20071014.68
Run by Geoff on 2008-04-27 07:35:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
67: 2008-04-27 06:35:56 UTC - RP67 - Deckard's System Scanner Restore Point
66: 2008-04-26 17:24:33 UTC - RP66 - System Checkpoint
65: 2008-04-25 14:50:43 UTC - RP65 - Installed Logitech Gaming Software
64: 2008-04-25 05:27:56 UTC - RP64 - System Checkpoint
63: 2008-04-24 04:46:29 UTC - RP63 - System Checkpoint


-- First Restore Point --
1: 2008-03-16 09:51:21 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 224 MiB (512 MiB recommended).


-- HijackThis (run as Geoff.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:43:56, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Documents and Settings\Geoff\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Geoff.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205734530171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9825 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080402-065529-115 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080402-065529-158 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080402-065529-458 O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 208.67.220.220,208.67.222.222
backup-20080402-065529-487 O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 208.67.220.220,208.67.222.222
backup-20080402-065529-599 O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 208.67.220.220,208.67.222.222
backup-20080402-065529-652 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 FSFW (F-Secure Firewall Driver) - c:\windows\system32\drivers\fsdfw.sys <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R2 F-Secure Filter (F-Secure File System Filter) - c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys
R2 F-Secure Gatekeeper - c:\program files\f-secure internet security\anti-virus\win2k\fsgk.sys
R2 F-Secure Recognizer (F-Secure File System Recognizer) - c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 iadusb (MT882) - c:\windows\system32\drivers\glauiad.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BackWeb Plug-in - 4476822 (F-Secure 2006) - c:\progra~1\f-secu~1\backweb\4476822\program\servic~1.exe <Not Verified; F-Secure Internet Security 2005; RunnerEXE Application>
R2 fsbwsys - "c:\program files\f-secure internet security\backweb\4476822\program\fsbwsys.exe" <Not Verified; F-Secure Corp.; F-Secure BackWeb>
R2 F-Secure Gatekeeper Handler Starter (FSGKHS) - "c:\program files\f-secure internet security\anti-virus\fsgk32st.exe" <Not Verified; F-Secure Corporation; F-Secure Corp. Startup service>
R2 FSMA (F-Secure Management Agent) - "c:\program files\f-secure internet security\common\fsma32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>
R3 FSDFWD (F-Secure Anti-Virus Firewall Daemon) - "c:\program files\f-secure internet security\fwes\program\fsdfwd.exe" <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S3 F-Secure BlackLight Sensor - c:\windows\temp\f-secure\anti-virus\fsblsrv.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_1411147B&REV_80\3&61AAA01&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_1411147B&REV_80\3&61AAA01&0&78
Service:

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6280
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6111
Device ID: ROOT\WPD\0001
Manufacturer: Nokia
Name: Nokia 6111
PNP Device ID: ROOT\WPD\0001
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-04-25 01:24:55 544 --a------ C:\WINDOWS\Tasks\Scheduled scanning task.job


-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-25 15:51:37 0 d-------- C:\Program Files\Common Files\Logitech
2008-04-25 15:50:49 0 d-------- C:\Program Files\Logitech
2008-04-25 15:47:52 151552 --a------ C:\WINDOWS\system32\MSOSS.DLL <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
2008-04-25 15:47:52 0 d-------- C:\Program Files\Codemasters
2008-04-18 20:17:06 0 d-------- C:\Program Files\TryMedia
2008-04-18 20:06:13 0 d-------- C:\Program Files\City Interactive
2008-04-12 09:09:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-10 20:16:56 0 d-------- C:\Program Files\505 Game Collection
2008-04-10 17:45:30 0 d-------- C:\Program Files\Selectsoft
2008-04-08 09:29:27 0 d-------- C:\Program Files\Google
2008-04-04 09:40:50 0 d-------- C:\Program Files\Kontiki
2008-04-04 09:40:46 0 d-------- C:\Program Files\Channel4
2008-04-04 09:40:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-04 09:40:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-04-04 07:20:27 0 d-------- C:\Documents and Settings\Geoff\Application Data\Nokia Multimedia Player
2008-04-02 13:47:35 0 d-------- C:\Documents and Settings\Geoff\Application Data\Malwarebytes
2008-04-02 13:41:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-02 13:40:15 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 23:42:52 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-01 23:13:01 0 d-------- C:\WINDOWS\network diagnostic
2008-04-01 23:05:47 0 d-------- C:\4b6c686b320a0b02071e8779
2008-04-01 18:15:58 0 d-------- C:\6e972bc5707354af1511998a9cbadb
2008-03-31 07:52:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-31 07:52:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
2008-03-31 07:39:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-03-30 19:34:20 1167 --a------ C:\WINDOWS\mozver.dat
2008-03-30 19:23:50 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-30 19:22:52 0 d-------- C:\Documents and Settings\Geoff\Application Data\Mozilla
2008-03-30 17:29:22 0 d-------- C:\Program Files\Trend Micro
2008-03-30 17:13:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 17:12:29 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 14:26:27 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-29 02:02:13 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-28 17:40:38 0 d-------- C:\Documents and Settings\Geoff\Application Data\Comodo
2008-03-28 17:40:25 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-28 17:39:06 0 d-------- C:\Program Files\COMODO
2008-03-28 15:40:34 0 d-------- C:\WINDOWS\Internet Logs
2008-03-28 15:24:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-28 15:19:28 0 d-------- C:\Program Files\SpywareBlaster
2008-03-27 17:04:09 0 d-------- C:\Program Files\MediaMonkey
2008-03-27 16:01:25 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-03-27 16:01:06 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-03-27 16:01:00 0 d-------- C:\Program Files\NCH Software
2008-03-27 15:59:48 0 d-------- C:\Program Files\NCH Swift Sound
2008-03-27 15:59:48 0 d-------- C:\Documents and Settings\Geoff\Application Data\NCH Swift Sound
2008-03-27 13:09:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 07:26:58 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-27 07:26:58 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-27 07:26:58 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-27 07:26:58 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-03-27 07:26:58 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-27 07:26:58 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-27 07:26:58 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-03-27 07:26:58 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-27 07:26:58 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-03-27 07:26:58 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-27 07:26:58 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-27 07:26:58 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-27 07:26:58 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-27 07:26:57 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-04-26 10:39:49 0 d-------- C:\Documents and Settings\Geoff\Application Data\uTorrent
2008-04-25 15:51:37 0 d-------- C:\Program Files\Common Files
2008-04-25 15:50:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-25 15:49:27 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-05 17:59:37 0 d-------- C:\Documents and Settings\Geoff\Application Data\Ahead
2008-04-04 07:05:28 0 d-------- C:\Documents and Settings\Geoff\Application Data\PC Suite
2008-04-02 00:32:44 0 d-------- C:\Program Files\Java
2008-03-29 10:05:30 668 --a------ C:\Documents and Settings\Geoff\Application Data\vso_ts_preview.xml
2008-03-29 10:05:23 0 d-------- C:\Documents and Settings\Geoff\Application Data\Vso
2008-03-28 07:55:55 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-24 17:00:34 0 d-------- C:\Documents and Settings\Geoff\Application Data\Nokia
2008-03-24 16:58:21 0 d-------- C:\Program Files\DIFX
2008-03-24 16:56:23 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-24 16:56:08 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-24 16:55:48 0 d-------- C:\Program Files\Nokia
2008-03-24 16:54:37 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-23 22:15:35 0 d-------- C:\Documents and Settings\Geoff\Application Data\mIRC
2008-03-23 11:28:21 0 d-------- C:\Program Files\MediaTV
2008-03-23 11:12:31 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-23 03:53:44 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-23 03:50:53 0 d-------- C:\Program Files\MSXML 4.0
2008-03-21 17:14:37 104265 --a------ C:\WINDOWS\hpoins04.dat
2008-03-21 17:12:11 0 d-------- C:\Program Files\HP
2008-03-21 17:08:58 0 d-------- C:\Program Files\Common Files\HP
2008-03-21 17:06:29 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-21 17:04:20 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-21 11:01:22 0 d-------- C:\Program Files\DivXCodec
2008-03-21 03:52:20 0 d-------- C:\Documents and Settings\Geoff\Application Data\Sun
2008-03-21 03:51:02 0 d-------- C:\Program Files\Common Files\Java
2008-03-21 03:28:30 0 d-------- C:\Program Files\MT882
2008-03-21 01:15:26 0 d-------- C:\Program Files\Netgear
2008-03-21 00:57:44 0 d-------- C:\Documents and Settings\Geoff\Application Data\Adobe
2008-03-19 17:52:28 0 d-------- C:\Documents and Settings\Geoff\Application Data\WinRAR
2008-03-19 10:31:35 34 --a------ C:\Documents and Settings\Geoff\Application Data\pcouffin.log
2008-03-19 10:31:30 47360 --a------ C:\Documents and Settings\Geoff\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-19 10:31:30 1144 --a------ C:\Documents and Settings\Geoff\Application Data\pcouffin.inf
2008-03-19 10:31:30 7887 --a------ C:\Documents and Settings\Geoff\Application Data\pcouffin.cat
2008-03-19 10:31:21 0 d-------- C:\Program Files\VSO
2008-03-17 04:10:07 0 d-------- C:\Program Files\Messenger
2008-03-16 13:18:47 0 d-------- C:\Program Files\uTorrent
2008-03-16 13:15:37 0 d-------- C:\Documents and Settings\Geoff\Application Data\Azureus
2008-03-16 12:37:04 0 d-------- C:\Documents and Settings\Geoff\Application Data\Macromedia
2008-03-16 12:21:29 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-16 12:10:01 0 d-------- C:\Documents and Settings\Geoff\Application Data\F-Secure
2008-03-16 11:41:40 0 d-------- C:\Documents and Settings\Geoff\Application Data\ispnews
2008-03-16 11:39:22 0 d-------- C:\Program Files\F-Secure Internet Security
2008-03-16 11:21:10 0 d-------- C:\Program Files\Ahead
2008-03-16 11:19:42 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-16 11:16:54 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-03-16 11:14:09 0 d-------- C:\Program Files\TalkTalk
2008-03-16 11:14:06 0 d-------- C:\Program Files\SupportSoft
2008-03-16 11:14:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 11:07:30 0 d-------- C:\Program Files\Common Files\SupportSoft
2008-03-16 11:02:38 0 d-------- C:\Program Files\Microsoft.NET
2008-03-16 11:02:35 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-16 10:55:43 0 d-------- C:\Program Files\Realtek Sound Manager
2008-03-16 10:55:42 0 d-------- C:\Program Files\AvRack
2008-03-16 10:54:23 0 d-------- C:\Program Files\S3
2008-03-16 10:51:05 0 d-------- C:\Documents and Settings\Geoff\Application Data\Identities
2008-03-16 09:30:07 0 d-------- C:\Program Files\microsoft frontpage
2008-03-16 09:29:27 0 -rahs---- C:\MSDOS.SYS
2008-03-16 09:29:27 0 -rahs---- C:\IO.SYS
2008-03-16 09:29:27 0 --a------ C:\CONFIG.SYS
2008-03-16 09:29:27 0 --a------ C:\AUTOEXEC.BAT
2008-03-16 09:27:44 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-16 09:27:39 0 d-------- C:\Program Files\Online Services
2008-03-16 09:26:55 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-16 09:26:48 0 d-------- C:\Program Files\Movie Maker
2008-03-16 09:25:53 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-16 09:25:18 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-16 09:25:11 0 d-------- C:\Program Files\Windows NT
2008-03-16 02:20:11 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-16 02:20:08 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-16 02:19:46 62 --ahs---- C:\Documents and Settings\Geoff\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [15/01/2004 13:33 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [30/08/2004 06:48 C:\WINDOWS\SOUNDMAN.EXE]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [16/08/2005 01:12]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [24/03/2005 00:26]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [26/10/2005 02:51]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [18/07/2005 15:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [18/10/2005 09:29]
"News Service"="C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe" [31/05/2005 13:45]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/02/2004 14:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/05/2004 16:18]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [19/04/2008 16:31]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 13:00]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [10/02/2005 18:00]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"Start WingMan Profiler"="" []
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [10/12/2007 11:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [16/03/2008 11:37:55]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [28/05/2004 23:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [29/05/2004 00:06:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"system"="kdmzj.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




-- End of Deckard's System Scanner: finished at 2008-04-27 07:45:21 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron(tm) 2400+
Percentage of Memory in Use: 85%
Physical Memory (total/avail): 223.48 MiB / 32.81 MiB
Pagefile Memory (total/avail): 569.41 MiB / 162.81 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.57 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.68 GiB total, 18.27 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HDS728080PLAT20 - 76.69 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.68 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: COMODO Firewall Pro v3.0 (COMODO)
AV: F-Secure Anti-Virus 2006 6.12 v6.12 (F-Secure Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe"="C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe:*:Enabled:F-Secure 2006"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe"="C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe:*:Enabled:F-Secure 2006"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Geoff\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BONDOGWATS4154
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Geoff
LOGONSERVER=\\BONDOGWATS4154
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Geoff\LOCALS~1\Temp
TMP=C:\DOCUME~1\Geoff\LOCALS~1\Temp
USERDOMAIN=BONDOGWATS4154
USERNAME=Geoff
USERPROFILE=C:\Documents and Settings\Geoff
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Geoff [I](admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware Scanner"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus Client Security Installer"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure DAAS"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure Diagnostics"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure E-mail Scanning"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure FWES"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure GUI"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure Help"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure Management Agent"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"F-Secure TNB"
--> "C:\Program Files\F-Secure Internet Security\fsuninst.exe" /UninstRegKey:"News Service"
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4oD --> MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
505 Game Collection --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{33C3FB8A-B803-435D-AB5E-5A20E2294B94}
555 Games XP Championship --> "C:\Program Files\Selectsoft\555 Games XP Championship\uninstall.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Colin McRae Rally 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19B72AA9-985A-11D4-9C8A-00D0B75D1498}\setup.exe"
COMODO Firewall Pro --> C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
ConvertXtoDVD 3.0.0.1 --> "C:\Program Files\VSO\ConvertX\3\unins000.exe"
DG834 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Netgear\DG834\DeIsL1.isu" -c"C:\Program Files\Netgear\DG834\_ISREG32.DLL"
DivX 4.12 Codec --> "C:\Program Files\DivXCodec\uninstall.exe"
F-Secure Anti-Virus 2006 --> C:\PROGRA~1\F-SECU~1\Common\fsbwih.exe /uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Image Zone 4.2 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
Java 2 Runtime Environment, SE v1.4.2_15 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142150}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Logitech Gaming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{648F9C94-EC44-487B-9DA4-44ED72A082CC}\setup.exe" -l0x9
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MT882 --> C:\Program Files\MT882\Adsl\uninstall.exe
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall ExtraUninstallID=""
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Nokia_PC_Suite_rel_6_85_14_1_eng_web[1].exe
Nokia PC Suite --> MsiExec.exe /I{29466F9C-7C6A-419C-B301-F440FAF78760}
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
S3 S3Display --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2 --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2 --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
TalkTalk Assist & Go --> MsiExec.exe /X{D084B1A9-153B-409D-AEBF-C40FCEF925EA}
UniChrome IGP Driver and Utilities --> C:\PROGRA~1\S3\S3\s3setvga.exe -s -fC:\PROGRA~1\S3\S3\S3.uns
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_1EB5F2E6F54A6BEDE9F436D1BA5D830FC71739BE\nokbtmdm.inf
Windows Driver Package - Nokia Modem (10/12/2007 3.6) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1016 / Error
Event Submitted/Written: 04/26/2008 08:41:12 PM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
3 2008-04-26 20:41:11+01:00 bondogwats4154 BONDOGWATS4154\Geoff F-Secure Anti-Virus
Scanning of C:\WINDOWS\SYSTEM32\WMPEFFECTS.DLL was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Record #/Type1015 / Error
Event Submitted/Written: 04/26/2008 05:58:27 PM / 04/26/2008 05:58:28 PM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
2 2008-04-26 17:58:22+01:00 bondogwats4154 BONDOGWATS4154\Geoff F-Secure Anti-Virus
Scanning of C:\DOCUMENTS AND SETTINGS\GEOFF\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\TEEZLUI9.DEFAULT\SESSIONSTORE-2.JS was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Record #/Type1014 / Error
Event Submitted/Written: 04/26/2008 05:48:56 PM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
1 2008-04-26 17:48:42+01:00 bondogwats4154 BONDOGWATS4154\Geoff F-Secure Anti-Virus
Scanning of C:\WINDOWS\SYSTEM32\WUAUENG.DLL was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).

Event Record #/Type1009 / Error
Event Submitted/Written: 04/26/2008 05:12:23 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application HijackThis.exe, version 2.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1008 / Error
Event Submitted/Written: 04/26/2008 05:12:22 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application HijackThis.exe, version 2.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3889 / Warning
Event Submitted/Written: 04/27/2008 07:23:30 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3882 / Error
Event Submitted/Written: 04/26/2008 08:59:24 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type3881 / Error
Event Submitted/Written: 04/26/2008 08:59:24 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type3880 / Error
Event Submitted/Written: 04/26/2008 08:59:24 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type3851 / Error
Event Submitted/Written: 04/26/2008 05:44:39 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL.
Reference error message: The operation completed successfully.
.



-- End of Deckard's System Scanner: finished at 2008-04-27 07:45:21 ------------

hi,

ok thanks for all the info. i see the registry item in the log

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"system"="kdmzj.exe"

iam not sure about the proper syntax for a reg file. so lets get one more download to use:

Download combofix from one of these links and save it to Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

as a precaution, before using combofix:


1. * Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
* Click on this link below to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
* Remember to re enable the protection again afterwards before connecting to the net

link:
http://www.bleepingcomputer.com/forums/topic114351.html

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

* IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
* If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

shelf life

Hi shelf life thanks for your reply

ComboFix 08-04-26.5 - Geoff 2008-04-27 20:38:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.57 [GMT 1:00]
Running from: C:\Documents and Settings\Geoff\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Geoff\Application Data\inst.exe
C:\WINDOWS\system32\dllcache\spoolsv.exe
C:\WINDOWS\system32\kdmzj.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 19:03 . 2008-04-27 19:03 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-27 19:03 . 2008-04-27 19:04 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-27 19:00 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-04-27 18:59 . 2008-04-27 19:00 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-27 07:34 . 2008-04-27 07:34 <DIR> d-------- C:\Deckard
2008-04-25 15:54 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-25 15:54 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-04-25 15:51 . 2008-04-25 15:51 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-04-25 15:51 . 2004-05-13 23:40 167,936 --a------ C:\WINDOWS\system32\WmJoyFrc.dll
2008-04-25 15:51 . 2004-05-13 23:54 44,384 --a------ C:\WINDOWS\system32\drivers\WmXlCore.sys
2008-04-25 15:51 . 2004-05-13 23:54 21,440 --a------ C:\WINDOWS\system32\drivers\WmFilter.sys
2008-04-25 15:51 . 2004-05-13 23:54 14,720 --a------ C:\WINDOWS\system32\drivers\WmHidLo.sys
2008-04-25 15:51 . 2004-05-13 23:54 10,144 --a------ C:\WINDOWS\system32\drivers\WmBEnum.sys
2008-04-25 15:51 . 2004-05-13 23:54 5,600 --a------ C:\WINDOWS\system32\drivers\WmVirHid.sys
2008-04-25 15:50 . 2008-04-25 15:50 <DIR> d-------- C:\Program Files\Logitech
2008-04-25 15:47 . 2008-04-25 15:47 <DIR> d-------- C:\Program Files\Codemasters
2008-04-25 15:47 . 1999-04-23 22:22 151,552 --a------ C:\WINDOWS\system32\MSOSS.DLL
2008-04-18 20:17 . 2008-04-18 20:17 <DIR> d-------- C:\Program Files\TryMedia
2008-04-18 20:06 . 2008-04-18 20:27 <DIR> d-------- C:\Program Files\City Interactive
2008-04-14 23:33 . 2008-04-14 23:33 1,409 --a------ C:\WINDOWS\system32\tmp51B34.FOT
2008-04-14 23:33 . 2008-04-14 23:33 1,409 --a------ C:\WINDOWS\system32\tmp27B34.FOT
2008-04-14 23:33 . 2008-04-14 23:33 1,409 --a------ C:\WINDOWS\system32\tmp0DB34.FOT
2008-04-14 23:24 . 2008-04-14 23:24 1,409 --a------ C:\WINDOWS\system32\tmpFC66C.FOT
2008-04-14 23:21 . 2008-04-14 23:21 1,409 --a------ C:\WINDOWS\system32\tmpEFB69.FOT
2008-04-12 09:09 . 2008-04-12 09:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-10 20:16 . 2008-04-10 20:18 <DIR> d-------- C:\Program Files\505 Game Collection
2008-04-10 17:45 . 2008-04-10 17:45 <DIR> d-------- C:\Program Files\Selectsoft
2008-04-10 17:44 . 2008-04-10 17:44 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-04-08 09:29 . 2008-04-11 10:29 <DIR> d-------- C:\Program Files\Google
2008-04-04 09:40 . 2008-04-04 09:41 <DIR> d-------- C:\Program Files\Kontiki
2008-04-04 09:40 . 2008-04-04 09:40 <DIR> d-------- C:\Program Files\Channel4
2008-04-04 09:40 . 2008-04-27 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-04 09:40 . 2008-04-04 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-04-04 07:20 . 2008-04-04 07:20 <DIR> d-------- C:\Documents and Settings\Geoff\Application Data\Nokia Multimedia Player
2008-04-02 13:47 . 2008-04-02 13:47 <DIR> d-------- C:\Documents and Settings\Geoff\Application Data\Malwarebytes
2008-04-02 13:41 . 2008-04-02 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-02 13:40 . 2008-04-08 12:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-02 00:32 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-01 23:42 . 2008-04-01 23:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-01 23:05 . 2008-04-01 23:06 <DIR> d-------- C:\4b6c686b320a0b02071e8779
2008-04-01 18:15 . 2008-04-01 18:20 <DIR> d-------- C:\6e972bc5707354af1511998a9cbadb
2008-03-31 18:01 . 2008-04-26 17:03 <DIR> d-------- C:\fixwareout
2008-03-31 07:52 . 2008-03-31 07:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
2008-03-30 19:34 . 2008-03-30 19:35 1,167 --a------ C:\WINDOWS\mozver.dat
2008-03-30 19:23 . 2008-03-30 19:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-30 17:29 . 2008-03-30 17:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 17:13 . 2008-03-30 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 17:12 . 2008-03-30 17:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 14:26 . 2008-03-29 14:26 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-28 17:40 . 2008-03-28 17:40 <DIR> d-------- C:\Documents and Settings\Geoff\Application Data\Comodo
2008-03-28 17:40 . 2008-03-28 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-28 17:40 . 2008-04-26 10:03 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-03-28 17:40 . 2008-04-26 10:03 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-28 17:40 . 2008-04-26 10:03 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-28 17:39 . 2008-03-28 17:39 <DIR> d-------- C:\Program Files\COMODO
2008-03-28 17:21 . 2008-03-28 17:21 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-28 15:40 . 2008-03-28 17:21 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-28 15:24 . 2008-04-27 20:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-28 15:21 . 2005-08-25 19:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-28 15:19 . 2008-04-08 09:45 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-27 17:04 . 2008-03-27 19:12 <DIR> d-------- C:\Program Files\MediaMonkey
2008-03-27 16:01 . 2008-03-27 16:07 <DIR> d-------- C:\Program Files\NCH Software
2008-03-27 16:01 . 2008-03-27 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-03-27 16:01 . 2008-03-27 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-03-27 15:59 . 2008-03-27 16:07 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-03-27 15:59 . 2008-03-27 16:07 <DIR> d-------- C:\Documents and Settings\Geoff\Application Data\NCH Swift Sound
2008-03-27 13:09 . 2008-03-27 13:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 13:09 . 2008-03-27 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 07:26 . 2008-03-27 07:27 <DIR> d-------- C:\Documents and Settings\Administrator
2008-03-27 07:26 . 2008-04-27 20:38 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 18:03 --------- d-----w C:\Program Files\Nokia
2008-04-27 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-04-27 17:23 --------- d-----w C:\Documents and Settings\Geoff\Application Data\uTorrent
2008-04-25 14:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 14:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-05 16:59 --------- d-----w C:\Documents and Settings\Geoff\Application Data\Ahead
2008-04-04 06:05 --------- d-----w C:\Documents and Settings\Geoff\Application Data\PC Suite
2008-04-01 23:32 --------- d-----w C:\Program Files\Java
2008-03-29 09:05 --------- d-----w C:\Documents and Settings\Geoff\Application Data\Vso
2008-03-24 16:00 --------- d-----w C:\Documents and Settings\Geoff\Application Data\Nokia
2008-03-24 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-24 15:58 --------- d-----w C:\Program Files\DIFX
2008-03-23 21:15 --------- d-----w C:\Documents and Settings\Geoff\Application Data\mIRC
2008-03-23 10:28 --------- d-----w C:\Program Files\MediaTV
2008-03-23 10:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-23 02:53 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-23 02:50 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-21 16:12 --------- d-----w C:\Program Files\HP
2008-03-21 16:08 --------- d-----w C:\Program Files\Common Files\HP
2008-03-21 16:06 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-21 16:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-03-21 16:04 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-21 10:01 --------- d-----w C:\Program Files\DivXCodec
2008-03-21 02:51 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 02:28 --------- d-----w C:\Program Files\MT882
2008-03-21 00:15 --------- d-----w C:\Program Files\Netgear
2008-03-19 12:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-19 09:31 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-19 09:31 47,360 ----a-w C:\Documents and Settings\Geoff\Application Data\pcouffin.sys
2008-03-19 09:31 --------- d-----w C:\Program Files\VSO
2008-03-16 12:18 --------- d-----w C:\Program Files\uTorrent
2008-03-16 12:15 --------- d-----w C:\Documents and Settings\Geoff\Application Data\Azureus
2008-03-16 11:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-16 11:10 --------- d-----w C:\Documents and Settings\Geoff\Application Data\F-Secure
2008-03-16 11:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-16 10:41 --------- d-----w C:\Documents and Settings\Geoff\Application Data\ispnews
2008-03-16 10:39 --------- d-----w C:\Program Files\F-Secure Internet Security
2008-03-16 10:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-03-16 10:37 118,842 ------r C:\WINDOWS\bwUnin-6.3.2.123-4476822L.exe
2008-03-16 10:21 --------- d-----w C:\Program Files\Ahead
2008-03-16 10:19 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-16 10:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-16 10:16 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-03-16 10:14 --------- d-----w C:\Program Files\TalkTalk
2008-03-16 10:14 --------- d-----w C:\Program Files\SupportSoft
2008-03-16 10:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 10:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-16 10:07 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-03-16 10:02 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-16 10:02 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-16 09:55 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-03-16 09:55 --------- d-----w C:\Program Files\AvRack
2008-03-16 09:54 --------- d-----w C:\Program Files\S3
2008-03-16 08:30 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 18:00 1937408]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"Start WingMan Profiler"="" []
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 13:33 49152 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 06:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2005-08-16 01:12 192512]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-24 00:26 217088]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-10-26 02:51 122929]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 15:51 700416]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-10-18 09:29 372736]
"News Service"="C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe" [2005-05-31 13:45 356352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 14:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-04-19 16:31 1572608]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-11-18 16:04]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-04-26 10:03]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-04-26 10:03]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 16:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys [2008-03-17 11:27]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2004-06-01 10:03]
S2 BackWeb Plug-in - 4476822;F-Secure 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE [2008-03-16 11:37]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe []
S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys []
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]

*Newly Created Service* - SERVICELAYER
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 00:24:55 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 20:47:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\F-Secure Internet Security\Common\FSLAUNCH.EXE
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-27 21:02:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 20:01:44

Pre-Run: 19,756,720,128 bytes free
Post-Run: 19,814,309,888 bytes free

239 --- E O F --- 2008-04-13 08:31:49


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:21:58, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\F-Secure Internet Security\Common\FSLAUNCH.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205734530171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9073 bytes

hi,

ok thanks for the info. theres are guy:

C:\WINDOWS\system32\kdmzj.exe

try running spybot now and see if you get the message.

shelf life

Hi shelf life
that seems to have done the trick thanks
can combofix be used on a regular basis like spybot

thanks for your help

hi wolfblitz,

ok good. this wareout or Zlob infection as its called is usually not that difficult to remove. the ever changing malware, it adapts to!


can combofix be used on a regular basis like spybot
iam sure some people no doubt do that but its not recommended in a unsupervised environment. it may remove some things on its own but alot of malware may require script files for removal.

before we clean up using explorer, click on your Local Disk (C) and delete these two folders:

C:\4b6c686b320a0b02071e8779
C:\6e972bc5707354af1511998a9cbadb

shelf life

Hi shelf life
Thanks for your reply

Folders deleted
As matter of interest what were the folders I just deleted ?

hi wolfblitz,

ok good. really i have no idea what those folders where. they were displayed in combofix. sometimes folders/files are known malware like a .exe or .dlls. sometimes its not so easy to distinguish between the good and the bad. if a search dosnt turn up any results i assume they can be deleted. they may have been harmless, just empty leftover folders. malware can create and drop files/folders all over your computer.

in any case if all is good you can delete the fixwareout icon off your desktop and delete combofix like this:
start>run and type in combofix /u click ok
note: there is a space after the x and before the /

scan once in awhile with malwarebytes after checking for updates.

a good tool to use to help keep stuff like temp dir cleaned up is atf cleaner:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html

two things:
i think there is a newer java version out now. the how and the why:

Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.

It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilites/exploits that can be taken advantage of to introduce malware.

* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.

to check if you have the latest version of Java and to download the latest version:

http://www.java.com/en/download/installed.jsp

restore points, the how and why:
One of the features of Windows ME, XP and Vista is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

i have some prevention tips in link below.

happy safe surfing.

Hi shelf life

Ok done that

Thanks for all your help it was much appreciated

Wolfblitz

hi wolfblitz

your welcome. happy safe surfing.

The Short Version:

1) Keep your OS, browser and software up to date.
2) Know what you are installing to your computer.
3) Dont click on adds/pop ups or offers from websites to install software.
4) Dont click on offers to "scan" your computer.
5) Dont click on links or install files you receive via E-Mail or IM.
6) Set up and use limited accounts rather than administrator accounts.
7) Consider using an alternate browser and E-mail client.
8) Install, keep updated: antivirus and one or two anti-malware applications.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include warez, cracks/keygens, P2P or visting adult sites you are much more likely to encounter malicious code.

the long version in link below: