Previous log archived - see here : http://forums.spybot.info/showthread.php?p=277438#post277438

here are the sdfix, combofix and new HJT logs:

SDfix


SDFix: Version 1.240
Run by Jamie on 18/01/2009 at 23:43

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\\?\globalroot\systemroot\system32\drivers\TDSSbpjyidoe.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\wvUNhijI.dll - Deleted
C:\WINDOWS\system32\szbcplfcwaf.dll - Deleted
C:\WINDOWS\system32\_szbcplfcwaf.dll - Deleted
C:\839718~1 - Deleted
C:\WINDOWS\system32\winpfz33.sys - Deleted
C:\WINDOWS\antiv.exe - Deleted
C:\WINDOWS\system32\drivers\system32.sys - Deleted
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSBP~1.sys - Deleted
C:\WINDOWS\SYSTEM32\TDSSOD~1.dll - Deleted
C:\WINDOWS\SYSTEM32\TDSSVK~1.dat - Deleted
C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 23:56:20
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Team17\\Worms2\\frontend.exe"="C:\\Team17\\Worms2\\frontend.exe:*:Enabled:Worms 2 Frontend"
"C:\\Program Files\\Team17\\Worms Armageddon\\wa.exe"="C:\\Program Files\\Team17\\Worms Armageddon\\wa.exe:*:Enabled:Worms Armageddon"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Documents and Settings\\Jamie\\My Documents\\nes\\Nes\\NESTCL95.EXE"="C:\\Documents and Settings\\Jamie\\My Documents\\nes\\Nes\\NESTCL95.EXE:*:Disabled:NESTCL95"
"C:\\Program Files\\MATLAB71\\BIN\\WIN32\\MATLAB.EXE"="C:\\Program Files\\MATLAB71\\BIN\\WIN32\\MATLAB.EXE:*:Disabled:MATLAB"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD:*:Enabled:Age of Empires II"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\System32\\dplaysvr.exe"="C:\\WINDOWS\\System32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"="C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe:*:Enabled:LaunchApplication"
"C:\\WINDOWS\\System32\\Rundll32.exe"="C:\\WINDOWS\\System32\\Rundll32.exe:*:Enabled:Rundll32"
"C:\\WINDOWS\\System32\\logonui.exe"="C:\\WINDOWS\\System32\\logonui.exe:*:Enabled:logonui"
"C:\\WINDOWS\\System32\\winlogon.exe"="C:\\WINDOWS\\System32\\winlogon.exe:*:Enabled:winlogon"
"C:\\WINDOWS\\System32\\sistray.exe"="C:\\WINDOWS\\System32\\sistray.exe:*:Enabled:sistray"
"C:\\WINDOWS\\System32\\ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe:*:Enabled:ctfmon"
"C:\\WINDOWS\\System32\\rkwnw64q.exe"="C:\\WINDOWS\\System32\\rkwnw64q.exe:*:Enabled:rkwnw64q"
"C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE:*:Enabled:QtZgAcer"
"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe:*:Enabled:SynTPLpr"
"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe:*:Enabled:SynTPEnh"
"C:\\WINDOWS\\System32\\Keyhook.exe"="C:\\WINDOWS\\System32\\Keyhook.exe:*:Enabled:keyhook"
"C:\\Documents and Settings\\Jamie\\Local Settings\\Temp\\3094746098.exe"="C:\\Documents and Settings\\Jamie\\Local Settings\\Temp\\3094746098.exe:*:Enabled:3094746098"
"C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"="C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe:*:Enabled:WLLoginProxy"
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:firefox"
"C:\\WINDOWS\\SOUNDMAN.EXE"="C:\\WINDOWS\\SOUNDMAN.EXE:*:Enabled:SOUNDMAN"
"C:\\Documents and Settings\\Jamie\\Local Settings\\Temp\\csrssc.exe"="C:\\Documents and Settings\\Jamie\\Local Settings\\Temp\\csrssc.exe:*:Enabled:csrssc"
"C:\\Program Files\\Arcade\\PCMService.exe"="C:\\Program Files\\Arcade\\PCMService.exe:*:Enabled:PCMService"
"C:\\WINDOWS\\System32\\LSASS.EXE"="C:\\WINDOWS\\System32\\LSASS.EXE:*:Enabled:lsass"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"="C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 7 Dec 2008 63,541 A.SH. --- "C:\WINDOWS\system32\mibewoja.dll"
Wed 17 Dec 2008 68,167 A.SH. --- "C:\WINDOWS\system32\tuvikize.dll"
Sun 7 Sep 2008 63,541 A.SH. --- "C:\WINDOWS\system32\tubakile.dll"
Fri 9 Jan 2009 90,317 A.SH. --- "C:\WINDOWS\system32\vabazaja.dll"
Tue 16 Sep 2008 65,635 A.SH. --- "C:\WINDOWS\system32\dobazusi.dll.tmp"
Sun 14 Dec 2008 61,733 A.SH. --- "C:\WINDOWS\system32\yuwehosu.dll"
Wed 10 Dec 2008 63,658 A.SH. --- "C:\WINDOWS\system32\gepibura.dll"
Sun 18 Jan 2009 64,240 A.SH. --- "C:\WINDOWS\system32\hudiyili.dll"
Sun 18 Jan 2009 64,240 A.SH. --- "C:\WINDOWS\system32\zibipudo.dll"
Wed 24 Dec 2008 84,037 A.SH. --- "C:\WINDOWS\system32\losamine.dll"
Wed 24 Dec 2008 63,188 A.SH. --- "C:\WINDOWS\system32\mosowisi.dll"
Fri 26 Dec 2008 60,029 A.SH. --- "C:\WINDOWS\system32\yawugedu.dll"
Fri 26 Dec 2008 87,137 A.SH. --- "C:\WINDOWS\system32\fekidafa.dll"
Sun 7 Sep 2008 63,541 A.SH. --- "C:\WINDOWS\system32\wovahova.dll.tmp"
Sun 7 Sep 2008 63,541 A.SH. --- "C:\WINDOWS\system32\kusitozo.dll.tmp"
Tue 16 Dec 2008 65,635 A.SH. --- "C:\WINDOWS\system32\tijawani.dll"
Wed 10 Sep 2008 63,658 A.SH. --- "C:\WINDOWS\system32\tifupeva.dll.tmp"
Wed 10 Sep 2008 63,658 A.SH. --- "C:\WINDOWS\system32\juposeno.dll.tmp"
Sun 4 Jan 2009 66,128 A.SH. --- "C:\WINDOWS\system32\zalevale.dll"
Sun 14 Sep 2008 61,733 A.SH. --- "C:\WINDOWS\system32\hivunote.dll.tmp"
Sun 14 Sep 2008 61,733 A.SH. --- "C:\WINDOWS\system32\hotomoho.dll.tmp"
Sun 14 Sep 2008 61,733 A.SH. --- "C:\WINDOWS\system32\selekide.dll.tmp"
Tue 16 Sep 2008 65,635 A.SH. --- "C:\WINDOWS\system32\tuweseje.dll.tmp"
Sun 18 Jan 2009 64,240 A.SH. --- "C:\WINDOWS\system32\nudegoya.dll"
Sat 10 Jan 2009 91,458 A.SH. --- "C:\WINDOWS\system32\fagometo.dll"
Fri 26 Sep 2008 60,029 A.SH. --- "C:\WINDOWS\system32\yujukaku.dll.tmp"
Fri 26 Sep 2008 60,029 A.SH. --- "C:\WINDOWS\system32\ravoruna.dll.tmp"
Fri 26 Sep 2008 60,029 A.SH. --- "C:\WINDOWS\system32\gisusuje.dll.tmp"
Wed 7 Jan 2009 65,689 A.SH. --- "C:\WINDOWS\system32\pamuzuwa.dll"
Fri 9 Jan 2009 31,744 A.SH. --- "C:\WINDOWS\system32\zudeyuwi.dll"
Sun 18 Jan 2009 64,240 A.SH. --- "C:\WINDOWS\system32\sinehotu.dll"
Thu 8 Jan 2009 120 ..SH. --- "C:\WINDOWS\system32\alewisub.tmp"
Fri 9 Jan 2009 67,196 A.SH. --- "C:\WINDOWS\system32\jewipaje.dll"
Tue 27 Dec 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Tue 27 Dec 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Tue 27 Dec 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Tue 27 Dec 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Tue 27 Dec 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Tue 2 Aug 2005 187,904 A.SHR --- "C:\WINDOWS\SmFtaWU\asappsrv.dll"
Tue 2 Aug 2005 293,888 A.SHR --- "C:\WINDOWS\SmFtaWU\command.exe"
Thu 1 May 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 9 Apr 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 10 Jan 2009 62,976 A..H. --- "C:\Documents and Settings\Jamie\Desktop\a.exe"
Wed 3 Sep 2008 64,512 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP414\A0156533.DLL"
Wed 3 Sep 2008 64,512 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP414\A0156534.dll"
Wed 3 Sep 2008 64,512 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP414\A0156535.DLL"
Sun 7 Sep 2008 63,541 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP414\A0158525.dll"
Sun 7 Sep 2008 63,541 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP414\A0158526.dll"
Wed 10 Sep 2008 63,658 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP415\A0160550.DLL"
Wed 10 Sep 2008 63,658 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP415\A0160551.dll"
Sun 14 Sep 2008 61,733 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0160589.dll"
Sun 14 Sep 2008 61,733 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0160590.dll"
Sun 14 Sep 2008 61,733 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0160591.dll"
Tue 16 Sep 2008 65,635 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0161596.DLL"
Tue 16 Sep 2008 65,635 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0161597.dll"
Wed 17 Sep 2008 68,167 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0162599.dll"
Wed 17 Sep 2008 68,167 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0162600.DLL"
Wed 17 Sep 2008 68,167 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0162601.dll"
Wed 24 Sep 2008 63,188 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0162613.dll"
Wed 24 Sep 2008 63,188 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0162614.dll"
Wed 24 Sep 2008 63,188 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP416\A0162615.dll"
Fri 26 Sep 2008 60,029 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0162645.dll"
Fri 26 Sep 2008 60,029 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0162646.dll"
Fri 26 Sep 2008 60,029 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0162647.DLL"
Sun 4 Jan 2009 66,128 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0164829.DLL"
Sun 4 Jan 2009 66,128 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0164830.dll"
Sun 4 Jan 2009 66,128 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0164831.DLL"
Wed 7 Jan 2009 65,689 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0164918.DLL"
Wed 7 Jan 2009 65,689 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0164919.DLL"
Wed 7 Jan 2009 65,689 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP417\A0164920.DLL"
Fri 9 Jan 2009 67,196 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP418\A0166086.DLL"
Fri 9 Jan 2009 67,196 A.SH. --- "C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP418\A0166087.DLL"
Wed 9 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 8 Nov 2005 25,088 A..H. --- "C:\Documents and Settings\Jamie\My Documents\WORK\Design\MED2A\Copy_of_engineering_work_year_13\Copy of engineering work year 13\~WRL0004.tmp"
Wed 9 Nov 2005 26,112 A..H. --- "C:\Documents and Settings\Jamie\My Documents\WORK\Design\MED2A\Copy_of_engineering_work_year_13\Copy of engineering work year 13\~WRL1583.tmp"
Wed 9 Nov 2005 22,528 A..H. --- "C:\Documents and Settings\Jamie\My Documents\WORK\Design\MED2A\Copy_of_engineering_work_year_13\Copy of engineering work year 13\~WRL1788.tmp"
Wed 9 Nov 2005 26,112 A..H. --- "C:\Documents and Settings\Jamie\My Documents\WORK\Design\MED2A\Copy_of_engineering_work_year_13\Copy of engineering work year 13\~WRL1962.tmp"
Tue 8 Nov 2005 22,528 A..H. --- "C:\Documents and Settings\Jamie\My Documents\WORK\Design\MED2A\Copy_of_engineering_work_year_13\Copy of engineering work year 13\~WRL2709.tmp"

Finished!


COMBOFIX

ComboFix 09-01-18.01 - Jamie 2009-01-19 0:28:43.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.957.365 [GMT 0:00]
Running from: c:\documents and settings\Jamie\Desktop\ComboFix.exe
AV: AVG 7.5.516 *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jamie\Application Data\Google\ocboo1892823.exe
c:\documents and settings\Jamie\Application Data\Google\sysspc.dll
c:\documents and settings\Jamie\Application Data\IUpd721
c:\documents and settings\Jamie\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\Jamie\Application Data\NI.GSCNS
c:\documents and settings\Jamie\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Jamie\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\Jamie\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\system32\adiebrfx.dll
c:\windows\system32\afadikef.ini
c:\windows\system32\ajazabav.ini
c:\windows\system32\alanokeh.ini
c:\windows\system32\alewisub.ini
c:\windows\system32\atofmq.dll
c:\windows\system32\byXnLCvT.dll
c:\windows\system32\ebsosidn.dll
c:\windows\system32\ecuojrvx.dll
c:\windows\system32\ekigimut.ini
c:\windows\system32\erenonit.ini
c:\windows\system32\fagometo.dll
c:\windows\system32\fekidafa.dll
c:\windows\system32\fngpaefi.dll
c:\windows\system32\fokjbtrd.dll
c:\windows\system32\gepibura.dll
c:\windows\system32\gside.exe
c:\windows\system32\harcxegb.dll
c:\windows\system32\hemycswj.dll
c:\windows\system32\hlwztf.dll
c:\windows\system32\honybhiu.dll
c:\windows\system32\hudiyili.dll
c:\windows\system32\hwqrfqtkakd.dll
c:\windows\system32\itomusan.ini
c:\windows\system32\izezayan.ini
c:\windows\system32\jewipaje.dll
c:\windows\system32\jgtsotpt.dll
c:\windows\system32\jpptthut.dll
c:\windows\system32\jwdcnsca.dll
c:\windows\system32\jwscymeh.ini
c:\windows\system32\ksiafv.dll
c:\windows\system32\lbflwxqc.dll
c:\windows\system32\losamine.dll
c:\windows\system32\mibewoja.dll
c:\windows\system32\mosowisi.dll
c:\windows\system32\nasumoti.dll
c:\windows\system32\nudegoya.dll
c:\windows\system32\orutikay.ini
c:\windows\system32\otemogaf.ini
c:\windows\system32\oxjhoith.dll
c:\windows\system32\pamuzuwa.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\rkwnw64q.exe
c:\windows\system32\sinehotu.dll
c:\windows\system32\tijawani.dll
c:\windows\system32\tuvikize.dll
c:\windows\system32\twex.exe
c:\windows\system32\ugojogut.ini
c:\windows\system32\vabazaja.dll
c:\windows\system32\vanwqohm.dll
c:\windows\system32\vljdxc.dll
c:\windows\system32\yawugedu.dll
c:\windows\system32\yuwehosu.dll
c:\windows\system32\zalevale.dll
c:\windows\system32\zibipudo.dll
c:\windows\system32\zudeyuwi.dll
c:\windows\Tasks\cljdifjb.job
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-19 00:37 . 2009-01-19 00:37 <DIR> d-------- c:\temp\tn3
2009-01-19 00:12 . 2009-01-18 13:30 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-18 23:49 . 2009-01-18 23:49 167,976 --------- c:\windows\system32\drivers\core.cache.dsk
2009-01-18 23:41 . 2009-01-18 23:41 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-18 23:32 . 2009-01-18 23:32 <DIR> d-------- c:\windows\ERUNT
2009-01-18 22:54 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-10 23:22 . 2009-01-10 23:23 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-10 00:53 . 2009-01-10 00:53 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 23:39 . 2009-01-08 23:39 120 ---hs---- c:\windows\system32\alewisub.tmp
2008-12-23 11:03 . 2008-12-23 11:03 <DIR> d--hs---- C:\FOUND.003

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 22:51 47,601 ----a-w c:\windows\system32\plhlmahcxqjmlyix.exe
2009-01-09 02:24 7,874 ----a-w c:\program files\n
2008-12-15 07:56 68,513 ----a-w c:\windows\system32\szbcplfcwaf.dll-uninst.exe
2008-12-10 00:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-10 00:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 14:21 64,859 ----a-w c:\windows\system32\bbdakgemdktmsef.exe
2008-12-03 14:21 153,362 ----a-w c:\windows\system32\g27.exe
2008-12-03 13:09 548,928 ----a-w c:\windows\system32\ncntltdl.exe
2008-12-03 13:08 129,024 ----a-w c:\windows\system32\qmsehmhc.dll
2008-12-03 13:08 129,024 ----a-w c:\windows\system32\kygyah.dll
2008-12-03 02:32 46 ----a-w C:\p2hhr.bat
2008-12-03 02:32 35,840 ----a-w c:\windows\system32\TDSSxylkxjtv.dll
2008-12-03 02:31 86,272 ----a-w c:\windows\system32\drivers\usbcamdd.sys
2008-12-03 02:31 8,192 ----a-w C:\opdwrpjm.exe
2008-12-03 02:31 16,384 ----a-w C:\qmhqfeu.exe
2008-12-03 02:31 10,000 ----a-w c:\windows\system32\gs73gfidgf.dll
2008-12-03 02:30 34,816 ----a-w c:\windows\system32\wvUlifGw.dll
2008-12-03 02:23 32,768 ----a-w c:\windows\system32\xxyxVnkk.dll
2008-12-03 02:21 41,472 ----a-w c:\windows\system32\pindsmhh.dll
2008-12-03 02:14 65,024 ----a-w c:\windows\system32\khfeDWMG.dll
2008-11-11 23:33 27,822 ----a-w c:\documents and settings\Jamie\Application Data\wklnhst.dat
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2006-10-08 01:44 24,192 ----a-w c:\documents and settings\Jamie\usbsermptxp.sys
2006-10-08 01:44 22,768 ----a-w c:\documents and settings\Jamie\usbsermpt.sys
2009-01-06 12:33 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-06 12:33 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-06 12:33 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-06 12:33 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-06 12:33 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-07 01:05 63,541 --sha-w c:\windows\system32\tubakile.dll
2005-08-02 16:46 187,904 --sha-r c:\windows\SmFtaWU\asappsrv.dll
2005-08-02 16:58 293,888 --sha-r c:\windows\SmFtaWU\command.exe
2005-07-29 16:24 472 --sha-r c:\windows\SmFtaWU\mAIQuqo.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 393216]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"SiSPower"="SiSPower.dll" [2005-02-25 c:\windows\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Jamie\Start Menu\Programs\Startup\
Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [2008-04-09 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-01-04 331776]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^Freecom Personal Media Suite.lnk]
path=c:\documents and settings\Jamie\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk
backup=c:\windows\pss\Freecom Personal Media Suite.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\Jamie\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-12-31 17:43 579072 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-02-26 02:23 443968 c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-24 01:54 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-11-01 13:22 3317760 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\MATLAB71\\BIN\\WIN32\\MATLAB.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe"=
"c:\\WINDOWS\\System32\\sistray.exe"=
"c:\\Program Files\\Launch Manager\\QtZgAcer.EXE"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\System32\\Keyhook.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\Program Files\\Arcade\\PCMService.exe"=

R1 usbcamdd;usbcamdd;c:\windows\system32\drivers\usbcamdd.sys [2008-12-03 86272]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2007-06-24 12160]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [2004-12-15 200576]
R4 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
R4 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2007-06-24 7040]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-24 747912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0365c7c-3cf9-11db-bb74-00163651f741}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C96CE82-5117-40AD-9390-3C06C29BB057} - (no file)
BHO-{0d7e183c-a844-49bc-8f7f-ea995f9eab8f} - c:\windows\system32\atofmq.dll
BHO-{2A21E7AA-9A92-4BB1-BF7D-FF08F8E6BA33} - (no file)
BHO-{4D689E15-E9ED-E9B9-48EF-E4E6E9867557} - c:\windows\system32\hwqrfqtkakd.dll
BHO-{5ba4849e-fed7-4f33-92bc-52e72cdac3c0} - c:\windows\system32\zibipudo.dll
BHO-{840B9AAC-01C1-4EF5-A9B1-82E00674A32B} - (no file)
BHO-{8f7a4d00-aec0-478f-bb14-516534b47401} - (no file)
BHO-{AD28FAA4-D9D4-4662-A27D-0C8AB32487C1} - c:\windows\system32\byXnLCvT.dll
BHO-{C6E88E54-FD12-4A96-A945-D8DE42EA881E} - (no file)
BHO-{C752DE2B-A5D7-4310-B02D-BC8EE4869C01} - (no file)
HKLM-Run-vinclock - c:\documents and settings\Jamie\Application Data\Google\ocboo1892823.exe


.
------- Supplementary Scan -------
.
uStart Page = https://www.ease.ed.ac.uk/cosign.cgi?cosign-eucsCosign-www.myed.ed.ac.uk=OQdL94QBaasXErW8yFPcjYb09E6KGXGSeIaYxWkl7hZ2GmiJCtXslm9GUMxsXfnU1NAFgcw2cNadfcPwUk3NjPgrX5xX0-WfoRzkaOLGECnF7eS0JBi0awClLNWq;&https://www.myed.ed.ac.uk/uPortal/?Login+with+EASE.x=47&Login+with+EASE.y=12
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Jamie\Application Data\Mozilla\Firefox\Profiles\4257ryif.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 00:37:39
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\acer\EMANAGER\ANBMSERV.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\GRISOFT\AVG7\AVGAMSVR.EXE
c:\program files\GRISOFT\AVG7\AVGUPSVC.EXE
c:\program files\GRISOFT\AVG7\AVGEMC.EXE
c:\program files\GOOGLE\COMMON\GOOGLE UPDATER\GOOGLEUPDATERSERVICE.EXE
c:\program files\KONTIKI\KSERVICE.EXE
c:\program files\MATLAB71\WEBSERVER\BIN\WIN32\MATLABSERVER.EXE
c:\program files\MATLAB71\BIN\WIN32\MATLAB.EXE
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2009-01-19 0:41:25 - machine was rebooted [Jamie]
ComboFix-quarantined-files.txt 2009-01-19 00:41:24

Pre-Run: 1,534,574,592 bytes free
Post-Run: 1,541,341,184 bytes free

297 --- E O F --- 2008-11-15 03:26:11


HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:48:55, on 19/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ease.ed.ac.uk/cosign.cgi?cosign-eucsCosign-www.myed.ed.ac.uk=OQdL94QBaasXErW8yFPcjYb09E6KGXGSeIaYxWkl7hZ2GmiJCtXslm9GUMxsXfnU1NAFgcw2cNadfcPwUk3NjPgrX5xX0-WfoRzkaOLGECnF7eS0JBi0awClLNWq;&https://www.myed.ed.ac.uk/uPortal/?Login+with+EASE.x=47&Login+with+EASE.y=12
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9103 bytes


hope you can help

cheers,

James

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\Azureus


Empty Recycle Bin.

After that:

Start hjt, do a system scan, check (if found):
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

Close browsers and fix checked.




Open notepad and copy/paste the text in the quotebox below into it:



Driver::
usbcamdd

File::
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\alewisub.tmp
c:\windows\system32\plhlmahcxqjmlyix.exe
c:\program files\n
c:\windows\system32\szbcplfcwaf.dll-uninst.exe
c:\windows\system32\bbdakgemdktmsef.exe
c:\windows\system32\g27.exe
c:\windows\system32\ncntltdl.exe
c:\windows\system32\qmsehmhc.dll
c:\windows\system32\kygyah.dll
C:\p2hhr.bat
c:\windows\system32\TDSSxylkxjtv.dll
c:\windows\system32\drivers\usbcamdd.sys
C:\opdwrpjm.exe
C:\qmhqfeu.exe
c:\windows\system32\gs73gfidgf.dll
c:\windows\system32\wvUlifGw.dll
c:\windows\system32\xxyxVnkk.dll
c:\windows\system32\pindsmhh.dll
c:\windows\system32\khfeDWMG.dll
c:\windows\system32\tubakile.dll

Folder::
c:\temp\tn3
c:\windows\SmFtaWU
C:\Program Files\Azureus

DirLook::
c:\windows\system32\twain32

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 11 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:36:42, on 23/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ease.ed.ac.uk/cosign.cgi?cosign-eucsCosign-www.myed.ed.ac.uk=OQdL94QBaasXErW8yFPcjYb09E6KGXGSeIaYxWkl7hZ2GmiJCtXslm9GUMxsXfnU1NAFgcw2cNadfcPwUk3NjPgrX5xX0-WfoRzkaOLGECnF7eS0JBi0awClLNWq;&https://www.myed.ed.ac.uk/uPortal/?Login+with+EASE.x=47&Login+with+EASE.y=12
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8938 bytes

Combofix log

ComboFix 09-01-18.01 - Jamie 2009-01-22 19:59:51.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.957.453 [GMT 0:00]
Running from: c:\documents and settings\Jamie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jamie\Desktop\CFScript.txt
AV: AVG 7.5.516 *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\opdwrpjm.exe
C:\p2hhr.bat
c:\program files\n
C:\qmhqfeu.exe
c:\windows\system32\alewisub.tmp
c:\windows\system32\bbdakgemdktmsef.exe
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbcamdd.sys
c:\windows\system32\g27.exe
c:\windows\system32\gs73gfidgf.dll
c:\windows\system32\khfeDWMG.dll
c:\windows\system32\kygyah.dll
c:\windows\system32\ncntltdl.exe
c:\windows\system32\pindsmhh.dll
c:\windows\system32\plhlmahcxqjmlyix.exe
c:\windows\system32\qmsehmhc.dll
c:\windows\system32\szbcplfcwaf.dll-uninst.exe
c:\windows\system32\TDSSxylkxjtv.dll
c:\windows\system32\tubakile.dll
c:\windows\system32\wvUlifGw.dll
c:\windows\system32\xxyxVnkk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\opdwrpjm.exe
C:\p2hhr.bat
c:\program files\n
C:\qmhqfeu.exe
c:\temp\tn3
c:\windows\SmFtaWU
c:\windows\SmFtaWU\asappsrv.dll
c:\windows\SmFtaWU\command.exe
c:\windows\SmFtaWU\mAIQuqo.vbs
c:\windows\system32\alewisub.tmp
c:\windows\system32\bbdakgemdktmsef.exe
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbcamdd.sys
c:\windows\system32\g27.exe
c:\windows\system32\gs73gfidgf.dll
c:\windows\system32\khfeDWMG.dll
c:\windows\system32\kygyah.dll
c:\windows\system32\ncntltdl.exe
c:\windows\system32\pindsmhh.dll
c:\windows\system32\plhlmahcxqjmlyix.exe
c:\windows\system32\qmsehmhc.dll
c:\windows\system32\szbcplfcwaf.dll-uninst.exe
c:\windows\system32\TDSSxylkxjtv.dll
c:\windows\system32\tubakile.dll
c:\windows\system32\wvUlifGw.dll
c:\windows\system32\xxyxVnkk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USBCAMDD
-------\Service_usbcamdd


((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-20 15:08 . 2009-01-22 15:47 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-20 15:08 . 2009-01-20 15:08 1,409 --a------ c:\windows\QTFont.for
2009-01-19 00:12 . 2009-01-18 13:30 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-18 23:41 . 2009-01-18 23:41 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-18 23:32 . 2009-01-18 23:32 <DIR> d-------- c:\windows\ERUNT
2009-01-18 22:54 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-10 23:22 . 2009-01-10 23:23 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-10 00:53 . 2009-01-10 00:53 <DIR> d-------- c:\program files\Trend Micro
2008-12-23 11:03 . 2008-12-23 11:03 <DIR> d--hs---- C:\FOUND.003

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 00:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-10 00:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 23:33 27,822 ----a-w c:\documents and settings\Jamie\Application Data\wklnhst.dat
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2006-10-08 01:44 24,192 ----a-w c:\documents and settings\Jamie\usbsermptxp.sys
2006-10-08 01:44 22,768 ----a-w c:\documents and settings\Jamie\usbsermpt.sys
2009-01-06 12:33 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-06 12:33 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-06 12:33 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-06 12:33 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-06 12:33 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\twain32 ----

2009-01-19 00:26 0 --a------ c:\windows\system32\twain32\user.ds
2009-01-19 00:07 12815 --a------ c:\windows\system32\twain32\local.ds


((((((((((((((((((((((((((((( snapshot@2009-01-19_ 0.40.00.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 08:24:28 124,928 ------w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2008-08-26 08:24:28 347,136 ------w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2008-08-26 08:24:28 214,528 ------w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2008-08-26 08:24:28 133,120 ------w c:\windows\ie7updates\KB958215-IE7\extmgr.dll
+ 2008-08-26 08:24:28 63,488 ------w c:\windows\ie7updates\KB958215-IE7\icardie.dll
+ 2008-08-25 09:38:00 70,656 ------w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe
+ 2008-08-26 08:24:28 153,088 ------w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll
+ 2008-08-26 08:24:28 230,400 ------w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll
+ 2008-08-23 06:54:52 161,792 ------w c:\windows\ie7updates\KB958215-IE7\ieakui.dll
+ 2008-08-26 08:24:28 383,488 ------w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll
+ 2008-08-26 08:24:30 384,512 ------w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll
+ 2008-10-03 18:41:16 6,066,176 ------w c:\windows\ie7updates\KB958215-IE7\ieframe.dll
+ 2008-08-26 08:24:30 44,544 ------w c:\windows\ie7updates\KB958215-IE7\iernonce.dll
+ 2008-08-26 08:24:30 267,776 ------w c:\windows\ie7updates\KB958215-IE7\iertutil.dll
+ 2008-08-25 09:38:00 13,824 ------w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2008-08-23 06:56:16 635,848 ------w c:\windows\ie7updates\KB958215-IE7\iexplore.exe
+ 2008-08-26 08:24:30 27,648 ------w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll
+ 2008-08-26 08:24:30 459,264 ------w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll
+ 2008-08-26 08:24:30 52,224 ------w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll
+ 2008-08-26 08:24:30 477,696 ------w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll
+ 2008-08-26 08:24:30 193,024 ------w c:\windows\ie7updates\KB958215-IE7\msrating.dll
+ 2008-08-26 08:24:30 671,232 ------w c:\windows\ie7updates\KB958215-IE7\mstime.dll
+ 2008-08-26 08:24:30 102,912 ------w c:\windows\ie7updates\KB958215-IE7\occache.dll
+ 2008-08-26 08:24:30 44,544 ------w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll
+ 2007-03-06 01:22:40 213,216 ------w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll
+ 2008-08-26 08:24:30 105,984 ------w c:\windows\ie7updates\KB958215-IE7\url.dll
+ 2008-08-26 08:24:32 1,159,680 ------w c:\windows\ie7updates\KB958215-IE7\urlmon.dll
+ 2008-08-26 08:24:32 233,472 ------w c:\windows\ie7updates\KB958215-IE7\webcheck.dll
+ 2008-08-26 08:24:32 826,368 ------w c:\windows\ie7updates\KB958215-IE7\wininet.dll
+ 2008-08-27 09:24:32 3,593,216 ------w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:40 213,216 ------w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:48 371,424 ------w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-10-17 12:07:52 135,168 ----a-r c:\windows\Installer\{90840409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-01-20 17:59:06 135,168 ----a-r c:\windows\Installer\{90840409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-10-17 12:07:52 40,960 ----a-r c:\windows\Installer\{90840409-6000-11D3-8CFE-0150048383C9}\xlvicon.exe
+ 2009-01-20 17:59:06 40,960 ----a-r c:\windows\Installer\{90840409-6000-11D3-8CFE-0150048383C9}\xlvicon.exe
- 2008-08-26 08:24:28 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-08-26 08:24:28 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll
- 2008-08-26 08:24:28 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-26 08:24:28 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-26 08:24:28 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:36 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-08-26 08:24:28 63,488 ------w c:\windows\system32\dllcache\icardie.dll
+ 2008-10-16 20:38:36 63,488 ------w c:\windows\system32\dllcache\icardie.dll
- 2008-08-25 09:38:00 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:10 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-08-26 08:24:28 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:36 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-08-26 08:24:28 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:36 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-08-23 06:54:52 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-08-26 08:24:28 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-10-16 20:38:36 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-08-26 08:24:30 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:36 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-03 18:41:16 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-16 20:38:38 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
- 2008-08-26 08:24:30 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:38 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
- 2008-08-26 08:24:30 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 20:38:38 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
- 2008-08-25 09:38:00 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-10-16 13:11:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
- 2008-08-23 06:56:16 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 07:06:26 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
- 2008-08-26 08:24:30 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:38 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-18 20:03:58 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 01:09:22 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-26 08:24:30 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:38 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
- 2008-08-26 08:24:30 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-16 20:38:38 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-08-26 08:24:30 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-26 08:24:30 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-26 08:24:30 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:40 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-26 08:24:30 102,912 ----a-w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:40 102,912 ----a-w c:\windows\system32\dllcache\occache.dll
- 2008-08-26 08:24:30 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:40 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-04-14 01:12:08 246,814 ----a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-26 08:24:30 105,984 ----a-w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:40 105,984 ----a-w c:\windows\system32\dllcache\url.dll
- 2008-08-26 08:24:32 1,159,680 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:40 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-26 08:24:32 233,472 ----a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:40 233,472 ----a-w c:\windows\system32\dllcache\webcheck.dll
- 2008-08-26 08:24:32 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-18 21:47:20 937,984 ----a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 05:03:08 938,496 ----a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-18 21:47:22 2,450,944 ----a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 05:03:14 2,458,112 ----a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-08-26 08:24:28 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-26 08:24:28 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-26 08:24:28 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:36 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-08-26 08:24:28 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:36 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-08-25 09:38:00 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:10 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-08-26 08:24:28 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:36 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-08-26 08:24:28 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:36 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-08-23 06:54:52 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:54 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-08-26 08:24:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:36 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-08-26 08:24:30 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:36 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-03 18:41:16 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:38 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-08-26 08:24:30 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:38 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-08-26 08:24:30 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:38 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-08-25 09:38:00 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:10 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-08-26 08:24:30 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:38 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2006-10-18 20:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 01:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2009-01-09 17:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-08-26 08:24:30 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:38 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-08-26 08:24:30 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:38 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-08-27 09:24:32 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-26 08:24:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-26 08:24:30 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-08-26 08:24:30 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:40 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-08-26 08:24:30 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:40 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-08-26 08:24:30 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:40 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2008-07-08 13:02:02 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-07-27 09:41:40 16,760 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 01:12:08 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-04-14 01:12:38 60,416 ------w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:07:00 62,976 ------w c:\windows\system32\tzchange.exe
- 2008-08-26 08:24:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:40 105,984 ----a-w c:\windows\system32\url.dll
- 2008-08-26 08:24:32 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-26 08:24:32 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-08-26 08:24:32 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
- 2006-10-18 21:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 05:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-18 21:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 05:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
+ 2009-01-22 20:05:32 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_6a0.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 393216]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"SiSPower"="SiSPower.dll" [2005-02-25 c:\windows\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Jamie\Start Menu\Programs\Startup\
Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [2008-04-09 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-01-04 331776]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^Freecom Personal Media Suite.lnk]
path=c:\documents and settings\Jamie\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk
backup=c:\windows\pss\Freecom Personal Media Suite.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\Jamie\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-12-31 17:43 579072 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-02-26 02:23 443968 c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-24 01:54 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-11-01 13:22 3317760 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\MATLAB71\\BIN\\WIN32\\MATLAB.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe"=
"c:\\WINDOWS\\System32\\sistray.exe"=
"c:\\Program Files\\Launch Manager\\QtZgAcer.EXE"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\System32\\Keyhook.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\Program Files\\Arcade\\PCMService.exe"=

R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2007-06-24 12160]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [2004-12-15 200576]
R4 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
R4 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2007-06-24 7040]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-24 747912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0365c7c-3cf9-11db-bb74-00163651f741}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.ease.ed.ac.uk/cosign.cgi?cosign-eucsCosign-www.myed.ed.ac.uk=OQdL94QBaasXErW8yFPcjYb09E6KGXGSeIaYxWkl7hZ2GmiJCtXslm9GUMxsXfnU1NAFgcw2cNadfcPwUk3NjPgrX5xX0-WfoRzkaOLGECnF7eS0JBi0awClLNWq;&https://www.myed.ed.ac.uk/uPortal/?Login+with+EASE.x=47&Login+with+EASE.y=12
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Jamie\Application Data\Mozilla\Firefox\Profiles\4257ryif.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 20:17:25
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\acer\eManager\anbmServ.exe
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\GRISOFT\AVG7\AVGAMSVR.EXE
c:\program files\GRISOFT\AVG7\AVGUPSVC.EXE
c:\program files\GRISOFT\AVG7\AVGEMC.EXE
c:\program files\GOOGLE\COMMON\GOOGLE UPDATER\GOOGLEUPDATERSERVICE.EXE
c:\program files\KONTIKI\KSERVICE.EXE
c:\program files\MATLAB71\WEBSERVER\BIN\WIN32\MATLABSERVER.EXE
c:\program files\MATLAB71\BIN\WIN32\MATLAB.EXE
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2009-01-22 20:21:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 20:21:08
ComboFix2.txt 2009-01-19 00:41:28

Pre-Run: 2,515,501,056 bytes free
Post-Run: 2,506,571,776 bytes free

424 --- E O F --- 2009-01-20 20:58:16


kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 22, 2009 17:28:07
Records in database: 1668742
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 160759
Threat name: 26
Infected objects: 45
Suspicious objects: 0
Duration of the scan: 02:53:17


File name / Threat name / Threats count
C:\WINDOWS\system32\tdi\peco85IV.exe Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169635.exe Infected: Trojan.Win32.Small.yql 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169638.dll Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169639.exe Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169642.exe Infected: Trojan-Clicker.Win32.Agent.buj 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169643.dll Infected: Trojan.Win32.Agent.artu 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169644.dll Infected: Trojan.Win32.Agent.asus 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169645.dll Infected: Trojan.Win32.Monder.abke 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169646.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ca 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169649.dll Infected: Trojan.Win32.Monder.abke 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169651.dll Infected: Backdoor.Win32.TDSS.blh 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169653.dll Infected: Trojan.Win32.Pakes.mag 1
C:\System Volume Information\_restore{A23683EB-4EFA-4C5A-A26B-DDC1E28DFDAE}\RP425\A0169654.dll Infected: Trojan.Win32.Monder.acoy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gside.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ymu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.VB.hfs 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rkwnw64q.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\atofmq.dll.vir Infected: Trojan.Win32.Monder.aokh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ecuojrvx.dll.vir Infected: Trojan.Win32.Monder.apga 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fagometo.dll.vir Infected: Trojan.Win32.Monder.amxk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jgtsotpt.dll.vir Infected: Trojan.Win32.Monder.aokh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jwdcnsca.dll.vir Infected: Trojan.Win32.Monder.aokn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ksiafv.dll.vir Infected: Trojan.Win32.Monder.apga 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lbflwxqc.dll.vir Infected: Trojan.Win32.Monder.alko 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mosowisi.dll.vir Infected: Trojan-Downloader.Win32.BHO.afm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nasumoti.dll.vir Infected: Trojan.Win32.Monder.aidi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\oxjhoith.dll.vir Infected: Trojan.Win32.Monder.alkp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vabazaja.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vljdxc.dll.vir Infected: Trojan.Win32.Monder.alkp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\g27.exe.vir Infected: Trojan-Clicker.Win32.Agent.buj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gs73gfidgf.dll.vir Infected: Trojan.Win32.Agent.artu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\khfeDWMG.dll.vir Infected: Trojan.Win32.Agent.asus 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kygyah.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ncntltdl.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ca 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qmsehmhc.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxylkxjtv.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUlifGw.dll.vir Infected: Trojan.Win32.Pakes.mag 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyxVnkk.dll.vir Infected: Trojan.Win32.Monder.acoy 1
C:\Qoobox\Quarantine\C\WINDOWS\SmFtaWU\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\Qoobox\Quarantine\C\WINDOWS\SmFtaWU\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\Qoobox\Quarantine\C\Documents and Settings\Jamie\Application Data\Google\ocboo1892823.exe.vir Infected: Trojan-Dropper.Win32.Agent.aexx 1
C:\Qoobox\Quarantine\C\opdwrpjm.exe.vir Infected: Trojan.Win32.Small.yql 1
C:\FOUND.002\FILE0036.CHK Infected: Packed.Win32.Krap.d 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Monder.acoy 1
C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.bkw 1
C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.asz 1

The selected area was scanned.


Also completed other steps, azureus removed and java updated.

whats next?

cheers,

James

Hi James,

Open notepad and copy/paste the text in the quotebox below into it:



Folder::
c:\windows\system32\twain32
C:\WINDOWS\system32\tdi
C:\FOUND.002



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.