Sorry about that, here is the new hjt log and the combo fix log that was requested in this thread: http://forums.spybot.info/showthread.php?p=310632

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:12 PM, on 13/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adlib\Express\AdlibFMR.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\XeloPDFWriter\XeloPDFWriter.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37113941-f025-4a5f-9552-2a649db45b2e} - C:\WINDOWS\system32\bivayuye.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Xelo PDF Driver.lnk = C:\XeloPDFWriter\XeloPDFWriter.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adlib FMR - Adlib eDocument Solutions - C:\Program Files\Adlib\Express\AdlibFMR.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/SCONAC~1/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/SCONAC~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 11403 bytes


ComboFix 09-05-13.02 - Scona Copy 13/05/2009 16:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.481 [GMT -6:00]
Running from: c:\documents and settings\Scona Copy\Desktop\Desktop Icons\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Scona Copy\Local Settings\Temporary Internet Files\Cpvff.stt

.
((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-06 17:51 . 2009-05-06 17:57 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-06 17:51 . 2009-05-06 17:56 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-06 15:14 . 2009-05-06 15:15 -------- d-----w c:\program files\ERUNT
2009-05-06 15:07 . 2009-05-06 15:07 -------- d-----w c:\program files\Trend Micro
2009-05-05 23:13 . 2009-05-06 16:02 -------- d-----w c:\documents and settings\Scona Copy\Application Data\Twain
2009-05-05 17:13 . 2009-05-07 15:08 -------- d-----w c:\documents and settings\Scona Copy\Application Data\ptidle
2009-05-04 17:16 . 2009-05-04 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-04 17:11 . 2009-05-04 17:11 -------- d-----w c:\program files\Common Files\Control Panels
2009-05-04 17:09 . 2009-05-04 17:09 -------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-05-04 17:03 . 2007-02-20 22:04 190696 ----a-w c:\windows\system32\NPSWF32_FlashUtil.exe
2009-05-04 17:03 . 2007-02-20 22:04 2463976 ----a-w c:\windows\system32\NPSWF32.dll
2009-05-04 16:56 . 2009-05-04 16:56 -------- d-----w c:\program files\Bonjour
2009-05-04 16:52 . 2009-05-04 16:52 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-05-04 16:46 . 2009-05-04 16:46 -------- d-----w c:\documents and settings\All Users\Application Data\MainType
2009-05-04 15:49 . 2009-05-04 15:49 -------- d-----w c:\program files\High-Logic
2009-05-04 15:49 . 2009-05-04 15:49 -------- d-----w c:\documents and settings\Scona Copy\Application Data\MainType
2009-04-23 21:58 . 2009-04-28 19:39 -------- d-----w C:\temp
2009-04-23 21:58 . 2009-04-23 21:58 -------- d-----w c:\temp\RPCSC2500
2009-04-23 15:21 . 2009-04-23 15:21 -------- d-----w c:\program files\MSECache
2009-04-22 09:00 . 2009-03-11 04:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-22 09:00 . 2009-03-11 04:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-22 09:00 . 2009-04-22 09:00 -------- d-----w c:\windows\system32\KB905474
2009-04-15 23:12 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:12 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:12 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 23:12 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:12 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:12 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:12 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:12 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:12 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:12 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:12 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 15:07 . 2009-01-29 00:08 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-10 15:07 . 2008-05-28 21:24 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-07 15:16 . 2008-10-02 18:13 -------- d-----w c:\documents and settings\Scona Copy\Application Data\SUPERAntiSpyware.com
2009-05-07 15:15 . 2008-10-02 18:13 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-04 22:40 . 2007-12-06 07:02 -------- d-----w c:\program files\Common Files\Adobe
2009-05-04 18:36 . 2007-12-06 06:06 401928 ----a-w c:\documents and settings\Scona Copy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 15:48 . 2007-12-06 06:44 -------- d-----w c:\program files\WinClamAVShield
2009-05-04 15:48 . 2007-12-06 06:43 -------- d-----w c:\program files\Spyware Terminator
2009-04-02 15:12 . 2007-12-06 06:59 -------- d-----w c:\program files\Java
2009-03-31 17:15 . 2008-06-18 18:06 9188 ----a-w c:\windows\fnerr.dat
2009-03-27 16:57 . 2009-03-27 16:56 -------- d-----w c:\program files\QuickTime
2009-03-27 16:55 . 2009-03-27 16:55 -------- d-----w c:\program files\Apple Software Update
2009-03-24 20:34 . 2009-03-24 20:34 1468 ----a-w c:\windows\Fonts\FTBC____.PFM
2009-03-24 20:34 . 2009-03-24 20:34 1084 ----a-w c:\windows\Fonts\FTB_____.PFM
2009-03-24 20:34 . 2009-03-24 20:34 1330 ----a-w c:\windows\Fonts\ETEBC___.PFM
2009-03-24 20:12 . 2009-03-24 20:37 1351 ----a-w c:\windows\Fonts\hebco___.pfm
2009-03-24 20:12 . 2009-03-24 20:39 1068 ----a-w c:\windows\Fonts\hli_____.pfm
2009-03-24 20:12 . 2009-03-24 20:40 1042 ----a-w c:\windows\Fonts\hllv____.pfm
2009-03-24 20:12 . 2009-03-24 20:40 1048 ----a-w c:\windows\Fonts\hltv____.pfm
2009-03-24 20:12 . 2009-03-24 20:39 1052 ----a-w c:\windows\Fonts\hlbvo___.pfm
2009-03-24 20:12 . 2009-03-24 20:40 1326 ----a-w c:\windows\Fonts\hltc____.pfm
2009-03-24 20:12 . 2009-03-24 20:40 1402 ----a-w c:\windows\Fonts\hlmc____.pfm
2009-03-24 20:11 . 2009-03-24 20:40 1083 ----a-w c:\windows\Fonts\hlti____.pfm
2009-03-24 20:11 . 2009-03-24 20:40 1093 ----a-w c:\windows\Fonts\hlm_____.pfm
2009-03-24 20:11 . 2009-03-24 20:41 1060 ----a-w c:\windows\Fonts\hvek____.pfm
2009-03-24 20:11 . 2009-03-24 20:40 1405 ----a-w c:\windows\Fonts\hlmco___.pfm
2009-03-24 20:09 . 2009-03-24 20:41 1244 ----a-w c:\windows\Fonts\hlzc____.pfm
2009-03-24 20:09 . 2009-03-24 20:39 1100 ----a-w c:\windows\Fonts\hlh_____.pfm
2009-03-24 20:09 . 2009-03-24 20:39 1054 ----a-w c:\windows\Fonts\hlhvo___.pfm
2009-03-24 20:09 . 2009-03-24 20:38 1060 ----a-w c:\windows\Fonts\hlbi____.pfm
2009-03-24 20:09 . 2009-03-24 20:40 1045 ----a-w c:\windows\Fonts\hllvo___.pfm
2009-03-24 20:09 . 2009-03-24 20:38 1215 ----a-w c:\windows\Fonts\hlbc____.pfm
2009-03-24 20:09 . 2009-03-24 20:41 1064 ----a-w c:\windows\Fonts\hvuk____.pfm
2009-03-24 20:09 . 2009-03-24 20:38 1235 ----a-w c:\windows\Fonts\hebo____.pfm
2009-03-24 20:09 . 2009-03-24 20:41 1045 ----a-w c:\windows\Fonts\hlvo____.pfm
2009-03-09 11:19 . 2008-12-19 16:15 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-28 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-05_17.44.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-12 23:00 . 2009-05-12 23:00 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat
+ 2009-05-12 23:00 . 2009-05-12 23:00 16384 c:\windows\Temp\Perflib_Perfdata_460.dat
+ 2009-05-12 23:00 . 2009-05-12 23:00 16384 c:\windows\Temp\Perflib_Perfdata_268.dat
+ 2007-12-07 22:21 . 2009-05-10 15:07 27784 c:\windows\system32\drivers\avgmfx86.sys
+ 2009-05-06 15:17 . 2009-05-06 15:17 8192 c:\windows\ERDNT\06-05-2009\Users\00000004\UsrClass.dat
+ 2009-05-06 15:17 . 2009-05-06 15:17 8192 c:\windows\ERDNT\06-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-12 23:00 . 2009-05-12 23:01 196608 c:\windows\ERDNT\AutoBackup\12-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-12 23:01 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\12-05-2009\ERDNT.EXE
+ 2009-05-11 15:15 . 2009-05-11 15:15 196608 c:\windows\ERDNT\AutoBackup\11-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-11 15:15 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\11-05-2009\ERDNT.EXE
+ 2009-05-08 14:53 . 2009-05-08 14:53 192512 c:\windows\ERDNT\AutoBackup\08-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-08 14:53 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\08-05-2009\ERDNT.EXE
+ 2009-05-07 23:14 . 2009-05-07 23:14 192512 c:\windows\ERDNT\AutoBackup\07-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-07 23:14 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\07-05-2009\ERDNT.EXE
+ 2009-05-06 16:05 . 2009-05-06 16:05 196608 c:\windows\ERDNT\AutoBackup\06-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-06 16:05 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\06-05-2009\ERDNT.EXE
+ 2009-05-06 15:17 . 2009-05-06 15:17 196608 c:\windows\ERDNT\06-05-2009\Users\00000006\UsrClass.dat
+ 2009-05-06 15:17 . 2009-05-06 15:17 233472 c:\windows\ERDNT\06-05-2009\Users\00000003\NTUSER.DAT
+ 2009-05-06 15:17 . 2009-05-06 15:17 229376 c:\windows\ERDNT\06-05-2009\Users\00000001\NTUSER.DAT
+ 2009-05-06 15:17 . 2005-10-20 18:02 163328 c:\windows\ERDNT\06-05-2009\ERDNT.EXE
+ 2009-05-12 23:00 . 2009-05-12 23:00 9949184 c:\windows\ERDNT\AutoBackup\12-05-2009\Users\00000001\NTUSER.DAT
+ 2009-05-11 15:15 . 2009-05-11 15:15 9949184 c:\windows\ERDNT\AutoBackup\11-05-2009\Users\00000001\NTUSER.DAT
+ 2009-05-08 14:53 . 2009-05-08 14:53 9949184 c:\windows\ERDNT\AutoBackup\08-05-2009\Users\00000001\NTUSER.DAT
+ 2009-05-07 23:14 . 2009-05-07 23:14 9949184 c:\windows\ERDNT\AutoBackup\07-05-2009\Users\00000001\NTUSER.DAT
+ 2009-05-06 16:05 . 2009-05-06 16:05 6668288 c:\windows\ERDNT\AutoBackup\06-05-2009\Users\00000001\NTUSER.DAT
+ 2009-05-06 15:17 . 2009-05-06 15:17 6668288 c:\windows\ERDNT\06-05-2009\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37113941-f025-4a5f-9552-2a649db45b2e}]
c:\windows\system32\bivayuye.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-23 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-10 1947928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Scona Copy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
SyncBack.lnk - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2007-12-6 2721536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-5-4 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-14 805392]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Xelo PDF Driver.lnk - c:\xelopdfwriter\XeloPDFWriter.exe [2007-12-7 684032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 15:07 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/05/2008 3:24 PM 325896]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [06/12/2007 12:44 AM 138752]
R2 Adlib FMR;Adlib FMR;c:\program files\Adlib\Express\AdlibFMR.exe [22/07/2008 12:59 PM 294912]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/01/2009 6:08 PM 298776]
R2 MSSQL$MPSC_DB;MSSQL$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB [?]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [06/12/2007 1:05 AM 6016]
S3 SQLAgent$MPSC_DB;SQLAgent$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30985a8c-9acb-11dd-a734-001bfc1ce711}]
\Shell\AutoRun\command - G:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44e0b5fb-0a7d-11dd-a685-001bfc1ce711}]
\Shell\AutoRun\command - G:\vsdflc.exe
\Shell\explore\Command - G:\vsdflc.exe
\Shell\open\Command - G:\vsdflc.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c7f7784-75f4-11dd-a707-001bfc1ce711}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b1e7466-6d46-11dd-a6fc-001bfc1ce711}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fdd80aa-13da-11de-a7c0-001bfc1ce711}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64265b8e-d050-11dc-a641-001bfc1ce711}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca86e3b-0a37-11dd-a684-001bfc1ce711}]
\Shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86a3cf13-2e8c-11de-a7dd-001bfc1ce711}]
\Shell\AutoRun\command - G:\jxqevly.exe
\Shell\explore\Command - G:\jxqevly.exe
\Shell\open\Command - G:\jxqevly.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{873d2bcc-33e9-11dd-a6ad-001bfc1ce711}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bc27d10-a3c4-11dc-a609-001bfc1ce711}]
\Shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9170ab63-ed98-11dd-a798-001bfc1ce711}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97d75bd9-35d8-11de-a7e6-001bfc1ce711}]
\Shell\AutoRun\command - g:\restore\k-1-3542-4232123213-7676767-8888886\Wins32.exe
\Shell\open\command - g:\restore\k-1-3542-4232123213-7676767-8888886\Wins32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97d75be2-35d8-11de-a7e6-001bfc1ce711}]
\Shell\AutoRun\command - g:\restore\k-1-3542-4232123213-7676767-8888886\Wins32.exe
\Shell\open\command - g:\restore\k-1-3542-4232123213-7676767-8888886\Wins32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97ef9b90-badc-11dc-a629-001bfc1ce711}]
\Shell\AutoRun\command - H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a53e8cb-283d-11de-a7d6-001bfc1ce711}]
\Shell\AutoRun\command - g:\restore\k-1-3542-4232123213-7676767-8888886\Wins32.exe
\Shell\open\command - g:\restore\k-1-3542-4232123213-7676767-8888886\Wins32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a5476a5-2e67-11dd-a6a8-001bfc1ce711}]
\Shell\Auto\command - exp1orer.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a5476a6-2e67-11dd-a6a8-001bfc1ce711}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a5476a7-2e67-11dd-a6a8-001bfc1ce711}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c52b6e5-d0e2-11dc-a642-001bfc1ce711}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd13e656-5d82-11dd-a6e4-001bfc1ce711}]
\Shell\auto\command - Knight.exe open
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9f1ef62-8664-11dd-a71b-001bfc1ce711}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2bca009-ab6b-11dd-a74d-001bfc1ce711}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f45e35a8-7dcf-11dd-a710-001bfc1ce711}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4a0b912-c60d-11dd-a76a-001bfc1ce711}]
\Shell\1\Command - G:\Recycled.exe
\Shell\2\Command - G:\Recycled.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbf28ea9-663c-11dd-a6f3-001bfc1ce711}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-05-06 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-05-06 21:31]

2009-05-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ptidle - c:\documents and settings\Scona Copy\Application Data\ptidle\ptidle.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Scona Copy\Application Data\Mozilla\Firefox\Profiles\ou9zvgzm.default\
FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 16:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\system32\MSVCP60.dll
.
Completion time: 2009-05-13 16:39
ComboFix-quarantined-files.txt 2009-05-13 22:39
ComboFix2.txt 2009-05-06 20:13
ComboFix3.txt 2009-05-05 17:50

Pre-Run: 14,699,622,400 bytes free
Post-Run: 15,324,618,752 bytes free

301 --- E O F --- 2009-04-22 09:00

Hi,


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer



If you have used removable storage drives with this system during the infection, please have those attached so that we can clean them too.

Open notepad and copy/paste the text in the quotebox below into it:



DirLook::
c:\temp\RPCSC2500
c:\documents and settings\Scona Copy\Application Data\Twain

File::
G:\vsdflc.exe
G:\jxqevly.exe
G:\Recycled.exe

Folder::
c:\documents and settings\Scona Copy\Application Data\ptidle
c:\program files\utorrent
g:\restore

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37113941-f025-4a5f-9552-2a649db45b2e}]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30985a8c-9acb-11dd-a734-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44e0b5fb-0a7d-11dd-a685-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86a3cf13-2e8c-11de-a7dd-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97d75bd9-35d8-11de-a7e6-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97d75be2-35d8-11de-a7e6-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a53e8cb-283d-11de-a7d6-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a5476a5-2e67-11dd-a6a8-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a5476a7-2e67-11dd-a6a8-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd13e656-5d82-11dd-a6e4-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4a0b912-c60d-11dd-a76a-001bfc1ce711}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbf28ea9-663c-11dd-a6f3-001bfc1ce711}]



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.


Also, generate an Uninstall List:

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.

Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.