Hello,

I have something on my system which exhibits the following symptoms:

1. Upon starting a Spybot scan, Spybot is automatically closed and cannot be restarted, nor can the SpybotSD.exe file be seen, renamed, deleted or accessed. Symptom is repeatable upon re-install, even if I select different folder names. I will manually close TeaTimer before running through guidance from yourselves as I cannot get it off the start-up list through Spybot!
2. Hijackthis is automatically closed when a scan is run, hence no log below.
3. Firefox regularly jumps to obvious "Your computer is infected!" Malware sites when I go to certain websites.
4. Firefox homepage (news.bbc.co.uk) is sometimes diverted also to one of these sites.
5. AVG Resident Shield and Email scanner have been disabled
6. AVG system scan comes up clean (apart from the odd cookie)

As mentioned above, I cannot post a HJT log due to the problems outlined above.

From the "BEFORE you post checklist:

- Attempted to disable resident, cannot open Spybot, however.
- ERUNT job done
- HJT download but will not run, as mentioned above

Any help would be SINCERELY appreciated.

Best regards,

Tim

This appears, to the uneducated, to be very similar to the symptoms described by gary_deskin.

Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------




Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)

Hello Katana,

Thanks for the response. ComboFix log is below...

START

ComboFix 09-08-30.04 - Tim 31/08/2009 18:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2085 [GMT 1:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\WinDic20162.dll
c:\windows\system\WinDic21717.dll
c:\windows\system\WinDic31181.dll
c:\windows\system32\descript.lnk
c:\windows\system32\drivers\kbiwkmxjyotxdp.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\kbiwkmnmttmtnm.dll
c:\windows\system32\kbiwkmsxrsqaka.dll
c:\windows\system32\kbiwkmwkvndlte.dat
c:\windows\system32\kbiwkmywrgrfdc.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lspwfp.dll.bak
c:\windows\system32\sdra64.exe
c:\windows\system32\sqla.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmmoyfnvml
-------\Legacy_kbiwkmmoyfnvml
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_OREANS32
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-29 17:02 . 2009-08-29 17:02 -------- d-----w- c:\program files\ERUNT
2009-08-29 16:53 . 2009-08-29 16:53 -------- d-----w- c:\program files\Trend Micro
2009-08-29 16:20 . 2009-08-29 16:23 -------- d-----w- c:\program files\Test
2009-08-29 16:14 . 2009-08-29 16:19 -------- d-----w- c:\program files\Spybot - Search & Destroy2
2009-08-27 20:53 . 2009-08-27 20:53 -------- d-----w- c:\program files\Seven-G
2009-08-27 20:32 . 2009-08-27 20:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-27 18:09 . 2009-08-27 18:09 -------- d-sh--w- c:\documents and settings\Tim\PrivacIE
2009-08-22 20:48 . 1999-12-17 09:13 86016 ----a-w- c:\windows\unvise32.exe
2009-08-22 20:48 . 2009-08-22 20:48 -------- d-----w- c:\program files\DivXLand
2009-08-19 20:57 . 2009-08-19 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Watermark Factory
2009-08-19 20:57 . 2009-08-19 20:57 -------- d-----w- c:\program files\Watermark Factory 2
2009-08-14 23:50 . 2009-08-14 23:50 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-14 23:49 . 2009-08-14 23:49 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-14 23:49 . 2009-08-14 23:49 -------- d-----w- c:\program files\MSBuild
2009-08-14 23:49 . 2009-08-14 23:49 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 23:48 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 23:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-14 23:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 23:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-14 23:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 23:48 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-14 23:48 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 23:48 . 2009-08-14 23:49 -------- d-----w- C:\e5972bd564fc0a96f39a6ae453ea
2009-08-14 23:44 . 2009-08-14 23:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-12 17:52 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 18:00 . 2008-04-28 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-08-31 17:37 . 2004-08-10 12:51 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-08-31 17:29 . 2006-03-27 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-30 21:59 . 2009-02-27 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-29 16:11 . 2006-03-27 09:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-28 21:48 . 2006-03-27 08:20 57256 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 21:33 . 2008-12-11 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-18 17:08 . 2009-04-13 16:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 17:08 . 2009-04-13 16:54 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 17:08 . 2009-04-13 16:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-12 19:11 . 2007-06-04 19:17 -------- d-----w- c:\program files\ORBITER
2009-08-05 09:01 . 2004-08-10 12:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 08:24 . 2008-02-28 06:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-19 14:18 . 2009-07-19 10:13 -------- d-----w- c:\program files\Railroad Tycoon 3
2009-07-19 10:13 . 2006-03-22 01:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-17 19:01 . 2004-08-10 12:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-10 12:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 17:23 . 2006-12-07 21:51 -------- d-----w- c:\program files\Microsoft Games
2009-07-03 17:09 . 2004-08-10 12:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-08-10 12:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 12:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 12:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 12:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2004-08-10 13:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 12:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 12:51 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="c:\program files\Test\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2006-5-3 1918]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Adobe Reader Speed Launch.lnk.disabled [2007-6-3 1757]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-3-22 921704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 17:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-22 20:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"SigmatelSysTrayApp"=stsystra.exe
"MSKDetectorExe"=c:\program files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Tim\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Condor\\CondorDedicated.exe"=
"c:\\Program Files\\Condor\\Condor.exe"=
"c:\\Documents and Settings\\Tim\\Desktop\\Jaiken\\Miranda\\miranda32.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\WINDOWS\\system32\\searchprotocolhost.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"32458:TCP"= 32458:TCP:uTorrent
"32458:UDP"= 32458:UDP:uTorrent UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/04/2009 17:54 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/04/2009 17:54 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [13/04/2009 17:54 297752]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [22/03/2006 02:20 61526]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [13/04/2009 17:54 908056]
S2 CoLinuxDriver;CoLinuxDriver;\??\c:\program files\coLinux\linux.sys --> c:\program files\coLinux\linux.sys [?]
S2 gupdate1c999314d0ec792;Google Update Service (gupdate1c999314d0ec792);c:\program files\Google\Update\GoogleUpdate.exe [28/02/2009 00:15 133104]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [15/05/2005 20:37 24576]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [07/08/2006 22:21 28704]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-16 23:29]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 23:15]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 23:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: adecco.com\*.xpert
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\o4yrvs9c.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 18:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1306922480-1943138660-1850605678-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{509867F3-D498-0E06-AF93-48B97744C58B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oagbjebehidcfedphcdlebabbbkmbl"=hex:6a,61,6e,6b,63,65,70,69,63,6d,6a,6c,70,6e,
69,67,6c,70,65,64,00,5f
"naabdiapchjgbnionbbgjmfimnnp"=hex:6a,61,6e,6b,63,65,70,69,63,6d,6a,6c,70,6e,
69,67,6c,70,65,64,00,5f

[HKEY_USERS\S-1-5-21-1306922480-1943138660-1850605678-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,dc,92,f7,4c,c9,e3,d6,b9,97,66,bb,38,2c,9a,ec,36,08,ec,08,0b,09,61,
12,b6,ac,20,70,14,fb,0d,3a,ba,89,3b,13,e0,59,cc,3c,ed,c3,f6,b6,83,ed,94,80,\
"??"=hex:de,35,5c,16,45,cf,5e,dc,d0,db,75,29,75,86,e6,bc

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,55,dd,35,d8,88,
33,34,0f,e2,63,26,f1,3f,c8,ff,68,c4,fe,ed,f8,98,7c,0a,b5,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,44,4c,35,60,de,
09,39,a2,6a,9c,d6,61,af,45,84,18,3c,c2,51,90,03,de,a6,4f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,0d,0a,e2,6e,1c,
9a,43,d1,ff,7c,85,e0,43,d4,0e,fe,1d,9a,aa,16,f5,60,8d,e2,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,00,2d,d6,a5,86,
fa,9d,15,86,8c,21,01,be,91,eb,e7,fd,cc,2b,4b,a5,d6,62,ca,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,c3,2a,4c,38,e9,
46,61,1e,f5,1d,4d,73,a8,13,5c,05,f5,d3,ca,63,8c,ee,b5,0e,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,12,c5,96,e9,9a,
22,c6,91,df,20,58,62,78,6b,cf,c8,6f,bc,16,f4,b4,fc,3e,d8,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,7f,d2,33,3c,1b,
06,86,aa,fb,a7,78,e6,12,2f,9a,ea,2f,56,0a,cb,49,65,cc,13,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,d6,c0,45,03,ed,
fb,ea,b7,01,3a,48,fc,e8,04,4a,f1,96,e7,f0,06,a0,82,06,5d,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,e6,78,d6,e3,1b,
e3,32,70,f6,0f,4e,58,98,5b,89,c9,27,2d,68,e0,cf,d3,8b,db,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,11,ee,e0,f3,09,
64,e0,15,3d,ce,ea,26,2d,45,aa,78,73,95,9b,9e,50,8a,51,90,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,73,5a,09,b7,a6,
96,0b,ed,2a,b7,cc,b5,b9,7f,41,e7,17,60,82,2e,19,68,be,d1,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,06,43,68,71,20,
73,eb,3b,6c,43,2d,1e,aa,22,2f,9c,a0,d2,24,fe,04,a0,11,0a,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\searchindexer.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\PRISMSVR.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-08-31 19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 18:05

Pre-Run: 5,161,988,096 bytes free
Post-Run: 5,080,723,456 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

390 --- E O F --- 2009-08-25 21:12

END

Many thanks for the help :thanks:

Regards,

Tim

Disable Teatimer
We need to disable Teatimer as it may interfere with the cleaning.
Please do not re-enable it until I give instructions.

First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Click Link >>> HERE <<< Link (http://www.neoshine.co.uk/mina/Downloads/TTWipe.bat) and select "save as" and save it to your desktop
Double click TTWipe.bat
Reboot your machine for the changes to take effect.


----------------------------------------------------------------------------------------
Step 1

Please download the Win32kDiag.exe tool from the following location and save it to your desktop:

http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.

Double-click on this file and post the contents as a reply to this topic.

----------------------------------------------------------------------------------------
Step 2

Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )

Katana,

Thanks for the quick response.

From looking at your instructions, I assume this doesn't matter at this stage, but I think I'd better ask anyway :-

In line with the original symptoms, I am unable to access Spybot. Teatimer is currently disabled from the tray, however I can not access Spybot to properly disable it.

Continue regardless?

Tim

Log file 1:

START

Log file is located at: C:\Documents and Settings\Tim\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-14 01:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-14 01:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

[1] 2004-08-04 06:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)


Finished!

END


Second log coming soon!!

Tim

That looked like a sneaky way to run HJT while avoiding the Malware! nice!

Here goes:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Tim at 2009-08-31 20:18:58
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 5 GB (7%) free of 73 GB
Total RAM: 2558 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:19:11, on 31/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Test\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Tim\Desktop\RSIT.exe
C:\Program Files\trend micro\Tim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Test\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Test\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Test\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Test\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspwfp.dll' missing
O15 - Trusted Zone: http://*.xpert.adecco.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145652825717
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c999314d0ec792) (gupdate1c999314d0ec792) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--
End of file - 8011 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-08-18 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Test\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 434279]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-21 668656]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-18 2007832]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2009-02-06 3885408]
"SpybotSD TeaTimer"=C:\Program Files\Test\TeaTimer.exe [2009-03-05 2260480]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk.disabled - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Adobe Reader Speed Launch.lnk.disabled - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-18 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PRISMAPI.DLL]
C:\WINDOWS\system32\PRISMAPI.DLL [2005-12-22 450646]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableStatusMessages"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"GreyMSIAds"=0
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Documents and Settings\Tim\Desktop\utorrent.exe"="C:\Documents and Settings\Tim\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"="C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Enabled:Microsoft Office Word"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\Condor\CondorDedicated.exe"="C:\Program Files\Condor\CondorDedicated.exe:*:Enabled:CondorDedicated"
"C:\Program Files\Condor\Condor.exe"="C:\Program Files\Condor\Condor.exe:*:Enabled:Condor"
"C:\Documents and Settings\Tim\Desktop\Jaiken\Miranda\miranda32.exe"="C:\Documents and Settings\Tim\Desktop\Jaiken\Miranda\miranda32.exe:*:Enabled:Miranda IM"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\WINDOWS\system32\searchprotocolhost.exe"="C:\WINDOWS\system32\searchprotocolhost.exe:*:Enabled:SearchProtocolHost"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\Java\jre1.5.0_09\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_09\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======File associations======

.js - edit -

======List of files/folders created in the last 1 months======

2009-08-31 20:18:58 ----D---- C:\rsit
2009-08-31 19:05:37 ----A---- C:\ComboFix.txt
2009-08-31 18:34:04 ----A---- C:\Boot.bak
2009-08-31 18:33:53 ----RASHD---- C:\cmdcons
2009-08-31 18:31:01 ----A---- C:\WINDOWS\zip.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\SWSC.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\SWREG.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\sed.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\PEV.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\grep.exe
2009-08-31 18:30:28 ----D---- C:\WINDOWS\ERDNT
2009-08-31 18:30:01 ----D---- C:\Qoobox
2009-08-29 18:02:07 ----D---- C:\Program Files\ERUNT
2009-08-29 17:53:58 ----D---- C:\Program Files\Trend Micro
2009-08-29 17:20:51 ----D---- C:\Program Files\Test
2009-08-29 17:14:09 ----D---- C:\Program Files\Spybot - Search & Destroy2
2009-08-27 21:53:24 ----D---- C:\Program Files\Seven-G
2009-08-25 22:12:12 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-22 21:48:38 ----A---- C:\WINDOWS\unvise32.exe
2009-08-22 21:48:36 ----D---- C:\Program Files\DivXLand
2009-08-19 21:57:59 ----D---- C:\Documents and Settings\All Users\Application Data\Watermark Factory
2009-08-19 21:57:43 ----D---- C:\Program Files\Watermark Factory 2
2009-08-16 15:06:25 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-08-15 00:49:38 ----D---- C:\WINDOWS\system32\XPSViewer
2009-08-15 00:49:33 ----D---- C:\Program Files\MSBuild
2009-08-15 00:49:18 ----D---- C:\Program Files\Reference Assemblies
2009-08-15 00:48:25 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-08-15 00:48:25 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-08-15 00:48:25 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-08-15 00:48:24 ----D---- C:\e5972bd564fc0a96f39a6ae453ea
2009-08-12 22:38:55 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 22:36:15 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 22:36:01 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 22:35:46 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-12 22:35:32 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 22:35:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 22:35:04 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 22:34:41 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-12 22:30:24 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$

======List of files/folders modified in the last 1 months======

2009-08-31 20:18:18 ----D---- C:\Documents and Settings\All Users\Application Data\Kontiki
2009-08-31 20:08:22 ----D---- C:\Program Files\Mozilla Firefox
2009-08-31 20:06:39 ----D---- C:\WINDOWS\Temp
2009-08-31 20:06:20 ----SD---- C:\WINDOWS\Tasks
2009-08-31 20:04:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-31 20:04:12 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 19:05:40 ----D---- C:\WINDOWS\system32\drivers
2009-08-31 19:05:40 ----D---- C:\WINDOWS\system32
2009-08-31 19:03:56 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-08-31 19:03:49 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-31 18:57:41 ----D---- C:\WINDOWS\Prefetch
2009-08-31 18:56:59 ----D---- C:\WINDOWS
2009-08-31 18:56:59 ----A---- C:\WINDOWS\system.ini
2009-08-31 18:54:24 ----D---- C:\WINDOWS\system32\config
2009-08-31 18:53:44 ----D---- C:\WINDOWS\system
2009-08-31 18:52:31 ----D---- C:\WINDOWS\AppPatch
2009-08-31 18:52:23 ----D---- C:\Program Files\Common Files
2009-08-31 18:37:07 ----N---- C:\WINDOWS\system32\eventlog.dll
2009-08-31 18:37:05 ----HD---- C:\WINDOWS\PIF
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\xircom
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\wins
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\ShellExt
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\inetsrv
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\export
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\dhcp
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\3com_dmi
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\3076
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\2052
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1054
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1042
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1041
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1037
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1031
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1028
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1025
2009-08-31 18:37:05 ----D---- C:\WINDOWS\SxsCaPendDel
2009-08-31 18:37:05 ----D---- C:\WINDOWS\occache
2009-08-31 18:37:05 ----D---- C:\WINDOWS\mui
2009-08-31 18:37:05 ----D---- C:\WINDOWS\Motive
2009-08-31 18:37:05 ----D---- C:\WINDOWS\Connection Wizard
2009-08-31 18:37:05 ----D---- C:\WINDOWS\Config
2009-08-31 18:37:05 ----D---- C:\WINDOWS\addins
2009-08-31 18:34:05 ----RASH---- C:\boot.ini
2009-08-30 22:59:16 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-08-30 15:57:00 ----SHD---- C:\WINDOWS\Installer
2009-08-30 15:53:41 ----HD---- C:\Config.Msi
2009-08-29 18:02:07 ----RD---- C:\Program Files
2009-08-29 17:11:50 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-29 17:01:32 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-29 16:20:57 ----D---- C:\WINDOWS\Minidump
2009-08-28 22:52:58 ----HD---- C:\$AVG8.VAULT$
2009-08-28 22:33:10 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-08-25 22:12:17 ----HD---- C:\WINDOWS\inf
2009-08-22 00:55:43 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-08-21 23:35:00 ----D---- C:\Documents and Settings\Tim\Application Data\Adobe
2009-08-19 21:23:08 ----A---- C:\WINDOWS\imsins.BAK
2009-08-18 18:08:10 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-08-16 15:06:56 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-15 09:28:20 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-15 09:28:18 ----RSD---- C:\WINDOWS\assembly
2009-08-15 00:54:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-15 00:53:47 ----D---- C:\WINDOWS\WinSxS
2009-08-15 00:49:35 ----D---- C:\WINDOWS\system32\en-US
2009-08-15 00:49:27 ----RSD---- C:\WINDOWS\Fonts
2009-08-15 00:48:57 ----D---- C:\WINDOWS\system32\spool
2009-08-15 00:45:48 ----D---- C:\Program Files\Internet Explorer
2009-08-12 22:35:41 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-12 22:35:07 ----D---- C:\Program Files\Outlook Express
2009-08-12 21:10:18 ----A---- C:\WINDOWS\NeroDigital.ini
2009-08-12 20:11:08 ----D---- C:\Program Files\ORBITER
2009-08-05 10:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-18 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-02 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-10-12 20747]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\PRISMA02.sys [2006-06-01 357344]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2006-02-08 9856]
R3 portio;winThrottle PortIO Service; C:\WINDOWS\system32\DRIVERS\throttle.sys [2006-06-29 5546]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys [2004-10-19 61312]
R3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys [2004-11-05 82148]
S1 nvport;NVIDIA PORT IO Control Driver; \??\C:\WINDOWS\system32\Drivers\nvport.sys []
S2 CoLinuxDriver;CoLinuxDriver; \??\C:\Program Files\coLinux\linux.sys []
S3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [2004-10-19 20096]
S3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [2004-09-21 10804]
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys [2004-12-01 22488]
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BTHidEnum;Bluetooth HID Enumerator; C:\WINDOWS\system32\DRIVERS\vbtenum.sys [2004-09-21 11604]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 BTNetFilter;Bluetooth Network Filter; \??\C:\WINDOWS\system32\drivers\BTNetFilter.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux); C:\WINDOWS\system32\DRIVERS\tap0801co.sys [2005-05-15 24576]
S3 usb2vcom;USB Data Cable; C:\WINDOWS\system32\DRIVERS\usb2vcom.sys [2005-08-06 28704]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys []
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 KService;KService; C:\Program Files\Kontiki\KService.exe [2007-04-23 3068352]
R2 PRISMSVC;PRISMSVC; C:\WINDOWS\system32\PRISMSVC.EXE [2005-12-22 61526]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
S2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-08-18 908056]
S2 gupdate1c999314d0ec792;Google Update Service (gupdate1c999314d0ec792); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-28 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-21 183280]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-05-03 68096]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


Cheers,

Tim

Why is Teatimer running from C:\Program Files\Test ?

----------------------------------------------------------------------------------------
Step 1

We need to scan the system with this special tool.
Please download Junction.zip (http://download.sysinternals.com/Files/Junction.zip) and save it.
Unzip it and put junction.exe in the main drive directory (C:\).

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.



@Echo Off
If exist "%Temp%\Klog.txt" del /q "%Temp%\Klog.txt"
If exist "%SYSTEMDRIVE%\junction.exe" goto Cont
If exist "%UserProfile%\Desktop\junction.exe" (copy "%UserProfile%\Desktop\junction.exe" "%SYSTEMDRIVE%\junction.exe"&& Goto Cont )
Echo Junction Not Found !! >>"%Temp%\Klog.txt"
Goto End
:Cont
%SYSTEMDRIVE%\junction.exe -s c:\ >"%Temp%\Klog.txt"
:End
"%Temp%\Klog.txt"
del /q "%Temp%\Klog.txt"
del /q %0

Double click on look.bat
Please be patient, as this will search the entire disc

Notepad will open, please copy/paste the results here.


----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Klog.txt
Kaspersky Log
Contents of C:\RSIT\Info.txt

It's running from C:\Program Files\Test because I reinstalled Spybot in differently named folders to see if it would inhibit the malware from being able to block access to it.

... Didn't work!

I'll eventually put everything back to normal.

Right... to your instructions...

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...


Failed to open \\?\c:\\Documents and Settings\Tim\My Documents\Downloads\HiJackThis.exe: Access is denied.
...

.
Failed to open \\?\c:\\Program Files\AVG\AVG8\avgcsrvx.exe: Access is denied.
..


...
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy2\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Test\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.
...

...
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.
..
Failed to open \\?\c:\\WINDOWS\system32\dumprep.exe: Access is denied.
.


No reparse points found.

Don't mind waiting if need be, but is the Kapersky download always this slow??
The size of the update seems to be getting bigger as the download progresses also!

Strange!

Tim

1) but is the Kapersky download always this slow??
2) The size of the update seems to be getting bigger as the download progresses also!


1) yep
2) It's downloading different components.

Why do you think I said put the kettle on ?

The scan is still going and we're off to bed..

I'll leave the machine on overnight and will put the log on my memory stick tomorrow morning. Will then post while I'm at work.

Many thanks for all the help today.

Is there anyway of donating to the spybot world?

Tim

Finished! Log below...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 1, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 31, 2009 22:54:45
Infected: 2732586
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Objects scanned: 144695
Threats found: 21
Infected objects found: 88
Suspicious objects found: 2
Scan duration: 02:30:14


File name / Threat / Threats count
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-7f59ffa9.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5404ed29-50dd3b84.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-370e62de.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-41ecdfa2.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Luder.a 4
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ln 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Zhelatin.a 8
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Trojan-Proxy.Win32.Lager.dp 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Zhelatin.h 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Zhelatin.k 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Zhelatin.m 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Zhelatin.o 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Zhelatin.r 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Zhelatin.u 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Email-Worm.Win32.Zhelatin.ab 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ra 5
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ri 5
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rw 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Infected: Trojan-Spy.HTML.Chasfraud.u 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Luder.a 4
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Trojan-Spy.HTML.Bayfraud.ln 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Zhelatin.a 8
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Trojan-Proxy.Win32.Lager.dp 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Zhelatin.h 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Zhelatin.k 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Zhelatin.m 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Zhelatin.o 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Zhelatin.r 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Zhelatin.u 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Email-Worm.Win32.Zhelatin.ab 1
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Trojan-Spy.HTML.Bankfraud.rw 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Trojan-Spy.HTML.Chasfraud.u 2
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Trojan-Spy.HTML.Bankfraud.ra 5
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Infected: Trojan-Spy.HTML.Bankfraud.ri 5
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lspwfp.dll.bak.vir Infected: Trojan-PSW.Win32.Agent.mso 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Packed.Win32.Zack.a 1

Selected area has been scanned.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Tim at 2009-09-01 08:25:46
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 5 GB (7%) free of 73 GB
Total RAM: 2558 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:26:02, on 01/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Test\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim\Desktop\RSIT.exe
C:\Program Files\trend micro\Tim.exe
C:\Program Files\AVG\AVG8\avgupd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Test\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Test\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Test\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Test\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspwfp.dll' missing
O15 - Trusted Zone: http://*.xpert.adecco.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145652825717
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c999314d0ec792) (gupdate1c999314d0ec792) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--
End of file - 8005 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-08-18 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Test\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 434279]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-21 668656]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-18 2007832]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2009-02-06 3885408]
"SpybotSD TeaTimer"=C:\Program Files\Test\TeaTimer.exe [2009-03-05 2260480]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk.disabled - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Adobe Reader Speed Launch.lnk.disabled - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-18 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PRISMAPI.DLL]
C:\WINDOWS\system32\PRISMAPI.DLL [2005-12-22 450646]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableStatusMessages"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"GreyMSIAds"=0
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Documents and Settings\Tim\Desktop\utorrent.exe"="C:\Documents and Settings\Tim\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"="C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Enabled:Microsoft Office Word"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\Condor\CondorDedicated.exe"="C:\Program Files\Condor\CondorDedicated.exe:*:Enabled:CondorDedicated"
"C:\Program Files\Condor\Condor.exe"="C:\Program Files\Condor\Condor.exe:*:Enabled:Condor"
"C:\Documents and Settings\Tim\Desktop\Jaiken\Miranda\miranda32.exe"="C:\Documents and Settings\Tim\Desktop\Jaiken\Miranda\miranda32.exe:*:Enabled:Miranda IM"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\WINDOWS\system32\searchprotocolhost.exe"="C:\WINDOWS\system32\searchprotocolhost.exe:*:Enabled:SearchProtocolHost"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\Java\jre1.5.0_09\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_09\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2105bcf2-ef86-11da-990a-806d6172696f}]
shell\AutoRun\command - E:\_AUTORUN\AUTORUN.EXE


======File associations======

.js - edit -

======List of files/folders created in the last 1 months======

2009-08-31 20:59:42 ----A---- C:\junction.exe
2009-08-31 20:18:58 ----D---- C:\rsit
2009-08-31 19:05:37 ----A---- C:\ComboFix.txt
2009-08-31 18:34:04 ----A---- C:\Boot.bak
2009-08-31 18:33:53 ----RASHD---- C:\cmdcons
2009-08-31 18:31:01 ----A---- C:\WINDOWS\zip.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\SWSC.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\SWREG.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\sed.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\PEV.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-31 18:31:01 ----A---- C:\WINDOWS\grep.exe
2009-08-31 18:30:28 ----D---- C:\WINDOWS\ERDNT
2009-08-31 18:30:01 ----D---- C:\Qoobox
2009-08-29 18:02:07 ----D---- C:\Program Files\ERUNT
2009-08-29 17:53:58 ----D---- C:\Program Files\Trend Micro
2009-08-29 17:20:51 ----D---- C:\Program Files\Test
2009-08-29 17:14:09 ----D---- C:\Program Files\Spybot - Search & Destroy2
2009-08-27 21:53:24 ----D---- C:\Program Files\Seven-G
2009-08-25 22:12:12 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-22 21:48:38 ----A---- C:\WINDOWS\unvise32.exe
2009-08-22 21:48:36 ----D---- C:\Program Files\DivXLand
2009-08-19 21:57:59 ----D---- C:\Documents and Settings\All Users\Application Data\Watermark Factory
2009-08-19 21:57:43 ----D---- C:\Program Files\Watermark Factory 2
2009-08-16 15:06:25 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-08-15 00:49:38 ----D---- C:\WINDOWS\system32\XPSViewer
2009-08-15 00:49:33 ----D---- C:\Program Files\MSBuild
2009-08-15 00:49:18 ----D---- C:\Program Files\Reference Assemblies
2009-08-15 00:48:25 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-08-15 00:48:25 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-08-15 00:48:25 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-08-15 00:48:24 ----D---- C:\e5972bd564fc0a96f39a6ae453ea
2009-08-12 22:38:55 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 22:36:15 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 22:36:01 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 22:35:46 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-12 22:35:32 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 22:35:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 22:35:04 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 22:34:41 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-12 22:30:24 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$

======List of files/folders modified in the last 1 months======

2009-09-01 08:25:52 ----D---- C:\WINDOWS\Prefetch
2009-09-01 08:24:59 ----D---- C:\Documents and Settings\All Users\Application Data\Kontiki
2009-09-01 08:22:49 ----D---- C:\Program Files\Mozilla Firefox
2009-09-01 08:14:29 ----D---- C:\WINDOWS\Temp
2009-09-01 08:14:00 ----SD---- C:\WINDOWS\Tasks
2009-09-01 06:03:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-01 00:00:17 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-08-31 20:04:12 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 19:05:40 ----D---- C:\WINDOWS\system32\drivers
2009-08-31 19:05:40 ----D---- C:\WINDOWS\system32
2009-08-31 19:03:56 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-08-31 19:03:49 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-31 18:56:59 ----D---- C:\WINDOWS
2009-08-31 18:56:59 ----A---- C:\WINDOWS\system.ini
2009-08-31 18:54:24 ----D---- C:\WINDOWS\system32\config
2009-08-31 18:53:44 ----D---- C:\WINDOWS\system
2009-08-31 18:52:31 ----D---- C:\WINDOWS\AppPatch
2009-08-31 18:52:23 ----D---- C:\Program Files\Common Files
2009-08-31 18:37:07 ----N---- C:\WINDOWS\system32\eventlog.dll
2009-08-31 18:37:05 ----HD---- C:\WINDOWS\PIF
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\xircom
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\wins
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\ShellExt
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\inetsrv
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\export
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\dhcp
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\3com_dmi
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\3076
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\2052
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1054
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1042
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1041
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1037
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1031
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1028
2009-08-31 18:37:05 ----D---- C:\WINDOWS\system32\1025
2009-08-31 18:37:05 ----D---- C:\WINDOWS\SxsCaPendDel
2009-08-31 18:37:05 ----D---- C:\WINDOWS\occache
2009-08-31 18:37:05 ----D---- C:\WINDOWS\mui
2009-08-31 18:37:05 ----D---- C:\WINDOWS\Motive
2009-08-31 18:37:05 ----D---- C:\WINDOWS\Connection Wizard
2009-08-31 18:37:05 ----D---- C:\WINDOWS\Config
2009-08-31 18:37:05 ----D---- C:\WINDOWS\addins
2009-08-31 18:34:05 ----RASH---- C:\boot.ini
2009-08-30 15:57:00 ----SHD---- C:\WINDOWS\Installer
2009-08-30 15:53:41 ----HD---- C:\Config.Msi
2009-08-29 18:02:07 ----RD---- C:\Program Files
2009-08-29 17:11:50 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-29 17:01:32 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-29 16:20:57 ----D---- C:\WINDOWS\Minidump
2009-08-28 22:52:58 ----HD---- C:\$AVG8.VAULT$
2009-08-28 22:33:10 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-08-25 22:12:17 ----HD---- C:\WINDOWS\inf
2009-08-22 00:55:43 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-08-21 23:35:00 ----D---- C:\Documents and Settings\Tim\Application Data\Adobe
2009-08-19 21:23:08 ----A---- C:\WINDOWS\imsins.BAK
2009-08-18 18:08:10 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-08-16 15:06:56 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-15 09:28:20 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-15 09:28:18 ----RSD---- C:\WINDOWS\assembly
2009-08-15 00:54:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-15 00:53:47 ----D---- C:\WINDOWS\WinSxS
2009-08-15 00:49:35 ----D---- C:\WINDOWS\system32\en-US
2009-08-15 00:49:27 ----RSD---- C:\WINDOWS\Fonts
2009-08-15 00:48:57 ----D---- C:\WINDOWS\system32\spool
2009-08-15 00:45:48 ----D---- C:\Program Files\Internet Explorer
2009-08-12 22:35:41 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-12 22:35:07 ----D---- C:\Program Files\Outlook Express
2009-08-12 21:10:18 ----A---- C:\WINDOWS\NeroDigital.ini
2009-08-12 20:11:08 ----D---- C:\Program Files\ORBITER
2009-08-05 10:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-18 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-02 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-10-12 20747]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\PRISMA02.sys [2006-06-01 357344]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2006-02-08 9856]
R3 portio;winThrottle PortIO Service; C:\WINDOWS\system32\DRIVERS\throttle.sys [2006-06-29 5546]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys [2004-10-19 61312]
R3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys [2004-11-05 82148]
S1 nvport;NVIDIA PORT IO Control Driver; \??\C:\WINDOWS\system32\Drivers\nvport.sys []
S2 CoLinuxDriver;CoLinuxDriver; \??\C:\Program Files\coLinux\linux.sys []
S3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [2004-10-19 20096]
S3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [2004-09-21 10804]
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys [2004-12-01 22488]
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BTHidEnum;Bluetooth HID Enumerator; C:\WINDOWS\system32\DRIVERS\vbtenum.sys [2004-09-21 11604]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 BTNetFilter;Bluetooth Network Filter; \??\C:\WINDOWS\system32\drivers\BTNetFilter.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux); C:\WINDOWS\system32\DRIVERS\tap0801co.sys [2005-05-15 24576]
S3 usb2vcom;USB Data Cable; C:\WINDOWS\system32\DRIVERS\usb2vcom.sys [2005-08-06 28704]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys []
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 KService;KService; C:\Program Files\Kontiki\KService.exe [2007-04-23 3068352]
R2 PRISMSVC;PRISMSVC; C:\WINDOWS\system32\PRISMSVC.EXE [2005-12-22 61526]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
S2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-08-18 908056]
S2 gupdate1c999314d0ec792;Google Update Service (gupdate1c999314d0ec792); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-28 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-21 183280]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-05-03 68096]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


There you go. I think that's all you wanted!

Wish me well for 8 hours of work... :surrender:

Many thanks,

Tim

Information
You posted a fresh RSIT Log.txt ... I need to see Info.txt
C:\RSIT\Info.txt

----------------------------------------------------------------------------------------
Step 1

Download this file Inherit.exe (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) and Save it to your Desktop

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Reset.bat Please save it on your desktop.



@Echo Off
set INHERIT="%UserProfile%\Desktop\Inherit.exe"
If not exist %INHERIT% (@Echo Inherit Not Found&&Pause&&Goto End)
For %%G IN (
"c:\Documents and Settings\Tim\My Documents\Downloads\HiJackThis.exe"
"c:\Program Files\AVG\AVG8\avgcsrvx.exe"
"c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
"c:\Program Files\Spybot - Search & Destroy2\SpybotSD.exe"
"c:\Program Files\Test\SpybotSD.exe"
"c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
"c:\System Volume Information\MountPointManagerRemoteDatabase"
"c:\WINDOWS\system32\dumprep.exe"
) DO (%INHERIT% %%G)
For %%G in (
%UserProfile%\Desktop\Inherit.exe
%UserProfile%\Desktop\Win32kDiag.exe
%UserProfile%\Desktop\Junction.zip
\Junction.exe
) do (
If exist "%%G" Del /q "%%G"
)
:End
RD /s "C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0"
Del /q %0

Double click on Reset.bat

Click OK to any prompts.


----------------------------------------------------------------------------------------
Step 2

You need to empty your Inbox in Thunderbird, and then the Trash folder ..... There are quite a few infected e-mails in there.


----------------------------------------------------------------------------------------
Step 3

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If requested, please reboot
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

C:\RSIT\Info.txt
MalwareBytes log
How are things running now ?

Apologies, Katana. File contents shown below.

Will work on the others now.

Tim

(Had to come home from work early to sort out our mortgage application)




info.txt logfile of random's system information tool 1.06 2009-08-31 20:19:13

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4oD-->MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop CS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Empires III-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Air Traffic Control Center-->MsiExec.exe /I{83E60EE9-35DB-11D5-A55B-00A0CC27E359}
All Media Fixer 8.8-->"C:\Program Files\All Media Fixer\unins000.exe"
Antarctica Scenery 01.04-->C:\Program Files\Condor\Landscapes\Antarctica\Uninstal_Antarctica0104.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI DVD Decoder-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE29663C-9BA7-4D7B-B779-91B5D16BECC2}
AusLogics BoostSpeed-->"C:\Program Files\Auslogics\AusLogics BoostSpeed\unins000.exe"
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BT Home Hub-->C:\Program Files\BT Home Hub\Uninstall.exe
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Chronotron Plug-in for Winamp/WMP 9 (remove only)-->"C:\Program Files\Chronotron Inc\Chronotron\uninst-chronotron.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Condor: The Competition Soaring Simulator 1.1.2-->C:\Program Files\Condor\uninst.exe
Cool Edit 2000-->C:\Program Files\Cool2000\ce2Kunin.exe
Cool Edit 96-->C:\WINDOWS\c96unins.exe C:\WINDOWS\c96unins.log
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DAEMON Tools-->MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
Dangerous Waters-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DCFF5D9C-C618-45C9-A61E-14A6981F28C6}\Setup.exe" Uninstall
DefilerPak 1.22 (Remove Only)-->"C:\Program Files\DefilerPak\UnDefile.exe"
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support 5.0.0 (630)-->rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
Direct Show Ogg Vorbis Filter (remove only)-->"C:\WINDOWS\system32\OggDSuninst.exe"
DivX 4.12 Codec-->"C:\Program Files\DivXCodec\uninstall.exe"
DivXLand Media Subtitler-->C:\WINDOWS\unvise32.exe C:\Program Files\DivXLand\Media Subtitler\uninstal.log
EasternAlps Scenery 2.0-->C:\Program Files\Condor\Landscapes\uninstall_EasternAlps2.0.exe
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Gangsters-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hothouse Creations\Gangsters\Uninst.isu"
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GSpot Codec Information Appliance-->C:\Program Files\GSpot\Uninstall.exe
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Documents and Settings\Tim\My Documents\Downloads\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart, Officejet and Deskjet 7.0.A-->C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Intel(R) PROSet for Wired Connections-->MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Kulch's Space Research Center spaceports, release 2-->"C:\Program Files\ORBITER\unins000.exe"
Local 1-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Local 1\ST5UNST.LOG"
MCU-->MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office FrontPage 2003-->MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003-->MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Speech 5.1-->MsiExec.exe /I{6E43578E-23DB-45EB-8B58-EF5856340DAB}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nero 7 Premium-->MsiExec.exe /I{235BBFC6-D863-4066-A01A-3BD504C31033}
Oxygen Phone Manager II for Nokia phones-->C:\PROGRA~1\OXYGEN~1\OPM2\UNWISE.EXE C:\PROGRA~1\OXYGEN~1\OPM2\INSTALL.LOG
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RadLight MPC DirectShow Filter (remove only)-->"C:\WINDOWS\system32\RadLightMPCUninstall.exe"
Railroad Tycoon 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE29025A-091F-4998-AD2D-24C84421190F}\setup.exe" -l0x9
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rogue Spear-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Red Storm Entertainment\Rogue Spear\Uninst.isu"
SAMSUNG CDMA Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile Composite Device Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 USB Driver Installer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
Samsung PC Studio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS\$NtUninstallKB963093$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Seven-G 1.03.2-->C:\Program Files\Seven-G\uninst.exe
Simon Bergner´s ATC Simulator-->MsiExec.exe /I{EA312C43-6187-11D8-AEFD-00A0CC5F5288}
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Spybot - Search & Destroy-->"C:\Program Files\Test\unins000.exe"
SubtitlesSynch-->C:\Program Files\SubtitlesSynch\uninstall.exe
TMA-->C:\WINDOWS\ST4UNST.EXE -n "C:\Program Files\TMA\ST4UNST.LOG"
Tropico-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{818FB39B-1A57-4F1B-A54D-391C33D6C596}\setup.exe" -l0x9
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
USB 2.0 Wireless LAN Card Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\setup.exe" -l0x9 -L0x9 -removeonly
Video Fixer 3.23-->"C:\Program Files\videofixer\unins000.exe"
VideoLAN VLC media player 0.8.6a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Watermark Factory 2-->"C:\Program Files\Watermark Factory 2\unins000.exe"
WAV MP3 Converter 3.7 build 956-->C:\Program Files\HooTech\WAV_MP3\uninst.exe
WAV MP3 Converter v2.1 build 621-->"C:\Program Files\HooTech\WAVMP3\unins000.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XviD 1.1 final uninstall-->"C:\Program Files\XviD\unins000.exe"

======Security center information======

AV: AVG Anti-Virus Free (disabled)

======System event log======

Computer Name: TIMSCOMPUTER
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Record Number: 28
Source Name: Service Control Manager
Time Written: 20090828205751.000000+060
Event Type: error
User:

Computer Name: TIMSCOMPUTER
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
nvport

Record Number: 21
Source Name: Service Control Manager
Time Written: 20090828205748.000000+060
Event Type: error
User:

Computer Name: TIMSCOMPUTER
Event Code: 7000
Message: The CoLinuxDriver service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 20
Source Name: Service Control Manager
Time Written: 20090828205737.000000+060
Event Type: error
User:

Computer Name: TIMSCOMPUTER
Event Code: 57
Message: The system failed to flush data to the transaction log. Corruption may occur.

Record Number: 3
Source Name: Ftdisk
Time Written: 20090827221001.000000+060
Event Type: warning
User:

Computer Name: TIMSCOMPUTER
Event Code: 23
Message: Printer Auto Canon BJC-2100 on KLAPPRECHNER failed to initialize because a suitable Canon Bubble-Jet BJC-2100 driver could not be found.

Record Number: 2
Source Name: Print
Time Written: 20090827212403.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: TIMSCOMPUTER
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\TIM\DESKTOP\EXPENSES\MARCH 2009 BUDGET.XLS> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Record Number: 23455
Source Name: Windows Search Service
Time Written: 20090412184015.000000+060
Event Type: error
User:

Computer Name: TIMSCOMPUTER
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.0.3372, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 23435
Source Name: Application Hang
Time Written: 20090411222823.000000+060
Event Type: error
User:

Computer Name: TIMSCOMPUTER
Event Code: 1517
Message: Windows saved user TIMSCOMPUTER\Tim registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 23419
Source Name: Userenv
Time Written: 20090411202458.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: TIMSCOMPUTER
Event Code: 1517
Message: Windows saved user TIMSCOMPUTER\Tim registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 23351
Source Name: Userenv
Time Written: 20090409224719.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: TIMSCOMPUTER
Event Code: 1517
Message: Windows saved user TIMSCOMPUTER\Tim registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 23322
Source Name: Userenv
Time Written: 20090407222628.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;c:\program files\ati technologies\ati control panel;c:\program files\common files\roxio shared\dllshared;c:\program files\quicktime\qtsystem;;C:\Program Files\Samsung\Samsung PC Studio 3
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip

-----------------EOF-----------------

Malwarebytes' Anti-Malware 1.40
Database version: 2725
Windows 5.1.2600 Service Pack 3

01/09/2009 15:50:51
mbam-log-2009-09-01 (15-50-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 241538
Time elapsed: 1 hour(s), 14 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmnmttmtnm.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmsxrsqaka.dll.vir (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP779\A0103987.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP779\A0103988.dll (Rootkit.TDSS) -> No action taken.


I'm still not able to access Spybot or HJT and AVG is still partially disabled.

Should that not be the case at this stage?!

Tim

Also, I no longer have Thunderbird installed. Do you happen to know where old Thunderbird emails are stored so that I can delete them manually from their nesting places?!

Tim

-> No action taken.

I'm still not able to access Spybot or HJT and AVG is still partially disabled.

Should that not be the case at this stage?!

Not really, no ?
Did you allow MBAM to remove those items ?




We need to scan the system with Junction again.
Please download Junction.zip (http://download.sysinternals.com/Files/Junction.zip) and save it.
Unzip it and put junction.exe in the main directory ( usually C: )

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.



@Echo Off
If exist "%Temp%\Klog.txt" del /q "%Temp%\Klog.txt"
If exist "%SYSTEMDRIVE%\junction.exe" goto Cont
If exist "%UserProfile%\Desktop\junction.exe" (copy "%UserProfile%\Desktop\junction.exe" "%SYSTEMDRIVE%\junction.exe"&& Goto Cont )
Echo Junction Not Found !! >>"%Temp%\Klog.txt"
Goto End
:Cont
%SYSTEMDRIVE%\junction.exe -s c:\ >"%Temp%\Klog.txt"
:End
"%Temp%\Klog.txt"
del /q "%Temp%\Klog.txt"
del /q %0

Double click on look.bat
Please be patient, as this will search the entire disc

Notepad will open, please copy/paste the results here.

Also, I no longer have Thunderbird installed. Do you happen to know where old Thunderbird emails are stored so that I can delete them manually from their nesting places?!

Tim

Sorry, I didn't see that post.

Don't worry then, I'll remove them in the next stage.

Should junction appear to be hanging without visible progress while it's running?

Been a while!

Tim

I have a sneaky suspicion that Inherit.exe might not have worked - it ran and closed itself very, very, VERY quickly.

Junction still hanging.

Ran junction without the batch file and the report is "No matching files found". Don't know if that's a report, or if it's telling me I'm not using the program correctly! :S

Worked!!


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\Documents and Settings\Tim\My Documents\Downloads\HiJackThis.exe: Access is denied.
.
Failed to open \\?\c:\\Program Files\AVG\AVG8\avgcsrvx.exe: Access is denied.
...
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy2\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Test\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.

Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.

Failed to open \\?\c:\\WINDOWS\system32\dumprep.exe: Access is denied.

Very curious ?
Let's try that again ..

Download this file Inherit.exe (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) and Save it to your Desktop

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Reset.bat Please save it on your desktop.

@Echo Off
set INHERIT="%UserProfile%\Desktop\Inherit.exe"
If not exist %INHERIT% (@Echo Inherit Not Found&&Pause&&Goto End)
For %%G IN (
"c:\Documents and Settings\Tim\My Documents\Downloads\HiJackThis.exe"
"c:\Program Files\AVG\AVG8\avgcsrvx.exe"
"c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
"c:\Program Files\Spybot - Search & Destroy2\SpybotSD.exe"
"c:\Program Files\Test\SpybotSD.exe"
"c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
"c:\System Volume Information\MountPointManagerRemoteDatabase"
"c:\WINDOWS\system32\dumprep.exe"
) DO (%INHERIT% %%G)
:End
Del /q %0

Double click on Reset.bat

Click OK to any prompts.

Try now.

Sorted!!

Worked that time... Strange...

I haven't yet tried to run Spybot or HJT ... I wonder if they'll be blocked again??

Tim

I haven't yet tried to run Spybot or HJT ... I wonder if they'll be blocked again??

They should be fine now.



OTMoveIt
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop

Double-click OTM.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )



:Processes
:Files
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\*.*
C:\Documents and Settings\Tim\Application Data\Thunderbird
:Commands
[Purity]
[EmptyTemp]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTM


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

OTMoveIt Log
A HJT Log
How are things running now ?


---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
Additional Notes

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download Java SE Runtime Environment (JRE) (http://java.sun.com/javase/downloads/index.jsp). ( don't install it yet )

Scroll down to where it says "Java SE Runtime Environment (JRE)".
Click the "Download" button to the right.
Platform = Windows Language = Multi Language
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Now download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Now install the Java SE Runtime Environment (JRE) package you downloaded
(it comes with a toolbar pre-selected, so make sure you uncheck the box)

You can delete JavaRa (zip and exe)

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
Click Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

That program looks pretty severe!! Like a computer style detox :S

Where has it 'moved' those files to?

Other info coming soon.

Tim



All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AcuteScroller.jar-2fafd47-77333edb.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AcuteScroller.jar-2fafd47-77333edb.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AdBannerDeploy.jar-7ce6e1c7-374649f4.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AdBannerDeploy.jar-7ce6e1c7-374649f4.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AdBannerDeploy.jar-eb59cb-7c2527b4.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AdBannerDeploy.jar-eb59cb-7c2527b4.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnFade.jar-50486846-4fd80384.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnFade.jar-50486846-4fd80384.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnFade.jar-77b707bd-44ee40ff.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnFade.jar-77b707bd-44ee40ff.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnFade.jar-7c9365b8-48f7d823.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnFade.jar-7c9365b8-48f7d823.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnLake.jar-4fb8cb89-2a0adf29.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnLake.jar-4fb8cb89-2a0adf29.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnLens.jar-16e854ef-5c2571ec.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnLens.jar-16e854ef-5c2571ec.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnLens.jar-5b868abe-645abfe6.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnLens.jar-5b868abe-645abfe6.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnWater.jar-63bd0562-7773e797.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\AnWater.jar-63bd0562-7773e797.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\apPopupMenu.jar-4711b79d-6ec8caf6.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\apPopupMenu.jar-4711b79d-6ec8caf6.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\BombMap.jar-5b215a5d-7417ba9c.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\BombMap.jar-5b215a5d-7417ba9c.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ChatAppletUser.jar-7f244e06-269a5374.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ChatAppletUser.jar-7f244e06-269a5374.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\com.objectplanet.NewsTicker.jar-13964058-4db12d21.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\com.objectplanet.NewsTicker.jar-13964058-4db12d21.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cortado.jar-145c4a10-5bb30bb6.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cortado.jar-145c4a10-5bb30bb6.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-409f7e24-468a1e0f.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\designonline.jar-4f915116-65e3bf9e.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\designonline.jar-4f915116-65e3bf9e.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\FacebookPhotoUploader.jar-2cce3b73-20bd8b99.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\FacebookPhotoUploader.jar-2cce3b73-20bd8b99.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\FacebookPhotoUploader5.jar-62950ace-69a68555.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\FacebookPhotoUploader5.jar-62950ace-69a68555.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\FaceMorphLib.jar-2e869252-13cef101.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\FaceMorphLib.jar-2e869252-13cef101.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Flirt4FreeLiveApplet.jar-21fe1581-52e96bcc.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Flirt4FreeLiveApplet.jar-21fe1581-52e96bcc.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\holomatix.jar-18542e8-495dca85.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\holomatix.jar-18542e8-495dca85.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\holomatix.jar-6799bdf0-23398a02.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\holomatix.jar-6799bdf0-23398a02.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\HueSelector.jar-6d89bfa2-3ad14721.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\HueSelector.jar-6d89bfa2-3ad14721.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\IpixViewer.jar-19273be9-6e8518fe.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\IpixViewer.jar-19273be9-6e8518fe.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\IpixViewer.jar-2bd5941d-1d5ab28c.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\IpixViewer.jar-2bd5941d-1d5ab28c.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jl020.jar-19dbad05-6b409048.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jl020.jar-19dbad05-6b409048.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-7f59ffa9.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-7f59ffa9.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5404ed29-50dd3b84.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5404ed29-50dd3b84.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-552c06e3-790ce436.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-552c06e3-790ce436.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-370e62de.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-370e62de.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-41ecdfa2.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-41ecdfa2.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-39536c18-59422dbc.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-39536c18-59422dbc.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-56150ada-11d1352f.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-56150ada-11d1352f.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\kos-main.jar-a28c4e6-3ce280df.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\kos-main.jar-a28c4e6-3ce280df.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\kt4.jar-6345c8ef-4a55ab4a.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\kt4.jar-6345c8ef-4a55ab4a.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\map24portal_2006_NT_EUROPE_3.5_en-DE.zip-ef74bb-7ebcbf65.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\map24portal_2006_NT_EUROPE_3.5_en-DE.zip-ef74bb-7ebcbf65.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\map24portal_blue_NT_EUROPE_en-UK.zip-7a7af145-55d3b774.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\map24portal_blue_NT_EUROPE_en-UK.zip-7a7af145-55d3b774.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\molle.jar-6f3ffa28-6dba3aae.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\molle.jar-6f3ffa28-6dba3aae.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-3847f8dc-7f80a030.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\newdebtclk.jar-1f5e57a7-723180e8.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\newdebtclk.jar-1f5e57a7-723180e8.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-2d9beeb4-7caf9c0f.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\PlotUK006.jar-ffa0c5f-1af22de5.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\PlotUK006.jar-ffa0c5f-1af22de5.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\preload.jar-2424f66c-3d4300ab.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\preload.jar-2424f66c-3d4300ab.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\preload.jar-697d5eb4-7d946e65.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\preload.jar-697d5eb4-7d946e65.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ptviewer.jar-2114602b-6ce464f7.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ptviewer.jar-2114602b-6ce464f7.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\rac_NT_EUROPE_en.zip-44cc435f-77e534d0.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\rac_NT_EUROPE_en.zip-44cc435f-77e534d0.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\rtv.jar-5e125f49-1c3f78d5.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\rtv.jar-5e125f49-1c3f78d5.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Scroller.jar-5e299250-2945847c.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Scroller.jar-5e299250-2945847c.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\SlickTree.jar-6185745b-47f684b7.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\SlickTree.jar-6185745b-47f684b7.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\speedtest.jar-384cac2a-2c13f23a.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\speedtest.jar-384cac2a-2c13f23a.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\TextScroll.jar-21b34a9f-2431c370.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\TextScroll.jar-21b34a9f-2431c370.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\tinyplayer.jar-33f22c36-1e14e02b.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\tinyplayer.jar-33f22c36-1e14e02b.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\webeq.jar-7bfe8004-1d0cca50.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\webeq.jar-7bfe8004-1d0cca50.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\wt1.jar-4ac79958-3d1b9690.idx moved successfully.
C:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\wt1.jar-4ac79958-3d1b9690.zip moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\mail.misemusic.com moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\Local Folders moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail\127.0.0.1 moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\Mail moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\ImapMail\student-imap-srv.bris.ac.uk\INBOX.sbd moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\ImapMail\student-imap-srv.bris.ac.uk moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\ImapMail moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default\extensions moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles\n59ep3cy.default moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird\Profiles moved successfully.
C:\Documents and Settings\Tim\Application Data\Thunderbird moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 735314 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Tim
->Temp folder emptied: 79678174 bytes
->Temporary Internet Files folder emptied: 16458497 bytes
->Java cache emptied: 10634900 bytes
->FireFox cache emptied: 100148793 bytes
->Google Chrome cache emptied: 120194549 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 3717137 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 316.29 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09012009_201147

Files moved on Reboot...

Registry entries deleted on Reboot...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:49, on 01/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Test\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Test\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Test\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Test\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Test\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspwfp.dll' missing
O15 - Trusted Zone: http://*.xpert.adecco.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145652825717
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c999314d0ec792) (gupdate1c999314d0ec792) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--
End of file - 8174 bytes

Pretty damn well now, thank you... :)

How the hell do you learn all this??

Is there any way of making a donation to this service?!

Tim

Java and Foxit now installed, also.

1) Where has it 'moved' those files to?
2) How the hell do you learn all this??
3) Is there any way of making a donation to this service?!


1) To a backup folder that we will remove shortly.
2) MalwareRemoval.com --- it's an online school for learning this.
3) http://www.safer-networking.org/en/donate/index.html


----------------------------------------------------------------------------------------
Step 1

LSP-Fix
Download LSP-Fix from the following link and save it to your desktop.
LSP-Fix Download Link (http://www.bleepingcomputer.com/files/lspfix.php)
Extract the zip folder to your desktop.
Open the new folder LspFix and double click LSPFix.exe
Put a tick in the "I know what I'm doing" box
Highlight lspwfp.dll[b] and click the [b]>> button to move it to the Remove window (If it is already there, don't worry)
(if the file appears more than once repeat for each instance)
click on the finish button
click OK
Now reboot your PC



----------------------------------------------------------------------------------------
Step 2

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Test\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Test\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Please post a fresh HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:58:45, on 01/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.xpert.adecco.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145652825717
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c999314d0ec792) (gupdate1c999314d0ec792) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE

--
End of file - 7062 bytes

Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up



Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png




Uninstall OTMoveIt (OTM.exe)
Open OTMoveIt Click Cleanup,
When a box pops up click YES.


You can also delete any logs we have produced and any other tools we have downloaded.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

Katana,

Thank you so very much for all your help - it's very much appreciated.

I've donated £10 to 'der Spybot Welt'. Not much, but symbolic for me, as I'm not generally a big donater.

I'm off to Italy for work for the next couple of days, but I will most certainly thereafter install some more of your recommended applications. Been relying on Spybot and AVG mostly - should get some more protection.

Thanks again, and good luck for the future,

Tim

I've donated £10 to 'der Spybot Welt'. Not much, but symbolic for me, as I'm not generally a big donater.


That is much appreciated,

I'm sure I speak for all the Spybot Team when I say Thank You

:thanks: