Win32 patched.cg [Archive] - Safer-Networking Forums

geedee137

2010-06-06, 19:21

Hi again - this is a re thread from 25/5/2010 - sorry I couldn't respond to your reply within the 3 days - was away from home unexpectedly.
http://forums.spybot.info/showthread.php?t=57555

Here are the logs you need
DDS (Ver_10-03-17.01) - NTFSx86
Run by Graham Davies at 15:49:44.04 on 06/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.510.97 [GMT 1:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\NETGEAR\WG511v2\WG511v2.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Graham Davies.GRAHAM-0976B11A\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Motive SmartBridge] c:\progra~1\btbroa~2\smartb~1\BTHelpNotifier.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [WMC_0] c:\windows\system32\cmd.exe /c """""c:\windows\inf\unregmp2.exe"" /ShowWMP"""
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg511v2\WG511v2.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Super%20Collapse!%20II/Images/stg_drm.ocx
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Super%20Collapse!%20II/Images/armhelper.ocx
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://skyonline.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {73B5FFDD-5DC2-4C35-99B6-521DAF6F6B3B} = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
LSA: Notification Packages = scecli dpryprt.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-8 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-8 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-8 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-8 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-8 242896]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-4 308064]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-3-4 5888008]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-20 55656]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-8 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-8 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-8 26120]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-10-23 200192]
S1 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S2 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

=============== Created Last 30 ================

==================== Find3M ====================

2010-06-01 16:57:13 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-09 20:48:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2007-05-24 14:58:00 249856 ----a-w- c:\windows\inf\wg511v2\InsDrv2k.exe
2006-12-04 11:38:30 53248 ----a-w- c:\windows\inf\wg511v2\snetcfg .exe
2006-12-04 11:38:30 265984 ----a-w- c:\windows\inf\wg511v2\WG511v2XP.sys
2006-12-04 11:38:30 249856 ----a-w- c:\windows\inf\wg511v2\InsDrvlh.exe
2006-12-04 11:38:30 21376 ----a-w- c:\windows\inf\wg511v2\wlndis51.sys
2006-12-04 11:38:30 212992 ----a-w- c:\windows\inf\wg511v2\CopyWHQLDriver.exe
2008-10-04 23:01:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 15:51:08.32 ===============

ComboFix 10-06-05.02 - Graham Davies 06/06/2010 16:21:09.3.1 - x86
Running from: c:\documents and settings\Graham Davies.GRAHAM-0976B11A\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Graham Davies.GRAHAM-0976B11A\FgYFzJ.exe
c:\documents and settings\Graham Davies.GRAHAM-0976B11A\System
c:\documents and settings\Graham Davies.GRAHAM-0976B11A\System\win_qs8.jqx
C:\Thumbs.db
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\system
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS

((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 15:10 . 2005-05-12 04:07 -------- d-----w- c:\program files\Google
2010-06-06 14:47 . 2008-07-06 00:10 -------- d-----w- c:\documents and settings\Graham Davies.GRAHAM-0976B11A\Application Data\uTorrent
2010-06-06 14:27 . 2006-10-22 23:16 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-06 14:25 . 2008-11-02 16:39 -------- d-----w- c:\program files\NCH Swift Sound
2010-06-06 14:23 . 2005-11-11 19:00 -------- d-----w- c:\program files\QuickTime
2010-06-06 14:11 . 2009-11-24 22:12 -------- d-----w- c:\documents and settings\Graham Davies.GRAHAM-0976B11A\Application Data\Amazon
2010-06-06 14:11 . 2008-09-04 21:23 -------- d-----w- c:\program files\Amazon
2010-06-06 14:10 . 2005-10-08 16:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-06 14:07 . 2009-10-18 17:13 -------- d-----w- c:\program files\ABC Amber Audio Converter
2010-06-01 16:58 . 2010-06-01 16:58 242896 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgtdix.sys
2010-06-01 16:58 . 2010-06-01 16:58 29512 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 16:57 . 2009-11-08 14:45 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 16:57 . 2009-11-08 14:44 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-24 22:56 . 2010-05-24 22:56 -------- d-----w- c:\program files\ERUNT
2010-05-06 17:05 . 2009-11-09 22:00 -------- d-----w- c:\program files\RegCure
2010-04-15 17:12 . 2006-10-26 19:39 -------- d-----w- c:\documents and settings\Graham Davies.GRAHAM-0976B11A\Application Data\Apple Computer
2010-04-13 20:00 . 2010-04-13 19:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-13 20:00 . 2009-11-08 11:40 -------- d-----w- c:\program files\iTunes
2010-04-13 19:58 . 2005-05-12 04:08 -------- d-----w- c:\program files\iPod
2010-04-13 19:58 . 2007-06-30 15:02 -------- d-----w- c:\program files\Common Files\Apple
2010-04-13 19:39 . 2010-04-13 19:39 -------- d-----w- c:\program files\Bonjour
2010-04-13 19:23 . 2010-04-13 19:23 73000 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

<pre>
c:\windows\inf\WG511v2\snetcfg .exe
</pre>------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[-] 2004-08-04 12:00 . CF3B538C6256F4F64FB8AB78699177C4 . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-08 543232]
"Motive SmartBridge"="c:\progra~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
NETGEAR WG511v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG511v2\WG511v2.exe [2007-6-26 1499136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-04 18:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [08/11/2009 15:45 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [08/11/2009 15:45 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/11/2009 15:44 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/11/2009 15:45 242896]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [04/03/2010 19:26 308064]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [04/03/2010 19:26 5888008]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [08/11/2009 15:41 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [08/11/2009 15:41 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [08/11/2009 15:41 26120]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [23/10/2006 21:35 200192]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-06-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-04-29 18:43]

2010-06-06 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2010-04-29 18:43]

2010-04-04 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-04-29 18:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
TCP: {73B5FFDD-5DC2-4C35-99B6-521DAF6F6B3B} = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 16:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????h?k??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\WININET.dll
c:\progra~1\BTBROA~2\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\Shared\hpqwmi.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgscanx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-06-06 17:07:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-06 16:07
ComboFix2.txt 2009-10-20 00:03
ComboFix3.txt 2009-10-19 20:50

Pre-Run: 46,079,815,680 bytes free
Post-Run: 46,294,745,088 bytes free

- - End Of File - - 5D694E8B449D2A81E18E99AA1E00E918

Blade81

2010-06-10, 13:58

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
Folder::
c:\documents and settings\Graham Davies.GRAHAM-0976B11A\Application Data\uTorrent
RenV::
c:\windows\inf\WG511v2\snetcfg .exe
FCopy::
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys|c:\windows\system32\drivers\atapi.sys

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).

Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

geedee137

2010-06-10, 23:07

C:\Qoobox\Quarantine\C\Documents and Settings\Graham Davies.GRAHAM-0976B11A\FgYFzJ.exe.vir a variant of Win32/Injector.BJE trojan
C:\System Volume Information\_restore{F5340FAC-DF54-4810-85AC-2CFB37F58F52}\RP179\A0071457.exe a variant of Win32/Injector.BJE trojan
C:\WINDOWS\system32\drivers\atapi.sys Win32/Olmarik.VM trojan

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 22/11/2009 14:41:52
System Uptime: 06/10/2010 17:45:58 (-2829 hours ago)

Motherboard: Hewlett-Packard | | 3085
Processor: AMD Athlon(tm) 64 Processor 3200+ | U23 | 1790/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 42.932 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: ATI SMBus
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_3085103C&REV_10\3&13C0B0C5&0&A0
Manufacturer: ATI Technologies Inc
Name: ATI SMBus
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_3085103C&REV_10\3&13C0B0C5&0&A0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1355103C&REV_02\4&13826118&0&10A4
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1355103C&REV_02\4&13826118&0&10A4
Service:

==== System Restore Points ===================

RP81: 09/03/2010 00:29:01 - System Checkpoint
RP82: 09/03/2010 19:22:16 - Avg Update
RP83: 12/03/2010 00:47:33 - Software Distribution Service 3.0
RP84: 12/03/2010 18:44:06 - RegCure Backup
RP85: 13/03/2010 11:43:47 - RegCure Backup
RP86: 15/03/2010 00:01:52 - RegCure Backup
RP87: 15/03/2010 18:27:30 - RegCure Backup
RP88: 16/03/2010 19:30:29 - Avg Update
RP89: 17/03/2010 01:06:57 - Software Distribution Service 3.0
RP90: 18/03/2010 23:58:23 - RegCure Backup
RP91: 20/03/2010 14:17:05 - RegCure Backup
RP92: 22/03/2010 23:59:22 - System Checkpoint
RP93: 01/04/2010 20:48:01 - Avg Update
RP94: 01/04/2010 20:49:25 - Avg Update
RP95: 02/04/2010 02:30:28 - Software Distribution Service 3.0
RP96: 02/04/2010 16:29:45 - RegCure Backup
RP97: 02/04/2010 17:57:36 - Restore Operation
RP98: 02/04/2010 18:03:21 - Restore Operation
RP99: 02/04/2010 18:09:28 - Restore Operation
RP100: 02/04/2010 18:15:39 - Restore Operation
RP101: 02/04/2010 18:31:36 - Restore Operation
RP102: 04/04/2010 01:22:15 - Avg Update
RP103: 04/04/2010 13:16:53 - Restore Operation
RP104: 04/04/2010 13:32:20 - Avg Update
RP105: 04/04/2010 13:48:57 - RegCure Backup
RP106: 05/04/2010 13:06:56 - Unsigned printer driver HP PSC 1400 series installed.
RP107: 05/04/2010 19:15:15 - Unsigned printer driver HP PSC 1400 series installed.
RP108: 06/04/2010 17:51:53 - Unsigned printer driver HP PSC 1400 series installed.
RP109: 11/04/2010 01:41:29 - System Checkpoint
RP110: 12/04/2010 23:48:22 - System Checkpoint
RP111: 13/04/2010 20:37:49 - Removed Apple Application Support
RP112: 13/04/2010 20:42:16 - Removed Apple Mobile Device Support
RP113: 14/04/2010 01:17:47 - Software Distribution Service 3.0
RP114: 16/04/2010 01:15:54 - System Checkpoint
RP115: 16/04/2010 08:11:37 - Software Distribution Service 3.0
RP116: 17/04/2010 01:26:44 - Software Distribution Service 3.0
RP117: 17/04/2010 17:14:44 - Software Distribution Service 3.0
RP118: 19/04/2010 01:14:40 - Software Distribution Service 3.0
RP119: 19/04/2010 18:35:01 - Avg Update
RP120: 19/04/2010 18:42:07 - Avg Update
RP121: 20/04/2010 00:18:12 - Removed Google Earth.
RP122: 20/04/2010 01:49:03 - Software Distribution Service 3.0
RP123: 21/04/2010 01:38:13 - Software Distribution Service 3.0
RP124: 23/04/2010 00:40:51 - System Checkpoint
RP125: 23/04/2010 01:50:16 - Software Distribution Service 3.0
RP126: 24/04/2010 01:25:43 - Software Distribution Service 3.0
RP127: 24/04/2010 08:57:17 - Software Distribution Service 3.0
RP128: 27/04/2010 00:50:35 - Software Distribution Service 3.0
RP129: 28/04/2010 01:08:51 - Software Distribution Service 3.0
RP130: 29/04/2010 00:46:21 - Software Distribution Service 3.0
RP131: 30/04/2010 18:06:07 - Avg Update
RP132: 01/05/2010 01:25:55 - Software Distribution Service 3.0
RP133: 01/05/2010 12:19:35 - Software Distribution Service 3.0
RP134: 01/05/2010 16:18:20 - Software Distribution Service 3.0
RP135: 01/05/2010 22:47:58 - RegCure Backup
RP136: 02/05/2010 03:00:30 - Software Distribution Service 3.0
RP137: 02/05/2010 03:04:58 - Software Distribution Service 3.0
RP138: 03/05/2010 02:16:12 - Software Distribution Service 3.0
RP139: 04/05/2010 02:05:23 - Software Distribution Service 3.0
RP140: 05/05/2010 02:09:57 - Software Distribution Service 3.0
RP141: 06/05/2010 18:06:47 - Avg Update
RP142: 07/05/2010 01:53:34 - Software Distribution Service 3.0
RP143: 08/05/2010 02:32:33 - Software Distribution Service 3.0
RP144: 08/05/2010 12:36:32 - Removed Google Earth.
RP145: 09/05/2010 03:00:35 - Software Distribution Service 3.0
RP146: 10/05/2010 01:11:37 - Software Distribution Service 3.0
RP147: 10/05/2010 20:38:28 - Installed iPod for Windows 2005-06-26
RP148: 11/05/2010 00:51:06 - Software Distribution Service 3.0
RP149: 11/05/2010 19:25:11 - Unsigned printer driver HP PSC 1400 series installed.
RP150: 12/05/2010 01:21:36 - Software Distribution Service 3.0
RP151: 14/05/2010 00:53:14 - System Checkpoint
RP152: 14/05/2010 01:09:02 - Software Distribution Service 3.0
RP153: 15/05/2010 02:18:05 - Software Distribution Service 3.0
RP154: 16/05/2010 01:11:01 - Software Distribution Service 3.0
RP155: 17/05/2010 00:59:35 - Software Distribution Service 3.0
RP156: 18/05/2010 01:15:50 - System Checkpoint
RP157: 18/05/2010 01:22:33 - Software Distribution Service 3.0
RP158: 19/05/2010 01:31:49 - Software Distribution Service 3.0
RP159: 22/05/2010 21:25:58 - RegCure Backup
RP160: 23/05/2010 01:23:50 - Software Distribution Service 3.0
RP161: 24/05/2010 01:07:17 - Software Distribution Service 3.0
RP162: 25/05/2010 01:06:17 - Software Distribution Service 3.0
RP163: 26/05/2010 00:54:20 - Software Distribution Service 3.0
RP164: 27/05/2010 20:59:48 - System Checkpoint
RP165: 28/05/2010 00:43:04 - Software Distribution Service 3.0
RP166: 28/05/2010 21:22:49 - Installed Windows Media Player 10
RP167: 28/05/2010 21:28:05 - Software Distribution Service 3.0
RP168: 29/05/2010 01:40:55 - Software Distribution Service 3.0
RP169: 30/05/2010 02:18:39 - Software Distribution Service 3.0
RP170: 30/05/2010 13:41:48 - Software Distribution Service 3.0
RP171: 31/05/2010 16:36:31 - System Checkpoint
RP172: 01/06/2010 00:55:57 - Software Distribution Service 3.0
RP173: 01/06/2010 17:57:50 - Avg Update
RP174: 02/06/2010 01:13:46 - Software Distribution Service 3.0
RP175: 06/06/2010 13:52:25 - Software Distribution Service 3.0
RP176: 06/06/2010 14:51:12 - Unsigned printer driver HP PSC 1400 series installed.
RP177: 06/06/2010 15:09:49 - Removed Adobe Reader 8.2.0
RP178: 06/06/2010 15:15:03 - Removed Google Earth.
RP179: 06/06/2010 15:22:17 - Removed QuickTime
RP180: 07/06/2010 01:12:50 - Software Distribution Service 3.0
RP181: 08/06/2010 00:54:42 - Software Distribution Service 3.0
RP182: 10/06/2010 18:13:16 - Installed Adobe Reader 9.3.

==== Installed Programs ======================

1400
1400_Help
1400Trb
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Reader 9.3
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI Display Driver
AVG 9.0
Bonjour
BufferChm
Compaq Presario r4000 User Guides
Conexant AC-Link Audio
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
Data Fax SoftModem with SmartCP
Destinations
Director
DocProc
DocumentViewer
ERUNT 1.1j
ESET Online Scanner v3
Fax
Google Earth
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Help and Support
HP Image Zone 4.7
HP Pavillion zv6000 User Guides
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Update
HP Wireless Assistant 1.01 A3
HPSystemDiagnostics
InstantShare
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
iTunes
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NETGEAR WG511v2 wireless PC card
OpenMG Secure Module 4.3.00
PanoStandAlone
PhotoGallery
Picasa 3
ProductContext
QFolder
Quick Launch Buttons 5.10 B3
Readme
RegCure
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB980232)
SkinsHP1
Sky Broadband
Super Collapse! II
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
TrayApp
Unload
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
UserGuides
WebFldrs XP
WebReg
Winamp Toolbar for Firefox
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Mail
Windows Media Format 11 runtime
Windows Media Player 11

==== Event Viewer Messages From Past Week ========

06/06/2010 15:29:01, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows User Mode Driver Framework service to connect.
06/06/2010 15:29:01, error: Service Control Manager [7000] - The Windows User Mode Driver Framework service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
06/06/2010 14:01:33, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007f0f4: Security Update for Windows XP (KB979683).
05/06/2010 12:09:38, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio
05/06/2010 12:09:13, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The system cannot find the file specified.
05/06/2010 12:09:13, error: Service Control Manager [7000] - The Avira AntiVir Scheduler service failed to start due to the following error: The system cannot find the path specified.
05/06/2010 12:09:13, error: Service Control Manager [7000] - The Avira AntiVir Guard service failed to start due to the following error: The system cannot find the path specified.

==== End Of File ===========================

DDS (Ver_10-03-17.01) - NTFSx86
Run by Graham Davies at 20:56:39.78 on 10/06/2010
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG511v2\WG511v2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Graham Davies.GRAHAM-0976B11A\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k getPlusHelper

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [Motive SmartBridge] c:\progra~1\btbroa~2\smartb~1\BTHelpNotifier.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Super%20Collapse!%20II/Images/stg_drm.ocx
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Super%20Collapse!%20II/Images/armhelper.ocx
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://skyonline.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {73B5FFDD-5DC2-4C35-99B6-521DAF6F6B3B} = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R? AntiVirSchedulerService;Avira AntiVir Scheduler
R? AntiVirService;Avira AntiVir Guard
R? avgio;avgio
S? avg9wd;AVG WatchDog
S? AVGIDSAgent;AVG9IDSAgent
S? AVGIDSDriverxpx;AVG9IDSDriver
S? AVGIDSErHrxpx;AVG9IDSErHr
S? AVGIDSFilterxpx;AVG9IDSFilter
S? AVGIDSShimxpx;AVG9IDSShim
S? AvgLdx86;AVG AVI Loader Driver x86
S? AvgMfx86;AVG On-access Scanner Minifilter Driver x86
S? avgntflt;avgntflt
S? AvgRkx86;avgrkx86.sys
S? AvgTdiX;AVG Network Redirector
S? HSFHWATI;HSFHWATI

=============== Created Last 30 ================

2010-06-10 18:08:11 0 d-----w- c:\program files\ESET
2010-06-10 17:00:43 0 d-----w- C:\ComboFix
2010-06-06 15:15:19 77312 ----a-w- c:\windows\MBR.exe

==================== Find3M ====================

2010-06-01 16:57:13 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-26 14:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-04-09 20:48:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2007-05-24 14:58:00 249856 ----a-w- c:\windows\inf\wg511v2\InsDrv2k.exe
2006-12-04 11:38:30 53248 ----a-w- c:\windows\inf\wg511v2\snetcfg .exe
2006-12-04 11:38:30 265984 ----a-w- c:\windows\inf\wg511v2\WG511v2XP.sys
2006-12-04 11:38:30 249856 ----a-w- c:\windows\inf\wg511v2\InsDrvlh.exe
2006-12-04 11:38:30 21376 ----a-w- c:\windows\inf\wg511v2\wlndis51.sys
2006-12-04 11:38:30 212992 ----a-w- c:\windows\inf\wg511v2\CopyWHQLDriver.exe
2008-10-04 23:01:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 20:58:04.65 ===============

DDS (Ver_10-03-17.01) - NTFSx86
Run by Graham Davies at 20:56:39.78 on 10/06/2010
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG511v2\WG511v2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Graham Davies.GRAHAM-0976B11A\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k getPlusHelper

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [Motive SmartBridge] c:\progra~1\btbroa~2\smartb~1\BTHelpNotifier.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Super%20Collapse!%20II/Images/stg_drm.ocx
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Super%20Collapse!%20II/Images/armhelper.ocx
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://skyonline.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {73B5FFDD-5DC2-4C35-99B6-521DAF6F6B3B} = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R? AntiVirSchedulerService;Avira AntiVir Scheduler
R? AntiVirService;Avira AntiVir Guard
R? avgio;avgio
S? avg9wd;AVG WatchDog
S? AVGIDSAgent;AVG9IDSAgent
S? AVGIDSDriverxpx;AVG9IDSDriver
S? AVGIDSErHrxpx;AVG9IDSErHr
S? AVGIDSFilterxpx;AVG9IDSFilter
S? AVGIDSShimxpx;AVG9IDSShim
S? AvgLdx86;AVG AVI Loader Driver x86
S? AvgMfx86;AVG On-access Scanner Minifilter Driver x86
S? avgntflt;avgntflt
S? AvgRkx86;avgrkx86.sys
S? AvgTdiX;AVG Network Redirector
S? HSFHWATI;HSFHWATI

=============== Created Last 30 ================

2010-06-10 18:08:11 0 d-----w- c:\program files\ESET
2010-06-10 17:00:43 0 d-----w- C:\ComboFix
2010-06-06 15:15:19 77312 ----a-w- c:\windows\MBR.exe

==================== Find3M ====================

2010-06-01 16:57:13 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-26 14:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-04-09 20:48:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2007-05-24 14:58:00 249856 ----a-w- c:\windows\inf\wg511v2\InsDrv2k.exe
2006-12-04 11:38:30 53248 ----a-w- c:\windows\inf\wg511v2\snetcfg .exe
2006-12-04 11:38:30 265984 ----a-w- c:\windows\inf\wg511v2\WG511v2XP.sys
2006-12-04 11:38:30 249856 ----a-w- c:\windows\inf\wg511v2\InsDrvlh.exe
2006-12-04 11:38:30 21376 ----a-w- c:\windows\inf\wg511v2\wlndis51.sys
2006-12-04 11:38:30 212992 ----a-w- c:\windows\inf\wg511v2\CopyWHQLDriver.exe
2008-10-04 23:01:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 20:58:04.65 ===============

Blade81

2010-06-11, 08:31

Hi,

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe and wait for the process to finish.
3. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)

geedee137

2010-06-11, 21:06

TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.3.2.0 May 31 2010 10:39:48

Scanning Services ...

Scanning Drivers ...
File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... will b
e cured on next reboot

Completed

Results:
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1

To finalize removal of infection and avoid loosing of data program will
reboot your PC now.
Close all programs and choose Y to restart or N to continue

geedee137

2010-06-11, 21:17

TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.3.2.0 May 31 2010 10:39:48

Scanning Services ...

Scanning Drivers ...

Completed

Results:
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 0 / 0 / 0

Press any key to continue . . .

Blade81

2010-06-11, 21:54

Good. How's the system running now?

geedee137

2010-06-13, 03:15

all appears to be resolved

many thanks for your help

GEEDEE

Blade81

2010-06-13, 13:35

You're welcome :)

It's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK

Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool: