Win32.Agent.pz not being removed by Spybot

Open HijackThis, click "Do a system scan only" and checkmark these:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\pavuppad.exe,
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL


Close all windows including browser and press fix checked.

Reboot.

Delete if present:

C:\WINDOWS\system32\pavuppad.exe

Empty Recycle Bin.

Post back a fresh HijackThis log, please.
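The entries ticked above are each picked for a reason a checker can encode: a ProxyServer pointing at the machine's own loopback port, a second executable appended to UserInit, O2/O3 registrations whose DLL no longer exists, and a Run entry that is a bare token with no path. The following Python script is an added example, not part of the thread or of HijackThis; the sample lines are copied from the posts above plus three benign entries from the poster's log, and the reason codes are my own naming.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the six entries flagged in the first post, plus three entries
# from the poster's own log that a checker must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\pavuppad.exe,
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
"""

LOOPBACK = ("localhost", "127.0.0.1")


def check_proxy(line: str) -> Optional[str]:
    """R1 ProxyServer pointing at the machine itself: IE traffic is routed through
    a local listener (localhost:7171 in this thread) before it leaves the box."""
    m = re.search(r"Internet Settings,ProxyServer = (.+)$", line)
    if m and any(host in m.group(1).lower() for host in LOOPBACK):
        return "loopback-proxy"
    return None


def check_userinit(line: str) -> Optional[str]:
    """F2 UserInit: Winlogon starts every comma-separated program listed here at
    logon. Only userinit.exe belongs; anything else is an extra logon launcher."""
    m = re.search(r"UserInit=(.+)$", line)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if e.lower().split("\\")[-1] != "userinit.exe"]
    return "extra-userinit" if extra else None


def check_orphan(line: str) -> Optional[str]:
    """O2/O3 registrations whose DLL is gone: inert now, but dead entries are
    cleanup candidates and often leftovers of a removal or uninstall."""
    if line.startswith(("O2 ", "O3 ")) and line.rstrip().endswith(("(no file)", "(file missing)")):
        return "orphaned-bho"
    return None


def check_run_entry(line: str) -> Optional[str]:
    """O4 Run values that give neither a path nor an executable file name: a bare
    token such as SYS32DLL is resolved via the search path, not a known program."""
    m = re.search(r"^O4 - .*?\\Run: \[[^\]]*\] (.+)$", line)
    if not m:
        return None
    target = m.group(1).strip().strip('"').split()[0]
    if "\\" not in target and not re.search(r"\.(exe|dll|cmd|bat)$", target, re.I):
        return "bare-run-entry"
    return None


CHECKS = (check_proxy, check_userinit, check_orphan, check_run_entry)


def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every HijackThis line that trips a check;
    the first matching check wins, so each line is reported once."""
    findings = []
    for line in log_text.strip().splitlines():
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append((reason, line))
                break
    return findings


if __name__ == "__main__":
    for reason, line in analyze(SAMPLE_LOG):
        print(f"{reason:16} {line}")
```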
 
Hi Shaba,
I was unable to delete the file either in normal mode or in safe mode: message 'Cannot delete - being used by another person or program'.
Current situation after rebooting and attempting to delete the file is this:
- When I boot in normal mode, the following happens, in this order:
1. A message saying ifrmewrk.exe application error - the application failed to initialize properly (0xc0000142). Click OK to terminate.
2. SpywareGuard Browser Protection alert: An attempt to change Internet Explorer settings has been detected. Your Internet Explorer current user search bar has been changed from
http://www.microsoft.com/ispi/redir.dll?prd=iear=iesearch
to
<none>
I get the option to accept or change back. I just close the window and do nothing.

Here is the current HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:40:18, on 15/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\admin\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=4070312
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=4070312
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\pavuppad.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /FU "C:\WINDOWS\TEMP\E_SA1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"
O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKCU\..\Run: [internat] C:\WINDOWS\internat.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.microquiz.eu/ImageUploader5.cab
O16 - DPF: {61628958-4627-48F4-99FD-30719188568D} (XCheck Control) - http://www.ifrontiers.com/ActiveX/XCheck.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://test.update.microsoft.com/wi...ls/en/x86/client/wuweb_site.cab?1174297478281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://test.update.microsoft.com/mi...ls/en/x86/client/muweb_site.cab?1174297563946
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.microquiz.eu/ImageUploader4.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-ea0211234474d475.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {E33968CE-FF77-4DC3-A052-2921C0D60177} (LoaderOnline Class) - https://www.remotecontrol26.co.uk/dms website/kiosk/Bootstrap2610/2.6.10.107/BootstrapXP.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.asda-photo.co.uk/upload/activex/v2_0_0_11/PCAXSetupv2.0.0.11.cab?
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15105/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 17623 bytes
 
1) is related to Intel(R) PROSet/Wireless. Uninstalling/reinstalling might help.

2) is a normal one; you can ignore it.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\pavuppad.exe
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 
Hi Shaba,

Log file as requested:

ComboFix 09-05-09.05 - admin 15/05/2009 19:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1389 [GMT 1:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\pavuppad.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-13 18:00 . 2009-05-13 18:30 -------- d-----w C:\xfer
2009-05-11 19:56 . 2009-05-11 19:57 -------- d-----w c:\program files\ERUNT
2009-05-10 22:07 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-05-10 15:24 . 2002-08-29 12:00 31232 -c--a-w c:\windows\system32\dllcache\weitekp9.sys
2009-05-10 15:23 . 2002-08-29 12:00 229439 -c--a-w c:\windows\system32\dllcache\multibox.dll
2009-05-10 15:22 . 2002-08-29 12:00 36864 -c--a-w c:\windows\system32\dllcache\hanjadic.dll
2009-05-10 15:21 . 2003-03-24 15:52 188480 -c--a-w c:\windows\system32\dllcache\cfgwiz.exe
2009-05-10 15:21 . 2003-03-24 15:52 16439 -c--a-w c:\windows\system32\dllcache\author.exe
2009-05-10 15:21 . 2003-03-24 15:52 20540 -c--a-w c:\windows\system32\dllcache\author.dll
2009-05-10 15:21 . 2003-03-24 15:52 16439 -c--a-w c:\windows\system32\dllcache\admin.exe
2009-05-10 15:21 . 2003-03-24 15:52 20540 -c--a-w c:\windows\system32\dllcache\admin.dll
2009-05-10 15:18 . 2004-08-04 05:56 628224 -c--a-w c:\windows\system32\dllcache\catsrvut.dll
2009-05-10 15:18 . 2004-08-04 05:56 628224 ----a-w c:\windows\system32\catsrvut.dll
2009-05-10 15:07 . 2002-08-29 12:00 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-05-10 15:07 . 2002-08-29 12:00 13312 ----a-w c:\windows\system32\irclass.dll
2009-05-10 15:07 . 2002-08-29 12:00 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-05-10 15:07 . 2002-08-29 12:00 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-05-09 09:35 . 2009-05-09 09:36 -------- d-----w C:\SAV32CLI
2009-05-08 18:18 . 2009-05-08 18:18 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-05-08 15:30 . 2009-05-08 15:30 -------- d-----w c:\windows\repair
2009-05-08 14:55 . 2002-08-29 12:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-05-08 14:52 . 2002-08-29 12:00 7680 -c--a-w c:\windows\system32\dllcache\inetmgr.exe
2009-05-08 12:40 . 2009-05-08 12:40 45056 ----a-w c:\windows\system32\DeleteNotifyDll.dll
2009-05-08 12:37 . 2008-04-14 00:12 23040 ----a-w c:\windows\system32\AAP.DLL
2009-05-08 12:35 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\AAK.dll
2009-05-08 12:35 . 2009-02-09 12:10 617472 ----a-w c:\windows\system32\AAD.DLL
2009-05-08 12:34 . 2009-05-08 12:39 -------- d-----w c:\program files\Adware Away
2009-05-06 22:58 . 2009-05-06 22:58 75264 ----a-w c:\windows\internat.exe
2009-05-05 21:20 . 2009-05-05 23:01 -------- d-----w c:\program files\PXL Soft
2009-04-30 21:01 . 1999-10-15 11:50 1056768 ----a-w c:\windows\system32\ROBOEX32.DLL
2009-04-30 21:01 . 2006-07-22 18:37 49152 ----a-w c:\windows\system32\INETWH32.dll
2009-04-17 19:48 . 2008-09-17 13:24 49996376 ----a-w C:\avg_free_stf_en_8_169a1359.exe
2009-04-16 18:27 . 2008-05-03 11:55 2560 ----a-w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 18:41 . 2007-03-12 10:38 144264 ----a-w c:\windows\system32\nvModes.dat
2009-05-15 06:45 . 2007-04-12 18:43 -------- d-----w c:\program files\BitLord
2009-05-10 15:37 . 2009-05-10 15:37 65024 ----a-w C:\calc.exe
2009-05-10 15:20 . 2004-08-11 17:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-10 15:18 . 2004-08-11 17:12 23428 ----a-w c:\windows\system32\emptyregdb.dat
2009-05-10 15:18 . 2009-05-10 15:18 1663 ----a-w c:\windows\inf\COM1ED.tmp
2009-05-08 18:30 . 2007-03-19 14:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-08 12:29 . 2008-11-30 12:53 -------- d-----w c:\program files\SpywareGuard
2009-05-02 17:04 . 2008-11-28 17:21 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2009-05-02 17:02 . 2008-11-29 20:12 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-04-30 21:18 . 2007-03-12 11:08 36368 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 21:01 . 2007-04-18 22:17 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-04-30 21:00 . 2007-04-18 22:17 -------- d-----w c:\program files\Ulead Systems
2009-04-30 21:00 . 2007-03-12 10:56 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 23:28 . 2007-06-07 19:46 -------- d-----w c:\program files\NO1 Video Converter
2009-03-18 08:31 . 2009-03-18 08:31 -------- d-----w c:\program files\Windows Installer Clean Up
2009-03-18 08:31 . 2009-03-18 08:31 -------- d-----w c:\program files\MSECACHE
2009-03-17 20:44 . 2009-03-17 20:36 -------- d-----w c:\program files\hkSFV
2009-03-06 14:44 . 2004-08-04 05:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-02 21:09 . 2009-03-02 21:09 2368 ----a-w c:\windows\system32\SVKP.sys
2009-02-20 08:30 . 2004-08-04 05:56 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-04 05:56 81920 ----a-w c:\windows\system32\ieencode.dll
2003-12-19 19:36 . 2007-06-12 21:56 40960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-05-14_08.20.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-11 17:00 . 2009-05-14 07:53 81120 c:\windows\system32\perfc009.dat
+ 2004-08-11 17:00 . 2009-05-15 18:45 81120 c:\windows\system32\perfc009.dat
+ 2007-03-16 15:41 . 2009-05-15 18:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-03-16 15:41 . 2009-05-15 18:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-03-16 15:41 . 2009-05-15 18:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-11 17:00 . 2009-05-15 18:45 468916 c:\windows\system32\perfh009.dat
- 2004-08-11 17:00 . 2009-05-14 07:53 468916 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2006-12-25 177664]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"eyeBeam SIP Client"="c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe" [2006-07-31 19857408]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]
"internat"="c:\windows\internat.exe" [2009-05-06 75264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-06-26 509224]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-11-19 99984]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~1\vptray.exe" [2003-05-21 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 185896]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-19 1519616]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-01-19 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\pavuppad.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2031643626-816787558-188441444-1002\Scripts\Logon\0\0]
"Script"=remedylastlogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2031643626-816787558-188441444-3814\Scripts\Logon\0\0]
"Script"=remedylastlogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\VoiceLine SoftPhone\\VoiceLine.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [12/06/2007 22:59 9344]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 13:07 61424]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [19/03/2007 14:58 15793]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [02/03/2009 22:09 2368]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [26/12/2008 14:44 3032360]
S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [13/08/2007 17:04 26496]
S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [13/08/2007 17:04 23296]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [02/09/2008 17:56 178913]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [26/12/2008 14:44 15144]
S4 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\Exchsrvr\bin\exmgmt.exe [16/03/2007 17:21 3117568]
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local;<local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {61628958-4627-48F4-99FD-30719188568D} - hxxp://www.ifrontiers.com/ActiveX/XCheck.CAB
DPF: {E33968CE-FF77-4DC3-A052-2921C0D60177} - hxxps://www.remotecontrol26.co.uk/dms%20website/kiosk/Bootstrap2610/2.6.10.107/BootstrapXP.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 20:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
internat = c:\windows\internat.exe????????????????????|?????????????P@?????? ??????? ??????S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1320)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2492)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-15 20:14
ComboFix-quarantined-files.txt 2009-05-15 19:14
ComboFix2.txt 2009-05-14 08:29
ComboFix3.txt 2009-05-11 17:28
ComboFix4.txt 2009-05-10 22:21

Pre-Run: 20,438,478,848 bytes free
Post-Run: 20,417,626,112 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
231 --- E O F --- 2009-05-12 17:00
 
If it is, how would you explain these?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2031643626-816787558-188441444-1002\Scripts\Logon\0\0]
"Script"=remedylastlogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2031643626-816787558-188441444-3814\Scripts\Logon\0\0]
"Script"=remedylastlogin.vbs
 
Hi Shaba,

I have just taken early retirement from my job and was allowed to keep my laptop. If anything needs to be removed from it I will be happy to remove it.
 
Thank you for the information.

Let's try this next:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "userinit"="c:\windows\system32\userinit.exe,"
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2031643626-816787558-188441444-1002\Scripts\Logon\0\0]
    "Script"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2031643626-816787558-188441444-3814\Scripts\Logon\0\0]
    "Script"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot: CFScriptB-4.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
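
The entries Shaba's CFScript targets (the extra launcher appended to Winlogon Userinit and the two Group Policy logon Script values), together with the disabled-firewall and Security Center "DisableMonitoring" entries visible in the same log section, as an added Python example that is not part of the original thread and not ComboFix's own code. It parses a constructed excerpt of the posted "Reg Loading Points" output, reports each indicator, and emits a Registry:: stanza in the form used in the post above for the two items that post fixes; the firewall and monitoring entries are only reported, as the post's script leaves them alone. The parsing rules (a clean Userinit holds exactly one entry ending in \system32\userinit.exe; a "=-" line deletes a value) are this example's own assumptions.

```python
"""Flag the registry indicators discussed in this thread in a ComboFix-style
"Reg Loading Points" excerpt and emit the CFScript Registry:: stanza that
undoes the ones Shaba's script targets.

Added example: not part of the original thread and not ComboFix's own code.
SAMPLE_LOG is a constructed excerpt built from the entries visible in the
posted logs; the parsing rules below are this example's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the posted log: only the lines this example reasons about.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\pavuppad.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2031643626-816787558-188441444-1002\Scripts\Logon\0\0]
"Script"=remedylastlogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# (indicator, registry key as printed in the log, detail)
Finding = Tuple[str, str, str]


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Group '"name"=data' lines under the [key] line that precedes them.
    Value names are lower-cased; data keeps the log's spelling minus quotes."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2).strip().strip('"')
    return keys


def userinit_extras(data: str) -> List[str]:
    """Every comma-separated launcher in Userinit other than the real userinit.exe.
    Assumption: a clean XP value is exactly 'c:\\windows\\system32\\userinit.exe,'."""
    entries = [e.strip() for e in data.split(',') if e.strip()]
    return [e for e in entries if not e.lower().endswith('\\system32\\userinit.exe')]


def find_indicators(text: str) -> List[Finding]:
    """Walk every key in the excerpt and collect the four indicator types."""
    findings: List[Finding] = []
    for key, values in parse_reg_points(text).items():
        k = key.lower()
        if k.endswith('\\winlogon') and 'userinit' in values:
            for extra in userinit_extras(values['userinit']):
                findings.append(('userinit-hijack', key, extra))
        if '\\group policy\\state\\' in k and '\\scripts\\logon\\' in k and 'script' in values:
            findings.append(('gpo-logon-script', key, values['script']))
        if '\\security center\\monitoring\\' in k and values.get('disablemonitoring', '').endswith('1'):
            findings.append(('security-center-monitoring-off', key, key.rsplit('\\', 1)[-1]))
        if k.endswith('\\firewallpolicy\\standardprofile') and values.get('enablefirewall', '').startswith('0'):
            findings.append(('firewall-disabled', key, values['enablefirewall']))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Registry:: stanza in the form Shaba's post uses: put Userinit back to the
    real userinit.exe and delete ("=-") each Group Policy logon Script value.
    The firewall and Security Center findings are reported, not scripted."""
    lines = ['Registry::']
    seen = set()
    for indicator, key, _ in findings:
        if (indicator, key) in seen:
            continue
        seen.add((indicator, key))
        if indicator == 'userinit-hijack':
            lines += [f'[{key}]', r'"userinit"="c:\windows\system32\userinit.exe,"', '']
        elif indicator == 'gpo-logon-script':
            lines += [f'[{key}]', '"Script"=-', '']
    return '\n'.join(lines).rstrip() + '\n'


if __name__ == '__main__':
    found = find_indicators(SAMPLE_LOG)
    for indicator, key, detail in found:
        print(f'{indicator:32} {detail}   <- {key}')
    print()
    print(build_cfscript(found))
```

Run against the real log, paste the whole "Reg Loading Points" section in place of SAMPLE_LOG; the Userinit check is the one worth keeping even after this thread, since anything after the first comma runs at every interactive logon before the shell, which is exactly why the file could not be deleted while logged on.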
 
Hi Shaba, log file as requested

ComboFix 09-05-09.05 - admin 16/05/2009 11:16.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1342 [GMT 1:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-13 18:00 . 2009-05-13 18:30 -------- d-----w C:\xfer
2009-05-11 19:56 . 2009-05-11 19:57 -------- d-----w c:\program files\ERUNT
2009-05-10 22:07 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-05-10 15:24 . 2002-08-29 12:00 31232 -c--a-w c:\windows\system32\dllcache\weitekp9.sys
2009-05-10 15:23 . 2002-08-29 12:00 229439 -c--a-w c:\windows\system32\dllcache\multibox.dll
2009-05-10 15:22 . 2002-08-29 12:00 36864 -c--a-w c:\windows\system32\dllcache\hanjadic.dll
2009-05-10 15:21 . 2003-03-24 15:52 188480 -c--a-w c:\windows\system32\dllcache\cfgwiz.exe
2009-05-10 15:21 . 2003-03-24 15:52 16439 -c--a-w c:\windows\system32\dllcache\author.exe
2009-05-10 15:21 . 2003-03-24 15:52 20540 -c--a-w c:\windows\system32\dllcache\author.dll
2009-05-10 15:21 . 2003-03-24 15:52 16439 -c--a-w c:\windows\system32\dllcache\admin.exe
2009-05-10 15:21 . 2003-03-24 15:52 20540 -c--a-w c:\windows\system32\dllcache\admin.dll
2009-05-10 15:18 . 2004-08-04 05:56 628224 -c--a-w c:\windows\system32\dllcache\catsrvut.dll
2009-05-10 15:18 . 2004-08-04 05:56 628224 ----a-w c:\windows\system32\catsrvut.dll
2009-05-10 15:07 . 2002-08-29 12:00 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-05-10 15:07 . 2002-08-29 12:00 13312 ----a-w c:\windows\system32\irclass.dll
2009-05-10 15:07 . 2002-08-29 12:00 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-05-10 15:07 . 2002-08-29 12:00 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-05-09 09:35 . 2009-05-09 09:36 -------- d-----w C:\SAV32CLI
2009-05-08 18:18 . 2009-05-08 18:18 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-05-08 15:30 . 2009-05-08 15:30 -------- d-----w c:\windows\repair
2009-05-08 14:55 . 2002-08-29 12:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-05-08 14:52 . 2002-08-29 12:00 7680 -c--a-w c:\windows\system32\dllcache\inetmgr.exe
2009-05-08 12:40 . 2009-05-08 12:40 45056 ----a-w c:\windows\system32\DeleteNotifyDll.dll
2009-05-08 12:37 . 2008-04-14 00:12 23040 ----a-w c:\windows\system32\AAP.DLL
2009-05-08 12:35 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\AAK.dll
2009-05-08 12:35 . 2009-02-09 12:10 617472 ----a-w c:\windows\system32\AAD.DLL
2009-05-08 12:34 . 2009-05-08 12:39 -------- d-----w c:\program files\Adware Away
2009-05-06 22:58 . 2009-05-06 22:58 75264 ----a-w c:\windows\internat.exe
2009-05-05 21:20 . 2009-05-05 23:01 -------- d-----w c:\program files\PXL Soft
2009-04-30 21:01 . 1999-10-15 11:50 1056768 ----a-w c:\windows\system32\ROBOEX32.DLL
2009-04-30 21:01 . 2006-07-22 18:37 49152 ----a-w c:\windows\system32\INETWH32.dll
2009-04-17 19:48 . 2008-09-17 13:24 49996376 ----a-w C:\avg_free_stf_en_8_169a1359.exe
2009-04-16 18:27 . 2008-05-03 11:55 2560 ----a-w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 10:07 . 2007-03-12 10:38 144249 ----a-w c:\windows\system32\nvModes.dat
2009-05-15 06:45 . 2007-04-12 18:43 -------- d-----w c:\program files\BitLord
2009-05-10 15:37 . 2009-05-10 15:37 65024 ----a-w C:\calc.exe
2009-05-10 15:20 . 2004-08-11 17:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-10 15:18 . 2004-08-11 17:12 23428 ----a-w c:\windows\system32\emptyregdb.dat
2009-05-10 15:18 . 2009-05-10 15:18 1663 ----a-w c:\windows\inf\COM1ED.tmp
2009-05-08 18:30 . 2007-03-19 14:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-08 12:29 . 2008-11-30 12:53 -------- d-----w c:\program files\SpywareGuard
2009-05-02 17:04 . 2008-11-28 17:21 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2009-05-02 17:02 . 2008-11-29 20:12 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-04-30 21:18 . 2007-03-12 11:08 36368 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 21:01 . 2007-04-18 22:17 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-04-30 21:00 . 2007-04-18 22:17 -------- d-----w c:\program files\Ulead Systems
2009-04-30 21:00 . 2007-03-12 10:56 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 23:28 . 2007-06-07 19:46 -------- d-----w c:\program files\NO1 Video Converter
2009-03-18 08:31 . 2009-03-18 08:31 -------- d-----w c:\program files\Windows Installer Clean Up
2009-03-18 08:31 . 2009-03-18 08:31 -------- d-----w c:\program files\MSECACHE
2009-03-17 20:44 . 2009-03-17 20:36 -------- d-----w c:\program files\hkSFV
2009-03-06 14:44 . 2004-08-04 05:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-02 21:09 . 2009-03-02 21:09 2368 ----a-w c:\windows\system32\SVKP.sys
2009-02-20 08:30 . 2004-08-04 05:56 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-04 05:56 81920 ----a-w c:\windows\system32\ieencode.dll
2003-12-19 19:36 . 2007-06-12 21:56 40960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-05-14_08.20.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-11 17:00 . 2009-05-14 07:53 81120 c:\windows\system32\perfc009.dat
+ 2004-08-11 17:00 . 2009-05-16 10:11 81120 c:\windows\system32\perfc009.dat
+ 2007-03-16 15:41 . 2009-05-16 10:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-03-16 15:41 . 2009-05-16 10:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-03-16 15:41 . 2009-05-16 10:07 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-11 17:00 . 2009-05-16 10:11 468916 c:\windows\system32\perfh009.dat
- 2004-08-11 17:00 . 2009-05-14 07:53 468916 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2006-12-25 177664]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"eyeBeam SIP Client"="c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe" [2006-07-31 19857408]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]
"internat"="c:\windows\internat.exe" [2009-05-06 75264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-06-26 509224]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-11-19 99984]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~1\vptray.exe" [2003-05-21 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 185896]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-19 1519616]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-01-19 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\pavuppad.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\VoiceLine SoftPhone\\VoiceLine.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [12/06/2007 22:59 9344]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 13:07 61424]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [19/03/2007 14:58 15793]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [02/03/2009 22:09 2368]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [26/12/2008 14:44 3032360]
S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [13/08/2007 17:04 26496]
S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [13/08/2007 17:04 23296]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [02/09/2008 17:56 178913]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [26/12/2008 14:44 15144]
S4 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\Exchsrvr\bin\exmgmt.exe [16/03/2007 17:21 3117568]
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local;<local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {61628958-4627-48F4-99FD-30719188568D} - hxxp://www.ifrontiers.com/ActiveX/XCheck.CAB
DPF: {E33968CE-FF77-4DC3-A052-2921C0D60177} - hxxps://www.remotecontrol26.co.uk/dms%20website/kiosk/Bootstrap2610/2.6.10.107/BootstrapXP.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 11:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
internat = c:\windows\internat.exe????????????????????|?????????????P@?????? ??????? ??????S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1320)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2228)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-16 11:24
ComboFix-quarantined-files.txt 2009-05-16 10:24
ComboFix2.txt 2009-05-15 19:14
ComboFix3.txt 2009-05-14 08:29
ComboFix4.txt 2009-05-11 17:28
ComboFix5.txt 2009-05-16 10:15

Pre-Run: 20,399,763,456 bytes free
Post-Run: 20,383,129,600 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
225 --- E O F --- 2009-05-12 17:00
 
new log
ComboFix 09-05-09.05 - admin 16/05/2009 12:02.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1377 [GMT 1:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-13 18:00 . 2009-05-13 18:30 -------- d-----w C:\xfer
2009-05-11 19:56 . 2009-05-11 19:57 -------- d-----w c:\program files\ERUNT
2009-05-10 22:07 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-05-10 15:24 . 2002-08-29 12:00 31232 -c--a-w c:\windows\system32\dllcache\weitekp9.sys
2009-05-10 15:23 . 2002-08-29 12:00 229439 -c--a-w c:\windows\system32\dllcache\multibox.dll
2009-05-10 15:22 . 2002-08-29 12:00 36864 -c--a-w c:\windows\system32\dllcache\hanjadic.dll
2009-05-10 15:21 . 2003-03-24 15:52 188480 -c--a-w c:\windows\system32\dllcache\cfgwiz.exe
2009-05-10 15:21 . 2003-03-24 15:52 16439 -c--a-w c:\windows\system32\dllcache\author.exe
2009-05-10 15:21 . 2003-03-24 15:52 20540 -c--a-w c:\windows\system32\dllcache\author.dll
2009-05-10 15:21 . 2003-03-24 15:52 16439 -c--a-w c:\windows\system32\dllcache\admin.exe
2009-05-10 15:21 . 2003-03-24 15:52 20540 -c--a-w c:\windows\system32\dllcache\admin.dll
2009-05-10 15:18 . 2004-08-04 05:56 628224 -c--a-w c:\windows\system32\dllcache\catsrvut.dll
2009-05-10 15:18 . 2004-08-04 05:56 628224 ----a-w c:\windows\system32\catsrvut.dll
2009-05-10 15:07 . 2002-08-29 12:00 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-05-10 15:07 . 2002-08-29 12:00 13312 ----a-w c:\windows\system32\irclass.dll
2009-05-10 15:07 . 2002-08-29 12:00 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-05-10 15:07 . 2002-08-29 12:00 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-05-09 09:35 . 2009-05-09 09:36 -------- d-----w C:\SAV32CLI
2009-05-08 18:18 . 2009-05-08 18:18 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-05-08 15:30 . 2009-05-08 15:30 -------- d-----w c:\windows\repair
2009-05-08 14:55 . 2002-08-29 12:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-05-08 14:52 . 2002-08-29 12:00 7680 -c--a-w c:\windows\system32\dllcache\inetmgr.exe
2009-05-08 12:40 . 2009-05-08 12:40 45056 ----a-w c:\windows\system32\DeleteNotifyDll.dll
2009-05-08 12:37 . 2008-04-14 00:12 23040 ----a-w c:\windows\system32\AAP.DLL
2009-05-08 12:35 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\AAK.dll
2009-05-08 12:35 . 2009-02-09 12:10 617472 ----a-w c:\windows\system32\AAD.DLL
2009-05-08 12:34 . 2009-05-08 12:39 -------- d-----w c:\program files\Adware Away
2009-05-06 22:58 . 2009-05-06 22:58 75264 ----a-w c:\windows\internat.exe
2009-05-05 21:20 . 2009-05-05 23:01 -------- d-----w c:\program files\PXL Soft
2009-04-30 21:01 . 1999-10-15 11:50 1056768 ----a-w c:\windows\system32\ROBOEX32.DLL
2009-04-30 21:01 . 2006-07-22 18:37 49152 ----a-w c:\windows\system32\INETWH32.dll
2009-04-17 19:48 . 2008-09-17 13:24 49996376 ----a-w C:\avg_free_stf_en_8_169a1359.exe
2009-04-16 18:27 . 2008-05-03 11:55 2560 ----a-w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 10:54 . 2007-03-12 10:38 144264 ----a-w c:\windows\system32\nvModes.dat
2009-05-15 06:45 . 2007-04-12 18:43 -------- d-----w c:\program files\BitLord
2009-05-10 15:37 . 2009-05-10 15:37 65024 ----a-w C:\calc.exe
2009-05-10 15:20 . 2004-08-11 17:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-10 15:18 . 2004-08-11 17:12 23428 ----a-w c:\windows\system32\emptyregdb.dat
2009-05-10 15:18 . 2009-05-10 15:18 1663 ----a-w c:\windows\inf\COM1ED.tmp
2009-05-08 18:30 . 2007-03-19 14:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-08 12:29 . 2008-11-30 12:53 -------- d-----w c:\program files\SpywareGuard
2009-05-02 17:04 . 2008-11-28 17:21 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2009-05-02 17:02 . 2008-11-29 20:12 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-04-30 21:18 . 2007-03-12 11:08 36368 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 21:01 . 2007-04-18 22:17 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-04-30 21:00 . 2007-04-18 22:17 -------- d-----w c:\program files\Ulead Systems
2009-04-30 21:00 . 2007-03-12 10:56 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 23:28 . 2007-06-07 19:46 -------- d-----w c:\program files\NO1 Video Converter
2009-03-18 08:31 . 2009-03-18 08:31 -------- d-----w c:\program files\Windows Installer Clean Up
2009-03-18 08:31 . 2009-03-18 08:31 -------- d-----w c:\program files\MSECACHE
2009-03-17 20:44 . 2009-03-17 20:36 -------- d-----w c:\program files\hkSFV
2009-03-06 14:44 . 2004-08-04 05:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-02 21:09 . 2009-03-02 21:09 2368 ----a-w c:\windows\system32\SVKP.sys
2009-02-20 08:30 . 2004-08-04 05:56 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-04 05:56 81920 ----a-w c:\windows\system32\ieencode.dll
2003-12-19 19:36 . 2007-06-12 21:56 40960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-05-14_08.20.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-11 17:00 . 2009-05-14 07:53 81120 c:\windows\system32\perfc009.dat
+ 2004-08-11 17:00 . 2009-05-16 10:58 81120 c:\windows\system32\perfc009.dat
+ 2007-03-16 15:41 . 2009-05-16 10:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-03-16 15:41 . 2009-05-16 10:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-03-16 15:41 . 2009-05-16 10:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-11 17:00 . 2009-05-16 10:58 468916 c:\windows\system32\perfh009.dat
- 2004-08-11 17:00 . 2009-05-14 07:53 468916 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2006-12-25 177664]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"eyeBeam SIP Client"="c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe" [2006-07-31 19857408]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]
"internat"="c:\windows\internat.exe" [2009-05-06 75264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-06-26 509224]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-11-19 99984]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~1\vptray.exe" [2003-05-21 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 185896]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-19 1519616]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-01-19 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\pavuppad.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\VoiceLine SoftPhone\\VoiceLine.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [12/06/2007 22:59 9344]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 13:07 61424]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [19/03/2007 14:58 15793]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [02/03/2009 22:09 2368]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [26/12/2008 14:44 3032360]
S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [13/08/2007 17:04 26496]
S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [13/08/2007 17:04 23296]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [02/09/2008 17:56 178913]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [26/12/2008 14:44 15144]
S4 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\Exchsrvr\bin\exmgmt.exe [16/03/2007 17:21 3117568]
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local;<local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {61628958-4627-48F4-99FD-30719188568D} - hxxp://www.ifrontiers.com/ActiveX/XCheck.CAB
DPF: {E33968CE-FF77-4DC3-A052-2921C0D60177} - hxxps://www.remotecontrol26.co.uk/dms%20website/kiosk/Bootstrap2610/2.6.10.107/BootstrapXP.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 12:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
internat = c:\windows\internat.exe????????????????????|?????????????P@?????? ??????? ??????S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1324)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1208)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-16 12:32
ComboFix-quarantined-files.txt 2009-05-16 11:31
ComboFix2.txt 2009-05-16 10:24
ComboFix3.txt 2009-05-15 19:14
ComboFix4.txt 2009-05-14 08:29
ComboFix5.txt 2009-05-16 10:59

Pre-Run: 20,356,333,568 bytes free
Post-Run: 20,333,481,984 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
225 --- E O F --- 2009-05-12 17:00
 
Log from safe mode
ComboFix 09-05-09.05 - admin 16/05/2009 13:20.7 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1688 [GMT 1:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-13 18:00 . 2009-05-13 18:30 -------- d-----w C:\xfer
2009-05-11 19:56 . 2009-05-11 19:57 -------- d-----w c:\program files\ERUNT
2009-05-10 22:07 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-05-10 15:24 . 2002-08-29 12:00 31232 -c--a-w c:\windows\system32\dllcache\weitekp9.sys
2009-05-10 15:23 . 2002-08-29 12:00 229439 -c--a-w c:\windows\system32\dllcache\multibox.dll
2009-05-10 15:22 . 2002-08-29 12:00 36864 -c--a-w c:\windows\system32\dllcache\hanjadic.dll
2009-05-10 15:21 . 2003-03-24 15:52 188480 -c--a-w c:\windows\system32\dllcache\cfgwiz.exe
2009-05-10 15:21 . 2003-03-24 15:52 16439 -c--a-w c:\windows\system32\dllcache\author.exe
2009-05-10 15:21 . 2003-03-24 15:52 20540 -c--a-w c:\windows\system32\dllcache\author.dll
2009-05-10 15:21 . 2003-03-24 15:52 16439 -c--a-w c:\windows\system32\dllcache\admin.exe
2009-05-10 15:21 . 2003-03-24 15:52 20540 -c--a-w c:\windows\system32\dllcache\admin.dll
2009-05-10 15:18 . 2004-08-04 05:56 628224 -c--a-w c:\windows\system32\dllcache\catsrvut.dll
2009-05-10 15:18 . 2004-08-04 05:56 628224 ----a-w c:\windows\system32\catsrvut.dll
2009-05-10 15:07 . 2002-08-29 12:00 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-05-10 15:07 . 2002-08-29 12:00 13312 ----a-w c:\windows\system32\irclass.dll
2009-05-10 15:07 . 2002-08-29 12:00 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-05-10 15:07 . 2002-08-29 12:00 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-05-09 09:35 . 2009-05-09 09:36 -------- d-----w C:\SAV32CLI
2009-05-08 18:18 . 2009-05-08 18:18 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-08 18:11 . 2009-05-08 18:11 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-05-08 15:30 . 2009-05-08 15:30 -------- d-----w c:\windows\repair
2009-05-08 14:55 . 2002-08-29 12:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-05-08 14:52 . 2002-08-29 12:00 7680 -c--a-w c:\windows\system32\dllcache\inetmgr.exe
2009-05-08 12:40 . 2009-05-08 12:40 45056 ----a-w c:\windows\system32\DeleteNotifyDll.dll
2009-05-08 12:37 . 2008-04-14 00:12 23040 ----a-w c:\windows\system32\AAP.DLL
2009-05-08 12:35 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\AAK.dll
2009-05-08 12:35 . 2009-02-09 12:10 617472 ----a-w c:\windows\system32\AAD.DLL
2009-05-08 12:34 . 2009-05-08 12:39 -------- d-----w c:\program files\Adware Away
2009-05-06 22:58 . 2009-05-13 17:38 -------- d-sh--w c:\windows\system32\bookls
2009-05-06 22:58 . 2009-05-06 22:58 75264 ----a-w c:\windows\internat.exe
2009-05-05 21:20 . 2009-05-05 23:01 -------- d-----w c:\program files\PXL Soft
2009-04-30 21:01 . 1999-10-15 11:50 1056768 ----a-w c:\windows\system32\ROBOEX32.DLL
2009-04-30 21:01 . 2006-07-22 18:37 49152 ----a-w c:\windows\system32\INETWH32.dll
2009-04-17 19:48 . 2008-09-17 13:24 49996376 ----a-w C:\avg_free_stf_en_8_169a1359.exe
2009-04-16 18:27 . 2008-05-03 11:55 2560 ----a-w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 10:54 . 2007-03-12 10:38 144264 ----a-w c:\windows\system32\nvModes.dat
2009-05-15 06:45 . 2007-04-12 18:43 -------- d-----w c:\program files\BitLord
2009-05-10 15:37 . 2009-05-10 15:37 65024 ----a-w C:\calc.exe
2009-05-10 15:20 . 2004-08-11 17:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-10 15:18 . 2004-08-11 17:12 23428 ----a-w c:\windows\system32\emptyregdb.dat
2009-05-10 15:18 . 2009-05-10 15:18 1663 ----a-w c:\windows\inf\COM1ED.tmp
2009-05-08 18:30 . 2007-03-19 14:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-08 12:29 . 2008-11-30 12:53 -------- d-----w c:\program files\SpywareGuard
2009-05-02 17:04 . 2008-11-28 17:21 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2009-05-02 17:02 . 2008-11-29 20:12 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-04-30 21:18 . 2007-03-12 11:08 36368 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 21:01 . 2007-04-18 22:17 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-04-30 21:00 . 2007-04-18 22:17 -------- d-----w c:\program files\Ulead Systems
2009-04-30 21:00 . 2007-03-12 10:56 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 23:28 . 2007-06-07 19:46 -------- d-----w c:\program files\NO1 Video Converter
2009-03-18 08:31 . 2009-03-18 08:31 -------- d-----w c:\program files\Windows Installer Clean Up
2009-03-18 08:31 . 2009-03-18 08:31 -------- d-----w c:\program files\MSECACHE
2009-03-17 20:44 . 2009-03-17 20:36 -------- d-----w c:\program files\hkSFV
2009-03-06 14:44 . 2004-08-04 05:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-02 21:09 . 2009-03-02 21:09 2368 ----a-w c:\windows\system32\SVKP.sys
2009-02-20 08:30 . 2004-08-04 05:56 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-04 05:56 81920 ----a-w c:\windows\system32\ieencode.dll
2003-12-19 19:36 . 2007-06-12 21:56 40960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-05-14_08.20.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 17:00 . 2009-05-16 10:58 81120 c:\windows\system32\perfc009.dat
- 2004-08-11 17:00 . 2009-05-14 07:53 81120 c:\windows\system32\perfc009.dat
+ 2007-03-16 15:41 . 2009-05-16 12:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-03-16 15:41 . 2009-05-16 12:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-03-16 15:41 . 2009-05-16 12:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-03-16 15:41 . 2009-05-14 07:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-11 17:00 . 2009-05-14 07:53 468916 c:\windows\system32\perfh009.dat
+ 2004-08-11 17:00 . 2009-05-16 10:58 468916 c:\windows\system32\perfh009.dat
+ 2004-08-04 05:56 . 2004-08-04 05:56 384000 c:\windows\system32\pavuppad.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2006-12-25 177664]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"eyeBeam SIP Client"="c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe" [2006-07-31 19857408]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]
"internat"="c:\windows\internat.exe" [2009-05-06 75264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-06-26 509224]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-11-19 99984]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~1\vptray.exe" [2003-05-21 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 185896]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-19 1519616]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-01-19 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\pavuppad.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\VoiceLine SoftPhone\\VoiceLine.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [12/06/2007 22:59 9344]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 13:07 61424]
S2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [19/03/2007 14:58 15793]
S2 SVKP;SVKP;c:\windows\system32\SVKP.sys [02/03/2009 22:09 2368]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [26/12/2008 14:44 3032360]
S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [13/08/2007 17:04 26496]
S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [13/08/2007 17:04 23296]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [02/09/2008 17:56 178913]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [26/12/2008 14:44 15144]
S4 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\Exchsrvr\bin\exmgmt.exe [16/03/2007 17:21 3117568]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local;<local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {61628958-4627-48F4-99FD-30719188568D} - hxxp://www.ifrontiers.com/ActiveX/XCheck.CAB
DPF: {E33968CE-FF77-4DC3-A052-2921C0D60177} - hxxps://www.remotecontrol26.co.uk/dms%20website/kiosk/Bootstrap2610/2.6.10.107/BootstrapXP.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 13:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
internat = c:\windows\internat.exe????????????????????|?????????????P@?????? ??????? ??????S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(344)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-05-16 13:31
ComboFix-quarantined-files.txt 2009-05-16 12:30
ComboFix2.txt 2009-05-16 11:32
ComboFix3.txt 2009-05-16 10:24
ComboFix4.txt 2009-05-15 19:14
ComboFix5.txt 2009-05-16 12:18

Pre-Run: 22,493,933,568 bytes free
Post-Run: 22,474,129,408 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
218 --- E O F --- 2009-05-12 17:00
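The two ComboFix runs above (normal mode and safe mode) each carry several hundred lines, and the items the helper keeps coming back to are scattered across them: the second entry chained onto Userinit, the internat.exe autorun sitting in the Windows root with a 2009-05-06 date, the hidden+system folder c:\windows\system32\bookls created the same evening, Security Center monitoring switched off for Symantec, and the firewall disabled. As an added example, not part of this thread and not ComboFix's own code, the Python script below parses that log format and flags exactly those markers. SAMPLE_LOG is a constructed excerpt copied from the logs above; the 2009-05-01 cut-off for calling a file "recent" is an assumption, and hidden+system on a new object is reported as a hint rather than a verdict.

```python
"""Triage a ComboFix log for the persistence and defence-evasion markers
seen in the logs above.

Added example: this is not part of the original thread and not ComboFix's
own code. The cut-off date used to call a file 'recent' is an assumption.
"""
import re
from typing import List

# Constructed excerpt, copied line-for-line from the ComboFix logs above and
# trimmed to the entries the checks below care about.
SAMPLE_LOG = r"""
2009-05-06 22:58 . 2009-05-13 17:38 -------- d-sh--w c:\windows\system32\bookls
2009-05-06 22:58 . 2009-05-06 22:58 75264 ----a-w c:\windows\internat.exe

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"internat"="c:\windows\internat.exe" [2009-05-06 75264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-19 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\pavuppad.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Section header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value"[ - resolved path][ [YYYY-MM-DD size]]
PATH_RE = re.compile(
    r'^"([^"]+)"="([^"]*)"(?:\s+-\s+(\S.*?))?(?:\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\])?$'
)
# "name"=dword:00000001   or   "name"= 0 (0x0)
NUM_RE = re.compile(
    r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s+\(0x[0-9a-fA-F]+\))$'
)
# Files Created / Find3M rows: created . modified size attrs path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ ([-a-z]{7}) (.+)$"
)

# On XP the Userinit value holds only this path (plus a trailing comma).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"


def triage(log_text: str, recent_after: str = "2009-05-01") -> List[str]:
    """Walk the log line by line and return one string per finding."""
    findings: List[str] = []
    key = ""  # registry key of the section currently being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue

        m = FILE_RE.match(line)
        if m:
            created, attrs, path = m.groups()
            # hidden+system on a freshly created object is a hint, not proof
            if "s" in attrs and "h" in attrs:
                findings.append(f"hidden+system object created {created}: {path}")
            continue

        m = PATH_RE.match(line)
        if m:
            name, value, resolved, date, _size = m.groups()
            if key.endswith("windows nt\\currentversion\\winlogon") and name.lower() == "userinit":
                # Userinit is a comma-separated list; only userinit.exe belongs there
                for entry in value.split(","):
                    entry = entry.strip().lower()
                    if entry and entry != LEGIT_USERINIT:
                        findings.append(f"userinit chained to extra binary: {entry}")
            elif key.endswith("\\currentversion\\run") and date:
                path = (resolved or value).lower()
                folder = path.rsplit("\\", 1)[0]
                if folder == r"c:\windows":
                    findings.append(f"run entry '{name}' loads from the Windows root: {path}")
                if date > recent_after:
                    findings.append(f"run entry '{name}' file dated {date}, after {recent_after}: {path}")
            continue

        m = NUM_RE.match(line)
        if m:
            name, dword, dec = m.groups()
            val = int(dword, 16) if dword is not None else int(dec)
            product = key.rsplit("\\", 1)[-1]
            if "security center\\monitoring" in key and name.lower() == "disablemonitoring" and val == 1:
                findings.append(f"security center monitoring disabled for {product}")
            if key.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall" and val == 0:
                findings.append("windows firewall disabled for the standard profile")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a full ComboFix log by reading the file into triage(); the checks only look at the "Files Created", "Find3M" and "Reg Loading Points" sections, so the catchme and DLL sections pass through untouched. The Userinit rule is the one that matters most here: Winlogon runs every comma-separated entry in that value at logon, which is why pavuppad.exe comes back after each cleaning and why the file is "in use" whenever anyone is logged on.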
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :file
    c:\windows\system32\pavuppad.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Ran in normal boot mode
SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 19:20 on 16/05/2009 by admin (Administrator - Elevation successful)

========== file ==========

c:\windows\system32\pavuppad.exe - Unable to find/read file.

I then ran in safe mode

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 19:26 on 16/05/2009 by admin (Administrator - Elevation successful)

========== file ==========

c:\windows\system32\pavuppad.exe - Unable to find/read file.

-=End Of File=-

File is there - I checked
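The last post shows the discrepancy the helper now has to resolve: Explorer lists c:\windows\system32\pavuppad.exe, the earlier delete attempt failed with "being used by another person or program", and SystemLook reports "Unable to find/read file" in both normal and safe mode. Those are three different questions to the filesystem, and a single "found / not found" answer hides which one is failing. As an added example, not part of this thread and not SystemLook's code, the Python script below does what SystemLook's :file switch does (path, size, timestamp, attributes, MD5) but reports directory listing, stat() and open() separately, so a file that is listed but cannot be opened is reported as such rather than as missing. The self_check() helper and its "MZ" stand-in file are constructed for the test; the attribute decoding uses the Windows bits from Python's stat module and is only populated on Windows.

```python
"""Probe a file the way SystemLook's ':file' switch does, but report each
access method separately.

Added example: not part of the original thread and not SystemLook's code.
Asking three separate questions (is the name listed by its parent
directory? does stat() succeed? can the content be opened and hashed?)
shows which layer is refusing when a scanner says 'unable to find/read'
while Explorer still shows the file.
"""
import hashlib
import os
import stat
import sys
import tempfile
import time
from typing import Any, Dict, List, Tuple


def probe_file(path: str) -> Dict[str, Any]:
    """Return what directory listing, stat() and open() each say about path."""
    report: Dict[str, Any] = {
        "path": path,
        "listed_in_parent": False,  # name appears in the parent's listing
        "stat_ok": False,           # metadata readable
        "size": None,
        "modified": None,
        "attributes": None,         # raw Windows attribute bits, if available
        "readable": False,          # content opened and hashed
        "md5": None,
        "errors": [],               # one entry per method that failed
    }
    parent, name = os.path.split(os.path.abspath(path))
    try:
        # Windows directory listings are case-insensitive, so compare that way.
        names = [n.lower() for n in os.listdir(parent)]
        report["listed_in_parent"] = name.lower() in names
    except OSError as exc:
        report["errors"].append(f"listdir: {exc.strerror}")
    try:
        st = os.stat(path)
        report["stat_ok"] = True
        report["size"] = st.st_size
        report["modified"] = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime))
        # st_file_attributes only exists on Windows; None elsewhere.
        report["attributes"] = getattr(st, "st_file_attributes", None)
    except OSError as exc:
        report["errors"].append(f"stat: {exc.strerror}")
    try:
        digest = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        report["readable"] = True
        report["md5"] = digest.hexdigest()
    except OSError as exc:
        report["errors"].append(f"open: {exc.strerror}")
    return report


def decode_attributes(attrs) -> List[str]:
    """Name the Windows attribute bits that matter for triage."""
    if attrs is None:
        return []
    labels = []
    for flag, label in (
        (stat.FILE_ATTRIBUTE_HIDDEN, "hidden"),
        (stat.FILE_ATTRIBUTE_SYSTEM, "system"),
        (stat.FILE_ATTRIBUTE_READONLY, "readonly"),
    ):
        if attrs & flag:
            labels.append(label)
    return labels


def verdict(report: Dict[str, Any]) -> str:
    """Collapse the three answers into the sentence a helper wants to read."""
    if report["readable"]:
        return "present and readable"
    if report["listed_in_parent"] or report["stat_ok"]:
        return "present but not readable (locked, access denied or filtered)"
    return "not found by any method"


def self_check() -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Probe a constructed file and a missing sibling; returns both reports."""
    workdir = tempfile.mkdtemp()
    present = os.path.join(workdir, "sample.exe")
    with open(present, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100)  # constructed stand-in, not a real PE
    return probe_file(present), probe_file(os.path.join(workdir, "missing.exe"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"c:\windows\system32\pavuppad.exe"
    result = probe_file(target)
    for field, value in result.items():
        print(f"{field:18} {value}")
    print("attribute bits:", ", ".join(decode_attributes(result["attributes"])) or "n/a")
    print("verdict:", verdict(result))
```

Run it as python probe.py c:\windows\system32\pavuppad.exe from the same account the scanner ran under. If the name is listed but stat() or open() fails with a sharing violation or access denied, the file is there and held open by a running process (consistent with the Userinit entry loading it at logon); if all three fail, the scanner was right and Explorer was showing a stale view.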
 