[Jamjam525]

Hey guys,
After logging onto my pc this yesterday afternoon, I noticed that it was running unbelievably slowly. I checked task manager, which told me that explorer.exe was about 148,060K of memory and about 50% CPU. Whilst there, I also noticed that iexplore.exe was running, even though I had no internet explorer windows, and I usually use firefox. I ended the process of iexplore.exe, only to see that it had reappeared. Looking at it now, it is using about 20,000k of memory.

About the popups mentioned in the title: A few days ago, I found a virus on my pc, which was creating popups, and kept downloading or creating new threats (avg found a new one every few minutes in local settings.) I found 6 viruses doing a full AVG scan, followed by a search and destroy spyware scan, which found 19 objects. I then used uniblue spyeraser which found a keylogger which it rated 'severe', amongst other things, all of which I deleted. One of the things which was fixed was awvvt.dll in system32, which seems to be a common trouble maker for other people.

So, I thought that I had fixed the problem, and it seemed that way until yesterday, when I noticed how slow my pc was running, and that iexplore.exe was running by itself in the background (is that natural?). Also my pc has taken ages to startup (maybe that is because explorer.exe is taking up lots of system resources?)

I would greatly appreciate any help you guys can give .

EDIT: Explorer is no longer using too much memory, but now firefox is :S.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:09, on 06/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client....o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [7726367961707D235426] Rundll32.exe "C:\WINDOWS\system32\rwpengsb.dll",s
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint....rintActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd....an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi....?1191357337656
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft....ree/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.....iveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon....t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chome
O17 - HKLM\Software\..\Telephony: DomainName = chome
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA115CE-5D0A-4A66-8FB1-2D25270C55C6}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chome
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - Unknown owner - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 14134 bytes

Edited by Jamjam525, 07 March 2008 - 12:31 PM.

[Advertisements]

Hi there could you confirm that IE is not your main browser

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [7726367961707D235426] Rundll32.exe "C:\WINDOWS\system32\rwpengsb.dll",s


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : Combofix and a new Hijackthis

[Essexboy]

Hi there could you confirm that IE is not your main browser

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [7726367961707D235426] Rundll32.exe "C:\WINDOWS\system32\rwpengsb.dll",s


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : Combofix and a new Hijackthis

[Jamjam525]

Ok.

Firefox is my main browser.
Between my first post and this one, I have done an AVG anti-virus scan, which seems to have got rid of:

O4 - HKLM\..\Run: [7726367961707D235426] Rundll32.exe "C:\WINDOWS\system32\rwpengsb.dll",s

I will do combofix now.

Edited by Jamjam525, 07 March 2008 - 02:48 PM.

[Jamjam525]

Combofix log:

ComboFix 08-03-07.3 - James 2008-03-07 20:56:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.975 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ckzrewcl.dll
C:\WINDOWS\system32\dniilbrf.dll
C:\WINDOWS\system32\fbcdvlhm.dll
C:\WINDOWS\system32\fnkayjpt.dll
C:\WINDOWS\system32\hsegwhqq.dll
C:\WINDOWS\system32\kiirbril.dll
C:\WINDOWS\system32\krmgcfeq.dll
C:\WINDOWS\system32\lkzeioqr.dll
C:\WINDOWS\system32\mnrosskx.dll
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\rptxpkla.dll
C:\WINDOWS\system32\rqrrrro.dll
C:\WINDOWS\system32\rwpengsb.dll
C:\WINDOWS\system32\tabmxeos.dll
C:\WINDOWS\system32\vjpmfshg.dll
C:\WINDOWS\system32\vtnuggjp.dll
C:\WINDOWS\system32\vtsqn.dll
C:\WINDOWS\system32\wznbhygc.dll
C:\WINDOWS\system32\xzccjida.dll
C:\WINDOWS\system32\zxmkjbhx.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 16:39 . 2008-03-07 16:39 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-07 16:05 . 2008-03-07 16:05 <DIR> d-------- C:\Program Files\Secunia
2008-03-07 08:18 . 2008-03-07 08:09 2,826,339 --a------ C:\WINDOWS\system32\dniilbrf.xml
2008-03-07 08:12 . 2008-03-07 08:09 2,826,339 --a------ C:\WINDOWS\system32\rptxpkla.xml
2008-03-07 00:47 . 2008-03-07 00:43 2,826,339 --a------ C:\WINDOWS\system32\krmgcfeq.xml
2008-03-06 23:33 . 2008-03-06 23:31 2,826,322 --a------ C:\WINDOWS\system32\vjpmfshg.xml
2008-03-06 23:00 . 2008-03-07 19:09 2,826,356 --a------ C:\WINDOWS\system32\zxmkjbhx.xml
2008-03-06 22:38 . 2008-03-06 22:34 2,826,322 --a------ C:\WINDOWS\system32\ckzrewcl.xml
2008-03-06 22:15 . 2008-03-06 22:11 2,826,271 --a------ C:\WINDOWS\system32\mnrosskx.xml
2008-03-06 22:02 . 2008-03-06 22:00 2,826,271 --a------ C:\WINDOWS\system32\wznbhygc.xml
2008-03-05 22:44 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\ecyeophrmidq.sys
2008-03-05 22:31 . 2007-12-07 02:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-05 22:31 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-05 22:31 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-05 22:31 . 2007-12-07 02:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-05 22:31 . 2007-12-07 02:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-05 22:31 . 2007-12-07 02:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-05 22:31 . 2007-12-07 02:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-05 22:31 . 2007-12-07 02:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-05 22:31 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-05 22:31 . 2007-12-06 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-05 21:19 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qpyruunnovft.sys
2008-03-05 19:15 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 18:58 . 2008-03-05 22:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-05 18:58 . 2008-03-05 22:40 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-05 18:58 . 2008-03-05 22:40 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-05 17:24 . 2008-03-05 17:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 17:21 . 2008-03-05 17:21 <DIR> d-------- C:\Deckard
2008-03-05 16:24 . 2008-03-05 16:24 <DIR> d-------- C:\Program Files\ACW
2008-03-05 15:42 . 2008-03-05 15:38 2,826,050 --a------ C:\WINDOWS\system32\lkzeioqr.xml
2008-03-05 00:15 . 2008-03-05 00:14 2,825,999 --a------ C:\WINDOWS\system32\tabmxeos.xml
2008-03-04 22:29 . 2008-03-04 22:29 <DIR> d-------- C:\Documents and Settings\Gary.STUDY\Application Data\Uniblue
2008-03-04 22:04 . 2008-03-04 22:04 2,825,642 --a------ C:\WINDOWS\system32\hsegwhqq.xml
2008-03-04 17:04 . 2008-03-04 17:01 2,825,642 --a------ C:\WINDOWS\system32\xzccjida.xml
2008-03-04 17:01 . 2008-03-06 22:59 2,826,322 --a------ C:\WINDOWS\system32\rwpengsb.xml
2008-03-04 16:03 . 2008-03-05 19:54 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-04 07:53 . 2008-03-04 07:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-03-04 07:48 . 2008-03-04 07:52 <DIR> d-------- C:\Documents and Settings\James\Application Data\Uniblue
2008-03-04 07:47 . 2008-03-04 07:47 <DIR> d-------- C:\Program Files\Uniblue
2008-03-03 17:42 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-03 17:42 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2008-03-03 17:42 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2008-03-03 17:41 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-03-03 17:08 . 2008-03-03 17:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-03 17:02 . 2008-03-03 17:02 <DIR> d-------- C:\VundoFix Backups
2008-03-03 16:50 . 2008-03-04 22:25 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-03 16:50 . 2008-03-07 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-03 16:32 . 2008-03-03 16:32 324,608 --------- C:\WINDOWS\system32\awvvt.dll_old
2008-03-03 15:44 . 2008-03-03 15:40 2,833,014 --a------ C:\WINDOWS\system32\kiirbril.xml
2008-03-03 10:41 . 2008-03-03 16:53 2,833,133 --a------ C:\WINDOWS\system32\fbcdvlhm.xml
2008-03-03 08:02 . 2008-03-03 07:59 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-03 08:02 . 2008-03-03 08:02 2,540 --a------ C:\WINDOWS\unins000.dat
2008-03-02 17:19 . 2008-03-02 17:19 <DIR> d-------- C:\Documents and Settings\Amy\Application Data\Sibelius Software
2008-03-02 12:13 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-02 12:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-02 12:13 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-02 08:17 . 2008-03-02 08:17 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-02 08:16 . 2008-03-02 08:18 <DIR> d-------- C:\Program Files\Windows Live
2008-03-02 08:16 . 2008-03-02 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-01 15:30 . 2008-03-01 15:31 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-01 09:18 . 1998-01-20 22:06 252,928 --a------ C:\WINDOWS\system32\astrolib32.dll
2008-03-01 09:11 . 2008-03-01 09:11 <DIR> d-------- C:\WINDOWS\profiles
2008-03-01 09:11 . 1998-12-01 09:21 684,032 --a------ C:\WINDOWS\system32\rave.dll
2008-03-01 09:11 . 2005-05-23 20:37 475,136 --a------ C:\WINDOWS\system32\ds_flyer.scr
2008-03-01 09:11 . 2005-05-14 19:48 372,802 --a------ C:\WINDOWS\system32\QD3DRAVE_HW.rav
2008-03-01 09:11 . 1997-04-15 12:44 82,432 --a------ C:\WINDOWS\system32\ewdll32.dll
2008-03-01 09:11 . 1997-04-14 18:35 77,824 --a------ C:\WINDOWS\system32\helpmsg32.dll
2008-03-01 09:11 . 2005-05-23 20:37 50,609 --a------ C:\WINDOWS\system32\Drawwnd.obj
2008-03-01 09:11 . 2005-01-27 22:28 45,056 --a------ C:\WINDOWS\system32\avi_util32.dll
2008-03-01 09:11 . 2008-03-01 09:11 417 --a------ C:\WINDOWS\dst_suns.ini
2008-03-01 08:45 . 2008-03-01 09:11 <DIR> d-------- C:\Program Files\Astronomy programmes
2008-02-28 20:47 . 2008-02-28 20:47 <DIR> d-------- C:\Program Files\A-Z
2008-02-28 07:43 . 2008-02-28 07:43 <DIR> d-------- C:\Documents and Settings\James\Application Data\M05
2008-02-25 19:44 . 2008-03-03 20:57 <DIR> d-------- C:\Documents and Settings\James\Application Data\Hamachi
2008-02-25 19:43 . 2008-02-25 19:44 <DIR> d-------- C:\Program Files\Hamachi
2008-02-25 19:43 . 2008-02-25 19:43 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-23 20:45 . 2008-03-06 07:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 20:45 . 2008-02-23 20:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 20:44 . 2008-02-23 20:44 <DIR> d-------- C:\Program Files\iPod
2008-02-23 20:43 . 2008-03-05 21:18 <DIR> d-------- C:\Program Files\iTunes
2008-02-19 08:24 . 2008-02-19 08:24 7,808 --a------ C:\WINDOWS\system32\drivers\psi_mf.sys
2008-02-13 15:50 . 2008-02-13 15:51 <DIR> d-------- C:\SEE
2008-02-13 15:03 . 2008-02-13 15:04 <DIR> d-------- C:\Program Files\DivX
2008-02-12 13:31 . 2008-02-12 13:31 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-02-11 11:56 . 2008-02-11 11:56 <DIR> dr-h----- C:\Documents and Settings\James\Application Data\yahoo!
2008-02-10 19:19 . 2008-02-10 19:19 <DIR> d-------- C:\Program Files\Electric Rain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 21:18 6,343,588 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-03-07 21:17 7,580 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-07 21:17 2,697,248 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-07 20:51 --------- d-----w C:\Documents and Settings\James\Application Data\Free Download Manager
2008-03-07 20:43 --------- d-----w C:\Documents and Settings\James\Application Data\Skype
2008-03-07 19:22 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\AVG7
2008-03-07 19:07 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\Free Download Manager
2008-03-07 18:05 --------- d-----w C:\Program Files\Motive
2008-03-07 18:05 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2008-03-07 17:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-07 17:27 --------- d-----w C:\Program Files\Yahoo!
2008-03-07 17:17 --------- d-----w C:\Program Files\IrfanView
2008-03-07 16:46 --------- d-----w C:\Program Files\VideoLAN
2008-03-07 16:39 --------- d-----w C:\Program Files\Skype
2008-03-07 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-07 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-06 22:39 755,712 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-03-06 16:20 1,288,704 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-03-06 08:04 --------- d-----w C:\Documents and Settings\James\Application Data\AVG7
2008-03-05 21:20 --------- d-----w C:\Program Files\Bonjour
2008-03-05 21:18 --------- d-----w C:\Program Files\Common Files\Motive
2008-03-05 21:18 --------- d-----w C:\Program Files\btbb_wcm
2008-03-05 21:18 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-05 21:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 21:17 --------- d-----w C:\Program Files\Google
2008-03-05 21:17 --------- d-----w C:\Program Files\Free Download Manager
2008-03-05 13:52 2,828 ----a-w C:\Documents and Settings\Maureen\Application Data\wklnhst.dat
2008-03-04 19:05 --------- d-----w C:\Documents and Settings\James\Application Data\U3
2008-03-03 16:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-02 23:11 --------- d-----w C:\Program Files\XTrkCad
2008-03-02 20:11 --------- d-----w C:\Documents and Settings\James\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2008-03-02 14:02 2,798 ----a-w C:\Documents and Settings\James\Application Data\wklnhst.dat
2008-03-01 22:15 --------- d-----w C:\Documents and Settings\James\Application Data\My Battle for Middle-earth™ II Files
2008-03-01 10:55 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\FUJIFILM
2008-02-28 20:48 --------- d-----w C:\Program Files\XviD
2008-02-27 21:23 --------- d-----w C:\Program Files\Finalbig
2008-02-09 23:31 --------- d-----w C:\Program Files\QuickTime
2008-02-09 11:08 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\Skype
2008-02-03 10:12 --------- d-----w C:\Program Files\Electronic Arts
2008-02-01 17:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 15:05 --------- d-----w C:\Program Files\Virtual Earth 3D
2008-01-31 07:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2008-01-27 14:29 --------- d--h--r C:\Documents and Settings\Amy\Application Data\yahoo!
2008-01-27 14:01 172 ----a-w C:\Documents and Settings\Amy\Application Data\wklnhst.dat
2008-01-26 21:27 --------- d-----w C:\Documents and Settings\James\Application Data\Apple Computer
2008-01-26 15:55 --------- d-----w C:\Documents and Settings\William\Application Data\Talkback
2008-01-26 09:17 --------- d-----w C:\Documents and Settings\Maureen\Application Data\Motive
2008-01-25 20:12 --------- d--h--r C:\Documents and Settings\William\Application Data\yahoo!
2008-01-25 07:59 --------- d-s---w C:\Program Files\Xfire
2008-01-24 17:00 --------- d-----w C:\Documents and Settings\James\Application Data\Xfire
2008-01-21 22:20 6,688 ----a-w C:\WINDOWS\movexe.exe
2008-01-21 18:15 --------- d-----w C:\Documents and Settings\James\Application Data\Motive
2008-01-21 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-21 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-01-21 08:16 --------- d--h--r C:\Documents and Settings\Maureen\Application Data\yahoo!
2008-01-20 23:48 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\Motive
2008-01-20 20:13 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\Yahoo!
2008-01-20 19:46 --------- d-----w C:\Program Files\BTHomeHub
2008-01-20 09:25 --------- d-----w C:\Program Files\Neuratron PhotoScore
2008-01-16 22:37 54,608 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-01-13 19:33 --------- d-----w C:\Program Files\WoLoSoft
2008-01-12 15:03 36,864 ----a-w C:\WINDOWS\system32\SurveillanceSaver.scr
2008-01-09 15:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-31 15:15 28,672 ----a-w C:\WINDOWS\system32\M05.Support.Mjpeg.dll
2007-12-26 11:46 93,864 ----a-w C:\Documents and Settings\Gary.STUDY\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 11:46 1,852 ----a-w C:\Documents and Settings\Gary.STUDY\Application Data\wklnhst.dat
2007-12-25 13:30 65,024 ----a-w C:\WINDOWS\IFinst26.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-07 18:24 93,864 ----a-w C:\Documents and Settings\Amy\Application Data\GDIPFONTCACHEV1.DAT
2007-10-25 19:13 144 ----a-w C:\Documents and Settings\William\Application Data\wklnhst.dat
2007-10-11 15:28 1,140 ----a-w C:\Program Files\INSTALL.LOG
2007-10-11 15:21 604 ---ha-w C:\Program Files\STLL Notifier
2006-02-19 02:28 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-16 09:59 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-16 09:59 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-16 09:59 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 10:29 220544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" [2003-10-14 16:31 2269184 C:\WINDOWS\CMICNFG.CPL]
"CHotkey"="mHotkey.exe" [2003-06-27 22:39 506368 C:\WINDOWS\mHotkey.exe]
"ledpointer"="CNYHKey.exe" [2003-06-27 16:36 5798912 C:\WINDOWS\CNYHKey.exe]
"PRISMSTA.EXE"="PRISMSTA.exe" [2003-08-04 13:54 215552 C:\WINDOWS\system32\PRISMSTA.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 18:11 579072]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [2006-05-16 01:00 28672]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2003-05-28 15:37 394240]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-07 06:59 935936]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-09 23:11 50688]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-01-31 07:43:58 1078]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2006-03-19 13:37 110592 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 15:40 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-08-12 13:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]
--a------ 2002-08-28 20:43 73728 C:\WINDOWS\Dit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 01:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2003-06-24 14:23 61440 C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 16:29]
R2 VaultClientSRV;BT Auto Backup Service;C:\Program Files\BT Auto Backup\VaultClientSRV.exe [2007-07-04 21:01]
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-06-05 06:04]
R3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys [2003-05-22 15:44]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-06-12 06:47]
R3 PRISM_A00;PRISM 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2003-08-07 14:36]
S1 qwetab;qwetab;C:\WINDOWS\inf\qwetab.inf []
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 16:27]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 16:41]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 06:00]
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-02-19 08:24]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 V0220Dev;Live! Cam Video IM;C:\WINDOWS\system32\DRIVERS\V0220Dev.sys [2006-05-24 08:55]
S3 V0220Vfx;V0220VFX;C:\WINDOWS\system32\DRIVERS\V0220Vfx.sys [2006-03-24 08:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf182266-7369-11dc-b755-000c76761b71}]
\Shell\AutoRun\command - P:\StartPortableApps.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2da6e20-717b-11dc-b74e-000c76761b71}]
\Shell\AutoRun\command - Q:\StartPortableApps.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-03-04 23:53:35 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 21:20:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\WIDCOMM\Bluetooth Software\btkeyind.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-03-07 21:27:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-07 21:27:34
.
2008-03-06 16:14:02 --- E O F ---

[Jamjam525]

And new Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:33:32, on 07/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdmcks.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint....rintActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191357337656
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chome
O17 - HKLM\Software\..\Telephony: DomainName = chome
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA115CE-5D0A-4A66-8FB1-2D25270C55C6}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chome
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - Unknown owner - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 13787 bytes

[Essexboy]

Getting there

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
qwetab

File::
C:\WINDOWS\inf\qwetab.inf
C:\WINDOWS\system32\dniilbrf.xml
C:\WINDOWS\system32\rptxpkla.xml
C:\WINDOWS\system32\krmgcfeq.xml
C:\WINDOWS\system32\vjpmfshg.xml
C:\WINDOWS\system32\zxmkjbhx.xml
C:\WINDOWS\system32\ckzrewcl.xml
C:\WINDOWS\system32\mnrosskx.xml
C:\WINDOWS\system32\wznbhygc.xml
C:\WINDOWS\system32\drivers\ecyeophrmidq.sys
C:\WINDOWS\system32\drivers\qpyruunnovft.sys
c:\WINDOWS\system32\lkzeioqr.xml
C:\WINDOWS\system32\tabmxeos.xml
C:\WINDOWS\system32\hsegwhqq.xml
C:\WINDOWS\system32\xzccjida.xml
C:\WINDOWS\system32\rwpengsb.xml
C:\WINDOWS\system32\awvvt.dll_old
C:\WINDOWS\system32\kiirbril.xml
C:\WINDOWS\system32\fbcdvlhm.xml

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

[Jamjam525]

Ok, thanks a lot, seems to be coming along well.

Combofix log:

ComboFix 08-03-07.3 - James 2008-03-07 21:55:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.974 [GMT 0:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\inf\qwetab.inf
C:\WINDOWS\system32\awvvt.dll_old
C:\WINDOWS\system32\ckzrewcl.xml
C:\WINDOWS\system32\dniilbrf.xml
C:\WINDOWS\system32\drivers\ecyeophrmidq.sys
C:\WINDOWS\system32\drivers\qpyruunnovft.sys
C:\WINDOWS\system32\fbcdvlhm.xml
C:\WINDOWS\system32\hsegwhqq.xml
C:\WINDOWS\system32\kiirbril.xml
C:\WINDOWS\system32\krmgcfeq.xml
c:\WINDOWS\system32\lkzeioqr.xml
C:\WINDOWS\system32\mnrosskx.xml
C:\WINDOWS\system32\rptxpkla.xml
C:\WINDOWS\system32\rwpengsb.xml
C:\WINDOWS\system32\tabmxeos.xml
C:\WINDOWS\system32\vjpmfshg.xml
C:\WINDOWS\system32\wznbhygc.xml
C:\WINDOWS\system32\xzccjida.xml
C:\WINDOWS\system32\zxmkjbhx.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvvt.dll_old
C:\WINDOWS\system32\ckzrewcl.xml
C:\WINDOWS\system32\dniilbrf.xml
C:\WINDOWS\system32\drivers\ecyeophrmidq.sys
C:\WINDOWS\system32\drivers\qpyruunnovft.sys
C:\WINDOWS\system32\fbcdvlhm.xml
C:\WINDOWS\system32\hsegwhqq.xml
C:\WINDOWS\system32\kiirbril.xml
C:\WINDOWS\system32\krmgcfeq.xml
c:\WINDOWS\system32\lkzeioqr.xml
C:\WINDOWS\system32\mnrosskx.xml
C:\WINDOWS\system32\rptxpkla.xml
C:\WINDOWS\system32\rwpengsb.xml
C:\WINDOWS\system32\tabmxeos.xml
C:\WINDOWS\system32\vjpmfshg.xml
C:\WINDOWS\system32\wznbhygc.xml
C:\WINDOWS\system32\xzccjida.xml
C:\WINDOWS\system32\zxmkjbhx.xml

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\qwetab


((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 21:53 . 2008-03-07 21:53 <DIR> d-------- C:\Program Files\ToniArts
2008-03-07 16:39 . 2008-03-07 16:39 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-07 16:05 . 2008-03-07 16:05 <DIR> d-------- C:\Program Files\Secunia
2008-03-05 22:31 . 2007-12-07 02:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-05 22:31 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-05 22:31 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-05 22:31 . 2007-12-07 02:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-05 22:31 . 2007-12-07 02:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-05 22:31 . 2007-12-07 02:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-05 22:31 . 2007-12-07 02:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-05 22:31 . 2007-12-07 02:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-05 22:31 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-05 22:31 . 2007-12-06 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-05 19:15 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 18:58 . 2008-03-05 22:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-05 18:58 . 2008-03-05 22:40 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-05 18:58 . 2008-03-05 22:40 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-05 17:24 . 2008-03-05 17:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 17:21 . 2008-03-05 17:21 <DIR> d-------- C:\Deckard
2008-03-05 16:24 . 2008-03-05 16:24 <DIR> d-------- C:\Program Files\ACW
2008-03-04 22:29 . 2008-03-04 22:29 <DIR> d-------- C:\Documents and Settings\Gary.STUDY\Application Data\Uniblue
2008-03-04 16:03 . 2008-03-05 19:54 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-04 07:53 . 2008-03-04 07:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-03-04 07:48 . 2008-03-04 07:52 <DIR> d-------- C:\Documents and Settings\James\Application Data\Uniblue
2008-03-04 07:47 . 2008-03-04 07:47 <DIR> d-------- C:\Program Files\Uniblue
2008-03-03 17:42 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-03 17:42 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2008-03-03 17:42 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2008-03-03 17:41 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-03-03 17:08 . 2008-03-03 17:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-03 17:02 . 2008-03-03 17:02 <DIR> d-------- C:\VundoFix Backups
2008-03-03 16:50 . 2008-03-04 22:25 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-03 16:50 . 2008-03-07 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-03 08:02 . 2008-03-03 07:59 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-03 08:02 . 2008-03-03 08:02 2,540 --a------ C:\WINDOWS\unins000.dat
2008-03-02 17:19 . 2008-03-02 17:19 <DIR> d-------- C:\Documents and Settings\Amy\Application Data\Sibelius Software
2008-03-02 12:13 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-02 12:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-02 12:13 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-02 08:17 . 2008-03-02 08:17 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-02 08:16 . 2008-03-02 08:18 <DIR> d-------- C:\Program Files\Windows Live
2008-03-02 08:16 . 2008-03-02 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-01 15:30 . 2008-03-01 15:31 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-01 09:18 . 1998-01-20 22:06 252,928 --a------ C:\WINDOWS\system32\astrolib32.dll
2008-03-01 09:11 . 2008-03-01 09:11 <DIR> d-------- C:\WINDOWS\profiles
2008-03-01 09:11 . 1998-12-01 09:21 684,032 --a------ C:\WINDOWS\system32\rave.dll
2008-03-01 09:11 . 2005-05-23 20:37 475,136 --a------ C:\WINDOWS\system32\ds_flyer.scr
2008-03-01 09:11 . 2005-05-14 19:48 372,802 --a------ C:\WINDOWS\system32\QD3DRAVE_HW.rav
2008-03-01 09:11 . 1997-04-15 12:44 82,432 --a------ C:\WINDOWS\system32\ewdll32.dll
2008-03-01 09:11 . 1997-04-14 18:35 77,824 --a------ C:\WINDOWS\system32\helpmsg32.dll
2008-03-01 09:11 . 2005-05-23 20:37 50,609 --a------ C:\WINDOWS\system32\Drawwnd.obj
2008-03-01 09:11 . 2005-01-27 22:28 45,056 --a------ C:\WINDOWS\system32\avi_util32.dll
2008-03-01 09:11 . 2008-03-01 09:11 417 --a------ C:\WINDOWS\dst_suns.ini
2008-03-01 08:45 . 2008-03-01 09:11 <DIR> d-------- C:\Program Files\Astronomy programmes
2008-02-28 20:47 . 2008-02-28 20:47 <DIR> d-------- C:\Program Files\A-Z
2008-02-28 07:43 . 2008-02-28 07:43 <DIR> d-------- C:\Documents and Settings\James\Application Data\M05
2008-02-25 19:44 . 2008-03-03 20:57 <DIR> d-------- C:\Documents and Settings\James\Application Data\Hamachi
2008-02-25 19:43 . 2008-02-25 19:44 <DIR> d-------- C:\Program Files\Hamachi
2008-02-25 19:43 . 2008-02-25 19:43 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-23 20:45 . 2008-03-06 07:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 20:45 . 2008-02-23 20:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 20:44 . 2008-02-23 20:44 <DIR> d-------- C:\Program Files\iPod
2008-02-23 20:43 . 2008-03-05 21:18 <DIR> d-------- C:\Program Files\iTunes
2008-02-19 08:24 . 2008-02-19 08:24 7,808 --a------ C:\WINDOWS\system32\drivers\psi_mf.sys
2008-02-13 15:50 . 2008-02-13 15:51 <DIR> d-------- C:\SEE
2008-02-13 15:03 . 2008-02-13 15:04 <DIR> d-------- C:\Program Files\DivX
2008-02-12 13:31 . 2008-02-12 13:31 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-02-11 11:56 . 2008-02-11 11:56 <DIR> dr-h----- C:\Documents and Settings\James\Application Data\yahoo!
2008-02-10 19:19 . 2008-02-10 19:19 <DIR> d-------- C:\Program Files\Electric Rain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 22:02 8,732 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-07 22:02 2,697,248 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-07 21:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 21:52 --------- d-----w C:\Documents and Settings\James\Application Data\Free Download Manager
2008-03-07 21:18 6,343,588 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-03-07 20:43 --------- d-----w C:\Documents and Settings\James\Application Data\Skype
2008-03-07 19:22 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\AVG7
2008-03-07 19:07 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\Free Download Manager
2008-03-07 18:05 --------- d-----w C:\Program Files\Motive
2008-03-07 18:05 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2008-03-07 17:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-07 17:27 --------- d-----w C:\Program Files\Yahoo!
2008-03-07 17:17 --------- d-----w C:\Program Files\IrfanView
2008-03-07 16:46 --------- d-----w C:\Program Files\VideoLAN
2008-03-07 16:39 --------- d-----w C:\Program Files\Skype
2008-03-07 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-07 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-06 22:39 755,712 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-03-06 16:20 1,288,704 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-03-06 08:04 --------- d-----w C:\Documents and Settings\James\Application Data\AVG7
2008-03-05 21:20 --------- d-----w C:\Program Files\Bonjour
2008-03-05 21:18 --------- d-----w C:\Program Files\Common Files\Motive
2008-03-05 21:18 --------- d-----w C:\Program Files\btbb_wcm
2008-03-05 21:18 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-05 21:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 21:17 --------- d-----w C:\Program Files\Google
2008-03-05 21:17 --------- d-----w C:\Program Files\Free Download Manager
2008-03-05 13:52 2,828 ----a-w C:\Documents and Settings\Maureen\Application Data\wklnhst.dat
2008-03-04 19:05 --------- d-----w C:\Documents and Settings\James\Application Data\U3
2008-03-03 16:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-02 23:11 --------- d-----w C:\Program Files\XTrkCad
2008-03-02 20:11 --------- d-----w C:\Documents and Settings\James\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2008-03-02 14:02 2,798 ----a-w C:\Documents and Settings\James\Application Data\wklnhst.dat
2008-03-01 22:15 --------- d-----w C:\Documents and Settings\James\Application Data\My Battle for Middle-earth™ II Files
2008-03-01 10:55 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\FUJIFILM
2008-02-28 20:48 --------- d-----w C:\Program Files\XviD
2008-02-27 21:23 --------- d-----w C:\Program Files\Finalbig
2008-02-09 23:31 --------- d-----w C:\Program Files\QuickTime
2008-02-09 11:08 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\Skype
2008-02-03 10:12 --------- d-----w C:\Program Files\Electronic Arts
2008-02-01 15:05 --------- d-----w C:\Program Files\Virtual Earth 3D
2008-01-31 07:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2008-01-27 14:29 --------- d--h--r C:\Documents and Settings\Amy\Application Data\yahoo!
2008-01-27 14:01 172 ----a-w C:\Documents and Settings\Amy\Application Data\wklnhst.dat
2008-01-26 21:27 --------- d-----w C:\Documents and Settings\James\Application Data\Apple Computer
2008-01-26 15:55 --------- d-----w C:\Documents and Settings\William\Application Data\Talkback
2008-01-26 09:17 --------- d-----w C:\Documents and Settings\Maureen\Application Data\Motive
2008-01-25 20:12 --------- d--h--r C:\Documents and Settings\William\Application Data\yahoo!
2008-01-25 07:59 --------- d-s---w C:\Program Files\Xfire
2008-01-24 17:00 --------- d-----w C:\Documents and Settings\James\Application Data\Xfire
2008-01-21 22:20 6,688 ----a-w C:\WINDOWS\movexe.exe
2008-01-21 18:15 --------- d-----w C:\Documents and Settings\James\Application Data\Motive
2008-01-21 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-21 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-01-21 08:16 --------- d--h--r C:\Documents and Settings\Maureen\Application Data\yahoo!
2008-01-20 23:48 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\Motive
2008-01-20 20:13 --------- d-----w C:\Documents and Settings\Gary.STUDY\Application Data\Yahoo!
2008-01-20 19:46 --------- d-----w C:\Program Files\BTHomeHub
2008-01-20 09:25 --------- d-----w C:\Program Files\Neuratron PhotoScore
2008-01-16 22:37 54,608 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-01-13 19:33 --------- d-----w C:\Program Files\WoLoSoft
2008-01-12 15:03 36,864 ----a-w C:\WINDOWS\system32\SurveillanceSaver.scr
2008-01-09 15:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-31 15:15 28,672 ----a-w C:\WINDOWS\system32\M05.Support.Mjpeg.dll
2007-12-26 11:46 93,864 ----a-w C:\Documents and Settings\Gary.STUDY\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 11:46 1,852 ----a-w C:\Documents and Settings\Gary.STUDY\Application Data\wklnhst.dat
2007-12-25 13:30 65,024 ----a-w C:\WINDOWS\IFinst26.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-07 18:24 93,864 ----a-w C:\Documents and Settings\Amy\Application Data\GDIPFONTCACHEV1.DAT
2007-10-25 19:13 144 ----a-w C:\Documents and Settings\William\Application Data\wklnhst.dat
2007-10-11 15:28 1,140 ----a-w C:\Program Files\INSTALL.LOG
2007-10-11 15:21 604 ---ha-w C:\Program Files\STLL Notifier
2006-02-19 02:28 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-16 09:59 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-16 09:59 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-16 09:59 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 10:29 220544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" [2003-10-14 16:31 2269184 C:\WINDOWS\CMICNFG.CPL]
"CHotkey"="mHotkey.exe" [2003-06-27 22:39 506368 C:\WINDOWS\mHotkey.exe]
"ledpointer"="CNYHKey.exe" [2003-06-27 16:36 5798912 C:\WINDOWS\CNYHKey.exe]
"PRISMSTA.EXE"="PRISMSTA.exe" [2003-08-04 13:54 215552 C:\WINDOWS\system32\PRISMSTA.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 18:11 579072]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [2006-05-16 01:00 28672]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2003-05-28 15:37 394240]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-07 06:59 935936]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-09 23:11 50688]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-01-31 07:43:58 1078]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2006-03-19 13:37 110592 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 15:40 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-08-12 13:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]
--a------ 2002-08-28 20:43 73728 C:\WINDOWS\Dit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 01:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2003-06-24 14:23 61440 C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 16:29]
R2 VaultClientSRV;BT Auto Backup Service;C:\Program Files\BT Auto Backup\VaultClientSRV.exe [2007-07-04 21:01]
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-06-05 06:04]
R3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys [2003-05-22 15:44]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-06-12 06:47]
R3 PRISM_A00;PRISM 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2003-08-07 14:36]
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 16:27]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 16:41]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 06:00]
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-02-19 08:24]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 V0220Dev;Live! Cam Video IM;C:\WINDOWS\system32\DRIVERS\V0220Dev.sys [2006-05-24 08:55]
S3 V0220Vfx;V0220VFX;C:\WINDOWS\system32\DRIVERS\V0220Vfx.sys [2006-03-24 08:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf182266-7369-11dc-b755-000c76761b71}]
\Shell\AutoRun\command - P:\StartPortableApps.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2da6e20-717b-11dc-b74e-000c76761b71}]
\Shell\AutoRun\command - Q:\StartPortableApps.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-03-04 23:53:35 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 22:04:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\HKCYDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-03-07 22:13:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-07 22:13:42
ComboFix2.txt 2008-03-07 21:27:41
.
2008-03-06 16:14:02 --- E O F ---

[Jamjam525]

Hijackthis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:15:56, on 07/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdmcks.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint....rintActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191357337656
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chome
O17 - HKLM\Software\..\Telephony: DomainName = chome
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA115CE-5D0A-4A66-8FB1-2D25270C55C6}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chome
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - Unknown owner - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 13847 bytes

[Essexboy]

OK lets go hunt some orphan registry entries now

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

How is your computer now ?

[Jamjam525]

Its looking good, thanks for all the help . Nothing was found. Plus it looks like the popups have stopped and explorer is running at a reasonable memory usage again.

-----------------------------------------------------------

Here is the log:

Malwarebytes' Anti-Malware 1.07
Database version: 465

Scan type: Quick Scan
Objects scanned: 36689
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Jamjam525, 07 March 2008 - 04:33 PM.

[Essexboy]

Now the best part of the day ----- Your log now appears clean

You may now delete the programmes I had you download


Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe

[Essexboy]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.