Geeks to Go

'Avundo'/Windows/privacy_danger/index.htm problem[CLOSED] - HJ


  • This topic is locked

#1
marcp1967

    Member
  • 18 posts
My dad has run into some serious problems with his computer.
When he booted into Windows, the Explorer shell would crash and restart in a cycle, while the system tray clock would display 'VIRUS ALEART'.

Task Manager, right-click, and access to C: were disabled by the 'administrator', even though there is no admin account on this PC.

I have managed to scan the computer's HDD with SUPERAntiSpyware, AVG Free and Windows Defender, and I now have a stable, usable system. Several variants of the 'Avundo' malware were found and removed.

However, there seems to be some malicious software still at play.

When I try to change the Windows desktop picture, I get an Internet Explorer error saying

'cannot find 'file:///C:/Windows/privacy_danger/index.htm'

The computer is running Windows XP Home Edition, Service Pack 3, with all the latest patches; IE version 7 with the latest patches. All driver software is up to date.


----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:23, on 02/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: iercptbho - {D4CDC21D-43BE-4101-A1EF-E379F134771E} - (no file)
O3 - Toolbar: (no name) - {43D1D84F-EF2E-40C7-9773-01C6D85FF5C3} - (no file)
O4 - HKLM\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105804695843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134563516500
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer = 212.139.132.6,212.136.132.7
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfEVNef - khfEVNef.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\Common Files\BinarySense\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 11261 bytes
-----

Any help would be much appreciated.

EDIT: I have run regedit and removed all instances of C:/Windows/privacy_danger/index.htm, and the system seems to be OK. I have edited my log after the removal. Could someone check that my system is clean?

Many thanks

Edited by marcp1967, 02 August 2008 - 06:10 AM.



#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi marcp1967

Welcome to geekstogo :)

You have done a pretty good job in removing the infections. I can see some traces, which we will remove in the next post. But first I want to gather some more information to see what else those infections brought in.


====STEP 1====
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm



====STEP 2====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


In your next reply could I see:
1. the SmitfraudFix report
2. the 2 DSS logs (though there may only be one)

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#3
marcp1967

    Member

  • Topic Starter
  • 18 posts
Many thanks for your reply :)

My SmitfraudFix log:

-----------------------------
SmitFraudFix v2.333

Scan done at 13:33:23.18, 02/08/2008
Run from D:\Documents and Settings\Pollock\My Documents\My Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pollock


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pollock\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Pollock\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!




»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 212.139.132.6
DNS Server Search Order: 212.136.132.7

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer=212.139.132.6,212.136.132.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer=212.139.132.6,212.136.132.7
HKLM\SYSTEM\CS2\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer=212.139.132.6,212.136.132.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer=212.139.132.6,212.136.132.7


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

----------------------------------------

Main.txt:
--------------------------
Deckard's System Scanner v20071014.68
Run by Pollock on 2008-08-02 13:36:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-02 12:36:13 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Pollock.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:38:14, on 02/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Documents and Settings\Pollock\My Documents\My Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Pollock.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: iercptbho - {D4CDC21D-43BE-4101-A1EF-E379F134771E} - (no file)
O3 - Toolbar: (no name) - {43D1D84F-EF2E-40C7-9773-01C6D85FF5C3} - (no file)
O4 - HKLM\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105804695843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134563516500
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer = 212.139.132.6,212.136.132.7
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfEVNef - khfEVNef.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\Common Files\BinarySense\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10722 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 cdenable - c:\windows\system32\drivers\cdenable.sys
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BlueletSCOAudio (Bluetooth SCO Audio Service) - c:\windows\system32\drivers\blueletscoaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 Cap7134 (Philips Cap7134 Capture) - c:\windows\system32\drivers\cap7134.sys <Not Verified; Philips Semiconductors; Philips cap7134>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 PhTVTune (Philips WDM TVTuner) - c:\windows\system32\drivers\phtvtune.sys <Not Verified; Philips Semiconductors; Philips TVTuner WDM Driver>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S1 ATITool (ATITool Overclocking Utility) - c:\windows\system32\drivers\atitool.sys <Not Verified; W1zzard; ATITool Driver>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 FlyPCI - c:\windows\system32\drivers\flypci.sys
S3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 PIXMCV (JVC Communication PIX-MCV Driver) - c:\windows\system32\drivers\pixmcvc.sys <Not Verified; Pixela; PIX-MCV Communication Driver (WinMe/2000/XP)>
S3 PIXMCVA (JVC PIX-MCV Audio Capture) - c:\windows\system32\drivers\pixmcva.sys <Not Verified; Pixela; Pixela>
S3 PIXMCVV (JVC PIX-MCV Video Capture) - c:\windows\system32\drivers\pixmcvv.sys <Not Verified; Pixela; Pixela>
S3 Ser2pl (MAT Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 STV680 (Digital Camera) - c:\windows\system32\drivers\stv680.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 ScsiAccess - c:\windows\system32\scsiaccess.exe

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {FF646F80-8DEF-11D2-9449-00105A075F6B}
Description: pcouffin device for 32 bits systems
Device ID: ROOT\PCOUFFIN\0000
Manufacturer: VSO Software
Name: pcouffin device for 32 bits systems
PNP Device ID: ROOT\PCOUFFIN\0000
Service: pcouffin

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Frank's Nokia
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Frank's Nokia
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-08-02 13:37:38 414 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-08-02 13:25:08 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 13:16:38 2742 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-02 12:35:42 0 d--hs---- C:\Documents and Settings\Pollock\Recent
2008-08-02 03:32:51 0 d-------- C:\Program Files\Trend Micro
2008-08-02 03:11:08 0 d-------- C:\Program Files\Java
2008-08-02 03:10:07 0 d-------- C:\Program Files\Common Files\Java
2008-08-01 22:35:21 0 d--h----- C:\$AVG8.VAULT$
2008-08-01 22:28:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 22:28:26 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 22:28:26 0 d-------- C:\Documents and Settings\Pollock\Application Data\SUPERAntiSpyware.com
2008-08-01 22:23:37 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 22:22:15 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 22:22:00 0 d-------- C:\Program Files\AVG
2008-08-01 22:22:00 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 17:20:38 0 d-------- C:\My Downloads
2008-07-23 17:17:06 575007 --ahs---- C:\WINDOWS\system32\eOrqAcdd.ini2
2008-07-23 16:59:29 0 d-------- C:\Documents and Settings\Pollock\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

2008-08-02 04:05:16 0 d-------- C:\Program Files\Google
2008-08-02 03:17:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 03:17:48 0 d-------- C:\Program Files\Symantec
2008-08-02 03:17:21 0 d-------- C:\Program Files\Common Files
2008-07-15 14:48:23 0 d-------- C:\Documents and Settings\Pollock\Application Data\Google
2008-06-21 11:20:15 0 d-------- C:\Program Files\MSN Messenger
2008-06-20 22:41:03 0 d-------- C:\Program Files\Messenger
2008-06-20 22:40:38 0 d-------- C:\Program Files\Movie Maker
2008-06-20 22:37:37 0 d-------- C:\Program Files\Windows NT
2008-06-04 19:14:57 0 d-------- C:\Documents and Settings\Pollock\Application Data\MSN6


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4CDC21D-43BE-4101-A1EF-E379F134771E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [12/08/2007 21:25]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [14/10/2002 21:09]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"PVR Agent"="C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe" [13/09/2004 17:19]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [23/02/2006 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [19/04/2006 14:40]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [01/08/2008 22:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/04/2008 01:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 20:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Pollock\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 20:16:50]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [07/01/2008 17:43:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/04/2008 03:38:16]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [16/07/2006 18:33:36]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [08/06/2003 17:48:18]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [15/01/2005 18:07:31]
TV Remote Control.lnk - C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe [01/03/2005 22:36:37]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region-Free\DVDShell.dll [20/12/2003 21:58 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfEVNef]
khfEVNef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcAqrOe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-02 13:39:39 ------------

Edited by marcp1967, 02 August 2008 - 06:43 AM.

  • 0

#4
marcp1967 (Member, Topic Starter, 18 posts)
My extra.txt
---------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.53GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 1023.48 MiB / 532.61 MiB
Pagefile Memory (total/avail): 2464.44 MiB / 2002.29 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.08 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 39.06 GiB total, 25.26 GiB free.
D: is Fixed (NTFS) - 143.73 GiB total, 49.27 GiB free.
E: is Fixed (FAT32) - 3.51 GiB total, 2.29 GiB free.
F: is Fixed (NTFS) - 74.53 GiB total, 35.49 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is CDROM (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
L: is Removable (No Media)
M: is Removable (No Media)
N: is Removable (FAT)

\\.\PHYSICALDRIVE0 - SAMSUNG SP2014N - 186.31 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 39.06 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 147.25 GiB - D: - E:

\\.\PHYSICALDRIVE1 - ST380020A - 74.53 GiB - 1 partition
\PARTITION0 - Installable File System - 74.53 GiB - F:

\\.\PHYSICALDRIVE2 - SMSC 223 U HS-CF USB Device

\\.\PHYSICALDRIVE3 - SMSC 223 U HS-MS USB Device

\\.\PHYSICALDRIVE5 - SMSC 223 U HS-SD/MMC USB Device

\\.\PHYSICALDRIVE4 - SMSC 223 U HS-SM USB Device

\\.\PHYSICALDRIVE6 - Verbatim Store 'n' Go USB Device - 1921.84 MiB - 1 partition
\PARTITION0 - 16-bit FAT - 1928 MiB - N:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Pollock\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FAMILY
ComSpec=C:\WINDOWS\system32\cmd.exe
DBCONFIG=C:\Adabas\sql
DBROOT=C:\Adabas
DBWORK=C:\Adabas\sql
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Pollock
LOGONSERVER=\\FAMILY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Samsung\Samsung PC Studio 3\;C:\Program Files\Common Files\Adobe\AGL;C:\Adabas\bin;C:\Adabas\pgm;C:\Program Files\AVG\AVG8
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Pollock\LOCALS~1\Temp
TMP=C:\DOCUME~1\Pollock\LOCALS~1\Temp
USERDOMAIN=FAMILY
USERNAME=Pollock
USERPROFILE=C:\Documents and Settings\Pollock
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Pollock (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADEF1025-6D3B-485C-9AC9-1A2D81665B7F}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
#1 DVD Audio Ripper 1.0.3 --> "C:\Program Files\NO1 DVD Audio Ripper\unins000.exe"
Abacast Client --> C:\PROGRA~1\Abacast\UNWISE.EXE C:\PROGRA~1\Abacast\client.LOG
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{4468EF97-A253-4699-9E1C-88CAE2C6832D}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
aspi --> MsiExec.exe /I{015E4B8A-29B5-4AE3-BD08-38220FADFF4C}
Audacity 1.2.4 --> "C:\Program Files\Audacity\unins000.exe"
Avance AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Azureus --> C:\Program Files\Azureus\Uninstall.exe
BlueSoleil --> MsiExec.exe /X{996D8BB8-9B47-46C7-92DC-DCCE64467AB8}
CCHelp --> MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
ConvertXtoDVD 2.1.14.223 --> "C:\Program Files\vso\ConvertXtoDVD\unins000.exe"
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
CutePDF Writer 2.3 --> C:\WINDOWS\system32\uninscpw.exe C:\Program Files\
Debugging Tools for Windows --> MsiExec.exe /I{5C741A01-05D6-4306-BA6A-DC8401285AE8}
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
DVD Region-Free 3.32 --> "C:\Program Files\DVD Region-Free\unins000.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
ESSAdpt --> MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP --> MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCAM --> MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
EVEREST Home Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
FreeRIP v2.40 --> "C:\Program Files\FreeRIP2\unins000.exe"
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
HDDlife Pro 3.0 --> MsiExec.exe /X{A46A4058-41AE-4828-9329-A3320EB87FC7}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Image Analyzer --> C:\Program Files\MeeSoft\ImageAnalyzer\Uninstall.exe
Image Data Converter SR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0F429FF7-8C47-40D7-AF6F-D8B090233D04}\setup.exe" -l0x9 -removeonly
ImageMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AA18C57-381C-4C99-8FE6-5EB1CB0A5BC0}\Setup.exe" -l0x9
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
IncrediMail JunkFilter Plus --> C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:JunkFilterPlus
IncrediMail Xe --> C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:IncrediMail /log:IncMail.log
Informations about your PC --> MsiExec.exe /I{0AB149EB-2AE0-466C-9BA4-3A718CF06432}
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Mega Codec Pack 1.16 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kazaa Lite K++ v2.4.3 --> "C:\Program Files\Kazaa Lite K++\unins000.exe"
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_3c0002_1990e\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Lexmark X74-X75 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBBUN5C.EXE -dLexmark X74-X75
LimeWire PRO 4.12.3 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate BVRP Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Reference Library 2005 --> MsiExec.exe /I{05410141-64A6-4248-A026-9745C1E9E159}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Reader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6F7DBE7-2FE2-458F-A738-B10832746036}\Setup.exe" -L0x9
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Windows Vista Upgrade Advisor --> MsiExec.exe /I{5F1788B3-C9CE-4BAD-8293-3B622DA643D1}
MicroStaff WINASPI --> C:\MWASPI\uninst.exe
MINITAB 13 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MTBDEMO\Uninst.isu"
mobile PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
Motorola Handset USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44B3522B-195C-488D-84AC-9526FA99CB73}\Setup.exe"
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Office Animation Runtime --> MsiExec.exe /X{AEEB3643-71DE-414d-9E3F-1159177FE211}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
PC Connectivity Solution --> MsiExec.exe /I{AB2347E4-153B-4194-AA3B-97C0A662B369}
PCDLNCH --> MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
Philips TV713X WDM Drivers --> C:\WINDOWS\p3xunist.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PVR Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B893587-00A8-4A4E-83F0-8AFA7BFC7C1A}\setup.exe" -l0x9
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem ^^ --> C:\WINDOWS\system32\Samsung_USB_Drivers\4\SSVDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 --> "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2 --> MsiExec.exe /I{ABE068DF-8DC4-4947-ABFC-DD2B40850225}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Starry Night Bundle Edition --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Sienna\Starry Night Bundle Edition\DeIsL1.isu" -c"C:\Program Files\Sienna\Starry Night Bundle Edition\_ISREG32.DLL"
Stellarium 0.8.2 --> "C:\Program Files\Stellarium\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tevion TV713X Utilities --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{477AB148-138C-46D2-820B-0DBFA744CEE8}\Setup.exe" -l0x9 -uninst
TMPGEnc DVD Author 1.6 --> MsiExec.exe /I{9CD89DD7-234A-4801-9D87-3DE352E146A0}
TVR Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C2995A04-6209-40C2-B31D-4D85852B6D8B}\setup.exe" -l0x9
VideoEgg Publisher --> C:\Program Files\VideoEgg\Uninstall.exe
VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinImage --> "C:\Program Files\WinImage\winimage.exe" /uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinXMedia DVD MPEG/AVI/Audio Converter 3.2 --> C:\Program Files\WinXMedia\WinXMedia DVD Converter\uninst.exe
WMI Tools --> MsiExec.exe /I{25A13826-8E4A-4FBF-AD2B-776447FE9646}


-- Application Event Log -------------------------------------------------------

Event Record #/Type53981 / Warning
Event Submitted/Written: 08/02/2008 01:13:05 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type53976 / Success
Event Submitted/Written: 08/02/2008 00:27:36 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type53970 / Warning
Event Submitted/Written: 08/02/2008 04:48:34 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type53955 / Success
Event Submitted/Written: 08/02/2008 03:24:58 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type53946 / Warning
Event Submitted/Written: 08/02/2008 03:12:58 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type126968 / Warning
Event Submitted/Written: 08/02/2008 01:39:02 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FAMILY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FAMILY27 can't undo changes that you allow.

For more information please see the following:
%FAMILY275

Scan ID: {4C5E47EC-35C5-474E-BD44-F2A779273F2D}

User: FAMILY\Pollock

Name: %FAMILY271

ID: %FAMILY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FAMILY276

Alert Type: %FAMILY278

Detection Type: 1.1.1593.02

Event Record #/Type126967 / Warning
Event Submitted/Written: 08/02/2008 01:39:02 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FAMILY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FAMILY27 can't undo changes that you allow.

For more information please see the following:
%FAMILY275

Scan ID: {5D9D8087-F958-469B-9D4F-8E3A7DB7562B}

User: FAMILY\Pollock

Name: %FAMILY271

ID: %FAMILY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FAMILY276

Alert Type: %FAMILY278

Detection Type: 1.1.1593.02

Event Record #/Type126966 / Warning
Event Submitted/Written: 08/02/2008 01:39:02 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FAMILY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FAMILY27 can't undo changes that you allow.

For more information please see the following:
%FAMILY275

Scan ID: {007E2125-C512-4831-991A-3A0BF554160A}

User: FAMILY\Pollock

Name: %FAMILY271

ID: %FAMILY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FAMILY276

Alert Type: %FAMILY278

Detection Type: 1.1.1593.02

Event Record #/Type126965 / Warning
Event Submitted/Written: 08/02/2008 01:39:00 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FAMILY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FAMILY27 can't undo changes that you allow.

For more information please see the following:
%FAMILY275

Scan ID: {EFF42B4A-732C-41D2-904C-9BA271AA658B}

User: FAMILY\Pollock

Name: %FAMILY271

ID: %FAMILY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FAMILY276

Alert Type: %FAMILY278

Detection Type: 1.1.1593.02

Event Record #/Type126964 / Warning
Event Submitted/Written: 08/02/2008 01:39:00 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FAMILY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FAMILY27 can't undo changes that you allow.

For more information please see the following:
%FAMILY275

Scan ID: {49C0A4F9-7E33-490E-A8B7-933B0DD297CA}

User: FAMILY\Pollock

Name: %FAMILY271

ID: %FAMILY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FAMILY276

Alert Type: %FAMILY278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-08-02 13:39:39 ------------

---------

Many thanks again :)
  • 0

#5
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Looks like a few friends were brought along. In this post I want to scan a suspicious-looking file and start removing the malware.


====STEP 1====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
c:\windows\system32\drivers\flypci.sys

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal



====STEP 2====
If you have already downloaded ComboFix, could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.micro...com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

In your next reply could I see:
1. the jotti scan
2. the combofix scan
3. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#6
marcp1967

marcp1967

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Wow!

You are such a great help. Thanks very much!

My jotti scan log for the file you requested:

Scanner results
Scan taken on 02 Aug 2008 13:17:22 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
  • 0

#7
marcp1967

marcp1967

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
My combofix log:
----------------------------------------------------
ComboFix 08-08-01.04 - Pollock 2008-08-02 14:39:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.609 [GMT 1:00]
Running from: D:\Documents and Settings\Pollock\My Documents\My Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Pollock\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\btfunc.dll
C:\WINDOWS\system32\eOrqAcdd.ini
C:\WINDOWS\system32\eOrqAcdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
.

2008-08-02 13:35 . 2008-08-02 13:35 <DIR> d-------- C:\Deckard
2008-08-02 13:16 . 2008-08-02 13:33 2,742 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-02 03:32 . 2008-08-02 03:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-02 03:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-02 03:11 . 2008-08-02 03:12 <DIR> d-------- C:\Program Files\Java
2008-08-02 03:10 . 2008-08-02 03:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-01 22:35 . 2008-08-02 01:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-01 22:28 . 2008-08-01 22:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 22:28 . 2008-08-01 22:28 <DIR> d-------- C:\Documents and Settings\Pollock\Application Data\SUPERAntiSpyware.com
2008-08-01 22:28 . 2008-08-01 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 22:23 . 2008-08-01 22:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 22:22 . 2008-08-01 22:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 22:22 . 2008-08-01 22:22 <DIR> d-------- C:\Program Files\AVG
2008-08-01 22:22 . 2008-08-01 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-01 22:22 . 2008-08-01 22:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-01 22:22 . 2008-08-01 22:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-01 22:22 . 2008-08-01 22:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 17:20 . 2008-07-23 17:20 <DIR> d-------- C:\My Downloads
2008-07-23 16:59 . 2008-07-23 16:59 <DIR> d-------- C:\Documents and Settings\Pollock\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 13:42 196 ----a-w C:\WINDOWS\system32\drivers\ALCICH.DAT
2008-08-02 13:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 03:05 --------- d-----w C:\Program Files\Google
2008-08-02 02:17 --------- d-----w C:\Program Files\Symantec
2008-08-02 02:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-02 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-21 10:20 --------- d-----w C:\Program Files\MSN Messenger
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-04 18:14 --------- d-----w C:\Documents and Settings\Pollock\Application Data\MSN6
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2007-03-25 13:56 87,608 ----a-w C:\Documents and Settings\Pollock\Application Data\ezpinst.exe
2007-03-25 13:56 47,360 ----a-w C:\Documents and Settings\Pollock\Application Data\pcouffin.sys
2005-06-04 11:45 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 01:12 1695232]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-08-12 21:25 208946]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 21:09 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PVR Agent"="C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe" [2004-09-13 17:19 733696]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-19 14:40 155648]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-01 22:22 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 01:12 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 01:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Pollock\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-01-07 17:43:58 200704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-16 18:33:36 626176]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18 16432]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-01-15 18:07:31 155648]
TV Remote Control.lnk - C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe [2005-03-01 22:36:37 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\Program Files\DVD Region-Free\DVDShell.dll" [2003-12-20 21:58 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"D:\\mobile PhoneTools\\mPhonetools.exe"=
"C:\\Program Files\\Abacast\\Abaclient.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Documents and Settings\\Pollock\\My Documents\\NES\\NESTCL95.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Documents and Settings\\Pollock\\My Documents\\Azureus Downloads\\IncrediMail Xe Premium 5.65 Build 3056\\magentic_installBuild 296.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008
"55300:TCP"= 55300:TCP:55300_1
"55300:UDP"= 55300:UDP:55300
"6881:TCP"= 6881:TCP:6881
"6881:UDP"= 6881:UDP:6881_1
"60000:TCP"= 60000:TCP:60000
"60000:UDP"= 60000:UDP:60000

R0 Ramdisk;Ramdisk [ QSoft ];C:\WINDOWS\system32\DRIVERS\ramdisk.sys [2008-04-13 19:41]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-01 22:22]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-01 22:22]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-01 22:22]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-01 22:22]
R2 cdenable;cdenable;C:\WINDOWS\system32\Drivers\cdenable.sys [2001-09-10 18:43]
R2 HDDlife HDD Access service;HDDlife HDD Access service;C:\Program Files\Common Files\BinarySense\hldasvc.exe [2007-08-09 14:23]
R3 Cap7134;Philips Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-07-29 23:36]
R3 PhTVTune;Philips WDM TVTuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-07-29 23:36]
S3 FlyPCI;FlyPCI;C:\WINDOWS\system32\drivers\FlyPCI.sys [2003-10-10 11:06]
S3 ham50;Creatix V.92 HAM Data Fax Modem;C:\WINDOWS\system32\DRIVERS\CTXH51.sys [2002-02-28 01:49]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 14:39]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 14:39]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 14:39]
S3 S3SAVAGE4M;S3SAVAGE4M;C:\WINDOWS\system32\DRIVERS\s3sav4m.sys [2001-08-17 13:50]
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-02 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
Notify-khfEVNef - khfEVNef.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Pollock\Application Data\Mozilla\Firefox\Profiles\5ce3erss.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 14:43:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-02 14:46:49 - machine was rebooted [Pollock]
ComboFix-quarantined-files.txt 2008-08-02 13:46:39

Pre-Run: 26,997,481,472 bytes free
Post-Run: 26,911,580,160 bytes free

202 --- E O F --- 2008-07-23 09:43:22
----------------------------------------------------------------


Many thanks again :)
  • 0

#8
marcp1967

marcp1967

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:50:38, on 02/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105804695843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134563516500
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer = 212.139.132.6,212.136.132.7
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfEVNef - khfEVNef.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\Common Files\BinarySense\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10504 bytes
  • 0

#9
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will clear out a couple of entries, fix your file associations and run some general scans to see where we stand. With luck, we are almost done.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.

Firstly, some questions:
1. Your start page is set to http://www.medion.co.uk ..... Is this meant to be the case?
2. You have set http://toolbar.imageshack.us to be in the Trusted Zone, which means it has the lowest form of security applied to it. Is this meant to be the case?

Secondly:
Real-time protection can interfere with Scanners

Disable Windows Defender until the computer is clean
  • Open Windows Defender
  • Select Tools and then General Settings
  • Under Real Time Protection Options uncheck Turn on real-time protection
  • Select Save
Don't forget to re-enable it, when your computer is clean.



====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{38F5F92F-BD40-40DF-A569-6C1FCB638190}]
[-HKEY_CLASSES_ROOT\CLSID\{38F5F92F-BD40-40DF-A569-6C1FCB638190}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
====STEP 2====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



====STEP 4====
Click on Start, then click on Run
Copy and paste the following in bold into the open window and then click OK
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
If that does not work, please download DAFT and save it to your desktop, double-click the daft.exe icon, and then follow the above instructions from "Click on the Scan button".



====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.




In your next reply could I see:
1. the answers to the above questions
2. the combofix log
3. the malwarebytes log
4. the kaspersky log
5. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
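As an added example (not part of this thread, HijackThis, ComboFix, or the helper's tooling), a small Python triage of HijackThis v2 log lines that applies the same checks andrewuk applied above: the O14 start page and O15 Trusted Zone entries he asked about, the orphaned O20 Winlogon Notify entry ComboFix removed, plus the O16/O17/O18/O23 entries a helper reads next. The sample lines are copied from the log posted above; the rules and wording are my own heuristics, not HijackThis's.

```python
"""Triage HijackThis (HJT) v2 log entries the way a malware-removal helper reads them.

Added example for this thread; not part of HijackThis, ComboFix or the forum's tools.
The rules below are heuristics of my own that mirror the helper's questions above.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entry lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer = 212.139.132.6,212.136.132.7
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfEVNef - khfEVNef.dll (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

# Every HJT entry line is "<code> - <body>"; headers and the process list do not match.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
FILE_MISSING = "(file missing)"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Finding:
    code: str      # HJT entry type, e.g. "O20"
    action: str    # "confirm" (ask the owner), "verify" (check provenance), "remove"
    reason: str
    entry: str     # the entry body as it appeared in the log


def parse_hjt(text):
    """Yield (code, body) for each HJT entry line in the log text."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return the findings a helper would raise first, in log order."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O14":
            # IERESET.INF decides what "Reset Web Settings" restores; often an OEM default.
            findings.append(Finding(code, "confirm", "IERESET.INF start page; confirm the owner expects it", body))
        elif code == "O15":
            # Trusted Zone sites run with IE's weakest security settings.
            findings.append(Finding(code, "confirm", "site in IE Trusted Zone (lowest security applied); confirm it is wanted", body))
        elif code == "O16":
            # DPF entries are downloaded ActiveX controls; verify publisher and origin.
            findings.append(Finding(code, "verify", "downloaded ActiveX control (DPF); verify publisher and source", body))
        elif code == "O17":
            ips = IPV4.findall(body)
            findings.append(Finding(code, "verify", "DNS servers %s; check they belong to the ISP" % ", ".join(ips), body))
        elif code == "O18" and FILE_MISSING in body:
            findings.append(Finding(code, "remove", "protocol handler whose DLL is missing; orphaned registration", body))
        elif code == "O20" and (FILE_MISSING in body or "\\" not in body):
            # A Notify DLL that is missing, or named without a path, is a leftover loading point.
            findings.append(Finding(code, "remove", "Winlogon Notify DLL missing or given without a path; orphaned loading point", body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "verify", "service binary with no publisher; verify the file", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s [%s] %s\n    %s" % (f.code, f.action, f.reason, f.entry))
```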

#10
marcp1967

marcp1967

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi again.

Thanks very much for your continued help:

To answer your questions;

1) Medion is the PC maker, so I assume this is their default homepage
2) My father uses the PC mainly for photography and uses the imageshack hosting site quite often. I am fairly sure he would have authorised this, but I'm not sure if that has any impact on the system's security.

Combo Fix log:

ComboFix 08-08-01.04 - Pollock 2008-08-02 15:40:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.610 [GMT 1:00]
Running from: D:\Documents and Settings\Pollock\My Documents\My Downloads\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
.

2008-08-02 13:35 . 2008-08-02 13:35 <DIR> d-------- C:\Deckard
2008-08-02 13:16 . 2008-08-02 13:33 2,742 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-02 03:32 . 2008-08-02 03:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-02 03:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-02 03:11 . 2008-08-02 03:12 <DIR> d-------- C:\Program Files\Java
2008-08-02 03:10 . 2008-08-02 03:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-01 22:35 . 2008-08-02 15:40 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-01 22:28 . 2008-08-01 22:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 22:28 . 2008-08-01 22:28 <DIR> d-------- C:\Documents and Settings\Pollock\Application Data\SUPERAntiSpyware.com
2008-08-01 22:28 . 2008-08-01 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 22:23 . 2008-08-01 22:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 22:22 . 2008-08-01 22:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 22:22 . 2008-08-01 22:22 <DIR> d-------- C:\Program Files\AVG
2008-08-01 22:22 . 2008-08-01 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-01 22:22 . 2008-08-01 22:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-01 22:22 . 2008-08-01 22:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-01 22:22 . 2008-08-01 22:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 17:20 . 2008-07-23 17:20 <DIR> d-------- C:\My Downloads
2008-07-23 16:59 . 2008-07-23 16:59 <DIR> d-------- C:\Documents and Settings\Pollock\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 14:36 196 ----a-w C:\WINDOWS\system32\drivers\ALCICH.DAT
2008-08-02 14:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 14:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-02 03:05 --------- d-----w C:\Program Files\Google
2008-08-02 02:17 --------- d-----w C:\Program Files\Symantec
2008-08-02 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-21 10:20 --------- d-----w C:\Program Files\MSN Messenger
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-04 18:14 --------- d-----w C:\Documents and Settings\Pollock\Application Data\MSN6
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2007-03-25 13:56 87,608 ----a-w C:\Documents and Settings\Pollock\Application Data\ezpinst.exe
2007-03-25 13:56 47,360 ----a-w C:\Documents and Settings\Pollock\Application Data\pcouffin.sys
2005-06-04 11:45 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 01:12 1695232]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-08-12 21:25 208946]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 21:09 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PVR Agent"="C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe" [2004-09-13 17:19 733696]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-19 14:40 155648]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-01 22:22 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 01:12 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 01:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Pollock\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-01-07 17:43:58 200704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-16 18:33:36 626176]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18 16432]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-01-15 18:07:31 155648]
TV Remote Control.lnk - C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe [2005-03-01 22:36:37 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\Program Files\DVD Region-Free\DVDShell.dll" [2003-12-20 21:58 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfEVNef]
khfEVNef.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"D:\\mobile PhoneTools\\mPhonetools.exe"=
"C:\\Program Files\\Abacast\\Abaclient.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Documents and Settings\\Pollock\\My Documents\\NES\\NESTCL95.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Documents and Settings\\Pollock\\My Documents\\Azureus Downloads\\IncrediMail Xe Premium 5.65 Build 3056\\magentic_installBuild 296.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008
"55300:TCP"= 55300:TCP:55300_1
"55300:UDP"= 55300:UDP:55300
"6881:TCP"= 6881:TCP:6881
"6881:UDP"= 6881:UDP:6881_1
"60000:TCP"= 60000:TCP:60000
"60000:UDP"= 60000:UDP:60000

R0 Ramdisk;Ramdisk [ QSoft ];C:\WINDOWS\system32\DRIVERS\ramdisk.sys [2008-04-13 19:41]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-01 22:22]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-01 22:22]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-01 22:22]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-01 22:22]
R2 cdenable;cdenable;C:\WINDOWS\system32\Drivers\cdenable.sys [2001-09-10 18:43]
R2 HDDlife HDD Access service;HDDlife HDD Access service;C:\Program Files\Common Files\BinarySense\hldasvc.exe [2007-08-09 14:23]
R3 Cap7134;Philips Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-07-29 23:36]
R3 PhTVTune;Philips WDM TVTuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-07-29 23:36]
S3 FlyPCI;FlyPCI;C:\WINDOWS\system32\drivers\FlyPCI.sys [2003-10-10 11:06]
S3 ham50;Creatix V.92 HAM Data Fax Modem;C:\WINDOWS\system32\DRIVERS\CTXH51.sys [2002-02-28 01:49]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 14:39]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 14:39]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 14:39]
S3 S3SAVAGE4M;S3SAVAGE4M;C:\WINDOWS\system32\DRIVERS\s3sav4m.sys [2001-08-17 13:50]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-02 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 15:42:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-02 15:43:44
ComboFix-quarantined-files.txt 2008-08-02 14:43:36
ComboFix2.txt 2008-08-02 13:46:53

Pre-Run: 26,962,149,376 bytes free
Post-Run: 26,947,964,928 bytes free

176 --- E O F --- 2008-07-23 09:43:22


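Added example, not part of this thread or of ComboFix: a small Python script that parses the REGEDIT4-style "Reg Loading Points" format used in the ComboFix log above and flags the kinds of entries a helper checks first: a Winlogon\Notify DLL that ComboFix did not resolve to a dated file on disk (the khfEVNef entry, which is listed as a bare filename unlike the SUPERAntiSpyware one), Security Center's FirewallOverride set to a non-zero value, and firewall exceptions for executables under user-writable folders. The sample lines are copied from the log above; the heuristics, token list and function names are this example's own assumptions.

```python
"""Flag suspicious entries in a ComboFix 'Reg Loading Points' section.

Defender-side illustration written for this thread; the heuristics below
are assumptions of this example, not ComboFix's or the helper's rules.
"""
import re

# Constructed excerpt in ComboFix's REGEDIT4-style format; the lines are
# copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfEVNef]
khfEVNef.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Documents and Settings\\Pollock\\My Documents\\Azureus Downloads\\IncrediMail Xe Premium 5.65 Build 3056\\magentic_installBuild 296.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# A Winlogon\Notify body line that ComboFix resolved to a file on disk:
# "YYYY-MM-DD HH:MM <size> <drive>:\<path>".
RESOLVED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ [A-Za-z]:\\")
# Path fragments (assumed heuristic) that mark a user-writable location.
USER_WRITABLE = ("documents and settings", "my documents", "downloads", "\\temp\\")


def parse_sections(text):
    """Return {registry key: [body lines]} for a REGEDIT4-style section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def find_findings(text):
    """Return (kind, subject, raw line) tuples for entries worth a closer look."""
    findings = []
    for key, body in parse_sections(text).items():
        lkey = key.lower()
        if "\\winlogon\\notify\\" in lkey:
            # Notify DLLs load into winlogon.exe; one ComboFix could not
            # resolve to a dated file is the first thing to inspect.
            for line in body:
                if not RESOLVED_RE.match(line):
                    findings.append(("winlogon-notify-unresolved",
                                     key.rsplit("\\", 1)[1], line))
        elif lkey.endswith("\\security center"):
            # FirewallOverride != 0 suppresses the "firewall off" warning.
            for line in body:
                if line.lower().startswith('"firewalloverride"=dword:') and \
                        int(line.split(":", 1)[1], 16) != 0:
                    findings.append(("security-center-firewall-override",
                                     "FirewallOverride", line))
        elif "authorizedapplications" in lkey:
            # Firewall exceptions for binaries in user-writable folders.
            for line in body:
                path = line.strip('"=').replace("\\\\", "\\").lower()
                if any(tok in path for tok in USER_WRITABLE):
                    findings.append(("firewall-exception-user-writable",
                                     path, line))
    return findings


if __name__ == "__main__":
    for kind, subject, line in find_findings(SAMPLE_LOG):
        print(f"{kind:36} {subject}")
```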
#11 marcp1967 (Topic Starter, Member, 18 posts)
MWB log:

Malwarebytes' Anti-Malware 1.24
Database version: 1015
Windows 5.1.2600 Service Pack 3

16:35:51 02/08/2008
mbam-log-8-2-2008 (16-35-51).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 106814
Time elapsed: 47 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 37
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 16
Files Infected: 296

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{59c345ba-3d5e-44e3-9d10-d3848af15d73} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a6fbd2e4-1c7e-4eab-80dd-01de2645566a} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{3a9377a6-be7f-485d-908c-d44114691389} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\iercpt.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396 (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\messages (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2655 (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2655\resources (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2655\resources\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2655\resources\VideoEgg\images (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2655\resources\VideoEgg\messages (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Updater (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Updater\2364 (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Local Settings\Application Data\qip (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\VideoEgg\Loader\2364\npvideoegg-loader.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Local Settings\Application Data\qip\QuickInstallPack.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\vso\ConvertXtoDVD\Patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\publisher.ver (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\avcodec.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\crashRpt.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\dataCollection.tmp (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\FLVEncoder.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\lame_enc.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\LevelMeter.ax (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\libcurlve.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\libpng.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\npvideoegg-publisher.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\remoteblacklist (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\report.log (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\VideoEgg_FLVWriter.ax (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\zlib.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\aol_watermark.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\audio_combo.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\audio_source.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\big_gray_logo.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\big_logo_cropped.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\blank_slide.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\button_browse_down.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\button_browse_over.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\button_browse_up.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\camcorders_title.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\camcorder_btn_highlighted.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\camcorder_slide.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\corners_bottom_left.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\corners_bottom_left_curve.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\corners_bottom_right.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\corners_top_right.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\done.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\done_capture.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\done_capture_down.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\done_capture_over.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\done_down.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\done_over.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dropshadow_bottom_left.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dropshadow_horiz.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dropshadow_vertical.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dropzone.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dv_fast_forward.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dv_pause.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dv_play.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dv_rewind.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\dv_stop.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\email_instructions.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\email_sent.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\email_sent_down.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\email_sent_over.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\eraser.CUR (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\eraser_cursor.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\file_btn_highlighted.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\file_slide.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\help.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\icon_camcorder.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\icon_camcorders.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pollock\Application Data\VideoEgg\Publisher\2396\resources\VideoEgg\images\icon_camcorder_dark.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
#12 marcp1967 (Topic Starter, Member, 18 posts)
Kaspersky Log:

KASPERSKY ONLINE SCANNER REPORT
Saturday, August 02, 2008 8:01:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/08/2008
Kaspersky Anti-Virus database records: 1044946


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\

Scan Statistics
Total number of scanned objects 73627
Number of viruses found 24
Number of infected objects 58
Number of suspicious objects 8
Duration of the scan process 02:49:28

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsrm.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12172006-110033.log Object is locked skipped

C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp Object is locked skipped

C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Pollock\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Pollock\Cookies\pollock@adrevolver[2].txt Object is locked skipped

C:\Documents and Settings\Pollock\Cookies\[email protected][2].txt Object is locked skipped

C:\Documents and Settings\Pollock\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Pollock\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Documents and Settings\Pollock\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Pollock\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Pollock\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Pollock\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat Object is locked skipped

C:\Documents and Settings\Pollock\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Pollock\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Pollock\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Pollock\ntuser.dat.LOG Object is locked skipped

C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.k skipped

C:\Program Files\IncrediMail\Data\Identities\{FF48DBE9-F78B-47BD-8BA2-E4D24E76C2DB}\Message Store\JunkMail.imm/[From "Nikki Tripp" ][Date Wed, 26 Dec 2007 11:49:24 -0100]/text/[From HSBC Bank ][Date Thu, 27 Dec 2007 14:47:00 -0400]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Program Files\IncrediMail\Data\Identities\{FF48DBE9-F78B-47BD-8BA2-E4D24E76C2DB}\Message Store\JunkMail.imm/[From "Nikki Tripp" ][Date Wed, 26 Dec 2007 11:49:24 -0100]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Program Files\IncrediMail\Data\Identities\{FF48DBE9-F78B-47BD-8BA2-E4D24E76C2DB}\Message Store\JunkMail.imm/[From "Bert Poole" ][Date Fri, 11 Jan 2008 18:52:49 +0100 (added by [email protected])]/text/[From "NatWest Bank Direct Banking'07" ][Date Wed, 16 Jan 2008 09:53:47 +0200]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Program Files\IncrediMail\Data\Identities\{FF48DBE9-F78B-47BD-8BA2-E4D24E76C2DB}\Message Store\JunkMail.imm/[From "Bert Poole" ][Date Fri, 11 Jan 2008 18:52:49 +0100 (added by [email protected])]/text/[From "NatWest Bank Direct Banking'07" ][Date Wed, 16 Jan 2008 09:53:47 +0200]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Program Files\IncrediMail\Data\Identities\{FF48DBE9-F78B-47BD-8BA2-E4D24E76C2DB}\Message Store\JunkMail.imm/[From "Bert Poole" ][Date Fri, 11 Jan 2008 18:52:49 +0100 (added by [email protected])]/text/[From "Damon J. Swan" ][Date Wed, 16 Jan 2008 02:15:52 -0700]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Program Files\IncrediMail\Data\Identities\{FF48DBE9-F78B-47BD-8BA2-E4D24E76C2DB}\Message Store\JunkMail.imm/[From "Bert Poole" ][Date Fri, 11 Jan 2008 18:52:49 +0100 (added by [email protected])]/text/[From "Damon J. Swan" ][Date Wed, 16 Jan 2008 02:15:52 -0700]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Program Files\IncrediMail\Data\Identities\{FF48DBE9-F78B-47BD-8BA2-E4D24E76C2DB}\Message Store\JunkMail.imm/[From "Bert Poole" ][Date Fri, 11 Jan 2008 18:52:49 +0100 (added by [email protected])]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Program Files\IncrediMail\Data\Identities\{FF48DBE9-F78B-47BD-8BA2-E4D24E76C2DB}\Message Store\JunkMail.imm Mail: suspicious - 7 skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\agent.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\busyprs.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\BWLocalWebListener.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\FileDL.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000001.FCS Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\RG.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\scheddbg.log Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{D6D4104F-5828-40E3-AB0F-05D46C6B9362}\RP2\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallQ307274$\shgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ307274$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ307274$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\guitrn.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\guitrn_a.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\migapp.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\migwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\migwiz_a.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\script.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\script_a.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\sysmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ307869$\sysmod_a.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ308276$\smlogsvc.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ308276$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ308276$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ308677$\userenv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ309376$\rdbss.sys Object is locked skipped

C:\WINDOWS\$NtUninstallQ309376$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ309376$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ309495$\msi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ309495$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ309495$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ310437$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ310437$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ310437$\ups.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ310507$\aec.sys Object is locked skipped

C:\WINDOWS\$NtUninstallQ310507$\dxmrtp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ310507$\splitter.sys Object is locked skipped

C:\WINDOWS\$NtUninstallQ310507$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ310507$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ312368$\syssetup.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped

C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped

C:\WINDOWS\$NtUninstallQ318966$\spuninst\Q318966.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\Documents and Settings\Pollock\My Documents\BluesPortScan\BluesPortScan.exe Infected: not-a-virus:NetTool.Win32.Delf.d skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\block-checker-xp.exe/setup.zip/1 Infected: IM-Worm.Win32.Chiem.a skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\block-checker-xp.exe/setup.zip/3 Infected: Trojan.Win32.Starter.e skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\block-checker-xp.exe/setup.zip/4 Infected: not-a-virus:AdWare.Win32.Chiem.a skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\block-checker-xp.exe/setup.zip Infected: not-a-virus:AdWare.Win32.Chiem.a skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\block-checker-xp.exe SEA: infected - 4 skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\freeripmp3.exe/data0011 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\freeripmp3.exe Inno: infected - 1 skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\HotlineConnectClient-1.9.1.exe/0001\F7\setup280.exe/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\HotlineConnectClient-1.9.1.exe/0001\F7\setup280.exe/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\HotlineConnectClient-1.9.1.exe/0001\F7\setup280.exe Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\HotlineConnectClient-1.9.1.exe Tarma: infected - 3 skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\HotlineConnectClient-1.9.1.exe UPX: infected - 3 skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\incredimail_install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.k skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\netpumper-1.03-setup.exe/data0044/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\netpumper-1.03-setup.exe/data0044/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\netpumper-1.03-setup.exe/data0044 Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\netpumper-1.03-setup.exe Inno: infected - 3 skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\SmitfraudFix.exe/SmitfraudFix/IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\SmitfraudFix.exe RAR: infected - 2 skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\ZIPS\BluesPortScan.zip/BluesPortScan.exe Infected: not-a-virus:NetTool.Win32.Delf.d skipped

D:\Documents and Settings\Pollock\My Documents\My Downloads\ZIPS\BluesPortScan.zip ZIP: infected - 1 skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0007 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0008/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0008/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0012/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0012 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0015 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0016 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0020/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0020 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0021/bdesecureinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0021/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0021/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0021 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0024/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0024 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0025/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0028/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0028 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0029/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe/data0029 Infected: Trojan.Win32.Krepper.y skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe Inno: infected - 26 skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd171gu_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd171gu_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd171gu_en.exe Inno: infected - 3 skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Received Files\flowers.exe/hauntpc.exe Infected: not-virus:BadJoke.Win32.Hauntpc skipped

D:\Documents and Settings\Pollock\My Documents\Old Docs\My Received Files\flowers.exe ZIP: infected - 1 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{D6D4104F-5828-40E3-AB0F-05D46C6B9362}\RP2\change.log Object is locked skipped

E:\System Volume Information\_restore{D6D4104F-5828-40E3-AB0F-05D46C6B9362}\RP2\change.log Object is locked skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\System Volume Information\_restore{D6D4104F-5828-40E3-AB0F-05D46C6B9362}\RP2\change.log Object is locked skipped

Scan process completed.

#13
marcp1967

    Member

  • Topic Starter
  • Member
  • 18 posts
New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:43, on 02/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\Tevion multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Tevion multimedia\TV713X Utilities\P3XRCtl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105804695843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134563516500
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECE80144-14ED-4F49-9B66-FC0AA1E9F6ED}: NameServer = 212.139.132.6,212.136.132.7
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfEVNef - khfEVNef.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\Common Files\BinarySense\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9891 bytes

#14
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

My father uses the PC mainly for photography and uses the imageshack hosting site quite often. I am fairly sure he would have authorised this, but I'm not sure if that has any impact on the system's security.

If he authorised it, then it will be OK.

Something seems to be re-infecting your machine. We will remove the infections that the Kaspersky scan found and see where that leaves us.


====STEP 1====
Jotti File Submission:

Please go to Jotti's malware scan.
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\DRIVERS\ramdisk.sys

Click on the Submit button.

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal.



====STEP 2====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O20 - Winlogon Notify: khfEVNef - khfEVNef.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.




====STEP 3====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe
D:\Documents and Settings\Pollock\My Documents\BluesPortScan\BluesPortScan.exe
D:\Documents and Settings\Pollock\My Documents\My Downloads\block-checker-xp.exe
D:\Documents and Settings\Pollock\My Documents\My Downloads\freeripmp3.exe
D:\Documents and Settings\Pollock\My Documents\My Downloads\HotlineConnectClient-1.9.1.exe
D:\Documents and Settings\Pollock\My Documents\My Downloads\incredimail_install.exe
D:\Documents and Settings\Pollock\My Documents\My Downloads\netpumper-1.03-setup.exe
D:\Documents and Settings\Pollock\My Documents\My Downloads\ZIPS\BluesPortScan.zip
D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd161_en.exe
D:\Documents and Settings\Pollock\My Documents\Old Docs\My Downloads\Setups\kmd171gu_en.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

In your next reply could I see:
1. the Jotti scan
2. the ComboFix log
3. a new HijackThis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
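As an added example (not from this thread and not part of HijackThis or ComboFix), here is a small Python triage pass over the kinds of log entries the helper singles out above: O20 Winlogon Notify entries that name a bare DLL or a file no longer on disk, plus O23 services with no recorded publisher. The sample log lines are constructed from entries quoted in this thread.

```python
import re

# Constructed sample, modelled on HijackThis entries posted in this thread.
SAMPLE_LOG = """\
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\\Program Files\\BinarySense\\HDDlife 3\\hlAPP.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: khfEVNef - khfEVNef.dll (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\\WINDOWS\\system32\\ScsiAccess.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Every HijackThis entry starts with its section code, e.g. "O20 - ...".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (section, name, reason) tuples for entries worth a helper's attention."""
    findings = []
    for section, body in entries:
        missing = body.endswith("(file missing)")
        if section == "O20" and body.startswith("Winlogon Notify: "):
            name, _, target = body[len("Winlogon Notify: "):].partition(" - ")
            dll = target.replace(" (file missing)", "").strip('"')
            # A notify DLL listed as a bare filename is resolved from the system
            # search path; the legitimate vendor entry in this log has a full path.
            if "\\" not in dll:
                findings.append((section, name, "bare DLL name, not a full path"))
            if missing:
                findings.append((section, name, "orphaned: DLL no longer on disk"))
        elif section == "O23" and body.startswith("Service: "):
            name, _, rest = body[len("Service: "):].partition(" - ")
            if rest.startswith("Unknown owner"):
                findings.append((section, name, "service with no publisher recorded"))
        elif missing:
            findings.append((section, body.split(" - ")[0], "orphaned entry"))
    return findings
```

The orphaned O20 entry is exactly the one the helper has you fix in STEP 2; the "Unknown owner" service is a review item, not a verdict, and should be checked against the vendor's documentation before anything is removed.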

#15
marcp1967

    Member

  • Topic Starter
  • Member
  • 18 posts
Here goes...

Jotti scan:

File: ramdisk.sys
Status: OK
MD5: eb631ad8b3e8dce20cef046b6d602b98
Packers detected: -

Scanner results
Scan taken on 03 Aug 2008 11:32:17 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing