Egwene,
Thank you for helping me. I was slow in getting back to you because this virus has crippled my normal internet use: it stopped me using my normal machine to access any anti-malware sites, and my work machine wouldn't accept the RSIT site. However, I installed an old hard drive, installed Win 98 on it along with my internet connection, and I can now at least get the tools needed to continue with your help (phew, a bit of an afternoon there). In order to communicate with you I have to reboot into the BIOS, change the boot-up drive, talk to you and download tools, then reboot into the BIOS, change to my infected drive, run the analysis, reboot into the BIOS again using this Windows 98 drive, log on here and pass on the results.
Don't worry, all tools will actually be run on the infected drive; the Windows 98 drive is just so I can download them.
I seriously hate what this virus has done to my machine, and the work it is making me do.
Anyway, back to business.
Firstly, yes, that initial posting was the complete HJT log. It's short as I used BlackViper's guidance to strip down the processes running and keep the machine as slick as possible.
Here are the two files from RSIT:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Dave Murphy at 2008-10-22 21:18:50
Microsoft Windows XP Professional Service Pack 2
System drive E: has 45 GB (59%) free of 76 GB
Total RAM: 1022 MB (69% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:18:55, on 22/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\setup\avast.setup
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Dave Murphy\Desktop\RSIT.exe
E:\Program Files\Trend Micro\HijackThis\Dave Murphy.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ashMaiSv] E:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HijackThis startup scan] E:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - Global Startup: DSLMON.lnk = E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
--
End of file - 2897 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - E:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E}
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2004-06-13 98352]
"KernelFaultCheck"=E:\WINDOWS\system32\dumprep 0 -k []
"ashMaiSv"=E:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe [2004-06-13 200752]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"HijackThis startup scan"=E:\Program Files\Trend Micro\HijackThis\HijackThis.exe [2008-10-19 396288]
E:\Documents and Settings\All Users\Start Menu\Programs\Startup
DSLMON.lnk - E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
WgaLogon.dll []
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\WINDOWS\system32\sessmgr.exe"="E:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cfb80e1-29b9-11d9-b9e9-806d6172696f}]
shell\AutoRun\command - D:\Setup.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d428d6cf-8aed-11d9-a15f-806d6172696f}]
shell\AutoRun\command - D:\dsetup.exe
======List of files/folders created in the last 3 months======
2008-10-22 21:18:50 ----D---- E:\rsit
2008-10-22 14:19:20 ----A---- E:\WINDOWS\IE4 Error Log.txt
2008-10-21 20:46:44 ----HDC---- E:\WINDOWS\$NtUninstallKB925902$
2008-10-21 20:46:41 ----A---- E:\WINDOWS\imsins.BAK
2008-10-21 20:46:34 ----HDC---- E:\WINDOWS\$NtUninstallKB926436$
2008-10-20 16:41:59 ----ASH---- E:\desktop.ini
2008-10-19 11:30:01 ----D---- E:\Program Files\AVG
2008-10-19 00:29:01 ----D---- E:\!KillBox
2008-10-19 00:16:16 ----D---- E:\Program Files\Trend Micro
2008-10-19 00:15:49 ----D---- E:\Program Files\Hijackthis
2008-10-19 00:02:00 ----D---- E:\Program Files\Enigma Software Group
2008-10-18 21:56:21 ----A---- E:\WINDOWS\system32\delself.bat
2008-09-16 07:33:57 ----D---- E:\Program Files\McDonaldsDragons
2008-09-13 15:48:10 ----D---- E:\Program Files\McDonaldsFairies
2008-09-13 15:47:40 ----SHD---- E:\WINDOWS\ftpcache
2008-08-07 02:46:29 ----D---- E:\Documents and Settings\Dave Murphy\Application Data\rhcg1bj0ea58
2008-07-29 22:06:31 ----D---- E:\Documents and Settings\All Users\Application Data\Avg8
======List of files/folders modified in the last 3 months======
2008-10-22 21:14:37 ----D---- E:\Program Files\Mozilla Firefox
2008-10-22 21:14:21 ----AD---- E:\WINDOWS\Temp
2008-10-22 20:53:48 ----A---- E:\WINDOWS\SchedLgU.Txt
2008-10-22 20:27:34 ----D---- E:\WINDOWS\Prefetch
2008-10-22 20:22:32 ----A---- E:\WINDOWS\ODBC.INI
2008-10-22 20:18:34 ----D---- E:\WINDOWS\system32\drivers
2008-10-22 20:18:27 ----D---- E:\WINDOWS\system32
2008-10-22 19:48:25 ----D---- E:\WINDOWS\system32\CatRoot2
2008-10-22 14:19:20 ----D---- E:\WINDOWS
2008-10-22 11:26:33 ----D---- E:\Program Files\Paint Shop Pro 6
2008-10-22 09:14:20 ----SD---- E:\Documents and Settings\Dave Murphy\Application Data\Microsoft
2008-10-21 23:02:31 ----HD---- E:\WINDOWS\inf
2008-10-21 23:00:19 ----HD---- E:\WINDOWS\$hf_mig$
2008-10-21 22:47:28 ----A---- E:\WINDOWS\NeroDigital.ini
2008-10-21 20:47:17 ----D---- E:\WINDOWS\system32\CatRoot
2008-10-21 20:46:47 ----RSHDC---- E:\WINDOWS\system32\dllcache
2008-10-19 17:02:21 ----D---- E:\WINDOWS\Minidump
2008-10-19 15:38:14 ----D---- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-19 13:16:21 ----SHD---- E:\System Volume Information
2008-10-19 13:16:21 ----D---- E:\WINDOWS\system32\Restore
2008-10-19 11:30:01 ----SHD---- E:\WINDOWS\Installer
2008-10-19 11:30:01 ----SHD---- E:\Config.Msi
2008-10-19 11:30:01 ----RD---- E:\Program Files
2008-10-19 11:30:00 ----D---- E:\WINDOWS\WinSxS
2008-10-19 11:30:00 ----D---- E:\Program Files\Common Files\Microsoft Shared
2008-10-19 10:48:26 ----D---- E:\WINDOWS\system32\Macromed
2008-10-19 01:39:58 ----SD---- E:\WINDOWS\Downloaded Program Files
2008-10-19 00:51:28 ----D---- E:\WINDOWS\Help
2008-10-19 00:51:28 ----D---- E:\Program Files\Web Publish
2008-10-19 00:51:28 ----D---- E:\Program Files\CCleaner
2008-10-19 00:51:13 ----D---- E:\Program Files\QuickTime
2008-10-19 00:50:17 ----HD---- E:\Program Files\InstallShield Installation Information
2008-10-19 00:48:56 ----D---- E:\Program Files\GameSpy Arcade
2008-10-19 00:48:27 ----D---- E:\Program Files\DivX
2008-10-19 00:45:57 ----D---- E:\Program Files\Common Files\Adobe
2008-10-19 00:44:08 ----D---- E:\WINDOWS\Debug
2008-10-18 22:31:52 ----D---- E:\WINDOWS\security
2008-10-02 14:44:18 ----D---- E:\Program Files\Spybot - Search & Destroy
2008-09-07 14:12:15 ----D---- E:\Program Files\Common Files
2008-09-07 14:10:25 ----D---- E:\Documents and Settings\Dave Murphy\Application Data\Real
2008-09-04 10:30:28 ----A---- E:\WINDOWS\system32\dcdbda9_z.dll
2008-09-02 21:44:42 ----D---- E:\Program Files\Lavasoft
2008-08-21 12:39:31 ----D---- E:\Documents and Settings\Dave Murphy\Application Data\Adobe
2008-08-03 15:21:24 ----D---- E:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 15:07:33 ----D---- E:\Documents and Settings\All Users\Application Data\Lavasoft
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 Aavmker4;avast! Asynchronous Virus Monitor; E:\WINDOWS\system32\drivers\Aavmker4.sys [2004-06-13 13248]
R1 aswSP;avast! Self Protection; E:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; E:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 InCDPass;InCDPass; E:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-07-16 28672]
R1 prodrv06;StarForce Protection Environment Driver v6; E:\WINDOWS\System32\drivers\prodrv06.sys [2004-08-09 53920]
R2 aswFsBlk;aswFsBlk; E:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; E:\WINDOWS\system32\drivers\aswMon2.sys [2004-06-13 56960]
R3 adiusbaw;USB ADSL WAN Adapter; E:\WINDOWS\System32\DRIVERS\adiusbaw.sys [2003-03-27 127145]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); E:\WINDOWS\system32\drivers\ALCXWDM.SYS [2007-03-08 4027840]
R3 nv;nv; E:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-07-20 3198368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; E:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; E:\WINDOWS\system32\drivers\WmBEnum.sys [2003-05-14 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; E:\WINDOWS\system32\drivers\WmXlCore.sys [2003-05-14 44288]
R4 InCDfs;InCD File System; E:\WINDOWS\system32\drivers\InCDfs.sys [2004-07-16 92672]
S1 kbdhid;Keyboard HID Driver; E:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 P3;Intel PentiumIII Processor Driver; E:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-03 42496]
S2 ADILOADER;General Purpose USB Driver (adildr.sys); E:\WINDOWS\System32\Drivers\adildr.sys [2003-07-17 46167]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter; \??\E:\WINDOWS\system32\drivers\NSDriver.sys []
S3 ALCXSENS;Service for WDM 3D Audio Driver; E:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-24 400384]
S3 aswRdr;aswRdr; \??\E:\WINDOWS\system32\drivers\aswRdr.sys []
S3 CCDECODE;Closed Caption Decoder; E:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 ENTECH;ENTECH; \??\E:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 ess;ESS Audio Driver (WDM); E:\WINDOWS\system32\drivers\ess.sys [2001-08-17 63360]
S3 gwiopm;gwiopm; \??\E:\Program Files\Unknown Device Identifier\gwiopm.sys []
S3 hidusb;Microsoft HID Class Driver; E:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-23 9600]
S3 jatmlano;jatmlano; \??\E:\DOCUME~1\DAVEMU~1\LOCALS~1\Temp\jatmlano.sys []
S3 mouhid;Mouse HID Driver; E:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; E:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; E:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; E:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 NUVision;Studio OnLine; E:\WINDOWS\system32\DRIVERS\NUVision.sys [2000-07-16 136352]
S3 SANDRA;SANDRA; \??\E:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\WNt500x86\Sandra.sys []
S3 SLIP;BDA Slip De-Framer; E:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; E:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 TVICHW32;TVICHW32; \??\E:\WINDOWS\System32\DRIVERS\TVICHW32.SYS []
S3 ULI5261;ULi Based Ethernet NT Driver; E:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-07-26 29696]
S3 ULI5261XP;ULi M526X Ethernet NT Driver; E:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-03 17024]
S3 usbscan;USB Scanner Driver; E:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; E:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WinDMI;WinDMI; \??\E:\Program Files\AOpen\WinDMI\windmidrv.SYS []
S3 WmFilter;Logitech WingMan HID Filter Driver; E:\WINDOWS\system32\drivers\WmFilter.sys [2003-05-14 21216]
S3 WmVirHid;Logitech Virtual Hid Device Driver; E:\WINDOWS\system32\drivers\WmVirHid.sys [2003-05-14 5728]
S3 WSTCODEC;World Standard Teletext Codec; E:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 aawservice;Lavasoft Ad-Aware Service; E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 aswUpdSv;avast! iAVS4 Control Service; E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2004-06-13 53248]
R2 avast! Antivirus;avast! Antivirus; E:\Program Files\Alwil Software\Avast4\ashServ.exe [2004-06-13 77872]
R2 InCDsrv;InCD Helper; E:\Program Files\Ahead\InCD\InCDsrv.exe [2004-07-16 1163378]
S2 spupdsvc;Windows Service Pack Installer update service; E:\WINDOWS\system32\spupdsvc.exe [2005-06-28 22752]
S3 avast! Mail Scanner;avast! Mail Scanner; E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2004-06-13 200752]
S3 avast! Web Scanner;avast! Web Scanner; E:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 IDriverT;InstallDriver Table Manager; E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; E:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [1998-06-06 34036]
S4 NVSvc;NVIDIA Display Driver Service; E:\WINDOWS\system32\nvsvc32.exe [2005-07-20 127043]
-----------------EOF-----------------
********************************************************************************
NEXT THE INFO FILE
********************************************************************************
info.txt logfile of random's system information tool 1.04 2008-10-22 21:18:57
======Uninstall list======
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 E:\WINDOWS\INF\PCHealth.inf
3DMark05-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{2DF7B278-D3B6-40A4-B25C-0E7149F439EA}\Setup.exe" -l0x9
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 ActiveX-->E:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->E:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ALi mini IDE driver-->E:\WINDOWS\System32\ALi5minst.exe E:\WINDOWS\inf\mshdc.inf PCI\VEN_10B9&DEV_5229 1
AOpen Multimedia Utilities-->E:\WINDOWS\IsUninst.exe -f"C:\Program Files\AOpen\Multimedia Utilities\AOMUinst.isu"
avast! Antivirus-->rundll32 E:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
B17 - The Mighty Eighth-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{63B263C2-1B61-11D4-8B6D-00C0F01F6881}\setup.exe" SetupCheck
BJC-1000-->E:\WINDOWS\system32\CNMCP1W.EXE -@E:\WINDOWS\IsUninst.exe -f"E:\BJPrinter\CNMWINDOWS\Canon BJC-1000 Installer\Inst\DeIsL1.isu" -pCanon BJC-1000-c"E:\BJPrinter\CNMWINDOWS\Canon BJC-1000 Installer\Inst\bjinst.dll
Canon Camera Support Core Library-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{5662C158-CA24-4228-BF6C-596FADA08682} /l1033
Canon Camera Window DS for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7B847C9D-6758-45E6-B598-3BD8F43EAE9E}
Canon Camera Window DVC for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A70D14C6-FF2C-4B8E-A643-7E74EC607614}
Canon Camera Window for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E73534D5-CC93-4C63-9072-5A9734255C74}
Canon Internet Library for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{954BF446-BBC9-42CC-87A6-EBF0D55CA19A}
Canon MovieEdit Task for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DEB416DB-4FA9-42B6-84D3-1E0081300C9E}
Canon PhotoRecord-->MsiExec.exe /X{862983D7-FA08-493E-A9ED-6B7859E069D3}
Canon RAW Image Task for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A0F34E4E-25F0-4B68-AE8F-EF0C15CB1FED}
Canon RemoteCapture Task for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities PhotoStitch 3.1-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only)-->"E:\Program Files\CCleaner\uninst.exe"
Encarta World Atlas 99-->"E:\Program Files\Microsoft Reference\Encarta World Atlas 99\evgunnst.exe" /uninstall
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2-->"E:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IL-2 Sturmovik: Forgotten Battles-->E:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8DF712DA-D325-4FD0-8DE8-E2D78FC3CDC3} /l1033
InCD-->E:\WINDOWS\NuNInst.exe /UNINSTALL
Kubex Software 3D Home Designer-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{5D536ABE-4396-11D5-8578-00105ADDC431}\Setup.exe" -l0x9
Logitech Gaming Software-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{93EC14D5-7AAA-4EAD-BB75-013817A96598}\Setup.Exe" -l0x9
Macromedia Shockwave Player-->E:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE E:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Madden NFL 2004-->E:\Program Files\EA SPORTS\Madden NFL 2004\EAUninstall.exe
MapInfo Professional 7.0-->MsiExec.exe /I{0660BFE2-CD47-400F-A19D-8EC89C91CA8B}
MapInfo Professional Data-->E:\PROGRA~1\MapInfo\PROGRA~1\MapInfo\Data\UNWISE.EXE E:\PROGRA~1\MapInfo\PROGRA~1\MapInfo\Data\INSTALL.LOG
McDonald's Dragons-->E:\Program Files\McDonaldsDragons\uninstall.exe
McDonald's Fairies-->E:\Program Files\McDonaldsFairies\uninstall.exe
Microsoft MapPoint Europe 2004-->MsiExec.exe /I{8704D51E-25B7-4F23-81E7-AA4F54790240}
Microsoft Office XP Professional-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 6.0 Enterprise Edition-->"E:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Mozilla Firefox (3.0.3)-->E:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero OEM-->E:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers-->E:\WINDOWS\System32\nvudisp.exe UninstallGUI
Outlook Express Backup Wizard version 1.1-->"E:\Program Files\Outlook Express Backup Wizard\unins000.exe"
Paint Shop Pro 6.0 (CD-ROM)-->E:\PROGRA~1\PAINTS~1\Unwise.exe E:\PROGRA~1\PAINTS~1\INSTALL.LOG
Populous: The Beginning-->E:\WINDOWS\IsUninst.exe -f"E:\Program Files\Bullfrog\Populous\Uninst.isu" -c"E:\Program Files\Bullfrog\Populous\uninst.dll"
POW-->E:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{CD277B3E-8043-496E-B83B-D53186A072AB} /l1033
PowerDVD-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Realtek AC'97 Audio-->Alcrmv.exe -r -m
Rome - Total War-->E:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4089999C-6CB7-4F9D-A2F6-DB158DBF91FB} /l1033 /x
SAGEM F@st 800-840-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\setup.exe" -l0x9
Security Update for Windows XP (KB925902)-->"E:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"E:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"E:\Program Files\Spybot - Search & Destroy\unins001.exe"
Studio Online-->E:\WINDOWS\IsUninst.exe -f"E:\Program Files\Pinnacle\Studio Online\ISTUDIO.ISU" -cE:\WINDOWS\ISTUDIO.dll
TalonSoft's West Front Combat Pack-->E:\WINDOWS\IsUninst.exe -f"E:\Program Files\TalonSoft\West Front\Uninst.isu"
Truprint Viewer-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{07802C2B-0ABD-439A-9510-1A89FD4FD5AB}\Setup.exe"
ubi.com-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}\Setup.exe" -l0x9 UNINSTALL-L0x9 -uninst
ULi AGP Driver 2.20-->E:\WINDOWS\system32\UnAGP.EXE RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{0DD0650C-5113-4FEE-BDDA-AC0B76FD0BD1}\Setup.exe" -uninst
ULi LAN Driver-->E:\WINDOWS\system32\UnLAN.EXE RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{143BE018-D8F8-4014-8CB6-AF63F5799D21}\Setup.exe" -uninst
VIA Platform Device Manager-->E:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Windows Blaster Worm Removal Tool (KB833330)-->E:\WINDOWS\$NtUninstallKB833330$\spuninst\spuninst.exe
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows XP Hotfix - KB873333-->E:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->E:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Service Pack 2-->E:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
=====HijackThis Backups=====
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215262989953
R3 - Default URLSearchHook is missing
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonu...geUploader4.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O2 - BHO: (no name) - {58F07DD3-924D-4141-BC74-299F523A95F1} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
======Hosts File======
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
======Security center information======
AV: avast! antivirus 4.1.1229 [VPS 0424-3] (outdated)
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"devmgr_show_nonpresent_devices"=1
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 31 Stepping 0, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=1f00
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"CLASSPATH"=.;
-----------------EOF-----------------
Thanks again, the help you're giving is an honourable venture, unlike those creating this malware.
You have my respects,
Dave