[Desumacchhi]

Hi,

Having read this forum I suspect I might have a dose of the nasties that appear to be doing the rounds. My problem is that if I do a search in google for example bbc - and then click on bbc.co.uk search result, I sometimes (but not always) get redirected to a junk meaningless site with no relationship to the BBC.

Things I've done:

1. Run AVG 8.5 (this initially found a trojan which it appeared to deal with at first, but didnt solve the problem)
2. Run Trendmicro housecall - (this picked up 2 trojans and about 14 other things it couldnt cope with)
3. Run ATF Cleaner
4. Run Adaware - this was useless
5. Run Malawarebytes - This picked up about 15 errors. It requested a reboot to delete all the errors which I did. The PC then wouldnt reboot and just kept going around the reboot cycle. I rebooted into safe mode and ran the scan again. It picked up 5 errors, which it deleted, rebooted then fine back into normal windows.
6. Run SuperAntiSpyware - this didnt pick up anything.

AVG, Adaware, Malwarebytes and Superantispyware are all now coming back with clean scans, but the problem still persists

Any help will be much appreciated



Rootkit Log

Microsoft Windows XP Professional (5.1.2600) Service Pack 2

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:38162 Mo/Free:23 Mo)
D:\ [CD-Rom] (Total:3764 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Fixed] - FAT32 - (Total:157026 Mo/Free:3861 Mo)

09/04/2009|12:51

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\Mixer.exe
---------- C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
---------- C:\Program Files\Portrait Displays\forteManager\DTHtml.exe
---------- C:\Program Files\O2\bin\sprtcmd.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\PROGRA~1\AVG\AVG8\avgtray.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
---------- C:\Program Files\Kontiki\KHost.exe
---------- C:\Documents and Settings\H Jardine\Application Data\pidle\pidle.exe
---------- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Kontiki\KService.exe
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\WINDOWS\system32\PnkBstrA.exe
---------- C:\WINDOWS\system32\PnkBstrB.exe
---------- C:\Program Files\O2\bin\sprtsvc.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\wdfmgr.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\PROGRA~1\AVG\AVG8\avgnsx.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\Documents and Settings\H Jardine\My Documents\Downloads\OTListIt2.exe
---------- C:\WINDOWS\notepad.exe
---------- C:\WINDOWS\notepad.exe
---------- C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
---------- C:\WINDOWS\system32\NOTEPAD.EXE
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!


----------------------\\ Cracks & Keygens..

C:\DOCUME~1\HJARDI~1\My Documents\Indesign\_crack_\help.txt


1 - "C:\Rooter$\Rooter_1.txt" - 09/04/2009|12:52

----------------------\\ Scan completed at 12:52



HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:47, on 09/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Portrait Displays\forteManager\DTHtml.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Kontiki\KHost.exe
C:\Documents and Settings\H Jardine\Application Data\pidle\pidle.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\H Jardine\My Documents\Downloads\OTListIt2.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P35 "EPSON Stylus DX4800 Series (Copy 1)" /O6 "USB004" /M "Stylus DX4800"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PVR] C:\Program Files\XemiComputers\Pocket Voice Recorder\PVR.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\H Jardine\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\H Jardine\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\H Jardine\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sikonese.dll C:\WINDOWS\system32\fineloto.dll C:\WINDOWS\system32\sonuleme.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: COM+ Event System EventSystemlanmanworkstation (EventSystemlanmanworkstation) - Unknown owner - C:\WINDOWS\TEMP\4E.tmp.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: System Event Notification SENSMSIServer (SENSMSIServer) - Unknown owner - C:\WINDOWS\TEMP\1.tmp.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: MS Software Shadow Copy Provider SwPrvSpooler (SwPrvSpooler) - Unknown owner - C:\WINDOWS\TEMP\1.tmp.exe (file missing)

--
End of file - 9295 bytes



Edit: Since making the original post earlier in the day, I had to rush oput of the house for a couple of hours and left the machine running. When I came back, I did another Malwarebytes scan and it picked 13 or so Trojan.BHO files. I allowed Malwarebytes to clean them out and reboot. Since then I have also just run combofix.... which appears to have tidied some stuff too... see log below:

ComboFix 09-04-04.01 - H Jardine 2009-04-09 19:01:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.617 [GMT 1:00]
Running from: c:\documents and settings\H Jardine\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\H Jardine\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\windows\IDE.EXE
c:\windows\system32\AUTOSETUP.EXE
c:\windows\system32\CMMGR32.EXE

----- BITS: Possible infected sites -----

hxxp://sync.broadband.o2.co.uk:8080
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVENTSYSTEMLANMANWORKSTATION
-------\Legacy_SENSMSISERVER
-------\Legacy_SWPRVSPOOLER
-------\Service_EventSystemlanmanworkstation
-------\Service_SENSMSIServer
-------\Service_SwPrvSpooler


((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 17:53 . 2009-04-09 17:53 <DIR> d-------- c:\program files\Panda Security
2009-04-09 17:53 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-04-09 17:01 . 2009-04-09 17:01 <DIR> d-------- c:\program files\CCleaner
2009-04-09 14:56 . 2009-04-09 16:42 <DIR> d-------- c:\documents and settings\H Jardine\Application Data\Twain
2009-04-09 03:05 . 2009-04-09 12:52 <DIR> d-------- C:\Rooter$
2009-04-09 02:39 . 2009-04-09 02:39 <DIR> d-------- C:\VundoFix Backups
2009-04-09 02:06 . 2009-04-09 17:17 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-04-09 02:06 . 2009-04-09 02:06 <DIR> d-------- c:\documents and settings\H Jardine\Application Data\SUPERAntiSpyware.com
2009-04-09 02:06 . 2009-04-09 02:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-09 01:49 . 2009-04-09 01:49 <DIR> d-------- c:\program files\Trend Micro
2009-04-09 01:26 . 2009-04-09 01:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-09 01:10 . 2009-04-09 01:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 01:10 . 2009-04-09 01:10 <DIR> d-------- c:\documents and settings\H Jardine\Application Data\Malwarebytes
2009-04-09 01:10 . 2009-04-09 01:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 01:10 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 01:10 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-08 22:19 . 2009-04-08 22:19 <DIR> d-------- c:\documents and settings\Administrator
2009-04-08 17:35 . 2009-04-08 19:44 <DIR> d-------- c:\documents and settings\H Jardine\.housecall6.6
2009-04-08 15:15 . 2009-04-08 15:15 155 --a------ c:\windows\system32\SelfDel.bat
2009-04-08 14:45 . 2009-04-08 14:45 <DIR> d-------- c:\documents and settings\H Jardine\Application Data\pidle
2009-03-31 13:31 . 2009-03-31 13:31 <DIR> d-------- c:\program files\Common Files\xing shared
2009-03-31 13:03 . 2009-03-31 13:03 <DIR> d-------- c:\program files\Apple Software Update
2009-03-27 15:24 . 2009-04-08 23:00 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-27 15:00 . 2009-04-09 18:25 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-27 15:00 . 2009-03-27 15:00 <DIR> d-------- c:\program files\AVG
2009-03-27 15:00 . 2009-04-08 22:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-27 15:00 . 2009-03-27 15:00 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-27 15:00 . 2009-03-27 15:00 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-27 15:00 . 2009-03-27 15:00 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-17 17:39 . 2009-03-24 18:12 <DIR> d-------- c:\program files\Macromedia
2009-03-17 17:39 . 2009-03-24 18:12 <DIR> d-------- c:\program files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-09 01:12 --------- d-----w c:\program files\PCI Audio Applications
2009-04-09 01:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-08 16:29 --------- d-----w c:\program files\Java
2009-04-02 15:00 --------- d-----w c:\documents and settings\H Jardine\Application Data\Apple Computer
2009-03-31 12:30 --------- d-----w c:\program files\Common Files\Real
2009-03-31 12:04 --------- d-----w c:\program files\QuickTime
2009-03-26 23:10 --------- d-----w c:\documents and settings\H Jardine\Application Data\Azureus
2009-03-09 04:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 13:32 --------- d-----w c:\program files\Lavasoft
2009-03-07 13:27 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-06 12:47 --------- d-----w c:\program files\Azureus
2009-03-03 21:30 --------- d-----w c:\program files\Mozilla Thunderbird
2007-10-26 10:29 28,720 ----a-w c:\documents and settings\H Jardine\Application Data\GDIPFONTCACHEV1.DAT
2007-02-12 22:00 92,064 ----a-w c:\documents and settings\H Jardine\mqdmmdm.sys
2007-02-12 22:00 9,232 ----a-w c:\documents and settings\H Jardine\mqdmmdfl.sys
2007-02-12 22:00 79,328 ----a-w c:\documents and settings\H Jardine\mqdmserd.sys
2007-02-12 22:00 66,656 ----a-w c:\documents and settings\H Jardine\mqdmbus.sys
2007-02-12 22:00 6,208 ----a-w c:\documents and settings\H Jardine\mqdmcmnt.sys
2007-02-12 22:00 5,936 ----a-w c:\documents and settings\H Jardine\mqdmwhnt.sys
2007-02-12 22:00 4,048 ----a-w c:\documents and settings\H Jardine\mqdmcr.sys
2007-02-12 22:00 25,600 ----a-w c:\documents and settings\H Jardine\usbsermptxp.sys
2007-02-12 22:00 22,768 ----a-w c:\documents and settings\H Jardine\usbsermpt.sys
2006-02-23 13:37 836 ----a-w c:\documents and settings\H Jardine\Application Data\ViewerApp.dat
.

------- Sigcheck -------

2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2001-08-23 13:00 327168 e7774698bb0d14b0710a9a31e209f9b6 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2004-08-04 07:14 359040 1745b00fc1141404b28f4b94f69a8871 c:\windows\ServicePackFiles\i386\tcpip.sys
2005-05-25 20:04 359808 e1999538d7213db7a05a660ba9d63658 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"pidle"="c:\documents and settings\H Jardine\Application Data\pidle\pidle.exe" [2009-04-08 56832]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus DX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"DT LGE"="c:\program files\Portrait Displays\forteManager\DTHtml.exe" [2007-06-12 291328]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"EPSON Stylus DX4800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-27 1932568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-20 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-27 15:00 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= lvfwwdmt.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^H Jardine^Start Menu^Programs^Startup^Registration THE SETTLERS - Heritage of Kings.LNK]
path=c:\documents and settings\H Jardine\Start Menu\Programs\Startup\Registration THE SETTLERS - Heritage of Kings.LNK
backup=c:\windows\pss\Registration THE SETTLERS - Heritage of Kings.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 01:50 204800 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-03-31 13:30 198160 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-04-09 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-27 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-27 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-27 298264]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S0 jalk;jalk;c:\windows\system32\drivers\intllhx.sys --> c:\windows\system32\drivers\intllhx.sys [?]
S0 ktksnlvs;ktksnlvs;c:\windows\system32\drivers\rydwvcxy.sys --> c:\windows\system32\drivers\rydwvcxy.sys [?]
S0 udymyj;udymyj;c:\windows\system32\drivers\ulorqkwc.sys --> c:\windows\system32\drivers\ulorqkwc.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9c2b7c0-7296-11da-bb79-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PVR - c:\program files\XemiComputers\Pocket Voice Recorder\PVR.exe
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\H Jardine\Application Data\Mozilla\Firefox\Profiles\sjd1pyyb.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 19:07:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthgxvkapyvbmygodsxylkojcebdbdovmkn]
"imagepath"="\systemroot\system32\drivers\ovfsthfrwhxdupkctvittmnbfwbobbtaktaden.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1202660629-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgcmgr.exe
.
**************************************************************************
.
Completion time: 2009-04-09 19:10:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-09 18:09:58

Pre-Run: 8,613,040,128 bytes free
Post-Run: 8,530,821,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

269

Edited by Desumacchhi, 09 April 2009 - 12:20 PM.

[Advertisements]

Hi Desumacchhi,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your computer problem.
Sorry for the delay, we have been very busy lately, and I apologize for your wait.

In the future, please do not run tools unless we ask for them, especially ComboFix. It is a very powerful tool that if not used properly, can cause your system to crash and leave it unbootable.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\H Jardine\Application Data\pidle

Driver::
jalk
ktksnlvs
udymyj

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[SpySentinel]

Hi Desumacchhi,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your computer problem.
Sorry for the delay, we have been very busy lately, and I apologize for your wait.

In the future, please do not run tools unless we ask for them, especially ComboFix. It is a very powerful tool that if not used properly, can cause your system to crash and leave it unbootable.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\H Jardine\Application Data\pidle

Driver::
jalk
ktksnlvs
udymyj

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[Desumacchhi]

Many thanks for taking a look SpySentinel....

log:


ComboFix 09-04-17.01 - H Jardine 17/04/2009 0:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.527 [GMT 1:00]
Running from: c:\documents and settings\H Jardine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\H Jardine\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\H Jardine\Application Data\Microsoft\SystemCertificates\Request
c:\windows\IDE.EXE
c:\windows\system32\AUTOSETUP.EXE
c:\windows\system32\CMMGR32.EXE

----- BITS: Possible infected sites -----

hxxp://sync.broadband.o2.co.uk:8080
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_jalk
-------\Service_ktksnlvs
-------\Service_udymyj


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-09 16:53 . 2008-06-19 15:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-09 16:53 . 2009-04-09 16:53 -------- d-----w c:\program files\Panda Security
2009-04-09 16:01 . 2009-04-09 16:01 -------- d-----w c:\program files\CCleaner
2009-04-09 13:56 . 2009-04-09 15:42 -------- d-----w c:\documents and settings\H Jardine\Application Data\Twain
2009-04-09 02:05 . 2009-04-09 11:52 -------- d-----w C:\Rooter$
2009-04-09 01:39 . 2009-04-09 01:39 -------- d-----w C:\VundoFix Backups
2009-04-09 01:06 . 2009-04-09 01:06 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-09 01:06 . 2009-04-15 22:56 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-09 01:06 . 2009-04-09 01:06 -------- d-----w c:\documents and settings\H Jardine\Application Data\SUPERAntiSpyware.com
2009-04-09 00:49 . 2009-04-09 00:49 -------- d-----w c:\program files\Trend Micro
2009-04-09 00:26 . 2009-04-09 00:26 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\documents and settings\H Jardine\Application Data\Malwarebytes
2009-04-09 00:10 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-09 00:10 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-08 16:35 . 2009-04-08 18:44 -------- d-----w c:\documents and settings\H Jardine\.housecall6.6
2009-04-08 14:15 . 2009-04-08 14:15 155 ----a-w c:\windows\system32\SelfDel.bat
2009-03-31 12:31 . 2009-03-31 12:31 -------- d-----w c:\program files\Common Files\xing shared
2009-03-31 12:03 . 2009-03-31 12:03 -------- d-----w c:\program files\Apple Software Update
2009-03-27 14:24 . 2009-04-16 11:11 -------- d--h--w C:\$AVG8.VAULT$
2009-03-27 14:00 . 2009-03-27 14:00 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-27 14:00 . 2009-03-27 14:00 107912 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-27 14:00 . 2009-03-27 14:00 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-27 14:00 . 2009-04-16 16:53 -------- d-----w c:\windows\system32\drivers\Avg
2009-03-27 14:00 . 2009-03-27 14:00 -------- d-----w c:\program files\AVG
2009-03-27 14:00 . 2009-04-14 15:04 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 23:51 . 2008-05-06 22:11 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-14 12:37 . 2005-08-09 13:55 -------- d-----w c:\documents and settings\H Jardine\Application Data\Azureus
2009-04-09 11:52 . 2009-04-09 11:52 3222 ----a-w C:\Rooter.txt
2009-04-09 01:52 . 2009-04-09 01:39 135 ----a-w C:\VundoFix.txt
2009-04-09 01:12 . 2005-06-13 16:34 -------- d-----w c:\program files\PCI Audio Applications
2009-04-09 01:06 . 2009-03-07 13:31 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-08 16:29 . 2005-06-13 21:55 -------- d-----w c:\program files\Java
2009-04-02 15:00 . 2008-05-10 11:46 -------- d-----w c:\documents and settings\H Jardine\Application Data\Apple Computer
2009-03-31 12:30 . 2006-04-17 22:47 -------- d-----w c:\program files\Common Files\Real
2009-03-31 12:04 . 2008-05-10 11:44 -------- d-----w c:\program files\QuickTime
2009-03-26 19:46 . 2005-06-13 20:10 28720 ----a-w c:\documents and settings\H Jardine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-24 17:12 . 2009-03-17 16:39 -------- d-----w c:\program files\Common Files\Macromedia
2009-03-24 17:12 . 2009-03-17 16:39 -------- d-----w c:\program files\Macromedia
2009-03-09 04:19 . 2009-02-07 13:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 13:32 . 2008-02-18 20:02 -------- d-----w c:\program files\Lavasoft
2009-03-07 13:27 . 2008-02-18 20:02 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-06 12:47 . 2005-08-09 13:55 -------- d-----w c:\program files\Azureus
2009-03-03 21:30 . 2006-11-07 23:39 -------- d-----w c:\program files\Mozilla Thunderbird
2007-10-26 10:29 . 2006-06-06 09:39 28720 ----a-w c:\documents and settings\H Jardine\Application Data\GDIPFONTCACHEV1.DAT
2007-02-12 22:00 . 2007-02-12 14:51 9232 ----a-w c:\documents and settings\H Jardine\mqdmmdfl.sys
2007-02-12 22:00 . 2007-02-12 14:51 92064 ----a-w c:\documents and settings\H Jardine\mqdmmdm.sys
2007-02-12 22:00 . 2007-02-12 14:51 79328 ----a-w c:\documents and settings\H Jardine\mqdmserd.sys
2007-02-12 22:00 . 2007-02-12 14:51 66656 ----a-w c:\documents and settings\H Jardine\mqdmbus.sys
2007-02-12 22:00 . 2007-02-12 14:51 6208 ----a-w c:\documents and settings\H Jardine\mqdmcmnt.sys
2007-02-12 22:00 . 2007-02-12 14:51 5936 ----a-w c:\documents and settings\H Jardine\mqdmwhnt.sys
2007-02-12 22:00 . 2007-02-12 14:51 4048 ----a-w c:\documents and settings\H Jardine\mqdmcr.sys
2007-02-12 22:00 . 2007-02-12 14:36 25600 ----a-w c:\documents and settings\H Jardine\usbsermptxp.sys
2007-02-12 22:00 . 2007-02-12 14:36 22768 ----a-w c:\documents and settings\H Jardine\usbsermpt.sys
2006-02-23 13:37 . 2005-08-06 12:20 836 ----a-w c:\documents and settings\H Jardine\Application Data\ViewerApp.dat
.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2004-08-04 06:14 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2005-05-25 19:04 359808 E1999538D7213DB7A05A660BA9D63658 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus DX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"DT LGE"="c:\program files\Portrait Displays\forteManager\DTHtml.exe" [2007-06-12 291328]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"EPSON Stylus DX4800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-27 1932568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-20 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 10:39 282624 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-27 14:00 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= lvfwwdmt.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^H Jardine^Start Menu^Programs^Startup^Registration THE SETTLERS - Heritage of Kings.LNK]
path=c:\documents and settings\H Jardine\Start Menu\Programs\Startup\Registration THE SETTLERS - Heritage of Kings.LNK
backup=c:\windows\pss\Registration THE SETTLERS - Heritage of Kings.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2004-06-03 00:50 204800 ----a-w c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ----a-w c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-31 12:30 198160 ----a-w c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 16:45 313472 ----a-r c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 wlhzuw;wlhzuw; [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-27 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-27 107912]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-27 298264]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9c2b7c0-7296-11da-bb79-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\H Jardine\Application Data\Mozilla\Firefox\Profiles\sjd1pyyb.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 00:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1202660629-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-16 1:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-17 00:00
ComboFix2.txt 2009-04-09 18:10

Pre-Run: 8,336,183,296 bytes free
Post-Run: 8,456,916,992 bytes free

248

[SpySentinel]

You're welcome


You are using peer-to-peer programs, specifically LimeWire.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9c2b7c0-7296-11da-bb79-806d6172696f}]

Driver::
wlhzuw

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[SpySentinel]

You're welcome


You are using peer-to-peer programs, specifically LimeWire.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9c2b7c0-7296-11da-bb79-806d6172696f}]

Driver::
wlhzuw

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[Desumacchhi]

Thanks SpySentinel for the fast response.... Tip top....

Noted on Limewire...... haven't used it in ages... certainly wont be using it anytime soon....

New log:

ComboFix 09-04-17.01 - H Jardine 17/04/2009 1:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.583 [GMT 1:00]
Running from: c:\documents and settings\H Jardine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\H Jardine\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_wlhzuw


((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.

2009-04-09 16:53 . 2008-06-19 15:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-09 16:53 . 2009-04-09 16:53 -------- d-----w c:\program files\Panda Security
2009-04-09 16:01 . 2009-04-09 16:01 -------- d-----w c:\program files\CCleaner
2009-04-09 13:56 . 2009-04-09 15:42 -------- d-----w c:\documents and settings\H Jardine\Application Data\Twain
2009-04-09 02:05 . 2009-04-09 11:52 -------- d-----w C:\Rooter$
2009-04-09 01:39 . 2009-04-09 01:39 -------- d-----w C:\VundoFix Backups
2009-04-09 01:06 . 2009-04-09 01:06 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-09 01:06 . 2009-04-15 22:56 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-09 01:06 . 2009-04-09 01:06 -------- d-----w c:\documents and settings\H Jardine\Application Data\SUPERAntiSpyware.com
2009-04-09 00:49 . 2009-04-09 00:49 -------- d-----w c:\program files\Trend Micro
2009-04-09 00:26 . 2009-04-09 00:26 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\documents and settings\H Jardine\Application Data\Malwarebytes
2009-04-09 00:10 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-09 00:10 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-08 16:35 . 2009-04-08 18:44 -------- d-----w c:\documents and settings\H Jardine\.housecall6.6
2009-04-08 14:15 . 2009-04-08 14:15 155 ----a-w c:\windows\system32\SelfDel.bat
2009-03-31 12:31 . 2009-03-31 12:31 -------- d-----w c:\program files\Common Files\xing shared
2009-03-31 12:03 . 2009-03-31 12:03 -------- d-----w c:\program files\Apple Software Update
2009-03-27 14:24 . 2009-04-16 11:11 -------- d--h--w C:\$AVG8.VAULT$
2009-03-27 14:00 . 2009-03-27 14:00 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-27 14:00 . 2009-03-27 14:00 107912 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-27 14:00 . 2009-03-27 14:00 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-27 14:00 . 2009-04-16 16:53 -------- d-----w c:\windows\system32\drivers\Avg
2009-03-27 14:00 . 2009-03-27 14:00 -------- d-----w c:\program files\AVG
2009-03-27 14:00 . 2009-04-14 15:04 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 00:22 . 2008-05-06 22:11 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-14 12:37 . 2005-08-09 13:55 -------- d-----w c:\documents and settings\H Jardine\Application Data\Azureus
2009-04-09 11:52 . 2009-04-09 11:52 3222 ----a-w C:\Rooter.txt
2009-04-09 01:52 . 2009-04-09 01:39 135 ----a-w C:\VundoFix.txt
2009-04-09 01:12 . 2005-06-13 16:34 -------- d-----w c:\program files\PCI Audio Applications
2009-04-09 01:06 . 2009-03-07 13:31 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-08 16:29 . 2005-06-13 21:55 -------- d-----w c:\program files\Java
2009-04-02 15:00 . 2008-05-10 11:46 -------- d-----w c:\documents and settings\H Jardine\Application Data\Apple Computer
2009-03-31 12:30 . 2006-04-17 22:47 -------- d-----w c:\program files\Common Files\Real
2009-03-31 12:04 . 2008-05-10 11:44 -------- d-----w c:\program files\QuickTime
2009-03-26 19:46 . 2005-06-13 20:10 28720 ----a-w c:\documents and settings\H Jardine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-24 17:12 . 2009-03-17 16:39 -------- d-----w c:\program files\Common Files\Macromedia
2009-03-24 17:12 . 2009-03-17 16:39 -------- d-----w c:\program files\Macromedia
2009-03-09 04:19 . 2009-02-07 13:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 13:32 . 2008-02-18 20:02 -------- d-----w c:\program files\Lavasoft
2009-03-07 13:27 . 2008-02-18 20:02 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-06 12:47 . 2005-08-09 13:55 -------- d-----w c:\program files\Azureus
2009-03-03 21:30 . 2006-11-07 23:39 -------- d-----w c:\program files\Mozilla Thunderbird
2007-10-26 10:29 . 2006-06-06 09:39 28720 ----a-w c:\documents and settings\H Jardine\Application Data\GDIPFONTCACHEV1.DAT
2007-02-12 22:00 . 2007-02-12 14:51 9232 ----a-w c:\documents and settings\H Jardine\mqdmmdfl.sys
2007-02-12 22:00 . 2007-02-12 14:51 92064 ----a-w c:\documents and settings\H Jardine\mqdmmdm.sys
2007-02-12 22:00 . 2007-02-12 14:51 79328 ----a-w c:\documents and settings\H Jardine\mqdmserd.sys
2007-02-12 22:00 . 2007-02-12 14:51 66656 ----a-w c:\documents and settings\H Jardine\mqdmbus.sys
2007-02-12 22:00 . 2007-02-12 14:51 6208 ----a-w c:\documents and settings\H Jardine\mqdmcmnt.sys
2007-02-12 22:00 . 2007-02-12 14:51 5936 ----a-w c:\documents and settings\H Jardine\mqdmwhnt.sys
2007-02-12 22:00 . 2007-02-12 14:51 4048 ----a-w c:\documents and settings\H Jardine\mqdmcr.sys
2007-02-12 22:00 . 2007-02-12 14:36 25600 ----a-w c:\documents and settings\H Jardine\usbsermptxp.sys
2007-02-12 22:00 . 2007-02-12 14:36 22768 ----a-w c:\documents and settings\H Jardine\usbsermpt.sys
2006-02-23 13:37 . 2005-08-06 12:20 836 ----a-w c:\documents and settings\H Jardine\Application Data\ViewerApp.dat
.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2004-08-04 06:14 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2005-05-25 19:04 359808 E1999538D7213DB7A05A660BA9D63658 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-16_23.55.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 00:21 . 2009-04-17 00:21 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat
+ 2009-04-17 00:21 . 2009-04-17 00:21 16384 c:\windows\Temp\Perflib_Perfdata_678.dat
+ 2001-08-23 12:00 . 2009-04-16 23:59 41792 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2009-04-16 09:42 41792 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2009-04-16 23:59 315062 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2009-04-16 09:42 315062 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus DX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"DT LGE"="c:\program files\Portrait Displays\forteManager\DTHtml.exe" [2007-06-12 291328]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"EPSON Stylus DX4800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-27 1932568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-20 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 10:39 282624 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-27 14:00 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= lvfwwdmt.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^H Jardine^Start Menu^Programs^Startup^Registration THE SETTLERS - Heritage of Kings.LNK]
path=c:\documents and settings\H Jardine\Start Menu\Programs\Startup\Registration THE SETTLERS - Heritage of Kings.LNK
backup=c:\windows\pss\Registration THE SETTLERS - Heritage of Kings.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2004-06-03 00:50 204800 ----a-w c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ----a-w c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-31 12:30 198160 ----a-w c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 16:45 313472 ----a-r c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-27 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-27 107912]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-27 298264]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\H Jardine\Application Data\Mozilla\Firefox\Profiles\sjd1pyyb.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 01:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1202660629-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-17 1:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-17 00:26
ComboFix2.txt 2009-04-17 00:00
ComboFix3.txt 2009-04-09 18:10

Pre-Run: 8,445,358,080 bytes free
Post-Run: 8,427,794,432 bytes free

245

[SpySentinel]

Thanks SpySentinel for the fast response.... Tip top....

Hi Desumacchhi, You're welcome


Launch Malwarebytes' Anti-Malware

• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

[Desumacchhi]

Like working these things out quickly huh?

MBAM log below.... I suspect Kaspersky will take some time.... so i'll post the .txt when it finishes in this post.....

Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 5.1.2600 Service Pack 2

17/04/2009 02:04:14
mbam-log-2009-04-17 (02-04-14).txt

Scan type: Quick Scan
Objects scanned: 72868
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Desumacchhi]

this is the kaspersky scan:

Btw... for some reason my Java is showing the background to everything as red - weird. Its been doing it for some time tho......it was happening even before i noticed this infection.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 17, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, April 17, 2009 06:10:49
Records in database: 2052482
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 98940
Threat name: 11
Infected objects: 61
Suspicious objects: 1
Duration of the scan: 04:56:53


File name / Threat name / Threats count
C:\Documents and Settings\H Jardine\.housecall6.6\Quarantine\ftpetsetnw.tmp.bac_a03424 Suspicious: Trojan.Win32.Patched.dy 1
C:\Documents and Settings\H Jardine\.housecall6.6\Quarantine\ftp_non_crp.exe.bac_a03424 Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\H Jardine\.housecall6.6\Quarantine\rasesnet.tmp.bac_a03424 Infected: Trojan.Win32.Stuh.ep 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.a 2
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Inbox Infected: Trojan-Proxy.Win32.Lager.dp 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.Win32.Small.ciw 2
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.d 4
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.h 8
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.k 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.m 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Zhelatin.o 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.a 2
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Junk Infected: Trojan-Proxy.Win32.Lager.dp 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Junk Infected: Trojan-Downloader.Win32.Small.ciw 2
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.d 4
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.h 8
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.m 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.o 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Trash Infected: Email-Worm.Win32.Zhelatin.a 2
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Trash Infected: Trojan-Proxy.Win32.Lager.dp 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Trash Infected: Email-Worm.Win32.Zhelatin.k 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Trash Infected: Trojan-Downloader.Win32.Small.ciw 2
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Trash Infected: Email-Worm.Win32.Zhelatin.d 4
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Trash Infected: Email-Worm.Win32.Zhelatin.h 8
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Trash Infected: Email-Worm.Win32.Zhelatin.m 1
C:\Documents and Settings\H Jardine\Application Data\Thunderbird\Profiles\647rq3u9.default\Mail\Local Folders\Trash Infected: Email-Worm.Win32.Zhelatin.o 1

The selected area was scanned.

Edited by Desumacchhi, 17 April 2009 - 02:04 PM.

[SpySentinel]

Like working these things out quickly huh?

Looks like your Thunderbird Profile is infected, you have some infected emails in the Inbox as well as the Trash can, I would recommend removing them.



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.

[Desumacchhi]

Hi SpySentinel....

Not sure if Dr Web successfully dealt with everything.... heres a copy of the .csv file.... (I tried to attach a copy, but look like im not permitted to upload that type of file.

ftp_non_crp.exe.bac_a03424;C:\Documents and Settings\H Jardine\.housecall6.6\Quarantine;Trojan.Packed.166;Deleted.;
kegosipi.dll.bac_a03424;C:\Documents and Settings\H Jardine\.housecall6.6\Quarantine;Trojan.Virtumod.1636;Deleted.;
rasesnet.tmp.bac_a03424;C:\Documents and Settings\H Jardine\.housecall6.6\Quarantine;Trojan.Virtumod.1636;Deleted.;
rewagiki.dll.bac_a03424;C:\Documents and Settings\H Jardine\.housecall6.6\Quarantine;Trojan.Virtumod.1636;Deleted.;
zovudala.dll.bac_a03424;C:\Documents and Settings\H Jardine\.housecall6.6\Quarantine;Trojan.Virtumod.1636;Deleted.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\H Jardine\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\H Jardine\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\H Jardine\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\H Jardine\Desktop;Container contains infected objects;Moved.;
A0109906.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1113\A0109906.exe/data002;Probably BATCH.Virus;;
A0109906.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1113\A0109906.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1113;Archive contains infected objects;;
A0109906.exe;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1113;Container contains infected objects;Moved.;
A0110954.bat;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1114;Probably BATCH.Virus;Incurable.Moved.;
A0111009.bat;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1114;Probably BATCH.Virus;Incurable.Moved.;
A0111060.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1114\A0111060.exe/data002;Probably BATCH.Virus;;
A0111060.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1114\A0111060.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1114;Archive contains infected objects;;
A0111060.exe;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1114;Container contains infected objects;Moved.;
A0111068.bat;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1114;Probably BATCH.Virus;Incurable.Moved.;
A0111154.bat;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1115;Probably BATCH.Virus;Incurable.Moved.;
A0111158.EXE;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1115;Program.PsExec.170;Incurable.Moved.;
A0111245.bat;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1116;Probably BATCH.Virus;Incurable.Moved.;
A0111249.EXE;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1116;Program.PsExec.170;Incurable.Moved.;
A0111353.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1118\A0111353.exe/data002;Probably BATCH.Virus;;
A0111353.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1118\A0111353.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1118;Archive contains infected objects;;
A0111353.exe;C:\System Volume Information\_restore{928E50AF-11AA-47FF-A72B-8D70494017B2}\RP1118;Container contains infected objects;Moved.;




Thanks
Desumacchi

[SpySentinel]

Hi Desumacchi,

Did you remove those infected emails and profile?


Step #1

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Step #2

Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  o Click Preferences, then click the Statistics/Logs tab.
  o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  o Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

[Desumacchhi]

Hi...

First Set of logs as requested... im running superantispyware now....


Logfile of random's system information tool 1.06 (written by random/random)
Run by H Jardine at 2009-04-19 19:43:02
Microsoft Windows XP Professional Service Pack 2
System drive C: has 8 GB (21%) free of 38 GB
Total RAM: 1023 MB (48% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:04, on 19/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Portrait Displays\forteManager\DTHtml.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\Documents and Settings\H Jardine\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\H Jardine.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P35 "EPSON Stylus DX4800 Series (Copy 1)" /O6 "USB004" /M "Stylus DX4800"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\H Jardine\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\H Jardine\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

--
End of file - 7846 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus DX4800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE [2005-02-02 98304]
"C-Media Mixer"=Mixer.exe /startup []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"LVCOMS"=C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE [2001-11-13 98304]
"DT LGE"=C:\Program Files\Portrait Displays\forteManager\DTHtml.exe [2007-06-12 291328]
"O2"=C:\Program Files\O2\bin\sprtcmd.exe [2008-03-28 198184]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-03-30 267048]
"EPSON Stylus DX4800 Series (Copy 1)"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE [2005-02-02 98304]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-27 1932568]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-03-31 198160]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kdx"=C:\Program Files\Kontiki\KHost.exe [2008-02-27 1032376]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2007-02-27 1310720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
C:\Program Files\Microsoft IntelliPoint\point32.exe [2004-06-03 204800]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-03-31 198160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~3\SonyTray.exe [2003-11-21 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~1\RESIDE~1.EXE [2003-12-17 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^H Jardine^Start Menu^Programs^Startup^Registration THE SETTLERS - Heritage of Kings.LNK]
C:\PROGRA~1\Ubisoft\BLUEBY~1\THESET~1\Support\Register\REGIST~1.EXE -d 802504 -l english -r 7 -g THE SETTLERS - Heritage of Kings -c us -i 2057 []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2007-02-27 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-27 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\EA GAMES\The Battle for Middle-earth ™\game.dat"="C:\Program Files\EA GAMES\The Battle for Middle-earth ™\game.dat:*:Enabled:The Battle for Middle-earth ™"
"C:\Program Files\Quake III Arena\quake3.exe"="C:\Program Files\Quake III Arena\quake3.exe:*:Enabled:quake3"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe"="C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\O2\bin\wificfg.exe"="C:\Program Files\O2\bin\wificfg.exe:*:Enabled:sprtcmd.exe"
"C:\Program Files\O2\agent\bin\bcont.exe"="C:\Program Files\O2\agent\bin\bcont.exe:*:Enabled:bcont.exe"
"C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe"="C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe:*:Enabled:ssrc.exe"
"C:\Program Files\O2\agent\bin\bcont_nm.exe"="C:\Program Files\O2\agent\bin\bcont_nm.exe:*:Enabled:bcont_nm.exe"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2009-04-19 19:43:02 ----D---- C:\rsit
2009-04-19 14:55:14 ----SHD---- C:\RECYCLER
2009-04-17 01:26:35 ----A---- C:\ComboFix.txt
2009-04-09 18:59:45 ----A---- C:\Boot.bak
2009-04-09 18:59:37 ----RASHD---- C:\cmdcons
2009-04-09 18:58:34 ----A---- C:\WINDOWS\zip.exe
2009-04-09 18:58:34 ----A---- C:\WINDOWS\VFIND.exe
2009-04-09 18:58:34 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-09 18:58:34 ----A---- C:\WINDOWS\SWSC.exe
2009-04-09 18:58:34 ----A---- C:\WINDOWS\SWREG.exe
2009-04-09 18:58:34 ----A---- C:\WINDOWS\sed.exe
2009-04-09 18:58:34 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-09 18:58:34 ----A---- C:\WINDOWS\grep.exe
2009-04-09 18:58:29 ----D---- C:\WINDOWS\ERDNT
2009-04-09 18:56:20 ----D---- C:\Qoobox
2009-04-09 17:53:13 ----D---- C:\Program Files\Panda Security
2009-04-09 17:01:49 ----D---- C:\Program Files\CCleaner
2009-04-09 14:56:26 ----D---- C:\Documents and Settings\H Jardine\Application Data\Twain
2009-04-09 12:52:45 ----A---- C:\Rooter.txt
2009-04-09 03:05:36 ----D---- C:\Rooter$
2009-04-09 02:39:51 ----D---- C:\VundoFix Backups
2009-04-09 02:39:51 ----A---- C:\VundoFix.txt
2009-04-09 02:06:45 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-09 02:06:39 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-09 02:06:39 ----D---- C:\Documents and Settings\H Jardine\Application Data\SUPERAntiSpyware.com
2009-04-09 01:49:22 ----D---- C:\Program Files\Trend Micro
2009-04-09 01:10:30 ----D---- C:\Documents and Settings\H Jardine\Application Data\Malwarebytes
2009-04-09 01:10:23 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-09 01:10:23 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-08 17:29:31 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-08 17:29:31 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-08 17:29:31 ----A---- C:\WINDOWS\system32\java.exe
2009-04-08 15:15:18 ----A---- C:\WINDOWS\system32\SelfDel.bat
2009-03-31 13:31:11 ----D---- C:\Program Files\Common Files\xing shared
2009-03-31 13:03:00 ----D---- C:\Program Files\Apple Software Update
2009-03-27 15:24:21 ----HD---- C:\$AVG8.VAULT$
2009-03-27 15:00:38 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-03-27 15:00:02 ----D---- C:\Program Files\AVG
2009-03-27 15:00:01 ----D---- C:\Documents and Settings\All Users\Application Data\avg8

======List of files/folders modified in the last 1 months======

2009-04-19 19:42:59 ----D---- C:\WINDOWS\Prefetch
2009-04-19 19:42:27 ----D---- C:\Documents and Settings\All Users\Application Data\Kontiki
2009-04-19 18:51:46 ----D---- C:\Program Files\Mozilla Thunderbird
2009-04-19 18:29:45 ----D---- C:\WINDOWS\Temp
2009-04-19 16:22:20 ----D---- C:\Program Files\Mozilla Firefox
2009-04-18 10:47:25 ----D---- C:\WINDOWS\system32
2009-04-18 10:47:25 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-17 23:02:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-17 09:49:54 ----D---- C:\WINDOWS\system32\drivers
2009-04-17 01:26:35 ----D---- C:\WINDOWS
2009-04-17 01:25:27 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-17 01:21:51 ----A---- C:\WINDOWS\system.ini
2009-04-17 01:18:12 ----D---- C:\WINDOWS\system32\config
2009-04-17 01:17:20 ----D---- C:\WINDOWS\AppPatch
2009-04-17 01:17:17 ----D---- C:\Program Files\Common Files
2009-04-15 18:37:16 ----D---- C:\WINDOWS\Minidump
2009-04-14 13:37:48 ----D---- C:\Documents and Settings\H Jardine\Application Data\Azureus
2009-04-14 13:26:43 ----A---- C:\WINDOWS\NeroDigital.ini
2009-04-09 18:59:45 ----RASH---- C:\boot.ini
2009-04-09 17:53:30 ----HD---- C:\WINDOWS\inf
2009-04-09 17:53:13 ----RD---- C:\Program Files
2009-04-09 17:04:08 ----D---- C:\WINDOWS\Debug
2009-04-09 02:12:13 ----D---- C:\Program Files\PCI Audio Applications
2009-04-09 02:06:42 ----SHD---- C:\WINDOWS\Installer
2009-04-09 02:06:22 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-08 22:19:15 ----D---- C:\Documents and Settings
2009-04-08 17:35:00 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-08 17:29:24 ----D---- C:\Program Files\Java
2009-04-02 16:00:50 ----D---- C:\Documents and Settings\H Jardine\Application Data\Apple Computer
2009-03-31 13:30:54 ----D---- C:\Program Files\Common Files\Real
2009-03-31 13:30:50 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-03-31 13:30:26 ----A---- C:\WINDOWS\system32\pndx5032.dll
2009-03-31 13:30:26 ----A---- C:\WINDOWS\system32\pndx5016.dll
2009-03-31 13:30:20 ----A---- C:\WINDOWS\system32\pncrt.dll
2009-03-31 13:04:31 ----D---- C:\Program Files\QuickTime
2009-03-31 13:03:06 ----SD---- C:\WINDOWS\Tasks
2009-03-27 12:11:50 ----D---- C:\WINDOWS\WinSxS
2009-03-27 12:11:50 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-24 18:13:05 ----D---- C:\Documents and Settings\H Jardine\Application Data\Macromedia
2009-03-24 18:12:16 ----D---- C:\Program Files\Common Files\Macromedia
2009-03-24 18:12:05 ----D---- C:\Program Files\Macromedia
2009-03-24 18:10:32 ----D---- C:\WINDOWS\Downloaded Installations
2009-03-24 12:06:39 ----D---- C:\Documents and Settings\H Jardine\Application Data\Adobe
2009-03-24 12:06:39 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-04 37376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-27 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-27 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-04-17 108552]
R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 13566]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 VIAPFD;VIAPFD; C:\WINDOWS\System32\Drivers\VIAPFD.SYS [2001-12-18 3279]
R3 cmpci;C-Media PCI Audio Driver (WDM); C:\WINDOWS\system32\drivers\cmaudio.sys [2002-11-18 377358]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 pdiddcci;DDC/CI monitor; C:\WINDOWS\System32\DRIVERS\pdiddcci.sys [2007-06-12 11776]
R3 PdiPorts;Portrait Displays low level device driver; C:\WINDOWS\System32\Drivers\PdiPorts.sys [2006-11-16 15920]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2004-06-03 20352]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-07-16 70400]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 VIAudio;VIA AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\viaudios.sys [2003-02-26 370048]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2003-05-14 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2003-05-14 44288]
S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\HJARDI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 G400;G400; C:\WINDOWS\system32\DRIVERS\G400m.sys [2001-08-17 322432]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 QCDonner;Labtec WebCam(PID_0840); C:\WINDOWS\system32\DRIVERS\LVCD.sys [2001-11-13 38912]
S3 rtl8139;Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2001-08-23 25434]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 usbser;Motorola A1000 USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2004-08-04 25600]
S3 usbsermpt;Motorola USB Modem Driver for MPT; C:\WINDOWS\system32\DRIVERS\usbsermpt.sys [2007-02-12 22768]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WINFLASH;WINFLASH; \??\C:\WINDOWS\system32\DRIVERS\WINFLASH.sys []
S3 WmFilter;Logitech WingMan HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2003-05-14 21216]
S3 WmHidLo;Logitech WingMan USB Filter Driver; C:\WINDOWS\system32\drivers\WmHidLo.sys [2003-05-14 13920]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2003-05-14 5728]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-27 298264]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 DTSRVC;Portrait Displays Display Tune Service; C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe [2007-06-12 73728]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 KService;KService; C:\Program Files\Kontiki\KService.exe [2008-02-27 3072184]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2007-08-16 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2008-04-16 107832]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2); C:\Program Files\O2\bin\sprtsvc.exe [2007-06-07 202280]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-03-30 504104]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-05-20 654848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist; C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe [2007-07-27 382320]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-04-19 19:43:08

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Absolute Poker-->C:\Program Files\_uninstallation_info\Absolute Poker\CasinoUninstall.exe
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Recommended Settings-->MsiExec.exe /I{73B5D990-04EA-4751-B10F-5534770B91F2}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Extra Settings-->MsiExec.exe /I{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS-->RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe InDesign CS3-->C:\Program Files\Common Files\Adobe\Installers\05ba3a63f36684fe0c5dde2ebe6f8f5\Setup.exe
Adobe InDesign CS3-->MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop Elements 2.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Setup-->MsiExec.exe /I{56B8B892-317E-4FDE-9E4D-44B189848A27}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SING CS3-->MsiExec.exe /I{3F9B2FD2-1C83-4401-9967-C3636638E958}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Avanquest update-->C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
Avery Wizard 3.1-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{EB7A2041-6A16-4BAC-8079-43B985673C2C}
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Azureus-->C:\Program Files\Azureus\Uninstall.exe
BBC iPlayer Download Manager-->MsiExec.exe /I {D466F3D9-510C-4729-B7D4-2E70490E4CDF}
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
EPSON Attach To Email-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Easy Photo Print-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5DA7BC15-18D3-41A0-9F59-838DA3EAEF17}\SETUP.EXE" -l0x9 UNINST
EPSON File Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Image Clip Palette-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{314F6D08-A8B7-11D8-8446-0050BA1D384D}\Setup.exe" -l0x9 -u
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x9 -anything
ESDX4800_4200 User's Guide-->C:\Program Files\EPSON\TPMANUAL\ESDX4800_4200\USE_G\DOCUNINS.EXE
forteManager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1883A84D-94AA-432C-9519-FA31B6B118B9}\setup.exe" -l0x9 -removeonly
FreeRIP v3.00-->"C:\Program Files\FreeRIP3\unins000.exe"
Full Tilt Poker-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HoldemPoker.com (remove only)-->"C:\Program Files\HoldemPoker\uninst.exe"
Hotfix for Windows XP (KB896344)-->"C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Juiced-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{902C9C8F-BFC8-4A70-BCE5-F311D6D9CFFD}\setup.exe" -l0x9 -removeonly
Labtec WebCam-->MsiExec.exe /I{0463B519-E4C8-4C16-84AA-4743D1ED91B5}
LeechFTP -->C:\WINDOWS\eraser.exe KILL "C:\Program Files\LeechFTP\uninstall.uif"
LimeWire 4.16.6-->"C:\Program Files\LimeWire\uninstall.exe"
Logitech Gaming Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93EC14D5-7AAA-4EAD-BB75-013817A96598}\Setup.Exe" -l0x9
Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8-->MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash Player-->MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Matrox Imaging Products-->C:\WINDOWS\UnInstallMIP.exe
Microsoft DirectX Transform optional components-->RUNDLL32.EXE ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\DXTXTRA.INF,UNINSTALL.NT,12
Microsoft Office XP Professional-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Motorola Phone Tools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Mozilla Firefox (3.0.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.12)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
mp3-2-wav converter 1.14-->C:\WINDOWS\iun506.exe C:\Program Files\Mp3 File Editor\plugins\\irunin_mp32wav.ini
Nero 7 Premium-->MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
O2 Broadband Assistant-->MsiExec.exe /X{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}
OFx Q3 Version Switch v2.05 (C:\Program Files\Quake III Arena\)-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\Quake III Arena\ST6UNST.LOG"
OFx Q3 Version Switch v2.05-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\Quake III Arena\ST6UNST.LOG"
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PCI Audio Applications-->C:\Program Files\PCI Audio Applications\Bin\Uninstall.exe
PCI Audio Driver-->cmuninst.exe
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Picture Package-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
PictureGear Studio 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88DA0A52-3372-4803-971A-ADFB961707E8}\setup.exe"
PIF DESIGNER-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B90450DF-E781-46FD-B1F1-0C86DA40E443}\SETUP.EXE" -l0x9 anything
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\SETUP.EXE" -uninstall
Quake III Arena Point Release 1.32-->C:\WINDOWS\unvise32.exe C:\Program Files\Quake III Arena\uninstal5.log
Quake III Arena-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Quake III Arena\QIII.isu"
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RTLSetup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\SETUP.EXE" -l0x9 REMOVE
SDK-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA342C-15CB-4F52-97B6-06A9C4B9C06F}\setup.exe" -l0x9
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Skype 2.5-->"C:\Program Files\Skype\Phone\unins000.exe"
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SyncBack-->"C:\Program Files\2BrightSparks\SyncBack\unins000.exe"
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
The Battle for Middle-earth ™-->C:\Program Files\EA GAMES\The Battle for Middle-earth ™\EAUninstall.exe
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900930)-->"C:\WINDOWS\$NtUninstallKB900930$\spuninst\spuninst.exe"
VIA Audio Driver Setup Program-->RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS\IsUninst.exe -f"C:\PROGRA~1\VIATEC~1\VIAAUD~1/Uninst.isu"
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Vodei Multimedia Processor 2.10-->C:\Program Files\Vodei\uninst.exe
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885884-->C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB887797-->C:\WINDOWS\$NtUninstallKB887797$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinMX-->C:\Program Files\WinMX\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
XviD 1.1 final uninstall-->"C:\Program Files\XviD\unins000.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

=====HijackThis Backups=====

O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com [2009-04-09]
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com [2009-04-09]
O1 - Hosts: 82.98.231.89 best-click-scanner.info [2009-04-09]
O1 - Hosts: 82.98.231.89 onlinenotifyq.net [2009-04-09]
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com [2009-04-09]
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com [2009-04-09]
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com [2009-04-09]
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com [2009-04-09]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local [2009-04-09]

======Security center information======

AV: AVG Anti-Virus Free (disabled)

======System event log======

Computer Name: HAMISH
Event Code: 1000
Message: Your computer has lost the lease to its IP address 192.168.1.66 on the
Network Card with network address 000795C676EF.

Record Number: 54006
Source Name: Dhcp
Time Written: 20090203200510.000000+000
Event Type: error
User:

Computer Name: HAMISH
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000795C676EF. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 54005
Source Name: Dhcp
Time Written: 20090203200510.000000+000
Event Type: warning
User:

Computer Name: HAMISH
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 54003
Source Name: W32Time
Time Written: 20090203181931.000000+000
Event Type: warning
User:

Computer Name: HAMISH
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 53998
Source Name: W32Time
Time Written: 20090202012019.000000+000
Event Type: warning
User:

Computer Name: HAMISH
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 53996
Source Name: W32Time
Time Written: 20090131010252.000000+000
Event Type: warning
User:

=====Application event log=====

Computer Name: HAMISH
Event Code: 1002
Message: Hanging application wmplayer.exe, version 10.0.0.3802, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 13047
Source Name: Application Hang
Time Written: 20090205145711.000000+000
Event Type: error
User:

Computer Name: HAMISH
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 13024
Source Name: usnjsvc
Time Written: 20090204143647.000000+000
Event Type:
User:

Computer Name: HAMISH
Event Code: 1000
Message: Faulting application wmplayer.exe, version 10.0.0.3802, faulting module quartz.dll, version 6.5.2600.2749, fault address 0x0003155d.

Record Number: 13011
Source Name: Application Error
Time Written: 20090203182455.000000+000
Event Type: error
User:

Computer Name: HAMISH
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 12998
Source Name: usnjsvc
Time Written: 20090202014041.000000+000
Event Type:
User:

Computer Name: HAMISH
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 12973
Source Name: usnjsvc
Time Written: 20090130112002.000000+000
Event Type:
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0602
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"VGAVCF"=c:\Program Files\Matrox Imaging\drivers\vga\vcf
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

[SpySentinel]

Thanks for the update Desumacchhi, go ahead and post the SUPER AntiSpyware log when it is finished.

[Desumacchhi]

Hi again, my apologies for the delay in replying - i'm having an unbelievably manic week.... one of those weeks where if it can go wrong it will go wrong.... Thanks for your patience....

Heres the log:

SUPERAntiSpyware Scan Log
Generated 04/20/2009 at 02:01 PM

Application Version : 3.6.1000

Core Rules Database Version : 3852
Trace Rules Database Version: 1805

Scan type : Complete Scan
Total Scan Time : 02:53:22

Memory items scanned : 408
Memory threats detected : 0
Registry items scanned : 6008
Registry threats detected : 0
File items scanned : 98737
File threats detected : 0